The 2026 HIPAA Security Rule Overhaul: What Every MSP Must Do Before the Deadline
The biggest HIPAA update in a decade is being finalized now. Encryption, MFA, and penetration testing are all becoming mandatory. Here's exactly what changes, when it takes effect, and how MSPs should prepare their healthcare clients.
The Biggest HIPAA Update in a Decade Is Here
If you manage healthcare clients, this is the most important compliance development of the year.
The Department of Health and Human Services (HHS) is finalizing a complete overhaul of the HIPAA Security Rule — the first major rewrite since 2013. The proposed rule was published in January 2025, the comment period closed, and the final rule is expected to be published in mid-2026 with compliance deadlines following 180 days later.
This isn't a minor tweak. The update eliminates the distinction between "addressable" and "required" implementation specifications, making controls that many organizations treated as optional now explicitly mandatory. For MSPs serving healthcare, this means your clients' compliance programs need a significant upgrade — and they're going to need your help.
Here's everything that's changing, what the timeline looks like, and exactly what you should be doing right now.
What's Changing: The Key Updates You Need to Know
1. "Addressable" Is Dead — Everything Is Now Required
This is the single biggest change. Under the current rule, certain safeguards are labeled "addressable," meaning organizations can choose alternative measures or document why a safeguard isn't reasonable. In practice, many small healthcare providers used this as a loophole to avoid implementing controls they considered too expensive or complex.
Under the new rule, every specification is required. There are limited exceptions for certain situations, but the default expectation is full implementation. No more wiggle room.
What this means for your clients: Controls they've been "addressing" by documenting why they don't need them — things like encryption at rest, audit logging, and network segmentation — now need to be fully implemented.
What this means for you as an MSP: Every client gets the same baseline. This actually simplifies your compliance program because you're not managing different implementation levels per client.
2. Encryption Is Mandatory Everywhere
The new rule requires encryption of all electronic Protected Health Information (ePHI) — both at rest and in transit. No exceptions, no alternative measures.
Specific requirements:
- All ePHI must be encrypted at rest on endpoints, servers, and storage devices
- All ePHI must be encrypted in transit (TLS 1.2 or higher)
- Encryption keys must be managed with documented procedures
- Full-disk encryption on any device that touches ePHI (laptops, workstations, mobile devices)
- Cloud storage containing ePHI must use encryption with customer-managed keys where possible
What to check now:
- Are all client workstations running BitLocker or FileVault? Is it enforced via MDM/RMM?
- Is email encryption in place for messages containing PHI?
- Are databases encrypted at rest? (Not just the disk — application-level encryption)
- Are backup files encrypted?
- Is TLS enforced on all web applications handling ePHI?
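To turn the first and last of these checks into evidence an RMM can collect, here is an added example (not code from the original article): an endpoint audit that reports BitLocker state per volume and whether legacy TLS is explicitly disabled in SCHANNEL. It assumes a Windows 10/11 or Server endpoint with the BitLocker module, run elevated; the function name and output shape are this example's own choices.

```powershell
# Added example, not from the original article: endpoint audit an MSP could push via RMM
# to evidence full-disk encryption per volume and explicit TLS 1.0/1.1 disablement.
# Assumes Windows 10/11 or Server with the BitLocker module, run elevated.

function Get-EphiEncryptionPosture {
    $findings = @()

    # Full-disk encryption: each volume must be fully encrypted, protection on, and carry a
    # recovery password protector (a locked disk should be recoverable, not lost ePHI)
    foreach ($v in Get-BitLockerVolume -ErrorAction Stop) {
        $recovery = @($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On') -and
              ($recovery.Count -gt 0)
        $findings += [pscustomobject]@{
            Control   = 'FDE'
            Item      = $v.MountPoint
            Compliant = $ok
            Detail    = "Status=$($v.VolumeStatus) Protection=$($v.ProtectionStatus) " +
                        "Method=$($v.EncryptionMethod) RecoveryPassword=$($recovery.Count -gt 0)"
        }
    }

    # Transport encryption: TLS 1.0 and 1.1 should be explicitly disabled (Enabled=0) for both
    # server and client roles. An absent value means "OS default", which cannot be verified
    # from the registry alone, so it is reported as non-compliant for the auditor.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            $findings += [pscustomobject]@{
                Control   = 'TLS'
                Item      = "$proto $side"
                Compliant = ($null -ne $enabled) -and ($enabled -eq 0)
                Detail    = $(if ($null -eq $enabled) { 'Enabled not set (OS default)' } else { "Enabled=$enabled" })
            }
        }
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Checked   = (Get-Date).ToString('o')
        Compliant = @($findings | Where-Object { -not $_.Compliant }).Count -eq 0
        Findings  = $findings
    }
}

# Emit JSON so the RMM or documentation tool can file it as compliance evidence
Get-EphiEncryptionPosture | ConvertTo-Json -Depth 4
```

Run it as a scheduled RMM script and store the JSON per host; a change from Compliant=true to false is exactly the compliance drift Phase 3 asks you to watch for.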
3. Multi-Factor Authentication (MFA) Is Now Mandatory for All ePHI Access
Under the current rule, MFA isn't explicitly required. That changes. The new rule mandates MFA for any system, application, or service that accesses ePHI.
Specific requirements:
- MFA required for all users accessing systems containing ePHI
- MFA required for remote access (this was already common, but now codified)
- MFA required for administrative/privileged access
- Phishing-resistant MFA methods are recommended (FIDO2, hardware keys) but not yet mandated
- MFA cannot be bypassed — no "trusted network" exceptions
The MSP opportunity: Many small practices have MFA on their Microsoft 365 accounts but nowhere else. EHR systems, practice management software, billing platforms, file shares — all of these need MFA now. This is a concrete, billable project for every healthcare client.
4. Annual Penetration Testing and Biannual Vulnerability Scans
The new rule introduces explicit requirements for security testing that didn't exist in the original 2003/2013 rule:
- **Penetration testing:** Required annually, conducted by qualified personnel
- **Vulnerability scanning:** Required every 6 months at minimum
- **Results must be documented** and remediation tracked
- Testing must cover all systems that process, store, or transmit ePHI
What this means for MSPs:
- You need a pen testing partner or capability (most MSPs don't do this in-house)
- Vulnerability scanning can be done with tools you likely already have (Nessus, Qualys, etc.)
- Every test needs documentation: scope, findings, severity, remediation plan, remediation verification
- This is another billable service line — annual pen tests typically run $5,000–$15,000 per client
5. 72-Hour Restoration and 24-Hour Breach Notification to Business Associates
The new rule tightens incident response requirements significantly:
- **Restore critical systems within 72 hours** of a disruption (this is new — no specific timeframe existed before)
- **Notify business associates within 24 hours** of discovering a breach (currently 60 days for covered entities to notify HHS)
- Documented and tested incident response plans are required (not just "have a plan" — it must be tested)
- Annual tabletop exercises or simulations are expected
The backup and DR angle: Your clients' backup and disaster recovery strategy needs to demonstrably meet the 72-hour restoration requirement. This means documented RTOs, tested restores, and evidence that it actually works — not just "we have backups in the cloud."
6. Technology Asset Inventory and Network Mapping
The new rule requires covered entities to maintain:
- A **complete inventory of technology assets** that create, receive, maintain, or transmit ePHI
- A **network map** showing how ePHI flows through the organization
- Both must be **updated at least annually** and whenever significant changes occur
For MSPs: This is what you already do (or should be doing) with your RMM and documentation tools. The difference is that it now needs to be formalized, tied specifically to ePHI, and presented in a compliance-ready format. Asset discovery tools and network mapping become compliance evidence, not just operational tools.
7. Business Associate Agreement (BAA) Overhaul
BAAs must now include specific technical requirements, not just general obligations:
- BAAs must specify the security controls the business associate implements
- Business associates (including MSPs) must verify their own compliance annually
- Covered entities must verify that BAs are meeting their obligations
- MSPs who handle ePHI are business associates — your own compliance program needs to be airtight
Critical for MSPs: If you manage infrastructure for healthcare clients, you ARE a business associate. You need your own compliance program, your own risk assessments, and you need to be able to demonstrate compliance to your clients.
Timeline: When Does This Take Effect?
| Milestone | Expected Date |
|---|---|
| Proposed Rule Published | January 2025 |
| Comment Period Closed | March 2025 |
| Final Rule Published | Mid-2026 (expected May–July) |
| Compliance Deadline | 180 days after final publication |
| Likely Compliance Date | **Late 2026 or Q1 2027** |
Why you should act now: 180 days sounds like a lot, but implementing encryption across all endpoints, deploying MFA to every ePHI system, setting up vulnerability scanning, scheduling pen tests, updating BAAs, and documenting everything takes time. MSPs who wait for the final rule to start will be scrambling.
The MSP Action Plan: What to Do Right Now
Phase 1: Assess (This Month)
For every healthcare client, answer these questions:
1. **Encryption:** Is ePHI encrypted at rest and in transit everywhere? Including endpoints, backups, email, databases, and cloud storage?
2. **MFA:** Is MFA enabled on every system that touches ePHI? Not just Microsoft 365 — EHR, practice management, billing, file shares, VPN?
3. **Asset inventory:** Do you have a complete list of every device and system that touches ePHI?
4. **Network map:** Is there a documented diagram showing how ePHI flows through the organization?
5. **Incident response:** Is there a written, tested incident response plan that meets the 72-hour restoration requirement?
6. **BAA status:** Is your BAA with each client current? Does it need to be updated with specific technical controls?
Phase 2: Remediate (Next 60–90 Days)
Priority order (highest risk first):
1. **Deploy MFA everywhere** — Start with EHR systems and any application without MFA. Use conditional access policies to enforce rather than rely on user compliance.
2. **Encrypt everything** — Enforce BitLocker/FileVault via RMM. Enable TLS on all web apps. Verify database encryption. Encrypt backup files.
3. **Set up vulnerability scanning** — Deploy scanning on a biannual schedule. Document baseline results and start remediation.
4. **Update incident response plans** — Document 72-hour restoration procedures. Schedule a tabletop exercise with each client.
5. **Build asset inventories** — Export from your RMM, cross-reference with client records, tag ePHI-touching assets.
6. **Schedule penetration testing** — Line up a qualified pen testing firm now — they'll be booked solid once the final rule drops.
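One way to carry out step 1's "enforce via conditional access" point, as an added example that is not the article's or Microsoft's own code: an Entra ID Conditional Access policy that requires MFA for every user on every cloud app with no trusted-location exclusion, matching section 3's "no trusted network exceptions". It assumes the Microsoft.Graph PowerShell module and an admin granted the listed scopes; the policy name and the break-glass account ID are placeholders of this example.

```powershell
# Added example (not from the article or Microsoft): Conditional Access policy requiring MFA
# for all users on all cloud apps, with no trusted-location carve-out. Assumes the
# Microsoft.Graph module; the break-glass object ID is a placeholder to fill in.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# PLACEHOLDER: object ID of the vaulted emergency-access account, the only exclusion an
# auditor should see; leave empty to exclude nobody
$breakGlassId = ''

$users = @{ includeUsers = @('All') }
if ($breakGlassId) { $users.excludeUsers = @($breakGlassId) }

$policy = @{
    displayName   = 'HIPAA - Require MFA for all ePHI access'
    state         = 'enabledForReportingButNotEnforced'   # validate in report-only, then set to 'enabled'
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')      # browsers and rich clients; legacy clients that cannot do MFA are blocked
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @()     # deliberately empty: no "trusted network" bypass
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Record what the compliance file needs: policy id, state, and proof of zero location exclusions
[pscustomobject]@{
    PolicyId           = $created.Id
    State              = $created.State
    LocationExclusions = @($created.Conditions.Locations.ExcludeLocations).Count
}
```

Review the sign-in logs in report-only mode for a few days, then switch state to 'enabled'; the returned object is the artifact to attach to the client's MFA evidence.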
Phase 3: Document and Monitor (Ongoing)
- Generate compliance evidence reports monthly
- Track remediation progress for each gap identified
- Maintain audit-ready documentation for each client
- Monitor for compliance drift (new devices, configuration changes, expired controls)
- Update BAAs with specific technical requirements
How to Talk to Your Healthcare Clients About This
Your clients are going to hear about the HIPAA changes from their attorneys, insurance brokers, and industry publications. You want to be the one who brings it up first — it positions you as the expert and creates a natural conversation about expanding services.
The email you should send this week:
> Subject: Important HIPAA Security Rule Changes Coming — Here's What You Need to Know
>
> Hi [Client Name],
>
> I wanted to give you a heads-up about significant changes to the HIPAA Security Rule that are being finalized this year. The updated rule makes several security controls mandatory that were previously optional, including encryption, multi-factor authentication, annual penetration testing, and 72-hour system restoration.
>
> The compliance deadline will be approximately 180 days after the final rule is published, likely putting it in late 2026 or early 2027.
>
> I've already started reviewing your current security posture against the new requirements. I'll have a gap assessment ready for you by [date] so we can plan any necessary changes well ahead of the deadline.
>
> Happy to discuss further if you have questions.
This does three things: positions you as proactive, creates urgency, and opens the door to a compliance engagement.
The Revenue Opportunity for MSPs
The HIPAA overhaul isn't just a compliance burden — it's a significant revenue opportunity if you're positioned correctly:
| Service | Typical Pricing |
|---|---|
| HIPAA Gap Assessment (new requirements) | $2,500–$5,000 per client |
| MFA Deployment (beyond M365) | $1,000–$3,000 per client |
| Encryption Audit + Remediation | $1,500–$4,000 per client |
| Annual Penetration Test Coordination | $5,000–$15,000 per client |
| Ongoing Compliance Monitoring | $300–$500/month per client |
| Incident Response Plan Development | $2,000–$5,000 per client |
| BAA Review and Update | $500–$1,500 per client |
A single 20-provider medical group could represent $15,000–$30,000 in project revenue plus $300–$500/month in ongoing monitoring. Multiply that across your healthcare client base.
What This Means for MSPs Who Are Also Business Associates
Don't forget: you need to comply too. If you handle ePHI on behalf of your clients (managing their servers, backing up their data, administering their email), you are a business associate under HIPAA.
The new rule's requirements apply to you directly:
- Your own systems need MFA, encryption, vulnerability scanning, and pen testing
- You need your own documented risk assessment and incident response plan
- You need to be able to demonstrate compliance to your clients
- Your BAAs need to reflect the specific controls you implement
The credibility angle: An MSP that can say "we've already updated our own compliance program for the new HIPAA requirements, and here's how we're going to help you do the same" has a massive advantage over competitors who haven't even read the proposed rule.
Key Takeaways
1. **The HIPAA Security Rule overhaul is real and imminent.** The final rule is expected mid-2026 with a 180-day compliance window.
2. **"Addressable" is going away.** Encryption, MFA, pen testing, and vulnerability scanning are all becoming explicitly mandatory.
3. **Start assessing now.** Don't wait for the final rule — the requirements are clear from the proposed rule, and getting ahead gives you a competitive advantage.
4. **This is a revenue opportunity.** Healthcare clients need help, and they'll pay for it. MSPs who lead with compliance will win and retain these accounts.
5. **You need to comply too.** As a business associate, the same rules apply to your own organization.
The MSPs who act on this now — before the final rule drops, before their competitors catch up, before their clients start panicking — will be the ones who capture the revenue and build the relationships that last.
*Need to track HIPAA compliance across all your healthcare clients from a single dashboard? Start your free trial of Nuronus — run gap assessments, generate audit-ready reports, and monitor compliance drift automatically across every framework including the updated HIPAA Security Rule.*
Nuronus Team
MSP Compliance Experts
