
HIPAA is changing in 2026, but the picture is far more complicated than the urgent headlines suggest. Some changes are real, finalized, and have deadlines that have already passed. Other changes were widely covered last year, then quietly vacated by a federal court ruling that most articles still have not updated to reflect. The big Security Rule overhaul that everyone is talking about is still proposed and may never be finalized in its current form. Knowing the difference matters, because preparing for the wrong rule wastes money, and ignoring the right ones creates real liability. For healthcare practices in Central Illinois, the right response to 2026 is neither panic nor inaction. It is steady security work, accurate documentation, and a clear-eyed view of what is actually required versus what is being talked about.
At a glance: The February 16, 2026 deadline to update Notices of Privacy Practices is real, but the rule that survived is the substance use disorder (Part 2) alignment, not the reproductive health protections most articles still describe. The reproductive health portion of the 2024 HIPAA Privacy Rule was vacated by a federal court in June 2025 and is no longer enforceable. Practices that already updated their NPPs with reproductive health language should consider removing it. The major 2026 Security Rule update is still a proposed rule. The Notice of Proposed Rulemaking was published in late 2024, the comment period closed in March 2025, and HHS missed its May 2026 target for finalization. The most-cited HIPAA deficiency in OCR enforcement actions remains inadequate risk analysis. This has been true for many years and is not changing. The right preparation is steady, ongoing security practice that holds up under audit. It is not last-minute compliance theater for rules that may shift again.
If you run a healthcare practice in Central Illinois and you have been reading articles about the 2026 HIPAA changes, you are probably encountering a mix of urgent deadlines, vague timelines, partially obsolete information, and conflicting interpretations. This is what we have sorted out, and what we recommend to the practices we work with.
What Is Actually Required Right Now?
Before talking about what is changing, it helps to know what is already in effect, because the answer is different from what most articles describe.
The February 16, 2026 deadline for updating Notices of Privacy Practices (NPPs) is real and has passed. But the rule that actually survived to that deadline is not the one most articles still reference. Two separate 2024 rulemakings both pointed at the February 2026 NPP deadline: a reproductive health privacy rule and an alignment between HIPAA and 42 CFR Part 2 (the regulations governing substance use disorder treatment records).
In June 2025, the U.S. District Court for the Northern District of Texas vacated most of the reproductive health rule in Purl v. HHS. The reproductive health provisions, including the attestation requirement many practices started preparing for, are no longer enforceable. HHS confirmed in a follow-up press release that covered entities are not required to implement the vacated provisions. Practices that already updated their NPPs to include reproductive health language should remove it, because it now describes a requirement that no longer exists.
The Part 2 alignment update did survive and is what the February 16, 2026 NPP deadline actually applies to. Every HIPAA-covered entity must have updated their NPP to reflect the substance use disorder confidentiality framework changes. If your practice has not done this, that is an immediate compliance gap with no ambiguity.
The HIPAA Security Rule, which governs the technical and administrative safeguards around electronic protected health information (ePHI), is what most of the 2026 conversation is actually about. The Security Rule itself has not changed yet. The version currently being enforced is the same one that has been in place for years. Risk analysis remains the most-cited deficiency in OCR enforcement actions, and that has been true for more than a decade.
So as of mid-2026, the practical state of affairs is: NPPs needed to be updated for substance use disorder confidentiality by February 16 (not for the vacated reproductive health rule), Security Rule technical requirements are unchanged from prior years, and the dramatic Security Rule overhaul is still proposed but not finalized.
What Is Actually Being Proposed?
The big 2026 HIPAA conversation centers on the Notice of Proposed Rulemaking (NPRM) that HHS published on December 27, 2024. The proposed changes would represent the most substantial overhaul of HIPAA security requirements since the original rule.
The largest proposed changes include:
- Elimination of “addressable” controls. Currently, certain HIPAA safeguards are “addressable,” meaning your practice can document a reason for not implementing them. The proposed rule would eliminate this flexibility for most controls, making them mandatory across the board.
- Mandatory encryption of ePHI at rest and in transit, regardless of organization size.
- Mandatory multi-factor authentication (MFA) for all systems accessing ePHI.
- Annual risk assessments and compliance audits with documented methodology and remediation tracking.
- Network segmentation to isolate ePHI systems from general business networks.
- 72-hour incident response capability with documented procedures and rehearsed plans.
- Annual penetration testing by qualified third parties.
- Asset inventories and network mapping that are kept current rather than static.
- Stricter business associate oversight, including written attestations and enhanced documentation.
These are the changes that healthcare IT consultants have been writing about urgently. Most articles treat them as essentially inevitable, with compliance dates in late 2026 or early 2027.
Why You Should Be Careful About Trusting That Timeline
Here is the part most articles skip. As of June 2026, the final rule has not been published.
HHS originally targeted May 2026 for finalization. That window has passed. The comment period on the NPRM closed in March 2025, and the agency has been working through the feedback since then. A coalition of over 100 hospital and healthcare provider groups submitted formal requests asking HHS to withdraw the proposal entirely, citing implementation costs, technical complexity, and concerns about the timeline. The Trump administration’s regulatory priorities are different from the Biden administration that proposed the rule, which adds uncertainty about whether and when the rule will be finalized.
None of this means the proposed changes will not happen. They probably will, in some form, eventually. But the confident 2026 deadlines you see in some articles are not actually backed by a finalized rule. The compliance timeline that most articles cite assumes the rule is published soon, with a 180 to 240 day grace period after publication. As of right now, the clock has not started.
For practice owners, this creates a strange situation. You should not ignore the proposed changes, but you also should not invest heavily in compliance work for a rule that may be modified or withdrawn. The right approach is to do the security work that is valuable regardless of whether the rule is finalized, and to position your practice to be ready when the final rule actually publishes.
What Should You Actually Be Doing Right Now?
The honest answer is that most of the proposed changes are security practices that healthcare organizations should already be doing. The proposed Security Rule update is mostly codifying what reasonable healthcare security has looked like for years. If your practice has implemented these controls already, the eventual final rule will require documentation work but probably not major new implementation.
Here is what we actually recommend to healthcare clients in Central Illinois:
Verify your Notice of Privacy Practices is current. The February 16, 2026 deadline applied to the substance use disorder (Part 2) alignment update. If your NPP has not been updated to reflect those changes, that is an immediate gap. At the same time, if you updated your NPP in anticipation of the reproductive health rule (which was vacated by a federal court in June 2025), the reproductive health language should be removed. NPP accuracy matters more than NPP urgency.
Conduct or update your HIPAA Security Risk Assessment. Inadequate risk analysis is the single most-cited deficiency in OCR enforcement actions, and this has been true for years. This is not a checkbox exercise. It is a written evaluation of where ePHI lives in your practice, what threats it faces, what controls are in place, and what gaps still exist. The free OCR/ONC Security Risk Assessment tool helps with the structure. Professional risk assessments typically cost $5,000 to $30,000 depending on practice complexity, but they produce documentation that survives an audit. Either way, the assessment must exist, must be dated, and must be reviewed at least annually.
Implement multi-factor authentication on everything. This is going to be mandatory eventually, and even before then, MFA is one of the most effective security controls a practice can implement. If your EHR, email, and remote access systems do not have MFA, the eventual rule will require it and your insurance carrier probably already does.
Verify encryption of ePHI at rest and in transit. Modern systems handle this by default in most cases, but practices using older infrastructure sometimes have gaps. Verify rather than assume.
Build a real incident response plan. A documented plan that has been rehearsed at least once by the people who would actually execute it. The 72-hour response window in the proposed rule is aggressive, but practices that have an actual plan can meet it. Practices relying on improvisation cannot. The IBM 2025 Cost of a Data Breach Report puts the average healthcare breach at $11 million, which is the most expensive category they track. The financial gap between practices with rehearsed response plans and practices without is measured in millions.
Review your business associate agreements. Every vendor who touches ePHI needs a current BAA, and your practice needs documentation that you are verifying their compliance posture rather than just trusting it. This is a practical area where proposed and final rules align: vendor oversight is going to get stricter regardless.
Document everything. OCR enforcement actions reliably focus on what practices can prove they did, not what they actually did. Written policies, documented procedures, dated assessments, and incident response records are the difference between defensible compliance and confident-but-undocumented compliance.
Why DIY HIPAA Compliance Is Harder Than It Looks
Most small healthcare practices try to handle HIPAA compliance internally. The practice administrator becomes the de facto compliance officer. The IT person who runs the EHR becomes the technical security lead. Documentation lives in a binder somewhere or on a shared drive that nobody updates.
This works until it does not. The patterns we see when small practices fail HIPAA audits are similar. The risk assessment is several years old or was never done. Policies exist but were not updated when systems changed. The incident response plan is theoretical because nobody has rehearsed it. The encryption status of various systems is assumed but never verified. The business associate agreements are signed but not actively managed.
None of this is incompetence. It is just the reality of trying to manage compliance alongside running a healthcare practice. The administrator and IT person are doing their actual jobs full-time, and compliance gets the attention left over. When OCR shows up, that gap becomes visible.
The practices we work with that have the cleanest compliance posture have one of two things: a dedicated compliance officer (rare in practices under 100 employees), or an IT partner who handles the security and documentation work as part of an ongoing relationship. Either approach works. Trying to do it ad hoc rarely does.
How Does Facet Approach Healthcare IT and HIPAA?
Facet has supported Central Illinois businesses for over 30 years, and our healthcare client base includes medical practices, dental practices, chiropractors, med spas, and behavioral and mental health providers across the region. Our approach to HIPAA is built around a recognition that good security and HIPAA compliance are mostly the same project. Practices with real security postures generally pass audits. Practices that treat compliance as a separate documentation exercise generally do not.
We handle the technical implementation: encryption verification, MFA deployment, network segmentation where needed, endpoint protection, backup and recovery testing, and the ongoing patching that keeps systems current. For the formal compliance pieces (risk assessments, policy documentation, business associate agreement management, incident response planning), we partner with independent third-party auditors rather than serving as both the implementer and the auditor. This avoids the conflict of interest that comes with self-attesting and produces documentation that holds up under OCR scrutiny.
Our healthcare IT services cover the operational side of running a practice. For practices specifically focused on HIPAA compliance support, our HIPAA-compliant IT services page covers what is included. For the broader framework on evaluating IT providers, see 7 questions to ask before signing.
The honest conversation with any prospective healthcare client starts with where the practice currently is on compliance, not where the IT provider’s service tier sits. The right level of support depends on what gaps actually exist and what the practice is trying to protect.
Frequently Asked Questions
Is the 2026 HIPAA Security Rule update finalized?
As of mid-2026, no. The Notice of Proposed Rulemaking was published in December 2024, the comment period closed in March 2025, and HHS missed its targeted May 2026 finalization date. A coalition of over 100 healthcare provider groups has asked HHS to withdraw the proposal. The eventual final rule may differ from what was proposed, and the timeline for finalization is not currently confirmed. Practices should prepare for the likely controls (MFA, encryption, annual risk assessment) but should not invest heavily in compliance work specifically for a rule that may shift.
What is the most common reason practices fail HIPAA audits?
Inadequate risk analysis is the single most-cited deficiency in OCR enforcement actions, and this has been true for more than a decade. The risk assessment must be documented, dated, and reviewed at least annually. Most failures involve either no risk assessment at all or one that is years out of date. Updating policies without updating the underlying risk assessment is one of the most common gaps practices have.
Should small practices do their own HIPAA risk assessment?
The free OCR/ONC Security Risk Assessment tool is genuinely useful for small practices and helps structure the work. The tool’s own documentation notes that completing it does not guarantee compliance. Most practices benefit from professional support to validate findings, document them properly, and translate them into a remediation plan.
Will MFA actually be required?
Multi-factor authentication is in the proposed Security Rule update as a mandatory control. Even before the rule is finalized, MFA is one of the most effective security controls available and is increasingly required by cyber insurance carriers. Practices that have not implemented MFA on EHR, email, and remote access systems should do so now regardless of regulatory timing. The financial cost of MFA is small. The risk of not having it is large.
How much does HIPAA compliance cost for a small healthcare practice?
The cost depends on practice size and current security posture, but typical small practices in Central Illinois budget $5,000 to $30,000 for a professional risk assessment, plus ongoing managed IT services that cover the technical security work. The hidden cost most practices underestimate is the cost of NOT being compliant. The IBM 2025 Cost of a Data Breach Report puts the average healthcare breach at $11 million, which is the most expensive category they track. Practices that treat HIPAA as ongoing security work rather than annual documentation theater spend less in total.
Ready to Talk About Where Your Practice Actually Stands?
If you are a healthcare practice in Central Illinois trying to figure out what the 2026 HIPAA changes mean for you specifically, the right conversation starts with where you currently are. We can walk through your existing security posture, identify the gaps that matter most, and help you build a plan that does not depend on guessing about regulatory timelines.
(309) 689-3900 | Schedule a conversation | info@facettech.com
For broader background, see our Healthcare IT in Central Illinois guide and our 7 questions to ask before signing blog.
Facet Technologies has provided IT services to Central Illinois businesses for over 30 years. Based in Peoria, we serve healthcare, manufacturing, agriculture, professional services, and government organizations across the region.
Ellie Shaw is the Director of Marketing at Facet and the author of Cyber Treats, Facet's biweekly newsletter featuring topics like IT news, cybersecurity updates, compliance advice, and anything tech. She has been a member of the Facet team full-time since 2016 and enjoys finding new ways to share resources and information about cybersecurity with others.
