2026 HIPAA Security Rule: Law Firm Checklist
The first HIPAA Security Rule update in 13 years mandates MFA, encryption, and annual audits. What law firms must prepare now.

Shere Saidon

CEO & Founder at LlamaLab

Published March 7, 2026
Updated March 4, 2026

The 2026 HIPAA Security Rule: What Every Law Firm Handling Medical Records Must Do Now

The average cost of a U.S. healthcare data breach reached $10.22 million in 2024. More than 375 million individuals were affected by healthcare breaches in 2025. And the federal framework meant to prevent those breaches has not been updated in 13 years.

That changes in 2026. The Department of Health and Human Services is finalizing the first major overhaul of the HIPAA Security Rule since 2013, with a final rule expected by May. The catalyst is clear: the Change Healthcare breach in February 2024—which compromised the records of 192.7 million people—exposed how badly the existing framework had fallen behind.

This isn't an incremental update. The new rule eliminates the distinction between "addressable" and "required" safeguards that allowed organizations to document why they chose not to implement a control instead of actually implementing it. Under the updated rule, multi-factor authentication, encryption, vulnerability scanning, and incident response planning are mandatory for every covered entity and business associate—including law firms that handle electronic protected health information.

$10.22M: Average cost of a U.S. healthcare data breach in 2024
375M: Individuals impacted by healthcare breaches in 2025
13 years: Since the last HIPAA Security Rule update (2013)


Why Now: The Breach Crisis That Forced HHS to Act

The Change Healthcare breach was the tipping point. A single ransomware attack in February 2024 compromised 192.7 million patient records—the largest healthcare data breach in U.S. history. The company lacked multi-factor authentication on critical systems. Under the existing HIPAA Security Rule, MFA was merely "addressable," meaning Change Healthcare could document its decision not to use it and remain technically compliant.

The broader trend is equally stark. Business associates—vendors, contractors, and service providers with access to ePHI—accounted for 77% of breached records in 2024. The supply chain, not the hospital, has become the primary attack surface.

Important: The Change Healthcare Breach

In February 2024, a ransomware attack on Change Healthcare—a UnitedHealth Group subsidiary that processes insurance claims for thousands of providers—exposed 192.7 million patient records. The attack disrupted claims processing nationwide for weeks. Investigators found the breach exploited a remote access portal that lacked multi-factor authentication.

HHS cited these systemic failures as the rationale for closing the addressable loophole and moving every major safeguard to mandatory status. The message: document-based compliance is no longer sufficient.


What's Changing: Old Rules vs. New Rules

HIPAA Security Rule: Before and After

Current Rule (2013)

  • Addressable Safeguards

    Organizations could skip controls like MFA by documenting why they were 'not reasonable and appropriate'

  • Self-Attestation

    Covered entities and BAs could self-certify compliance without independent verification

  • Flexible Timelines

    No specific deadlines for incident response, restoration, or breach notification to covered entities

  • Periodic Risk Assessment

    Risk assessments required but with no mandated frequency or penetration testing

2026 Rule

  • All Safeguards Mandatory

    MFA, encryption, network segmentation, and asset inventories required—no exceptions

  • Audited Compliance

    Annual penetration testing, biannual vulnerability scans, and technology asset inventories required

  • 72-Hour Recovery Window

    Entities must restore critical systems within 72 hours; BAs must notify covered entities within 24 hours of contingency activation

  • Prescriptive Standards

    AES-256 encryption at rest, TLS 1.2+ in transit, end-to-end email encryption for ePHI

Multi-Factor Authentication

MFA moves from addressable to mandatory for all systems that access, store, or transmit ePHI. The Change Healthcare breach demonstrated the cost of treating MFA as optional. Under the new rule, every user accessing ePHI—whether a hospital administrator, a vendor, or a paralegal at a law firm—must authenticate through at least two factors.

Encryption Standards

The updated rule specifies encryption requirements that the 2013 version left vague. AES-256 encryption is required for data at rest. TLS 1.2 or higher is required for data in transit. End-to-end encryption is required for any email containing ePHI—standard TLS between mail servers is no longer sufficient.

Incident Response and Recovery

Covered entities and business associates must be able to restore critical systems within 72 hours of a disruption. Business associates must notify their covered entities within 24 hours of activating a contingency plan. Annual technology asset inventories and network maps are required to support these timelines.


What This Means for Law Firms

Any law firm that receives, stores, or transmits electronic protected health information qualifies as a business associate under HIPAA. That includes firms handling medical records in personal injury, mass tort, workers' compensation, and medical malpractice cases. The 2026 rule applies to business associates with the same force it applies to hospitals and insurers.

Given that business associates were the source of 77% of breached records in 2024, HHS is signaling that downstream entities can no longer treat HIPAA compliance as the covered entity's problem.

Practical Requirements for Firms

MFA on every system touching ePHI. Case management platforms, cloud storage, email accounts, and any vendor portal where paralegals access medical records must require multi-factor authentication. Password-only access will be a compliance violation.

Encrypted storage and transmission. Medical records stored on local servers, cloud drives, or case management systems must use AES-256 encryption. Sending records by email requires end-to-end encryption—not just server-to-server TLS.

Updated Business Associate Agreements. Every BAA between a law firm and its record retrieval vendors, cloud storage providers, IT contractors, and case management platforms should be reviewed. The new rule introduces specific obligations around breach notification timelines and contingency planning that existing BAAs likely do not address.

Annual risk assessments. The updated rule requires annual security risk assessments, annual penetration testing, and biannual vulnerability scans. Firms should budget for these as recurring operational costs.

Network segmentation. Systems containing ePHI must be segmented from general network traffic. A paralegal's workstation used to browse the internet and access medical records on the same flat network will not satisfy the new requirements.
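As an added example (not code from the article or from LlamaLab), the following Python sketch turns the controls above into something a firm's IT staff can check: it builds a client TLS context that enforces the rule's TLS 1.2 floor using only the standard library, and audits a constructed inventory of firm systems for the MFA, AES-256, TLS, segmentation and end-to-end email gaps named in this section. The EphiSystem fields and the two sample systems are assumptions for illustration.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory record for one firm system that touches ePHI.
# Field names are assumptions for this example, not terms from the rule.
@dataclass
class EphiSystem:
    name: str
    mfa: bool                         # every user authenticates with 2+ factors
    at_rest_cipher: str               # e.g. "AES-256-GCM"
    tls_min: ssl.TLSVersion           # lowest protocol the system will negotiate
    segmented: bool                   # isolated from general office traffic
    email_e2e: Optional[bool] = None  # only meaningful for mail systems

def hardened_client_context() -> ssl.SSLContext:
    """TLS client context meeting the rule's 'TLS 1.2 or higher' floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses TLS 1.0 and 1.1
    return ctx

def audit(system: EphiSystem) -> List[str]:
    """Return the 2026-rule gaps for one system (empty list == no findings)."""
    gaps = []
    if not system.mfa:
        gaps.append("MFA not enforced")
    if not system.at_rest_cipher.upper().startswith("AES-256"):
        gaps.append(f"at-rest encryption is {system.at_rest_cipher!r}, not AES-256")
    if system.tls_min < ssl.TLSVersion.TLSv1_2:
        gaps.append(f"negotiates {system.tls_min.name}, below TLS 1.2")
    if not system.segmented:
        gaps.append("shares a flat network with general traffic")
    if system.email_e2e is False:
        gaps.append("email relies on server-to-server TLS only, no end-to-end encryption")
    return gaps

# Constructed sample inventory: one compliant system and one showing the gaps
# the article calls out.
INVENTORY = [
    EphiSystem("case-mgmt", mfa=True, at_rest_cipher="AES-256-GCM",
               tls_min=ssl.TLSVersion.TLSv1_2, segmented=True),
    EphiSystem("firm-email", mfa=False, at_rest_cipher="AES-128-CBC",
               tls_min=ssl.TLSVersion.TLSv1, segmented=False, email_e2e=False),
]

def audit_inventory(systems=INVENTORY) -> Dict[str, List[str]]:
    return {s.name: audit(s) for s in systems}

if __name__ == "__main__":
    for name, gaps in audit_inventory().items():
        print(name, "OK" if not gaps else gaps)
```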


The Compliance Timeline

Key Points

Essential takeaways from this article

  • Final rule expected May 2026 — organizations should treat this as the planning deadline, not the starting line
  • 180-to-240-day compliance window begins once the final rule is published in the Federal Register
  • Start now: enable MFA, audit encryption, and inventory every system that touches ePHI
  • Budget for annual penetration testing and biannual vulnerability scans as recurring line items
  • Review and renegotiate Business Associate Agreements with every vendor, retrieval service, and IT provider before the compliance deadline

The compliance window is tighter than it appears. Large-scale IT changes—deploying MFA across a firm, encrypting existing storage, segmenting networks—require procurement, testing, and training. Firms that wait for the final rule to begin planning will face compressed timelines and higher costs.


The Bottom Line

The 2026 HIPAA Security Rule is the most significant change to healthcare data security regulation in over a decade. It closes the loopholes that allowed organizations to skip fundamental protections like MFA and encryption—loopholes that directly contributed to the largest healthcare breach in history.

For law firms that handle medical records, the message is straightforward: the same security standards that apply to hospitals now apply to every business associate in the chain. Compliance is no longer about checking boxes on a self-assessment. It requires demonstrable, audited controls on every system that touches electronic protected health information.

Secure Medical Record Retrieval

LlamaLab delivers medical records through an encrypted, HIPAA-compliant platform with built-in access controls—so firms can meet the new Security Rule requirements without overhauling their infrastructure.


Sources: DSALTA — 2026 HIPAA Security Rule Changes, ComplianceHub — HHS Proposes Major HIPAA Amendment, RubinBrown — HIPAA Security Rule Changes 2025-2026, JD Supra — Major HIPAA Security Rule Changes, Privacy Rights — 2025 Data Breach Report, DeepStrike — Healthcare Data Breaches 2025.

This article is for informational purposes only and does not constitute legal or medical advice. Consult with qualified professionals for advice specific to your situation.
