HIPAA 2026 NPRM: 17 New Security Rule Requirements for Healthcare Websites

Mike Mento · 5 min read

The HHS Office for Civil Rights published a Notice of Proposed Rulemaking on December 27, 2024, that adds 17 new requirements to the HIPAA Security Rule. These take effect in 2026 once the final rule is published. Here is the complete list, cited to 45 CFR, with what each one means for your website.

What Changes Materially

The biggest shift: most "addressable" specifications are becoming "required." If you've been documenting an addressable specification as "we considered it and chose not to implement," that defense disappears in 2026.

The 17 New Requirements

Authentication & Access (5 requirements)

1. Mandatory Multi-Factor Authentication (164.312(d) amended) MFA is required for all access to electronic Protected Health Information. Phishing-resistant methods (FIDO2/WebAuthn passkeys) are preferred over SMS or TOTP. SMS-based MFA may receive partial credit but is no longer sufficient on its own.

2. Account Lockout (164.312(d) new spec) Automatic lockout after a defined number of failed authentication attempts. Documentation of the threshold and response procedure required.

3. Session Timeout (164.312(a)(2)(iii) clarified) Maximum session duration must be explicitly documented and enforced via session timeout. The previous "automatic logoff" requirement is now quantified.

4. Account Inventory (164.308(a)(3) new spec) Maintain a current inventory of all accounts with ePHI access, refreshed at minimum quarterly. Inactive accounts must be disabled within 72 hours.

5. Privileged Access Documentation (164.308(a)(3)(ii)(B)) Role-based access control documented and reviewed annually with sign-off.
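
Items 2 and 3 are easy to state and easy to get subtly wrong in code. The following is an added example (not code from the post or from RocketOpp) showing account lockout and session timeout enforced together in Python. The threshold, window and timeout values are illustrative assumptions, not figures from the NPRM; the point is that whatever values you document are the ones the code enforces, and that an absolute maximum session duration applies even to a user who never goes idle.

```python
import secrets
import time
from dataclasses import dataclass

# Illustrative policy values (assumptions, not figures from the NPRM); the rule
# asks that whatever values you choose be documented and actually enforced.
LOCKOUT_THRESHOLD = 5            # failed attempts before lockout
LOCKOUT_WINDOW = 15 * 60         # failures are counted within this window (s)
LOCKOUT_DURATION = 30 * 60       # how long the account stays locked (s)
IDLE_TIMEOUT = 15 * 60           # automatic logoff after this much inactivity (s)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # maximum session duration regardless of activity (s)


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class AuthPolicy:
    """Account lockout plus idle and absolute session timeouts.
    The clock is injectable so the time-dependent behaviour can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # user -> timestamps of recent failed attempts
        self.locked_until = {}  # user -> time the lockout expires
        self.sessions = {}      # token -> Session

    def is_locked(self, user):
        return self.locked_until.get(user, 0.0) > self.clock()

    def record_failure(self, user):
        """Count a failure; return True if this one triggered a lockout."""
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t <= LOCKOUT_WINDOW]
        recent.append(now)
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures.pop(user, None)
            return True
        self.failures[user] = recent
        return False

    def login(self, user, credentials_valid):
        """Return a session token on success, None on failure or while locked.
        Credential checking itself is outside this example."""
        if self.is_locked(user):
            return None
        if not credentials_valid:
            self.record_failure(user)
            return None
        self.failures.pop(user, None)
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now)
        return token

    def validate_session(self, token):
        """Return the session's user if it is still live; otherwise drop it and
        return None. Both the idle timeout and the absolute cap are enforced, so
        a continuously active user is still logged off at ABSOLUTE_TIMEOUT."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user
```

Two design points worth noting: a correct password is refused while the account is locked (checking credentials first would leak whether the password was right), and the absolute cap is checked against `created_at`, not `last_seen`, so activity cannot extend a session indefinitely.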

Encryption (4 requirements)

6. Mandatory Encryption at Rest (164.312(a)(2)(iv) amended) Moves from "addressable" to "required." All ePHI at rest must use NIST-approved cryptographic algorithms — AES-256 with proper key management is the de facto standard.

7. Mandatory Encryption in Transit (164.312(e)(2)(ii) amended) Moves from "addressable" to "required." TLS 1.2 minimum, TLS 1.3 preferred. SHA-1 and weak cipher suites prohibited.

8. Key Management Program (164.312(a)(2)(iv) new spec) Documented key rotation cadence, secure key storage (HSM or KMS), and key recovery procedures.

9. Cryptographic Module Validation (164.312(a)(2)(iv)) FIPS 140-2/140-3 validated cryptographic modules required for federal-data-touching systems.
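
Item 7 translates directly into a server-side TLS policy. As an added example (not code from the post; a web server's own TLS configuration is the usual place for this), here is the same policy expressed with Python's standard ssl module: a TLS 1.2 floor, TLS 1.3 allowed, and SHA-1, RC4 and 3DES suites excluded. The helper `weak_suites` lets you confirm from the live context that no prohibited suite is enabled, rather than trusting the cipher string.

```python
import ssl


def hardened_tls_context():
    """Server-side TLS context for the transit requirement above:
    TLS 1.2 minimum (TLS 1.3 negotiated where available), AEAD ciphers only,
    and SHA-1 / RC4 / 3DES suites explicitly excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for the TLS 1.2 suite list. TLS 1.3 suites are
    # managed separately by OpenSSL and are all AEAD, so they need no filtering.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression has no safe use
    return ctx


def weak_suites(ctx):
    """Names of enabled suites that use a SHA-1 MAC, RC4 or 3DES.
    Returns an empty list for a correctly hardened context."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.endswith("-SHA") or "RC4" in name or "3DES" in name or "DES-CBC3" in name:
            bad.append(name)
    return bad


def min_version_name(ctx):
    """Human-readable minimum protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_tls_context()
    print("minimum version:", min_version_name(ctx))
    print("enabled suites:", [s["name"] for s in ctx.get_ciphers()])
    print("weak suites:", weak_suites(ctx) or "none")
```

The same verification idea applies to a real deployment: after changing the web server's configuration, enumerate the negotiable suites and versions from the outside and compare them against the documented policy, rather than assuming the configuration took effect.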

Audit & Integrity (3 requirements)

10. Immutable Audit Logs (164.312(b) amended) Audit logs must be tamper-resistant — typically WORM-compliant storage (S3 Object Lock, Glacier, Splunk WORM, etc.).

11. Log Retention Minimum (164.316(b)(2)(i) clarified) 6 years for documentation. Audit logs themselves should be queryable for at least 365 days; the 6-year minimum applies to retention but not necessarily to hot storage.

12. Quarterly Log Review (164.308(a)(1)(ii)(D) new spec) Documented log review at minimum quarterly, with sign-off and identified anomalies.

Resilience (2 requirements)

13. 72-Hour Restoration Test (164.308(a)(7)(ii)(D) new spec) Disaster recovery must be tested annually with documented evidence that systems containing ePHI can be restored within 72 hours.

14. Asset Inventory (164.308(a)(7)(ii)(E) new spec) Maintain a current inventory of all assets that create, receive, maintain, or transmit ePHI. Refresh at minimum annually.

Incident Response & Patching (3 requirements)

15. Patch Management Timelines (164.308(a)(5)(ii)(B) amended) Critical patches must be applied within 14 days; high-severity within 30; medium within 90. Documented exceptions required.

16. Vulnerability Scanning Cadence (164.308(a)(8) new spec) Minimum monthly external vulnerability scanning. Annual penetration testing.

17. Incident Response Testing (164.308(a)(6)(ii) amended) Incident response plan must be tested annually with documented results and remediation actions.

What This Means for Your Website

Most of these requirements have a direct website-level signal:

Requirement           | Website-level signal
Mandatory MFA         | MFA presence on dashboard login (PUB-05 + DASH-05)
Encryption in transit | TLS 1.2+, HSTS preload, no mixed content
Session timeout       | Session cookie attributes (Secure, HttpOnly, SameSite)
No exposed config     | No /.env, /.git, /backup, /phpinfo.php, /dump.sql exposed
Patch management      | No EOL software disclosure, no version headers
Audit logging         | Server-side logging headers, security.txt

The RocketOpp HIPAA scanner runs all of these as passive observations. Free 51-point scan, $149-$899 paid tiers for AI-written reports with the 2026 NPRM overlay highlighting which findings are currently OK but will become required.
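
Several of the signals in the table can be read from a single HTTP response. The following is an added example (not the RocketOpp scanner's code) that checks a captured response for the HSTS policy, the session cookie attributes, and version disclosure in Server / X-Powered-By headers. The two sample responses are constructed for illustration; the mixed-content and exposed-path signals need page content and additional requests and are not covered here.

```python
import re

# Constructed sample responses for illustration (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000                 # minimum HSTS max-age for the preload list
VERSION_RE = re.compile(r"\d+\.\d+")  # any dotted version number in a header value


def parse_headers(raw):
    """Split a raw HTTP response into (name, value) pairs, names lower-cased.
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_hsts(headers):
    """Encryption-in-transit signal: HSTS present, one-year max-age, subdomains, preload."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["HSTS header missing"]
    findings = []
    directives = [d.strip().lower() for d in values[0].split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1])
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in directives:
        findings.append("HSTS lacks preload")
    return findings


def check_cookies(headers):
    """Session-cookie signal: every Set-Cookie carries Secure, HttpOnly and SameSite."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            key, _, val = p.partition("=")
            attrs[key.lower()] = val
        for attr in ("Secure", "HttpOnly", "SameSite"):
            if attr.lower() not in attrs:
                findings.append(f"cookie {cookie} missing {attr}")
    return findings


def check_version_disclosure(headers):
    """Patch-management signal: Server / X-Powered-By values carrying a version number."""
    return [f"{n} header discloses a version: {v}"
            for n, v in headers
            if n in ("server", "x-powered-by") and VERSION_RE.search(v)]


def check_response(raw):
    """Run all passive checks over one response and return the findings."""
    headers = parse_headers(raw)
    return check_hsts(headers) + check_cookies(headers) + check_version_disclosure(headers)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(resp) or ["no findings"])
```

On the constructed weak response this reports six findings (missing HSTS, three missing cookie attributes, and two version-disclosing headers); the hardened response reports none. Note that the cookie attributes are only a proxy for item 3: they tell you nothing about whether a session timeout is actually enforced server-side.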

Timeline

  • Dec 27, 2024 — NPRM published (60-day comment period)
  • Mar 7, 2025 — Comment period closed
  • Q3 2026 (estimated) — Final rule expected
  • Effective date — 240 days after final rule (so likely late 2026/early 2027)
  • Compliance deadline — Typically 1 year after effective date for covered entities

  1. Run the free 51-point scan against your public site and dashboard to baseline current posture.
  2. Pull the Tier 3 NPRM overlay report ($499) to see which findings are 2026-only requirements.
  3. Update your Risk Analysis (164.308(a)(1)(ii)(A)) to reference the NPRM. The Risk Analysis is the single most-cited deficiency in OCR settlements — it must be current.
  4. Document an MFA rollout plan if you don't have universal phishing-resistant MFA today.
  5. Audit log retention + immutability is the cheapest big-impact upgrade. WORM storage in S3 is sub-$10/month.

The penalty tiers under the proposed rule: $137 to $2,067,813 per violation, capped at $2,067,813 per violation type per year. The 2026 enforcement window is when these figures actually apply.

Scan your site free at rocketopp.com/hipaa — results in 60 seconds, paid reports in 15 minutes.

Mike Mento

Founder, RocketOpp LLC

Building 0nMCP — the universal AI orchestrator with 900+ tools across 55 services. Turning complex business operations into single commands.
