
2026 HIPAA Security Rule update: what every small practice must do now

The 2026 HIPAA Security Rule update closes loopholes small practices have quietly relied on for over two decades. Here is the concrete to-do list for an office of six.

Elevate Solutions
June 26, 2026 · 6 min read

Advisory Alert — HIPAA Security Rule

Most six-person practices assume HIPAA enforcement targets hospital networks and large regional health systems. That assumption has always been wrong. The 2026 Security Rule updates make it more expensive to hold.

The updated HIPAA Security Rule eliminates the "addressable" category that allowed small covered entities to defer controls like multi-factor authentication and encryption. Every practice—regardless of headcount—must implement the same baseline technical safeguards, document the work, and keep that documentation available for audit. Penalties are tiered by culpability and assessed per violation category per calendar year.

What changed—and why a six-person office is affected

The original HIPAA Security Rule, written in 2003, divided safeguards into two categories: required and addressable. Addressable meant a covered entity could skip a control if it documented a reasonable alternative or concluded the control did not apply to its environment. Many small offices used that language to defer encryption, multi-factor authentication, and formal vulnerability management for the better part of two decades.

HHS's 2025 rulemaking removes that distinction, with compliance obligations running into 2026. Every covered entity—a six-person dental practice, a solo physician's office, a small behavioral health group—must implement the same baseline controls as a large hospital network. Practice size may shape how you implement a control. It no longer determines whether you must.

The six things your office must complete

1. Conduct and document a formal risk analysis

A written risk analysis has always been a required element of the Security Rule. The updated rule adds specificity. You must inventory every system that creates, receives, maintains, or transmits electronic protected health information (ePHI), map how that data moves through your environment, identify threats and vulnerabilities, and assign documented risk ratings. This is a recurring obligation—update it whenever your technology or workflows change materially, not only when an audit is approaching.

2. Deploy multi-factor authentication

MFA is a baseline requirement for any user account with access to ePHI. In a Microsoft 365 Business Premium environment, this means enabling MFA for every Microsoft account and for any third-party application connected to patient data. Business Premium includes Conditional Access policies through Microsoft Entra ID that can enforce MFA at every sign-in. The capability is included in your license. It is not enabled by default.
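The Conditional Access policy described above, as an added example that is not code from the original post or from Elevate Solutions. It uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns module) to create a policy requiring MFA for all users on all cloud apps, first in report-only mode so sign-in impact can be reviewed before enforcement, and then exports an inventory of every policy for the compliance file. The break-glass account ID, the policy name and the output path are assumptions to replace.

```powershell
# Added example (not the page's own code): require MFA for every user via
# Conditional Access, starting in report-only mode, then record the policy
# inventory as dated evidence. Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and the signed-in admin can consent to the scope below.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of an emergency-access (break-glass) account that is
# excluded so a misconfigured policy cannot lock every admin out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "HIPAA baseline - require MFA for all users"   # assumed name
    # Report-only first: sign-ins are evaluated and logged but not blocked.
    # Switch to "enabled" once the sign-in logs show no unexpected impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Evidence for the documentation trail: every policy, its state, and whether it
# carries the MFA grant control. Output path is an assumption.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = "RequiresMfa"; e = { $_.GrantControls.BuiltInControls -contains "mfa" } } |
    Export-Csv -Path ".\ca-policy-inventory-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Run it once from an admin workstation, review the report-only results in the Entra sign-in logs, then change the policy state to enabled. Keep the exported CSV with the date it was produced; it is the kind of artifact section 6 asks for.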

3. Encrypt ePHI at rest and in transit

Encryption moves from addressable to required. ePHI must be encrypted wherever it is stored—on workstations, laptops, mobile devices, and in cloud storage—and protected in transit across any network. Business Premium includes BitLocker for device encryption and TLS for email and file transfer. The gap most small offices miss: workstations and laptops that are not enrolled in Microsoft Intune device management and therefore have BitLocker disabled or in an unverified state.
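The BitLocker verification gap mentioned above, as an added example that is not code from the original post or from Elevate Solutions. Run in an elevated PowerShell session on each Windows workstation or laptop, it records the BitLocker state of every operating-system and data volume, marks a volume compliant only when protection is on and encryption has finished, writes a dated CSV, and exits non-zero when anything is unprotected so an RMM or Intune script can flag the device. The evidence directory is an assumption.

```powershell
# Added example (not the page's own code): capture BitLocker state per volume
# as dated evidence. The BitLocker module ships with Windows; run elevated.

Import-Module BitLocker

$evidenceDir = "C:\ComplianceEvidence"    # assumed location; point at your compliance share
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

$report = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq "OperatingSystem" -or $_.VolumeType -eq "Data" } |
    ForEach-Object {
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            Checked           = (Get-Date).ToString("s")
            MountPoint        = $_.MountPoint
            VolumeType        = $_.VolumeType
            ProtectionStatus  = $_.ProtectionStatus      # On / Off / Unknown
            VolumeStatus      = $_.VolumeStatus          # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            EncryptionPercent = $_.EncryptionPercentage
            KeyProtectors     = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ";"
            # "Encryption in progress" or "protection suspended" is not compliant:
            # the volume must be fully encrypted with protection switched on.
            Compliant         = ($_.ProtectionStatus -eq "On" -and $_.VolumeStatus -eq "FullyEncrypted")
        }
    }

$report | Format-Table -AutoSize

$csv = Join-Path $evidenceDir "bitlocker-$($env:COMPUTERNAME)-$(Get-Date -Format yyyy-MM-dd).csv"
$report | Export-Csv -Path $csv -NoTypeInformation

# Non-zero exit lets a deployment tool treat an unprotected volume as a failed check.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A device that has never been enrolled in Intune will typically show ProtectionStatus Off or VolumeStatus FullyDecrypted here, which is exactly the unverified state the section warns about. Enrolment plus an Intune compliance policy closes the gap; this script documents where each device stands today.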

4. Maintain tested, restorable backups

The updated rule requires documented backup procedures and evidence that backups can actually be restored. A note that data is synced to OneDrive does not satisfy this requirement if your office has never run a recovery test. A compliant backup strategy includes at least one copy that a ransomware event cannot alter or delete—commonly called an immutable or offline copy. Business Premium's built-in cloud storage is a starting point, not a complete solution, for most small practices.
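A minimal restore test of the kind the section says most offices have never run, as an added example that is not code from the original post or from Elevate Solutions. It takes an archive of a data folder, restores it to a scratch location that never touches production data, compares the SHA-256 hash of every file between source and restored copy, and appends a dated PASS/FAIL line to a log. The Compress-Archive step stands in for your real backup job; the folder paths are assumptions.

```powershell
# Added example (not the page's own code): prove a backup can be restored
# intact and log the result as dated evidence. Paths are assumptions.

param(
    [string]$SourceDir = "C:\PracticeData",            # assumed: data folder your backup job covers
    [string]$BackupDir = "D:\Backups",                 # assumed: where backup archives are written
    [string]$LogPath   = "D:\Backups\restore-tests.log"
)

$stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$archive = Join-Path $BackupDir "practicedata-$stamp.zip"
$scratch = Join-Path $env:TEMP "restore-test-$stamp"

# 1. Take the backup (stand-in for the real backup product).
Compress-Archive -Path (Join-Path $SourceDir "*") -DestinationPath $archive

# 2. Restore it to a scratch directory, never over the live data.
Expand-Archive -Path $archive -DestinationPath $scratch

# 3. Verify: every source file must exist in the restore with an identical hash.
$mismatches = foreach ($src in Get-ChildItem -Path $SourceDir -Recurse -File) {
    $relative = $src.FullName.Substring($SourceDir.TrimEnd('\').Length + 1)
    $restored = Join-Path $scratch $relative
    if (-not (Test-Path $restored)) { "MISSING $relative"; continue }
    $a = (Get-FileHash -Algorithm SHA256 -Path $src.FullName).Hash
    $b = (Get-FileHash -Algorithm SHA256 -Path $restored).Hash
    if ($a -ne $b) { "HASH MISMATCH $relative" }
}

# 4. Record the outcome where an auditor can see the date and the result.
$result = if ($mismatches) { "FAIL" } else { "PASS" }
$line = "{0} restore-test archive={1} result={2} details={3}" -f `
    (Get-Date).ToString("s"), $archive, $result, ($mismatches -join "; ")
Add-Content -Path $LogPath -Value $line
Write-Output $line

Remove-Item -Path $scratch -Recurse -Force
if ($result -eq "FAIL") { exit 1 }
```

This only demonstrates restorability and the evidence trail. The immutable or offline copy the section calls for is a separate control: the archive written here sits on the same storage a ransomware event could reach, so a real program keeps at least one copy the practice's own credentials cannot alter.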

5. Audit every business associate agreement

Any vendor that handles ePHI on your behalf must have a signed business associate agreement (BAA) on file before that relationship begins. Pull your current vendor list and match it against signed BAAs. Common gaps: billing platforms, EHR vendors, cloud fax services, appointment scheduling applications, and your IT or cybersecurity provider if they can access systems containing patient data. A vendor processing ePHI without a signed BAA creates direct regulatory exposure for your practice. Make this an annual review, not a one-time exercise.

6. Build and maintain a documentation trail

Regulators do not assume compliance; they require proof. Maintain written policies covering access control, device management, breach response, and workforce training. Log who reviewed those policies and when. Record your risk analysis dates, backup test results, and BAA review cycles. If OCR contacts your practice, documentation is what separates a correction plan from a civil monetary penalty.

What are the penalties for a small practice that ignores this?

HIPAA civil monetary penalties are tiered by culpability. Violations caused by willful neglect—where a practice knew about a requirement and took no action—carry the highest penalty levels, assessed per violation category per calendar year. A practice that has simultaneously neglected MFA, encryption, and documentation faces multiple penalty categories running concurrently. State attorneys general also hold independent authority to pursue HIPAA enforcement actions, which means two separate enforcement channels apply to your office regardless of its size or revenue.

Does Microsoft 365 Business Premium cover these requirements?

Business Premium provides a solid technical foundation: MFA via Entra ID, BitLocker device encryption, Microsoft Defender for Business endpoint protection, and basic data loss prevention capabilities. It does not configure itself. The gap between default Microsoft 365 settings and HIPAA-compliant settings is significant and well-documented by auditors.

Conditional Access policies, device enrollment through Intune, audit logging, and data retention configurations must be deliberately set by a dedicated team that knows your environment and understands where the Security Rule requirements intersect with the platform's controls. If your practice runs Business Premium through a managed IT provider, request written confirmation that your configuration meets the 2026 Security Rule baseline. That confirmation is itself a documentation artifact for your compliance file.

The 2026 updates do not invent new obligations. They close the gaps small practices have treated as discretionary for over twenty years. The practices that will face penalties are those that continue to treat HIPAA as a large-organization problem.

Frequently asked questions

Does the size of my practice reduce my HIPAA Security Rule obligations?

No. Every covered entity is subject to the same Security Rule requirements. The 2026 updates remove the flexibility that previously allowed small practices to defer controls like MFA and encryption. Practice size may affect how you implement a control, but it does not affect whether you must implement it.

Can Microsoft 365 Business Premium satisfy the updated encryption and MFA requirements?

Business Premium includes the technical components—BitLocker, Entra ID MFA, and TLS—that can satisfy these requirements when properly configured. Default Microsoft 365 settings are not the same as compliant settings. Conditional Access policies, device enrollment, and data protection configurations require deliberate setup by someone familiar with both the platform and the HIPAA requirements.

Which vendors require a business associate agreement?

Any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate and must sign a BAA before that relationship begins. Common gaps include billing platforms, EHR vendors, cloud fax services, appointment scheduling applications, and your IT or cybersecurity provider if they can access systems containing patient data.

What happens if OCR audits our practice and we have no documented risk analysis?

The absence of a documented risk analysis is itself a violation. If a breach also occurred, the missing analysis elevates the culpability tier, which increases the applicable penalty range. OCR treats absent documentation as evidence of noncompliance, not a neutral fact.

When does our practice need to be fully compliant with the 2026 Security Rule updates?

Compliance timelines are established in the final rule published by HHS. Regardless of the formal deadline, building a compliant program—risk analysis, MFA deployment, encryption verification, BAA audits, and a documentation trail—takes considerably longer than most small offices expect. Starting now is the responsible course.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions