HIPAA Security Rule 2026: This Is Going to Expose Some Gaps

I’ve been having a lot of conversations lately with healthcare organizations that feel pretty confident about where they stand with HIPAA.
And honestly, I get it.
On paper, most of them look solid. Policies are in place. Controls are mapped. They’ve passed audits. Nothing feels obviously broken.
But when you actually walk through how things operate day-to-day, it’s a different story.
Access controls don’t work consistently across systems. Logging is turned on, but no one can really explain what’s being monitored. Processes depend on one or two people instead of being repeatable. Vendors are “approved,” but not really validated.
That gap, between what’s documented and what’s actually happening, is exactly what the proposed 2026 HIPAA Security Rule is targeting.
This isn’t just an update. It’s a correction.

Why This Was Inevitable

Healthcare has become one of the most targeted industries for cyberattacks, especially ransomware. And those attacks have made one thing pretty clear:
Most organizations don’t fail because they don’t have controls.
They fail because those controls don’t hold up when tested.
The current HIPAA framework allowed too much flexibility. “Addressable” controls gave organizations room to justify why something wasn’t implemented. Risk assessments were often treated like paperwork exercises. Vendor oversight was inconsistent at best.
So you ended up with environments that looked compliant but weren’t actually secure.
That’s what regulators are trying to fix.

What’s Changing and Why It Matters

One of the biggest shifts is around the idea of “addressable” controls.
For years, organizations could explain why they weren’t doing something like encryption or multi-factor authentication. Maybe it wasn’t feasible. Maybe there was a compensating control. Maybe it was just deferred.
That flexibility is going away. The proposal drops the distinction between “required” and “addressable” implementation specifications and makes them all required, with only narrow, specifically enumerated exceptions.
Now it’s much simpler: either the control is in place, or it isn’t. And for things like MFA and encryption of ePHI at rest and in transit, the expectation is pretty clear: they need to be there.
That alone is going to force a lot of organizations to revisit assumptions they’ve been operating under for years.
But the bigger change isn’t just what controls you have. It’s whether you can prove they actually work.
Saying “we have logging enabled” isn’t going to be enough. You’ll need to show what’s being logged, who’s reviewing it, how often it’s reviewed, and what happens when something goes wrong. The same goes for vulnerability management, incident response, and pretty much every other control area.
This is where many organizations will feel the pressure. Because it shifts the conversation from “we have it” to “we can demonstrate it.”

Visibility Becomes a Real Issue

Another area that’s going to trip people up is basic visibility.
If you ask most teams where their ePHI lives, you’ll usually get a partial answer. Maybe they know the core systems. Maybe they understand the main workflows. But once you get into edge cases, integrations, or legacy environments, things get fuzzy.
The updated rule pushes hard on asset inventories, network diagrams, and data flow mapping.
That sounds straightforward, but in practice, it’s not. Especially in environments that have grown over time without a lot of centralized governance.
The expectation now is clear: if you can’t map your environment and track how data moves, you’re going to have a hard time defending your security posture.

Vendors Are No Longer Someone Else’s Problem

Third-party risk is another area where I expect to see a lot of friction.
Historically, many organizations have treated vendor security as a checkbox exercise. You get a BAA in place, maybe review a questionnaire, and move on.
That’s not going to hold up anymore.
The expectation is shifting toward real validation. Organizations will need to understand the security posture of their business associates, enforce stronger requirements, and respond quickly when something goes wrong. The proposal puts a number on that last point: a business associate that activates its contingency plan would have to notify the covered entity no later than 24 hours after activation.
In other words, your vendors’ risks are your risks.

This Is Also About Resilience, Not Just Security

One thing that stands out in the proposed changes is the emphasis on recovery.
It’s not just about preventing incidents anymore. It’s about what happens when something inevitably gets through.
Can you respond effectively?
Can you restore systems quickly? (The proposal sets a 72-hour target for restoring critical systems and data.)
Do your backups actually work?
These aren’t theoretical questions anymore. They’re part of the expectation.
That’s a shift from thinking about HIPAA as a privacy and security rule to thinking about it as part of broader operational resilience.

Where This Is Going to Get Difficult

None of these requirements are unreasonable on their own. Most of them align with what we already see in frameworks like the NIST Cybersecurity Framework and SP 800-53, CMMC, or FedRAMP.
The challenge is that many healthcare organizations aren’t operating at that level today.
The gaps tend to show up in the same places:

  • Inconsistent implementation of MFA
  • Limited visibility into assets and data flows
  • Logging without meaningful monitoring
  • Vendor management that’s more contractual than operational
  • Over-reliance on documentation instead of execution

Again, none of this is new. But the tolerance for it is changing.

What I’d Be Doing Now

If you’re responsible for security or compliance, this isn’t something to wait on. Even though the rule isn’t final yet, the direction is clear enough to act. Start by getting a realistic view of your environment. Not a checklist, but an actual assessment of how things work in practice. Validate your core controls: MFA, encryption, and endpoint security. Make sure they’re implemented consistently, not just in pockets.
Build out your asset inventory and understand your data flows. This is foundational, and most organizations are weaker here than they think. And test your processes. Incident response, vulnerability management, and access reviews all need to work under pressure, not just look good on paper. The proposal also sets a cadence for the technical side of this: vulnerability scanning at least every six months and penetration testing at least once every 12 months.
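The “consistently, not just in pockets” point is easiest to test by reconciling the asset inventory against what the control systems actually report. The script below is an added example written for this page, not Accorian’s tooling and not anything from the proposed rule. Every input in it is constructed: in practice the inventory would be a CMDB export, the MFA set an identity-provider report, the log-source set the SIEM’s source list, and the encryption set an endpoint-management report. It flags inventoried hosts missing an expected control (ePHI systems first) and, separately, hosts that show up in telemetry but are missing from the inventory, which is the visibility gap described above.

```python
"""Find control-coverage gaps by reconciling an asset inventory with
control telemetry.

Added example for this page, not Accorian's tooling. Every input below is
constructed; in practice the inventory would come from a CMDB export, the
MFA set from an IdP report, the log-source set from the SIEM, and the
encryption set from endpoint management.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    ephi: bool          # does this asset store or process ePHI?
    missing: list[str]  # controls expected on this host but not observed


# Constructed inventory. `ephi` marks systems that store or process ePHI.
INVENTORY = [
    {"host": "ehr-app-01", "owner": "clinical-it", "ephi": True},
    {"host": "ehr-db-01", "owner": "clinical-it", "ephi": True},
    {"host": "billing-01", "owner": "revenue", "ephi": True},
    {"host": "intranet-01", "owner": "corp-it", "ephi": False},
    {"host": "legacy-lab-01", "owner": "lab", "ephi": True},
]

# Constructed telemetry: hosts on which each control is actually observed.
MFA_ENFORCED = {"ehr-app-01", "ehr-db-01", "billing-01", "intranet-01"}
LOG_SOURCES = {"ehr-app-01", "ehr-db-01", "intranet-01", "vpn-gw-02"}
DISK_ENCRYPTED = {"ehr-app-01", "billing-01", "intranet-01", "vpn-gw-02"}


def reconcile(inventory, mfa, logs, encrypted):
    """Return (findings, unknown_hosts).

    findings: inventoried hosts missing at least one expected control,
              ePHI systems first so remediation can be prioritised.
              MFA and log shipping are expected everywhere; encryption at
              rest is expected wherever ePHI is stored.
    unknown_hosts: hosts that show up in telemetry but not in the
              inventory, i.e. the inventory itself has a visibility gap.
    """
    known = {asset["host"] for asset in inventory}
    findings = []
    for asset in inventory:
        expected = {"mfa": mfa, "logging": logs}
        if asset["ephi"]:
            expected["encryption"] = encrypted
        missing = sorted(
            name for name, covered in expected.items()
            if asset["host"] not in covered
        )
        if missing:
            findings.append(Finding(asset["host"], asset["ephi"], missing))
    findings.sort(key=lambda f: (not f.ephi, f.host))
    unknown = sorted((mfa | logs | encrypted) - known)
    return findings, unknown


def coverage(inventory, observed):
    """Fraction of inventoried hosts on which a control is observed."""
    hosts = [asset["host"] for asset in inventory]
    return sum(h in observed for h in hosts) / len(hosts)


def report(inventory, mfa, logs, encrypted):
    """Human-readable summary; these are the numbers an auditor asks for."""
    findings, unknown = reconcile(inventory, mfa, logs, encrypted)
    lines = [
        f"MFA coverage:        {coverage(inventory, mfa):.0%}",
        f"Log-source coverage: {coverage(inventory, logs):.0%}",
        f"Encryption coverage: {coverage(inventory, encrypted):.0%}",
    ]
    for f in findings:
        tag = "ePHI" if f.ephi else "non-ePHI"
        lines.append(f"GAP  {f.host:<14} [{tag}] missing: {', '.join(f.missing)}")
    for host in unknown:
        lines.append(f"UNKNOWN  {host}: seen in telemetry but not in inventory")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, MFA_ENFORCED, LOG_SOURCES, DISK_ENCRYPTED))
```

The two outputs answer different questions. The coverage percentages and per-host gaps are the evidence that a control is in place everywhere it should be, rather than “enabled” in a policy document; the unknown-host list is the more uncomfortable one, because a host that ships logs or reports disk encryption but is absent from the inventory means the inventory, and therefore the risk analysis built on it, is incomplete.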

Final thought

If there’s one takeaway from all of this, it’s pretty simple:
The standard is changing from “Do you have controls?” to “Can you prove they work?”
That’s a different level of accountability.
Organizations that treat this as just another compliance exercise are going to struggle. The ones that approach it as an opportunity to strengthen how they actually operate will be in a much better position, not just for HIPAA, but for everything else coming behind it.

How Accorian Helps

At Accorian, this is exactly where we’re spending our time with clients right now, helping them move from documented compliance to controls that actually operate the way they’re supposed to. That starts with a realistic view of where things stand today, followed by targeted remediation around core areas like MFA, encryption, asset visibility, and third-party risk. From there, it’s about building repeatable processes, testing them, and making sure the organization can stand up to real scrutiny, not just an audit checklist. The goal isn’t just to get ready for the 2026 HIPAA changes, but to put a foundation in place that holds up as expectations continue to evolve.
