The Big Change
The HIPAA Security Rule hasn't been substantially updated since 2013. The 2026 Notice of Proposed Rulemaking (NPRM) changes everything.
The headline: "Addressable" safeguards become Required. Under the current rule, organizations can document why an "addressable" safeguard isn't necessary and implement an alternative. Under the NPRM, that option disappears. Every safeguard becomes mandatory.
What This Means in Practice
| Requirement | Current Rule | 2026 NPRM |
|---|---|---|
| Multi-Factor Authentication | Addressable | Required |
| Encryption at Rest | Addressable | Required |
| Vulnerability Scans | Not Specified | Every 6 Months |
| Penetration Tests | Not Specified | Every 12 Months |
| Risk Analysis | Required | Annual + Technology Map |
| Compliance Audit | Not Specified | Annual |
The Timeline
The Penalty Structure
HIPAA penalties are severe and cumulative:
| Tier | Per Violation | Annual Cap |
|---|---|---|
| Did Not Know | $141 – $71,162 | $2.13M |
| Reasonable Cause | $1,424 – $71,162 | $2.13M |
| Willful Neglect (Corrected) | $14,232 – $71,162 | $2.13M |
| Willful Neglect (Not Corrected) | $71,162 – $2.13M | $2.13M |
Criminal penalties can include up to 10 years imprisonment.
What To Do Now
The 63-Point Scanner
0nCore's HIPAA Scanner checks:
Plus 7 administrative attestation checks. Results include dual scoring (current law vs NPRM), prioritized remediation roadmap, and state-specific compliance overlays.
Scan your healthcare website for free at rocketopp.com/hipaa. 63 checks, 30 seconds, no PHI collected.