The 2024 HIPAA Security Rule Update: What You Need to Know
The Department of Health and Human Services (HHS) finalized the most significant update to the HIPAA Security Rule in 20 years in late 2024. The rule became effective in 2025, but compliance deadlines are staggered — and many covered entities and business associates are already behind.
Here's the complete timeline of what's required, what changed, and what the penalties look like if you miss it.
What Changed in the 2024 Update
The 2024 HIPAA Security Rule update eliminated the distinction between "required" and "addressable" implementation specifications. All specifications are now required. This is the most impactful change for organizations that previously took a flexible interpretation of "addressable" standards.
Key Changes by Category
Risk Analysis (§164.308(a)(1))
The new rule mandates a specific risk analysis methodology, not just "an appropriate risk analysis." Requirements now include:
- Asset inventory of all electronic protected health information (ePHI) — documented with location, data type, and access rights
- Threat and vulnerability analysis tied to specific assets
- Risk level assignment using a documented methodology
- Review and update at least annually and after any significant operational change
Previously, organizations could interpret "risk analysis" broadly. Now it must follow a documented, repeatable process.
Technical Safeguards (§164.312)
New mandatory technical requirements:
- Multi-factor authentication for all systems accessing ePHI
- Encryption of ePHI at rest and in transit (previously "addressable")
- Anti-malware protection on all relevant systems
- Network segmentation to limit ePHI access
- Vulnerability scanning at least every 6 months
- Penetration testing at least annually
Audit Logging (§164.312(b))
More prescriptive logging requirements:
- Log all access to ePHI systems, including failed access attempts
- Log retention: minimum 6 years
- Regular log review — quarterly minimum
- Centralized log management
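The logging bullets above describe what must be captured and reviewed, not how. As an added illustration that is not part of the original article, the Python sketch below shows what a quarterly review pass over centralized ePHI access logs can look like: it parses access events, tallies failed attempts per user, lists which users successfully touched each record, and checks an event's age against the six-year retention window. The space-separated key=value log format, the sample events and the three-failure flagging threshold are all constructed for this example and are not from any real product or from HHS guidance.

```python
"""Quarterly ePHI access-log review helper (constructed log format, illustrative only).

Assumed line format (one event per line, space-separated key=value fields):
    <ISO-8601 UTC timestamp> system=<name> user=<id> action=<verb> record=<id|-> result=success|failure
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

RETENTION_YEARS = 6     # minimum log retention stated in the rule summary
FAILURE_THRESHOLD = 3   # assumed review threshold: flag users with this many failures or more

# Constructed sample events; not taken from any real system.
SAMPLE_LOG = """\
2026-01-14T09:12:03Z system=ehr user=jdoe action=read record=PHI-0042 result=success
2026-01-14T09:12:41Z system=ehr user=jdoe action=update record=PHI-0042 result=success
2026-01-14T22:03:10Z system=billing user=svc_backup action=login record=- result=failure
2026-01-14T22:03:15Z system=billing user=svc_backup action=login record=- result=failure
2026-01-14T22:03:19Z system=billing user=svc_backup action=login record=- result=failure
2026-01-15T08:00:00Z system=pacs user=rlee action=read record=PHI-0107 result=success
2026-01-15T08:05:30Z system=pacs user=rlee action=read record=PHI-0108 result=failure
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    # A reviewable event must at least say who acted and whether the attempt succeeded.
    if "user" not in event or "result" not in event:
        return None
    return event


def parse_log(text):
    """Parse every line; malformed lines are kept aside so the review can report them."""
    events, malformed = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            malformed.append(raw)
        else:
            events.append(event)
    return events, malformed


def review(events, threshold=FAILURE_THRESHOLD):
    """Summarise events the way a quarterly reviewer reads them."""
    failures = Counter()
    record_access = defaultdict(set)
    systems = set()
    for ev in events:
        systems.add(ev.get("system", "unknown"))
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
        record = ev.get("record", "-")
        if record != "-" and ev["result"] == "success":
            record_access[record].add(ev["user"])
    return {
        "total_events": len(events),
        "systems_seen": sorted(systems),
        "failures_by_user": dict(failures),
        "flagged_users": sorted(u for u, n in failures.items() if n >= threshold),
        "records_accessed": {r: sorted(users) for r, users in record_access.items()},
    }


def retention_cutoff(review_date, years=RETENTION_YEARS):
    """Oldest timestamp that must still be retained on review_date."""
    try:
        return review_date.replace(year=review_date.year - years)
    except ValueError:  # 29 February with a non-leap target year
        return review_date.replace(year=review_date.year - years, day=28)


def must_retain(event_ts, review_date, years=RETENTION_YEARS):
    """True if an event of this age is still inside the retention window."""
    return event_ts >= retention_cutoff(review_date, years)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    summary = review(evs)
    print(f"{summary['total_events']} events parsed, {len(bad)} malformed lines")
    print("systems:", ", ".join(summary["systems_seen"]))
    print("failures by user:", summary["failures_by_user"])
    print("flagged for follow-up:", summary["flagged_users"])
    for record, users in summary["records_accessed"].items():
        print(f"  {record} read/updated by {', '.join(users)}")
```

The point of separating parse, review and retention logic is that the review output itself becomes the documented evidence the rule asks for: run each quarter, the summary (plus the malformed-line count, which is a logging-pipeline health signal) can be filed alongside the reviewer's sign-off.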
Business Associate Requirements
Business associates (BAs) face increased scrutiny:
- Annual verification that BAs have implemented required safeguards
- Updated Business Associate Agreements (BAAs) required within 180 days of the rule's effective date
- BAs must notify covered entities of security incidents within 24 hours (previously 60 days)
The 2026 HIPAA Compliance Timeline
Q1 2026 (January–March)
BAA updates due (for most covered entities)
All Business Associate Agreements must be updated to reflect the new requirements. If your existing BAAs don't include the new incident notification (24-hour) and annual verification provisions, they're non-compliant.
Action items:
- Audit all existing BAAs
- Identify missing provisions
- Issue updated BAAs to all business associates
- Confirm execution
Annual risk analysis required
If you haven't completed a risk analysis under the new methodology, it's due. Organizations that completed one in 2025 under the new standard are current; those that haven't are already in violation.
Q2 2026 (April–June)
MFA implementation deadline for smaller organizations
Smaller covered entities (under 50 employees) were given a phased implementation timeline. The Q2 2026 deadline applies to multi-factor authentication on all systems accessing ePHI.
What counts as MFA:
- Authenticator apps (Microsoft Authenticator, Google Authenticator)
- Hardware tokens (YubiKey)
- SMS OTP is accepted but discouraged (SIM swapping risk)
- Biometric + PIN combinations
What does NOT count:
- Password + security question
- IP allowlisting alone
- Single-factor with device certificate only
Vulnerability scan completion
First semi-annual vulnerability scan under the new rule must be complete. Document results and remediation plans.
Q3 2026 (July–September)
Encryption implementation verification
All ePHI must be encrypted at rest and in transit. Document your encryption standards (AES-256 minimum for data at rest, TLS 1.2+ for data in transit).
Common gaps found in audits:
- Legacy database instances without transparent data encryption
- Backup media without encryption
- ePHI in email without S/MIME or equivalent
- Mobile devices without device-level encryption enforced via MDM
Annual security awareness training
All workforce members must complete HIPAA security awareness training annually. Document completion with dates and materials used.
Q4 2026 (October–December)
Penetration testing window
Annual penetration test required. Plan for 4–8 weeks for scoping, testing, and remediation.
End-of-year audit preparation
HHS OCR audits are increasing. Prepare your documentation package:
- Risk analysis and risk management plan
- Policies and procedures inventory
- Training completion records
- BAA inventory
- Incident log
- Technical safeguard implementation evidence
The Penalty Landscape in 2026
HIPAA penalties are tiered by culpability:
| Tier | Description | Per Violation | Annual Cap |
|------|-------------|---------------|------------|
| Tier 1 | Did not know | $137–$27,500 | $1.9M |
| Tier 2 | Reasonable cause | $1,379–$27,500 | $1.9M |
| Tier 3 | Willful neglect, corrected | $13,785–$68,928 | $1.9M |
| Tier 4 | Willful neglect, uncorrected | $68,928–$2.07M | $2.07M |
Note: Figures updated for 2026 inflation adjustments. Source: HHS.
The key shift in enforcement: HHS OCR is now treating the absence of required controls as Tier 3 or Tier 4 violations — not Tier 1. If the 2024 update was publicly announced and you haven't implemented MFA or updated your BAAs, "I didn't know" is no longer a credible defense.
Common HIPAA Gaps in 2026 (From Real Audits)
- BAAs never updated — Organizations renewed vendor contracts but didn't issue updated BAAs under the new standard
- MFA gaps on legacy systems — EHR systems, PACS, and billing systems often don't support modern MFA natively; they require middleware or VPN-based enforcement in front of the application instead
- Informal risk analyses — Spreadsheet-based risk analyses that don't document threat-to-asset mapping at the required level of specificity
- Business associates unverified — Covered entities sign BAAs but never verify that BAs actually implement the required safeguards
- Backup encryption — Application-level encryption exists, but backup tapes or cloud backup storage isn't independently encrypted
How to Check Your HIPAA Compliance Status
A structured security assessment maps your current controls to HIPAA Security Rule requirements and shows you exactly which safeguards are missing, implemented, or need documentation.
Our assessment covers all HIPAA Security Rule administrative, technical, and physical safeguard categories — and gives you a prioritized remediation list tied to the 2026 deadline schedule.
Key point: HIPAA compliance isn't binary. OCR assessments consider your good faith effort and documented progress. An organization with a completed risk analysis, an active remediation plan, and documented controls is in a fundamentally different position than one with nothing.
Start with your assessment. Know where you stand before the next audit window opens.
Take our free cybersecurity risk assessment
Score your security posture in 5 minutes — then get your personalized Cyber Pulse brief with live threats and compliance deadlines for your industry.