HIPAA is about to change for the first time in more than a decade. If you administer a medical practice, a small hospital, or a Taft-Hartley health and welfare fund, the rules you're operating under today will not be the rules you're operating under twelve months from now. The window to prepare is open. Unlike most regulatory clocks, this one comes with a precise deadline: 240 days from publication of the final rule.
This piece explains what HIPAA requires today, what's almost certainly changing in May 2026, and what the practical preparation work looks like.
The fact that gets missed
Most HIPAA guidance is written for clinics and hospitals. That's where most of the covered entities live. But a category of organization that often doesn't realize it's subject to HIPAA — and very often is — is the union health and welfare fund.
Taft-Hartley plans that provide health benefits to union members are health plans under HIPAA. So are union-sponsored EAP programs handling mental health and substance abuse data. If your local administers benefits to members and their families, you handle protected health information, and the obligations apply. The penalties for getting it wrong apply too.
If that describes your organization and you've been operating on the assumption that HIPAA is something hospitals worry about, that's the first thing to fix.
What HIPAA actually protects
Protected Health Information — PHI — is anything that identifies an individual combined with anything about their health, treatment, or payment for care. The textbook examples are obvious: a patient chart, a lab result, a billing statement, a claims record.
The non-obvious examples are where most small organizations get in trouble. A voicemail to a patient that references a procedure. A fax cover sheet with a diagnosis visible. A photo of a whiteboard taken during a staff meeting. A spreadsheet emailed to a personal account "just to work on at home." A text message between two providers about a patient by name. A claims status email to a member's spouse who isn't on the authorization. All of these are PHI, and all of them are subject to the same rules as the patient chart.
Privacy Rule and Security Rule, briefly
HIPAA has two operational rules that matter day to day.
The Privacy Rule governs who can see what. It defines what counts as PHI, what disclosures are permitted, what notices patients and members are entitled to, and how individuals access and amend their own records.
The Security Rule governs how electronic PHI is protected — administrative practices, physical safeguards, and technical controls. This is the rule that's about to change.
The three safeguard buckets
The Security Rule organizes its requirements into three categories.
Administrative safeguards are the policies and processes: workforce training, role assignment, sanctions for violations, periodic risk analysis. The paper side of the program.
Physical safeguards are the controls on the physical environment: locked offices, badge access, paper disposal, device inventory, secure workstation placement. The building side.
Technical safeguards are the controls on the systems themselves: encryption, access controls, audit logs, automatic logoff, integrity verification. The IT side.
Every covered entity is expected to implement all three. The proposed changes coming in 2026 affect the technical safeguards most heavily.
Business Associate Agreements
Any organization that handles PHI on your behalf is a business associate, and you need a written agreement with each one. The list is longer than most administrators realize: the billing service, the IT managed service provider, the cloud EHR vendor, the AI scribe vendor, the document shredding company that picks up your paper records, the cloud storage provider where backups live.
A Business Associate Agreement isn't a formality. It allocates liability. If a breach happens at a vendor and you don't have a BAA in place, you eat the breach yourself.
For union health funds: the third-party administrator that processes claims, the pharmacy benefit manager, the consultant who runs your annual actuarial review, the cloud platform where eligibility data is stored — all business associates, all need current BAAs. The agreement signed in 2008 when the fund first went digital is almost certainly out of date. It should be reviewed and probably replaced.
The risk analysis nobody does
Of every requirement in the HIPAA Security Rule, the one cited most often in enforcement actions is the risk analysis. OCR's ongoing Risk Analysis Initiative has produced a finding under this provision in every major enforcement action since it began.
A risk analysis is a documented assessment of where your ePHI lives, who has access to it, what could go wrong, how likely each scenario is, and what controls you have in place to address it. It is not a checklist. It is not a vendor-provided document with your logo pasted on it. It is a real exercise that ends in writing.
Most small practices and most small union funds don't have one. Most could complete the first version in a focused week. Almost none will, until the audit letter arrives.
What's changing in May 2026
On January 6, 2025, the Department of Health and Human Services published a Notice of Proposed Rulemaking to overhaul the Security Rule for the first time since 2013. The comment period closed in March 2025, with nearly 5,000 comments submitted. The Office for Civil Rights' regulatory agenda lists the final rule for May 2026.
The structural change is the most consequential one in twenty years. Under the current rule, some implementation specifications are "required" and others are "addressable" — the addressable ones can be skipped if the entity documents a justification. The proposed rule eliminates that distinction. Everything becomes required, with narrow exceptions.
The technical requirements becoming mandatory include:
- Multi-factor authentication on every system that touches ePHI
- Encryption of ePHI at rest and in transit, as a standalone standard
- Network segmentation
- A written technology asset inventory and network map, reviewed annually
- Enhanced risk analysis with threat-vulnerability pairs tied to that inventory
- Vulnerability scanning every six months
- Annual penetration testing
- Critical patches within 15 days, high-severity patches within 30
- A 72-hour recovery time objective and 48-hour recovery point objective
- An annual compliance audit
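As an added illustration (not from the article), the check below turns a few of the proposed controls above into a repeatable inventory review: it flags ePHI systems lacking MFA or encryption at rest, applies the 15-day critical and 30-day high-severity patch windows, and flags an asset inventory not reviewed within a year. The asset records are constructed, and the field names and thresholds are this example's own simplification of the rule text.

```python
"""Added example: a minimal technology-asset inventory check against the proposed
HIPAA Security Rule controls discussed above. All asset data is constructed."""
from dataclasses import dataclass, field
from datetime import date

CRITICAL_PATCH_DAYS = 15      # critical patches within 15 days (proposed rule)
HIGH_PATCH_DAYS = 30          # high-severity patches within 30 days
INVENTORY_REVIEW_DAYS = 365   # asset inventory and network map reviewed annually


@dataclass
class Asset:
    name: str
    holds_ephi: bool
    mfa: bool
    encrypted_at_rest: bool
    # open patches as (severity, date the vendor released the fix)
    open_patches: list = field(default_factory=list)


def check_asset(asset, today):
    """Return findings for one asset, each tied to the control it fails."""
    findings = []
    if asset.holds_ephi and not asset.mfa:
        findings.append(f"{asset.name}: MFA missing on ePHI system")
    if asset.holds_ephi and not asset.encrypted_at_rest:
        findings.append(f"{asset.name}: ePHI not encrypted at rest")
    for severity, released in asset.open_patches:
        limit = {"critical": CRITICAL_PATCH_DAYS, "high": HIGH_PATCH_DAYS}.get(severity)
        if limit is None:
            continue  # the proposed rule sets no fixed window for lower severities
        overdue = (today - released).days - limit
        if overdue > 0:
            findings.append(f"{asset.name}: {severity} patch overdue by {overdue} days")
    return findings


def check_inventory(assets, last_reviewed, today):
    """Inventory-level review: annual review date first, then every asset."""
    findings = []
    if (today - last_reviewed).days > INVENTORY_REVIEW_DAYS:
        findings.append("inventory: annual review overdue")
    for asset in assets:
        findings.extend(check_asset(asset, today))
    return findings


# Constructed sample inventory for a small fund office.
SAMPLE = [
    Asset("claims-db", True, True, True, [("critical", date(2026, 1, 1))]),
    Asset("ehr-app", True, False, True, [("high", date(2026, 1, 20))]),
    Asset("lobby-kiosk", False, False, False, []),
]


def sample_findings():
    """Run the constructed inventory as of 2026-02-01, last reviewed 2025-01-15."""
    return check_inventory(SAMPLE, date(2025, 1, 15), date(2026, 2, 1))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```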
Once the final rule publishes, organizations get 60 days to the effective date and another 180 days to comply. Two hundred and forty days total. That window is shorter than most multi-year IT budget cycles, which is why HHS has been signaling the changes for two years rather than springing them on the sector.
It is possible the final rule will be softer than the proposed version. Industry feedback pushed back hard on several provisions, and the final rule is being drafted under a different administration than the one that proposed it. But the direction is clear, and the safer assumption is that the major technical controls will land roughly as proposed.
How organizations actually get fined
A useful exercise: read through recent OCR enforcement actions and notice the patterns.
Lost or stolen unencrypted laptops show up repeatedly. So does texting PHI between colleagues on personal devices. The absence of a risk analysis on file is the most common single finding. Dismissed employees with active logins to clinical or claims systems come up regularly. Ransomware incidents where the organization had no tested backup are increasingly featured.
For union funds specifically, the pattern is slightly different: business associate agreements that were never executed, or were executed once and never updated, are a recurring source of liability when a third-party administrator gets breached. The fund pays the fine even though the breach happened somewhere else.
Breach notification
If a breach affects 500 or more individuals, the organization has to notify the affected individuals, HHS, and prominent media in the affected jurisdiction — all within 60 days. Smaller breaches are logged and reported annually.
The 60-day clock starts when the organization discovers the breach, not when it confirms what was taken. The temptation to delay notification until forensics is complete is understandable and dangerous. The clock keeps running while the lawyers debate.
A quarterly approach
For an organization that's starting from behind, a calendar-quarter cadence is realistic.
In the first quarter, complete or update the risk analysis. This is the foundation. Everything else gets built on top of it.
In the second quarter, audit every vendor with access to PHI and confirm each has a current Business Associate Agreement. Update or execute new agreements as needed. Pay attention to the agreements that have been in place the longest — they are the ones most likely to be out of date.
In the third quarter, enforce multi-factor authentication on every system that touches ePHI: email, EHR, billing platform, claims platform, cloud storage, remote access. If a system can't support MFA, document the compensating controls and the migration plan.
In the fourth quarter, run a tabletop exercise simulating a realistic incident — a ransomware encryption of the EHR, a stolen laptop with claims data on it, a phishing-driven business email compromise targeting the practice manager. Include leadership, IT, counsel, and whoever handles patient or member communications. Document what worked and what didn't.
The clock has already started
The proposed rule has been on the agenda for two years. The May 2026 target is not a guess. The 240-day compliance window will feel short when it arrives, and organizations that start preparing after the final rule publishes will be playing catch-up against organizations that started a year earlier.
The first step is the one most organizations skip: a risk analysis you'd be comfortable handing to an auditor. Once that document exists, everything else has a place to plug into. Without it, every other control is a guess at what matters and a hope that what you're spending money on is what an auditor would have asked you to spend money on.
Start with the risk analysis. Build from there.