The 2026 HIPAA Security Rule Overhaul: What Fort Worth Healthcare Practices Need to Know
The U.S. Department of Health and Human Services is expected to finalize the biggest update to the HIPAA Security Rule since 2013 as early as next month. If your Fort Worth healthcare practice handles electronic protected health information (and if you are in healthcare, you do), this affects you directly. The proposed changes eliminate the loophole that has allowed practices to skip security controls by documenting why they chose not to implement them. That era is ending.
This is not a minor tweak. The proposed rule introduces mandatory encryption, required multi-factor authentication, annual compliance audits, technology asset inventories that sweep in AI tools, and a 72-hour window to restore critical systems and data after an incident. For practices that have been running on a "compliant on paper" approach, the gap between what the old rule allowed and what the new rule demands is significant. Here is what you need to understand and what to start doing now.
What Is Actually Changing in the HIPAA Security Rule
No More "Addressable" Safeguards
The current HIPAA Security Rule divides implementation specifications into two categories: "required" and "addressable." The required ones are mandatory. The addressable ones give practices the option to evaluate whether the safeguard is reasonable and appropriate for their environment; if they decide it is not, they document why and, where reasonable, put an equivalent alternative measure in place. The rule never said "optional," but that is how it has been read.
In practice, "addressable" has become a loophole. We see this regularly when we audit new healthcare clients in the Fort Worth area: practices that were told by their previous IT provider that certain security controls were "addressable" and therefore optional. Encryption at rest? Addressable. Automatic logoff? Addressable. Encryption in transit? Addressable.
The proposed 2026 rule eliminates this distinction entirely. Every safeguard becomes required, with very limited exceptions that must be formally documented and justified. According to the HHS fact sheet on the proposed rule, the intent is to remove the ambiguity that has allowed organizations to treat security as optional under the current framework.
Mandatory Encryption, No Exceptions Worth Counting On
Under the new rule, encryption of ePHI becomes mandatory both at rest and in transit, with only narrow exceptions. The proposed rule text does not name specific algorithms; it requires encryption consistent with prevailing cryptographic standards. In practice, the baseline to aim for is AES-256 for data at rest and TLS 1.2 or higher for data in transit. For email containing ePHI, plan on message-level encryption (Microsoft Purview Message Encryption, S/MIME, or a secure-messaging portal): opportunistic TLS between mail servers only protects the hop and falls back to cleartext if the receiving server does not support it.
This is a big deal for smaller practices. Many Fort Worth home health agencies, hospice providers, and assisted living facilities are still sending patient information via regular email and storing files on local machines without full-disk encryption. Under the current rule, they could document a reason for not encrypting. Under the new rule, they encrypt or they are out of compliance.
If your practice is running Microsoft 365, the good news is that the tools to do this are already in the platform. The bad news is that most practices have not turned them on. We routinely find M365 environments where BitLocker is not enforced through Intune on every device, where email encryption policies are not configured, and where no sensitivity labels or DLP policies govern ePHI in SharePoint and OneDrive. (Microsoft encrypts that storage at rest by default; what is usually missing is the customer-side policy layer that controls who can share and download it.)
Multi-Factor Authentication Becomes Required
MFA for all systems that access ePHI is moving from best practice to federal requirement. The proposed rule defines MFA in terms of factors (something you know, have, or are) and does not itself ban SMS codes, but SMS is vulnerable to SIM swapping and to real-time phishing, so it is the wrong place to land. Microsoft Authenticator with number matching is a solid step up and defeats push-fatigue attacks. Truly phishing-resistant methods are FIDO2 security keys, passkeys, and certificate-based authentication, and those are what to standardize on for admin accounts and anyone with broad access to patient records.
If your practice is still logging into patient records, email, and cloud systems with just a username and password, the clock is ticking. According to IBM's 2025 Cost of a Data Breach report, compromised credentials remain among the most common initial attack vectors in healthcare breaches. MFA is one of the most effective single controls for preventing it.
Annual Compliance Audits and Penetration Testing
The proposed rule requires formal compliance audits at least once every 12 months. Not the self-assessment checklist your practice fills out once a year and files away. A documented audit of your security posture, your policies, your technical controls, and your risk management program.
Additionally, the rule introduces requirements for penetration testing at least once every 12 months and vulnerability scanning at least once every six months. For many small practices, this is entirely new territory. Your IT provider should be conducting these assessments already, but the new rule puts specific timelines and documentation requirements around them.
Need help preparing for the new HIPAA Security Rule? IT Integrations provides HIPAA compliance support for Fort Worth healthcare practices and the surrounding DFW area. Call us at (817) 808-1816 or contact us for a free IT assessment.
What This Means for Fort Worth Healthcare Practices Specifically
Fort Worth's healthcare landscape is different from a major hospital system in Dallas or Houston. The practices we work with are home health agencies covering Tarrant and Parker counties, hospice providers with distributed staff, assisted living facilities in Weatherford and Aledo, dental offices, and primary care clinics. These are businesses with 10 to 100 employees, tight margins, and limited IT staff (often none at all beyond their MSP).
The HIPAA Security Rule update was written with large health systems in mind, but it applies equally to a 15-person home health agency in Benbrook and a 2,000-bed hospital in the medical center. The compliance burden does not scale down just because the practice does.
That means Fort Worth practices need to think about this differently than large enterprises. A hospital system has a CISO, a compliance officer, and an internal audit team. A home health agency in Burleson has an office manager who also handles HR, billing, and the Wi-Fi password. The requirements are the same. The resources are not.
This is where the right IT partner matters. The practices that come through this transition smoothly will be the ones that start preparing now, not the ones that wait for the final rule to drop and then scramble.
The Technology Asset Inventory Requirement (and Why AI Makes It Harder)
One of the most significant new requirements is the technology asset inventory. Under the proposed rule, every covered entity must maintain a current, comprehensive inventory of all technology assets that create, receive, maintain, or transmit ePHI. This includes hardware, software, cloud services, and, critically, AI tools.
This is where the shadow AI problem meets federal regulation head-on. If your employees have connected ChatGPT plugins, AI browser extensions, or third-party transcription tools to your Microsoft 365 environment, those are now technology assets that access ePHI. Under the new rule, they need to be inventoried, assessed for risk, and either formally approved or removed.
We wrote about this in detail last week. The short version: most practices have more AI tools touching their data than they realize, and most IT providers are not looking for them. The new HIPAA rule means finding and documenting every one of those tools is no longer just a good idea. It is a compliance requirement.
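One way to start that inventory in a Microsoft 365 tenant is to pull every third-party app that users or admins have consented to and flag the ones holding mail, file or chat permissions, which is where transcription tools, AI browser extensions and ChatGPT-style connectors usually show up. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and the account running it has Application.Read.All and Directory.Read.All. The list of "sensitive" scopes is our own choice and can be extended.

```powershell
# Added example: inventory third-party OAuth apps with access to M365 data.
# Assumes Microsoft.Graph SDK (Install-Module Microsoft.Graph) and the scopes below.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome

$tenantId   = (Get-MgOrganization).Id
$msServices = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"   # well-known Microsoft services tenant (first-party apps)

# Scopes that let an app read data where ePHI tends to land (our own list; extend as needed)
$sensitive = @("Mail.Read","Mail.ReadWrite","Files.Read","Files.Read.All","Files.ReadWrite",
               "Files.ReadWrite.All","Sites.Read.All","Calendars.Read","Chat.Read",
               "ChannelMessage.Read.All","User.Read.All","Contacts.Read")

$grants  = Get-MgOauth2PermissionGrant -All
$spCache = @{}

$rows = foreach ($g in $grants) {
    if (-not $spCache.ContainsKey($g.ClientId)) {
        $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId `
            -Property "displayName,appOwnerOrganizationId,publisherName"
    }
    $sp = $spCache[$g.ClientId]

    # Skip apps owned by this tenant and Microsoft's own first-party apps; the rest is the "shadow" list
    if ($sp.AppOwnerOrganizationId -in @($tenantId, $msServices)) { continue }

    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $sensitive -contains $_ }

    # ConsentType: "AllPrincipals" = admin consented for everyone, "Principal" = one user consented for themselves
    $grantedTo = "all users"
    if ($g.PrincipalId) {
        try   { $grantedTo = (Get-MgUser -UserId $g.PrincipalId -Property userPrincipalName).UserPrincipalName }
        catch { $grantedTo = "deleted user $($g.PrincipalId)" }   # grant outlived the account
    }

    [pscustomobject]@{
        App             = $sp.DisplayName
        Publisher       = $sp.PublisherName
        ConsentType     = $g.ConsentType
        GrantedTo       = $grantedTo
        SensitiveScopes = ($hits -join ' ')
        AllScopes       = ($scopes -join ' ')
    }
}

# Show the apps that can actually read patient data first, then keep the full list as audit evidence
$rows | Where-Object { $_.SensitiveScopes } | Sort-Object App | Format-Table App, Publisher, ConsentType, GrantedTo, SensitiveScopes -AutoSize
$rows | Export-Csv -Path ".\oauth-app-inventory-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Two things this does not catch: apps granted application permissions (app roles, not delegated scopes), which need a separate pass over app role assignments, and tools that never touched the tenant at all, such as a clinician pasting a note into a consumer chatbot. The first is a Graph query; the second is a DLP and training problem.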
The proposed rule also requires a network map showing how ePHI moves through your systems. For a practice using cloud-based EMR, Microsoft 365, a patient portal, a billing platform, and a handful of third-party integrations, mapping that data flow is not trivial. It requires someone who understands both the technology and the compliance framework.
What We See When We Audit Healthcare Practices (and What the New Rule Will Not Tolerate)
After 20 years of working with Fort Worth healthcare practices, the patterns are consistent. Here is what we find in almost every new client engagement, and what the updated HIPAA Security Rule will specifically call out:
Security risk assessments that are years out of date. The current rule requires regular risk assessments, but "regular" was never defined with a hard number. Many practices did one when they first set up their compliance program and never updated it. The new rule requires annual assessments with documented methodology and findings.
Business associate agreements from vendors that no longer exist. Healthcare practices sign BAAs with their EMR vendor, their billing company, their shredding service. But vendors get acquired. The company you signed with in 2019 might be owned by a different parent company with different data handling practices. Under the new rule, BAA review and vendor risk management become more formalized.
Encryption that was set up once and never verified. A previous IT provider turned on BitLocker three years ago, but nobody checked whether it is still enforced on every device. New machines got added without the policy. The laptop the office manager takes home every night is not encrypted. Under the new rule, encryption verification becomes part of the required audit cycle.
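Verifying encryption means asking every device, not trusting the policy. Here is the check we run against Intune, as an added example rather than code from the original post; it assumes the Microsoft Graph PowerShell SDK and an account with DeviceManagementManagedDevices.Read.All, and it compares the Intune view with the Entra device list so machines that were joined but never enrolled (and therefore never got the BitLocker policy) show up too.

```powershell
# Added example: find devices that report no disk encryption, have gone quiet, or were never enrolled.
# Assumes Microsoft.Graph SDK and the scopes below.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","Device.Read.All" -NoWelcome

$staleAfter = (Get-Date).AddDays(-30)

# What Intune knows: isEncrypted is the device's own report of its encryption state
$managed = Get-MgDeviceManagementManagedDevice -All `
    -Property "deviceName,operatingSystem,osVersion,isEncrypted,lastSyncDateTime,userPrincipalName,azureAdDeviceId"

$unencrypted = $managed | Where-Object { -not $_.IsEncrypted }
$stale       = $managed | Where-Object { $_.LastSyncDateTime -lt $staleAfter }

# What Entra knows: any Windows/macOS device that is not in Intune never received the policy at all
$managedIds = @{}
foreach ($d in $managed) { if ($d.AzureAdDeviceId) { $managedIds[$d.AzureAdDeviceId] = $true } }

$unenrolled = Get-MgDevice -All -Property "displayName,deviceId,operatingSystem,approximateLastSignInDateTime,accountEnabled" |
    Where-Object { $_.AccountEnabled -and $_.OperatingSystem -in @("Windows","MacMDM","macOS") -and -not $managedIds.ContainsKey($_.DeviceId) }

"{0} Intune-managed devices; {1} report NO encryption; {2} have not synced in 30+ days; {3} Entra devices are not enrolled in Intune" -f `
    $managed.Count, $unencrypted.Count, $stale.Count, $unenrolled.Count

"--- Managed devices reporting no encryption ---"
$unencrypted | Select-Object DeviceName, OperatingSystem, UserPrincipalName, LastSyncDateTime |
    Sort-Object LastSyncDateTime | Format-Table -AutoSize

"--- Devices in Entra but not in Intune (policy never applied) ---"
$unenrolled | Select-Object DisplayName, OperatingSystem, ApproximateLastSignInDateTime | Format-Table -AutoSize

# Evidence for the audit file: one row per device with the state as reported on this date
$managed | Select-Object DeviceName, OperatingSystem, OsVersion, UserPrincipalName, IsEncrypted, LastSyncDateTime |
    Export-Csv -Path ".\encryption-status-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

A device that has not synced in a month is just as much a finding as one reporting no encryption: its last report may be true, but you cannot show that it still is. On a single machine you suspect, `Get-BitLockerVolume -MountPoint C:` and its ProtectionStatus field is the ground truth to compare against what Intune says.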
No audit logging, or logging that nobody reviews. The proposed rule requires not just that audit logs exist, but that they are reviewed regularly. Most practices we audit have logging turned on somewhere but no process for reviewing it. The logs exist. Nobody looks at them. Under the new rule, that gap becomes a documented compliance failure.
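"Reviewed regularly" has to mean something concrete. The script below is an added example, not code from the original post, of a daily pull from the Microsoft 365 unified audit log for the handful of operations a small practice should always look at: role changes, mailbox permission and inbox-rule changes, anonymous sharing links, bulk downloads and new app consents. It assumes the ExchangeOnlineManagement module and an account with the Audit Logs role in Exchange Online; the operation names are the ones Microsoft records in the log.

```powershell
# Added example: daily review of high-signal operations in the M365 unified audit log.
# Assumes ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-1)

# Operations that usually mean access changing hands or data leaving the practice
$ops = @(
    "Add member to role.", "Update user.", "Consent to application.",        # Entra ID
    "Add-MailboxPermission", "Set-Mailbox", "New-InboxRule", "Set-InboxRule",# Exchange
    "FileDownloaded", "AnonymousLinkCreated", "SharingInvitationCreated"     # SharePoint / OneDrive
)

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$parsed = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json          # the interesting detail lives in the JSON blob
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Target    = if ($d.ObjectId) { $d.ObjectId } else { ($d.Target | ForEach-Object { $_.ID }) -join ';' }
    }
}

"--- Counts by operation for $($start.ToString('yyyy-MM-dd')) ---"
$parsed | Group-Object Operation | Select-Object Name, Count | Sort-Object Count -Descending

"--- Inbox rules created or changed (classic business email compromise indicator) ---"
$parsed | Where-Object { $_.Operation -in @("New-InboxRule","Set-InboxRule") } | Format-Table Time, User, ClientIP, Target -AutoSize

"--- Role changes and app consents ---"
$parsed | Where-Object { $_.Operation -in @("Add member to role.","Consent to application.") } | Format-Table Time, User, Target -AutoSize

"--- Users with more than 50 file downloads in the window ---"
$parsed | Where-Object { $_.Operation -eq "FileDownloaded" } | Group-Object User | Where-Object { $_.Count -gt 50 } | Select-Object Name, Count

# Save the day's review: this file is the evidence that someone actually looked
$parsed | Sort-Object Time | Export-Csv -Path ".\audit-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Two caveats. The unified log is kept for 90 days on most licenses, so anything you want to show an auditor beyond that has to be exported or shipped to a SIEM. And a script that runs unattended and writes a CSV nobody opens is the same gap as before; the review is the person reading the output and signing off, which is why the export is dated.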
Admin accounts that should have been revoked years ago. Former IT providers, former employees, former consultants. We routinely find Microsoft 365 environments with global admin accounts that have not been used in years but still have full access to everything. The new rule's access control requirements will make this a citable finding.
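The quickest way to surface those accounts is to list every Global Administrator with their last sign-in and what authentication methods they actually have registered. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, an account with the scopes shown, and a Microsoft Entra ID P1 or P2 license (sign-in activity is not exposed without one). The 90-day staleness threshold is our own choice.

```powershell
# Added example: Global Administrators, last sign-in, and whether phishing-resistant MFA is registered.
# Assumes Microsoft.Graph SDK and the scopes below; signInActivity needs an Entra ID P1/P2 license.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","AuditLog.Read.All","UserAuthenticationMethod.Read.All","User.Read.All" -NoWelcome

$staleAfter = (Get-Date).AddDays(-90)

# Methods that resist phishing: FIDO2 keys (and passkeys, which register as FIDO2) and certificates
$phishingResistant = @("fido2AuthenticationMethod", "x509CertificateAuthenticationMethod")

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users sign in interactively
    if ($m.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property "userPrincipalName,accountEnabled,userType,signInActivity,createdDateTime"

    # Registered methods come back typed via @odata.type; strip the namespace for readability
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', '' }

    $last = $u.SignInActivity.LastSignInDateTime

    [pscustomobject]@{
        User                 = $u.UserPrincipalName
        Enabled              = $u.AccountEnabled
        Guest                = ($u.UserType -eq 'Guest')          # an outside provider's account in your tenant
        LastSignIn           = $last
        Stale                = (-not $last) -or ($last -lt $staleAfter)
        PhishingResistantMFA = [bool]($methods | Where-Object { $_ -in $phishingResistant })
        Methods              = ($methods | Where-Object { $_ -ne 'passwordAuthenticationMethod' }) -join ','
    }
}

"--- All Global Administrators ---"
$report | Sort-Object LastSignIn | Format-Table -AutoSize

"--- Findings: stale, guest, or without phishing-resistant MFA ---"
$report | Where-Object { $_.Stale -or $_.Guest -or -not $_.PhishingResistantMFA } | Format-Table User, Enabled, Guest, LastSignIn, Methods -AutoSize
```

A registered Authenticator app shows up as microsoftAuthenticatorAuthenticationMethod, but whether number matching is enforced is a tenant policy, not a per-user property, so check that in the authentication methods policy separately. This also lists only permanent (active) assignments; if you use Privileged Identity Management, eligible assignments need their own query. Anything on the findings list that belongs to a former provider or employee should be removed the same day, not added to a ticket queue.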
Frequently Asked Questions
When does the new HIPAA Security Rule take effect?
The final rule is expected to be published as early as May 2026. Based on the proposed timeline, covered entities will have approximately 180 to 240 days from publication to comply, which puts the compliance deadline somewhere between November 2026 and January 2027. That sounds far away but it is not. If your practice needs to implement encryption, MFA, asset inventories, and annual audit processes from scratch, six to eight months goes fast.
Does this apply to small healthcare practices or just hospitals?
It applies to every covered entity and business associate, regardless of size. A 10-person home health agency in Fort Worth has the same compliance obligations as a major health system. The proposed rule does allow for some consideration of organization size when evaluating the reasonableness of specific controls, but the core requirements (encryption, MFA, annual audits, asset inventory) are not optional for anyone.
What happens if we are not compliant by the deadline?
OCR (the Office for Civil Rights, the enforcement arm of HHS) has been increasing its enforcement activity. In early 2026, OCR settled with a healthcare software company over a breach that exposed 15 million patient records. The root cause cited was failure to conduct a security risk analysis. The corrective action plan runs three years under OCR monitoring. Civil penalties for HIPAA violations are tiered by culpability, with a statutory base of $100 to $50,000 per violation and an annual cap per violation category that inflation adjustments have pushed past $2 million (roughly $2.07 million as of 2023 and higher since). For a breach triggered by noncompliance with the new rule, the financial and operational consequences are real.
Our current IT provider says we are HIPAA compliant. How do we know?
Ask for documentation. Specifically: your most recent security risk assessment (with the date), a complete inventory of all technology assets that access ePHI, a list of every BAA on file with current vendor names, your encryption policy and evidence of enforcement, and your incident response plan. If your provider cannot produce all of these within a week, what you have is not compliance. It is a checkbox on an invoice. If you want a second opinion, we offer free IT assessments for Fort Worth healthcare practices.
Next Steps
The new HIPAA Security Rule is not a surprise. HHS announced the proposed rule in late December 2024 and published it in the Federal Register in January 2025, and the healthcare industry has had time to prepare. The practices that will be in the best position are the ones that start now, not the ones that wait for the final rule and hope the deadline is generous.
Start with three things: get a current security risk assessment done, audit your technology assets (including every AI tool with access to patient data), and verify that encryption and MFA are actually enforced across every system that touches ePHI. If your current IT provider cannot do all three, it is time for a conversation with one who can.
Ready to prepare for the 2026 HIPAA Security Rule? IT Integrations provides HIPAA compliance support, cybersecurity, and AI integration and governance for Fort Worth healthcare practices and the surrounding DFW metro. Call (817) 808-1816 or schedule a free IT consultation today.