The 2026 HIPAA Security Rule Overhaul: Operational Realities for Rural Health Care Organizations


The HIPAA Security Rule is about to undergo its most significant revision since 2013. The proposed changes published in the Federal Register on January 6, 2025 add new requirements on top of existing obligations that many organizations already find difficult to maintain with current staffing and budgets. These are not just technical changes. They are documentation, verification, and process requirements that will demand sustained attention from leadership, IT, and compliance functions simultaneously.

For rural health care organizations already managing day-to-day operations with limited personnel, these additions represent a meaningful increase in administrative and technical workload.

Here is the plain-English breakdown of what is changing, what it means for your vendors, what it means for your organization, and the operational realities rural facilities will need to navigate.

The Language: Understanding the Shift from "Addressable" to "Required"

Before diving into the changes, we need to clarify something that has caused confusion for over two decades.

Under the current HIPAA Security Rule, implementation specifications fall into two categories: "required" and "addressable." Required means exactly what it sounds like. You must implement it.

"Addressable," however, does not mean optional. It never has.

What "addressable" actually means under the current rule is this: you must assess whether the specification is reasonable and appropriate for your environment. If it is, you implement it. If it is not, you must document why it is not reasonable and appropriate, and then implement an equivalent alternative measure that achieves the same protective purpose. The only scenario where you implement nothing is when the standard can be met without the specification and no reasonable alternative exists. Even then, you document that decision.

In other words, "addressable" was never a free pass. It was a structured decision-making process with documentation requirements.

The current rule at 45 CFR 164.306(d)(3) spells this out explicitly.

The problem? According to HHS, "some regulated entities proceed as if compliance with an addressable implementation specification is optional." This interpretation gap has created significant inconsistency across the industry, with organizations in similar circumstances reaching different conclusions about what safeguards they needed to implement. The lack of clear guidance left compliance teams to interpret requirements largely on their own, and those interpretations have varied widely.

The proposed rule eliminates this distinction entirely. Nearly all implementation specifications would become required, with only limited, specific exceptions. It is worth noting that the final rule, when issued, may be modified based on industry feedback and administration priorities. However, the direction of travel is clear.

Key Terms You Will Encounter:

  • Covered Entity: Health plans, health care clearinghouses, and most health care providers who transmit health information electronically. If you are a rural hospital, clinic, or health care provider billing Medicare or Medicaid, you are almost certainly a covered entity.

  • Business Associate: Any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. This includes your EHR vendor, your billing company, your IT managed service provider, and many others.

  • Electronic Protected Health Information (ePHI): Any protected health information that is created, stored, transmitted, or received electronically. For a deeper understanding of what constitutes PHI, see our guide on what is considered protected health information.

  • Implementation Specification: The specific actions or procedures a regulated entity must take to meet a HIPAA Security Rule standard.

What the Proposed Rule Changes for Vendors (Business Associates)

Business associates are about to face significantly more prescriptive requirements. For covered entities, this creates a corresponding increase in oversight responsibility. Compliance is not simply a matter of working with vendors who are secure. It requires being able to verify and document that security on an ongoing basis.

Mandatory Security Documentation: The proposed rule requires business associates to maintain detailed, written documentation of their security measures. This includes technology asset inventories listing every system that handles ePHI and network maps showing how data flows through their systems. These documents must be reviewed at least annually.

For covered entities, this means requesting and reviewing this documentation, not just assuming it exists.

Encryption Without Exception: Encryption of ePHI at rest and in transit would become explicitly required. The current rule makes encryption "addressable," allowing organizations to document why they did not implement it. The proposed rule eliminates this flexibility.

Faster Incident Reporting: Business associates would face tighter timelines for reporting security incidents to covered entities. The proposed rule suggests 24-hour notification requirements for certain incidents.

Patch Management Timelines: The proposed rule includes specific expectations for addressing vulnerabilities. This directly impacts vendor-delivered systems where manufacturers claim their platforms cannot be updated. This is common across health care environments: medication dispensing systems like Omnicell, PACS and imaging platforms, laboratory information systems, and specialized clinical applications. Many of these vendors have historically resisted patching or charged significant fees for updates, citing stability concerns or certification requirements.

What This Means Operationally: Your vendors may need to raise prices to meet these requirements. More importantly, you need to evaluate whether your current vendors can meet these standards at all, and whether you have the internal capacity to verify their compliance. A vendor who cannot demonstrate encryption, maintain proper documentation, or patch systems promptly becomes a liability to your organization. But identifying that gap requires someone with the time and expertise to ask the right questions and evaluate the answers.

Summary of Key Proposed Requirements for Business Associates:

  • Written asset inventories and network maps, reviewed annually
  • Encryption of all ePHI at rest and in transit
  • 24-hour incident notification to covered entities (for certain incidents)
  • Documented patch management processes with defined timelines

What the Proposed Rule Changes for Health Care Organizations (Covered Entities)

For covered entities, the proposed changes touch nearly every aspect of your security program.

Everything Becomes Required: The elimination of "addressable" specifications means you can no longer document why you chose not to implement certain safeguards. Encryption, multi-factor authentication, audit controls, and other previously flexible requirements become mandatory.

For many organizations, this shift requires revisiting decisions made years ago under different interpretations of the rule.

Multi-Factor Authentication (MFA): MFA for all systems containing ePHI would become required with only limited exceptions. If your staff currently logs into your EHR with just a username and password, that changes.

In smaller environments, MFA deployment is often handled informally or in phases. The proposed rule would require formal implementation across all ePHI systems.

72-Hour Recovery Requirement: The proposed rule includes specific requirements for contingency planning, including written procedures to restore critical systems and data within 72 hours of a cybersecurity incident. For guidance on disaster recovery planning specific to rural health care, see our Disaster Recovery Planning Guide.

Many organizations have informal recovery processes that work in practice but lack the documentation the proposed rule would require.

Asset Inventory and Network Mapping: Covered entities would need to maintain a complete inventory of all technology assets that handle ePHI, plus documented network maps showing data flows. These must be updated at least annually or whenever significant operational changes occur.

For organizations where IT responsibilities are distributed across multiple roles, compiling and maintaining this documentation requires coordination that may not currently exist.

Annual Security Testing: The proposed rule requires regular testing of security measures, including vulnerability scanning and penetration testing.

Workforce Sanctions: New specifications require written policies for sanctioning workforce members who violate security policies, plus documentation of any sanctions applied.

Summary of Key Proposed Requirements for Covered Entities:

  • All ePHI encrypted at rest and in transit
  • Multi-factor authentication on all systems with ePHI
  • Written 72-hour recovery procedures for critical systems
  • Complete technology asset inventory, updated annually
  • Network maps documenting ePHI data flows
  • Annual vulnerability scanning and penetration testing
  • Documented workforce sanction policies and enforcement

The Medical Device Problem: When Vendors Hide Behind FDA Certification

Here is where things get complicated for health care organizations, which often find themselves caught between vendor claims and regulatory expectations.

Many medical device vendors claim they cannot patch their systems because doing so would require FDA recertification. This excuse has persisted for years, leaving hospitals and clinics running vulnerable, unpatched medical equipment while believing they have no choice.

This claim is largely false.

The FDA has published explicit guidance addressing this exact issue. In their fact sheet titled "The FDA's Role in Medical Device Cybersecurity", the FDA directly debunks this myth:

"Myth: Medical device manufacturers can't update medical devices for cybersecurity.

Facts: Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity."

The FDA's "Postmarket Management of Cybersecurity in Medical Devices" guidance further clarifies that routine cybersecurity updates and patches, meaning changes to increase device security or remediate vulnerabilities, are generally considered device enhancements that do not require premarket review.

The FDA actually expects manufacturers to make postmarket updates and patches available. The Consolidated Appropriations Act of 2023 (specifically Section 3305, which added Section 524B to the FD&C Act) now requires manufacturers of "cyber devices" to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches." This is federal law, not guidance. Manufacturers must make patches available on a regular cycle for known vulnerabilities, and "as soon as possible out of cycle" for critical vulnerabilities.

Why This Matters for the HIPAA Proposed Rule: The proposed HIPAA Security Rule includes specific expectations for patch management timelines. When the new requirements say you must patch systems within defined timeframes, you cannot accept "FDA certification" as an excuse from vendors.

This puts health care organizations in the position of refereeing between what vendors claim and what regulators actually require. That requires understanding both sets of requirements well enough to push back effectively.

If a vendor tells you they cannot patch a medical device for cybersecurity, ask them to show you the FDA guidance that prevents them. They will not be able to, because that guidance does not exist. What exists is FDA guidance explicitly stating they can and should patch.

For more information on current HIPAA patching requirements, see our article on HIPAA Software Patching Requirements.

The Shrinking Space for Vendor Exemptions: HIPAA does not currently have a formal process for exemption requests based on vendor limitations. Organizations have sometimes treated vendor claims as de facto exemptions, documenting that a system "cannot be patched" or "cannot support encryption" and moving on. With the proposed changes making nearly all specifications required rather than addressable, that approach becomes significantly harder to defend.

The direction of regulatory change suggests that vendor limitations will carry less weight as an excuse for non-compliance going forward. The informal cover that organizations have relied on, where pointing to a vendor's constraints provided some protection, appears to be diminishing. If your security posture depends on exemptions you have granted yourself based on what vendors told you, that posture may need re-evaluation.

The Alignment Between FDA and HIPAA: The reality is that FDA and HIPAA requirements have always been aligned on the fundamental point: systems that handle patient data should be secure, maintained, and patched. The FDA has never prevented security patching. HIPAA has always required reasonable safeguards. What the proposed HIPAA changes and the FDA's Section 524B requirements do is make this alignment explicit and harder to ignore.

The days of playing one regulatory framework against another, or hiding behind misunderstandings of either, are coming to a close.

The Operational Realities for Rural Health Care Organizations

Rural health care facilities operate within constraints that shape how these proposed requirements will actually play out in practice.

Role Compression: Many rural critical access hospitals operate with a single IT person who also handles facilities, biomedical equipment, and half a dozen other responsibilities. That person may be approaching retirement after decades of building and maintaining systems. The proposed requirements for documentation, testing, and monitoring assume dedicated resources that do not reflect how work actually gets divided in smaller organizations.

Budget Constraints: HHS estimates first-year compliance costs around $9 billion across all regulated entities, with annual costs of approximately $6 billion in subsequent years. Those costs will hit rural facilities proportionally harder than large health systems with dedicated compliance departments and economies of scale.

Vendor Dynamics: Large health systems can negotiate with vendors from a position of leverage. A 25-bed critical access hospital does not have the same ability to demand encryption, patching commitments, or compliant business associate agreements. Vendors know this.

Legacy Infrastructure: Rural facilities often run older systems because replacement costs are prohibitive. The proposed encryption and MFA requirements may force difficult decisions about systems that cannot support modern security measures and cannot be easily replaced.

Connectivity: Cloud-based security tools assume reliable internet connectivity. Many rural areas still struggle with broadband access, making some compliance approaches impractical regardless of budget.

What Organizations Are Doing Now

The proposed rule is not yet final. The comment period closed on March 7, 2025, and the final rule remains on OCR's regulatory agenda for May 2026, though experts describe this timeline as aspirational. OCR received approximately 5,000 comments, many of them critical of the cost and rigidity of the proposed requirements. Delays or modifications are common in rulemaking, especially following administration transitions. A 180-day compliance window would follow publication of any final rule, potentially pushing full implementation into late 2026 or 2027 depending on when the rule is actually issued. Some provisions may be softened in the final version based on industry feedback.

However, the direction is clear, and preparation now reduces disruption later.

Conducting Gap Analyses: Organizations are reviewing current security measures against the proposed requirements. Where do they stand on encryption, MFA, asset inventories, network documentation, and backup/recovery capabilities?

Evaluating Vendors: This means requesting documentation from business associates about their security practices. Can they demonstrate encryption? Do they have documented patch management processes? Are their business associate agreements current?

Challenging Medical Device Vendors: When vendors claim they cannot patch or update systems due to FDA certification, organizations are asking them to provide the specific FDA guidance supporting that claim. The FDA fact sheet linked above is a useful reference.
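The gap analysis and vendor challenge described above can be driven from the asset inventory the proposed rule already requires you to keep. The script below is an added example, not code from the article or from visuaFUSION: it checks a constructed inventory of ePHI systems against the requirements named in this article (encryption at rest and in transit, MFA, a written 72-hour recovery procedure, annual inventory review, and a patch timeline) and flags any vendor patch claim that cites FDA certification so it can be challenged. The asset names, dates and the 30-day patch window are assumptions; the proposed rule only speaks of "defined timelines".

```python
"""Gap check of an ePHI asset inventory against the proposed Security Rule items
named in the article. Added example; inventory contents are constructed."""
from dataclasses import dataclass
from datetime import date

INVENTORY_REVIEW_MAX_DAYS = 365  # "at least annually" per the proposed rule
PATCH_MAX_DAYS = 30              # ASSUMPTION: the proposal only says "defined timelines"


@dataclass
class Asset:
    name: str
    handles_ephi: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    last_patched: date
    last_inventory_review: date
    recovery_procedure_documented: bool   # written procedure to restore within 72 hours
    vendor_patch_claim: str = ""          # free text recorded from the vendor, if any


def find_gaps(asset: Asset, today: date) -> list[str]:
    """Return the proposed-rule requirements this asset does not meet."""
    if not asset.handles_ephi:
        return []  # the ePHI-specific requirements do not apply
    gaps: list[str] = []
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if not asset.mfa_enforced:
        gaps.append("no multi-factor authentication")
    if not asset.recovery_procedure_documented:
        gaps.append("no written 72-hour recovery procedure")
    review_age = (today - asset.last_inventory_review).days
    if review_age > INVENTORY_REVIEW_MAX_DAYS:
        gaps.append(f"inventory entry last reviewed {review_age} days ago "
                    f"(limit {INVENTORY_REVIEW_MAX_DAYS})")
    patch_age = (today - asset.last_patched).days
    if patch_age > PATCH_MAX_DAYS:
        msg = f"last patched {patch_age} days ago (assumed {PATCH_MAX_DAYS}-day window)"
        if "fda" in asset.vendor_patch_claim.lower():
            # FDA guidance says cybersecurity patches normally need no premarket review
            msg += "; vendor cites FDA certification, request the specific FDA guidance"
        gaps.append(msg)
    return gaps


def gap_report(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its list of gaps."""
    return {a.name: gaps for a in assets if (gaps := find_gaps(a, today))}


AS_OF = date(2026, 1, 15)  # constructed report date

# Constructed sample inventory: a compliant EHR host, a medication dispensing
# system whose vendor refuses to patch, and an out-of-scope system.
SAMPLE_INVENTORY = [
    Asset("ehr-app-01", True, True, True, True,
          date(2026, 1, 5), date(2025, 11, 1), True),
    Asset("pharmacy-dispense-01", True, False, True, False,
          date(2024, 6, 1), date(2024, 12, 1), False,
          vendor_patch_claim="cannot patch without FDA recertification"),
    Asset("guest-wifi-portal", False, False, False, False,
          date(2025, 12, 1), date(2025, 12, 1), False),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_INVENTORY, AS_OF).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Running it prints only the dispensing system, with five findings, the last of which records that the vendor's FDA claim needs to be substantiated. Feeding the same checks the inventory you already maintain turns the annual review into a repeatable report rather than a one-off spreadsheet exercise.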

Reviewing Enterprise Licensing: Modern security features like BitLocker encryption, Windows Defender for Endpoint, and Conditional Access policies require appropriate licensing. Many rural facilities are paying for Microsoft licensing that does not include the security tools they need, or they are missing out on programs like Microsoft's Rural Hospital Program (also known as the Rural Health Resiliency Program) that could provide enterprise-grade capabilities at reduced cost. These programs can include nonprofit pricing, discounted or free security tools, Windows 10 Extended Security Update (ESU) extensions, cybersecurity assessments, and training resources. Over 700 rural hospitals have participated in similar Microsoft initiatives. For more information on enterprise licensing benefits, see our article on Enterprise Licensing for Health Care Organizations. Program details are subject to change, with eligibility criteria set by Microsoft. Rural facilities should verify current eligibility directly through Microsoft or resources like the "Data on Urban and Rural Hospitals" database.

Considering External Support: The proposed requirements assume ongoing security monitoring, regular testing, and rapid incident response. For many rural organizations, completing these steps requires coordination across IT, compliance, vendors, and leadership. Sustaining that coordination internally, particularly with compressed roles and competing priorities, is difficult.

The Bottom Line

The proposed HIPAA Security Rule changes are significant, but they are not unreasonable. Most of what the rule proposes reflects security practices that responsible organizations should already be following. Encryption, MFA, patching, and documentation are not cutting-edge concepts. They are baseline expectations in any industry handling sensitive data.

The challenge for rural health care is not that these requirements are unfair. It is that implementing and maintaining them requires sustained effort across multiple functions, with documentation and verification that many organizations have not formalized.

The health care sector faces increasing cybersecurity threats. Rural facilities are not exempt from those threats simply because they are small or resource-constrained. Attackers do not check bed counts before deploying ransomware.

Understanding what is coming gives you time to prepare.


This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.


About visuaFUSION Systems Solutions

visuaFUSION Systems Solutions is a Microsoft CSP Partner that works with rural health care organizations navigating IT complexity. Our team sees these challenges across critical access hospitals and rural clinics daily through our HealthNet managed services, which provide enterprise-grade IT capabilities through a cost-sharing model designed for the operational realities of smaller facilities.

Leveling the IT Playing Field for Rural Health Care Organizations

For questions about this article or to discuss how these proposed changes intersect with your organization's situation, reach out at info@visuafusion.com or (308) 708-7490.
