2026 HIPAA Changes Roundup: Every Regulatory Change That Matters
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Updated continuously
2026 has been an active year for HIPAA regulation. From a sweeping proposed overhaul of the Security Rule to new reproductive health protections now in effect, to Part 2 amendments and state law developments — the regulatory landscape has shifted significantly. This roundup covers every change that matters for covered entities and business associates, with status indicators for what's final, proposed, or pending.
1. HIPAA Security Rule Overhaul — Proposed Rule
HHS published an NPRM in January 2025 that would substantially overhaul the HIPAA Security Rule for the first time since 2003. The proposed changes would make several currently "addressable" implementation specifications into mandatory requirements, including:
- Multi-factor authentication (MFA): Required for all remote access to ePHI systems and for privileged accounts
- Annual security risk analysis: Explicitly required annually (the current rule requires periodic analysis but does not specify a frequency)
- Network segmentation: Required to isolate ePHI systems from general corporate networks
- Encryption of ePHI: Required for all ePHI at rest and in transit (currently "addressable", meaning an entity may document that encryption is not reasonable and appropriate and rely on an alternative)
- Vulnerability scanning and penetration testing: Required on a defined schedule (quarterly scanning, annual pen testing)
- Incident response testing: Required annual testing of incident response plans
- Technology asset inventory: Comprehensive documented inventory of all ePHI systems
The Final Rule is expected in late 2026 with a compliance phase-in period. Covered entities and business associates should begin gap assessments now, as the proposed changes will require significant investment for organizations that rely on currently "addressable" alternatives.
2. Reproductive Health Privacy Rule — Final (Effective December 2024)
The HIPAA Privacy Rule to Support Reproductive Health Care Final Rule prohibits covered entities and business associates from using or disclosing PHI to investigate or impose liability on patients, providers, or others for seeking, obtaining, providing, or facilitating lawful reproductive health care.
Key requirements now in effect:
- Covered entities may not respond to law enforcement requests for PHI related to lawful reproductive care without a court order — the previous public interest exception does not apply in this context
- Covered entities must update their Notice of Privacy Practices to describe the new reproductive health privacy protections
- A new attestation requirement applies when certain categories of PHI are requested: the requesting party must attest that the PHI will not be used for reproductive health investigations
If you haven't updated your Notice of Privacy Practices since December 23, 2024, you are out of compliance and should update it immediately.
3. 42 CFR Part 2 February 2026 Final Rule — Final
SAMHSA's February 2026 Final Rule amended Part 2 to allow combined patient consent for treatment, payment, and health care operations (TPO) disclosures, clarified HIE participation, and reinforced the anti-criminalization provisions. See our full Part 2 analysis for details.
4. TEFCA and Interoperability — Implementation Updates
The Trusted Exchange Framework and Common Agreement (TEFCA), administered by ONC, became operational with initial QHINs (Qualified Health Information Networks) certified in late 2023. In 2026, TEFCA participation has grown, and health systems are increasingly connecting via QHINs for interstate data exchange.
HIPAA implications of TEFCA participation:
- QHINs participating in TEFCA are treated as a business associate or as a health care component of a covered entity — BAAs are required with all QHIN participants
- Individual access services (IAS) under TEFCA give patients direct access to their records — covered entities must be prepared to respond
- Part 2 programs must ensure QHIN participation agreements account for Part 2 restrictions on SUD records
5. AI and Health Data — Emerging Guidance
HHS has signaled forthcoming OCR guidance on the use of artificial intelligence in healthcare that involves PHI. Key areas expected to be addressed:
- When AI vendor agreements require BAAs — particularly for AI models trained on or accessing PHI
- Accountability for AI-generated health information in designated record sets
- De-identification standards for PHI used to train AI models
- Patient rights to explanation of automated decisions that significantly affect their care
Organizations deploying AI tools that access PHI should ensure BAAs are in place with AI vendors now, before formal guidance establishes mandatory requirements.
6. Civil Money Penalty Inflation Adjustments — In Effect
HIPAA civil money penalties are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act. The 2026 adjusted maximums are:
| Tier | Per Violation | Annual Cap |
|---|---|---|
| Did not know | $137–$68,928 | $2,067,813 |
| Reasonable cause | $1,379–$68,928 | $2,067,813 |
| Willful neglect, corrected | $13,785–$68,928 | $2,067,813 |
| Willful neglect, not corrected | $68,928–$2,067,813 | $2,067,813 |
7. State Privacy Law Developments
Several states enacted or implemented new health privacy laws in 2025–2026 that impose requirements beyond HIPAA. See our HIPAA vs. State Privacy Laws guide for state-specific details. Key 2026 state developments:
- Washington: My Health My Data Act enforcement has expanded. Covered entities operating in Washington must comply with consent requirements for any collection of consumer health data.
- Nevada: SB 370 (Consumer Health Data Privacy) took effect January 2026, imposing consent requirements for health data collection similar to Washington's MHMD Act.
- Minnesota: HF 1 health data provisions effective July 2025 extend privacy protections to a broad category of "consumer health data" beyond traditional PHI.
- Multiple states: Reproductive health data protection statutes enacted in 2023–2024 continue to interact with HIPAA's new reproductive health rule, creating a complex multi-layered framework for providers in these states.
What to do next
- Update your NPP for 2026 requirements at nppgenerator.com ($49)
- Audit and refresh your BAAs at baagenerator.com ($49 each)
- See OCR enforcement priorities for 2026
- Read the full Part 2 February 2026 analysis
- Prepare for the Security Rule overhaul with a current SRA