
2026 HIPAA Security Rule: What Florida Practices Must Do

The 2026 HIPAA Security Rule eliminates addressable safeguards and mandates MFA, encryption, and 72-hour recovery. Here's how to prepare your practice.

BASG 9 min read

The average healthcare data breach now costs $9.8 million. Florida ranks among the worst-hit states for healthcare breaches year after year. And the federal government just rewrote the rules for how every medical practice in the country must protect patient data.

The 2026 HIPAA Security Rule update is the most significant overhaul of healthcare cybersecurity requirements in over a decade. The word “addressable” — the loophole that let practices skip safeguards they deemed too expensive or complex — is gone. Nearly every security control is now mandatory.

If you run a medical practice, dental office, surgical center, or any organization that handles protected health information (PHI) in South Florida, this affects you directly. Here is exactly what changed, when you need to comply, and what to do about it.

Key Takeaways

  • All safeguards are now mandatory. The distinction between “required” and “addressable” is eliminated. Encryption, MFA, and network segmentation are no longer optional.
  • 72-hour system recovery is now a regulatory requirement — not a best practice.
  • Business associates face 24-hour incident reporting and annual verification of technical safeguards.
  • Violation penalties increased in January 2026, with small practice settlements ranging from $182,000 to $800,000.
  • The compliance deadline is expected in late 2026 or early 2027, but organizations should start preparing now. The changes are substantial and cannot be implemented overnight.

What’s Changing in the 2026 HIPAA Security Rule

HHS published the Notice of Proposed Rulemaking (NPRM) in December 2024. The public comment period closed in March 2025, and the final rule is expected by May 2026. Once published, covered entities will have 180 to 240 days to comply.

The core shift: everything is required now. The old framework let organizations evaluate whether a safeguard was “addressable” — meaning they could document why it wasn’t reasonable for their situation and implement an alternative. That flexibility is gone. Here are the specific mandates.

Mandatory Encryption of All ePHI

Every piece of electronic protected health information must be encrypted at rest and in transit. No exceptions. No alternative measures. No “we use password protection instead” workarounds.

This means:

  • Full-disk encryption on every workstation, laptop, and server storing patient data
  • TLS encryption for all data transmitted over networks, including internal traffic
  • Encrypted email for any communications containing PHI
  • Encrypted backups — unencrypted backup tapes or drives are now a violation waiting to happen

For practices still running unencrypted laptops or sending PHI over standard email, this is a significant infrastructure change.

Multi-Factor Authentication — No Exceptions

MFA becomes mandatory for all users accessing systems that contain ePHI. Not just remote access. Not just administrators. Everyone — front desk staff, nurses, physicians, billing teams.

This applies to:

  • EHR systems (Epic, Cerner, athenahealth, eClinicalWorks)
  • Practice management software
  • Email accounts that handle patient communications
  • Cloud storage and file-sharing platforms
  • Remote desktop and VPN connections

The days of a shared password taped to a monitor in the back office are officially over. Practices will need to deploy MFA solutions that balance security with clinical workflow efficiency — because a physician who can’t log in during a patient visit is a real problem.

72-Hour System Recovery Mandate

Here’s where it gets interesting for Florida practices specifically.

The new rule requires covered entities to demonstrate the ability to restore critical systems within 72 hours of any incident — ransomware, hardware failure, natural disaster, or anything else.

For South Florida, this intersects directly with hurricane season. A Category 4 storm that floods your server room, kills power for days, and displaces your staff doesn’t exempt you from this requirement. You need tested, documented disaster recovery procedures that can bring your EHR, billing, and scheduling systems back online within three days regardless of what caused the outage.

This means:

  • Cloud-based or geo-redundant backups stored outside your facility (and outside the hurricane zone)
  • Tested recovery procedures — not just backups that exist, but backups you’ve actually restored from
  • Documented recovery time objectives (RTOs) for every critical system
  • A business continuity plan that accounts for facility loss, staff displacement, and extended power outages

In our experience working with South Florida healthcare organizations, fewer than 20% have actually tested a full system recovery. The ones who have often discover their backups don’t work the way they expected. Test now, not during a crisis.
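As an added example (not from the original post and not a BASG tool): a minimal Python recovery drill that backs up a constructed, non-PHI sample data set, restores it into a fresh directory, verifies every restored file against the manifest taken at backup time, and records whether the restore finished inside the 72-hour objective. The file names and the 72-hour constant are assumptions taken from the text; the tamper flag simulates a backup that silently lost a file, the kind of failure a practice only discovers when it actually restores.

```python
"""Recovery drill: back up a constructed sample, restore it, verify by SHA-256,
and time the restore against the 72-hour recovery objective from the rule."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

RTO_SECONDS = 72 * 3600  # 72-hour system recovery objective (assumed from the text)


def sha256_tree(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Create a gzip tar of src and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    return sha256_tree(src)


def restore_and_verify(archive: Path, dest: Path, manifest: dict) -> dict:
    """Restore archive into dest and compare the result with the manifest.
    Returns a drill record: elapsed seconds, missing/corrupted files, RTO result."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest)  # archive is our own; use filter="data" for untrusted ones
    restored = sha256_tree(dest / "data")
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    elapsed = time.monotonic() - start
    return {"elapsed_s": elapsed, "missing": missing, "corrupted": corrupted,
            "meets_rto": elapsed <= RTO_SECONDS and not missing and not corrupted}


def run_drill(tamper: bool = False) -> dict:
    """Full drill on a constructed sample of two fake, non-PHI records."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr"
        src.mkdir()
        (src / "schedule.csv").write_text("2026-06-01,09:00,room1\n")  # constructed
        (src / "billing.csv").write_text("claim-0001,100.00\n")        # constructed
        manifest = make_backup(src, tmp / "ehr-backup.tgz")
        if tamper:  # simulate a backup job that never captured one expected file
            manifest["labs.csv"] = "0" * 64
        return restore_and_verify(tmp / "ehr-backup.tgz", tmp / "restore", manifest)
```

A real drill would point make_backup at the live data set and run the restore on a host outside the facility; the record it returns is the evidence the documented RTO requires.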

Biannual Vulnerability Scans and Annual Penetration Testing

Vulnerability scanning every six months and full penetration testing every twelve months are now required — not recommended, not best practice, but auditable compliance requirements.

This is a significant lift for practices that have never performed either. A vulnerability scan identifies known security weaknesses across your network, applications, and devices. A penetration test simulates an actual attack to see if those weaknesses can be exploited.

Both must be documented with findings, remediation plans, and evidence of follow-through.

24-Hour Business Associate Incident Reporting

Business associates — including IT providers, billing companies, cloud vendors, and EHR hosts — must now report security incidents to covered entities within 24 hours of discovery.

This is a dramatic tightening. Previously, there was no strict federal timeline for BA-to-CE incident notification. The new rule puts your vendors on the clock.

What this means for your practice: you need to know who your business associates are, confirm they can meet this requirement, and have a documented process for what happens when you receive a notification.

Annual Written Verification of BA Safeguards

Once a year, covered entities must obtain written verification from every business associate confirming that required technical safeguards are in place. A signed BAA is no longer enough. You need documented proof that your vendors are actually implementing what the agreement requires.

This is vendor management at a level most practices have never done. It means auditing your BA relationships, collecting compliance attestations, and maintaining records that demonstrate due diligence.

The Timeline — When You Need to Be Ready

Here’s the full compliance calendar for 2026:

Date                     What Happened / What’s Coming
Jan 28, 2026             Updated HIPAA violation penalty amounts took effect
Feb 16, 2026             Privacy Rule updates took effect (reproductive/behavioral health data, Notice of Privacy Practices updates)
May 2026                 Expected finalization of the Security Rule
Jul-Aug 2026             Expected effective date (60 days after publication)
Late 2026 - Early 2027   Full compliance deadline (180-240 days after publication)

One important note: The Trump administration issued a regulatory freeze in January 2025 that created some uncertainty around the final rule’s timeline. Some provisions may be modified in the final version. However, every compliance expert and legal advisory we’ve seen recommends preparing for the full scope of requirements as proposed. Waiting for the final text to start preparing is a losing strategy — these changes are too substantial to implement in 180 days if you’re starting from scratch.

What This Means for South Florida Medical Practices

Florida has unique risk factors that make these changes especially urgent:

Florida is a top target for healthcare breaches. The state consistently ranks among the worst-affected for healthcare data breaches nationwide. In recent years, Florida-based organizations including Medusind (a billing company with 700,000+ individuals affected) and multiple practice management companies have experienced significant breaches.

Hurricane season meets the 72-hour recovery mandate. South Florida’s annual hurricane threat makes the disaster recovery requirement more than a compliance checkbox. Practices in Miami-Dade, Broward, and Palm Beach counties need recovery plans that assume facility damage, prolonged power loss, and staff unable to reach the office. This likely means cloud-based infrastructure rather than on-premises servers that can be destroyed by storm surge.

A large elderly and Medicare population means more PHI at risk. South Florida’s disproportionately large senior population means practices here handle higher volumes of sensitive health data per capita. More PHI means more exposure, more audit scrutiny, and higher penalties when something goes wrong.

Practice size doesn’t matter. HHS has been explicit: the size of your practice is irrelevant to your compliance obligations. A solo practitioner in Coral Gables faces the same requirements as a 200-physician health system. The difference is resources — which is exactly why smaller practices need an experienced healthcare IT partner to share the burden.

Updated HIPAA Violation Penalties in 2026

As of January 28, 2026, penalty amounts increased across all tiers:

Tier   Culpability                       Minimum Per Violation   Maximum Annual
1      Did Not Know                      $145                    $36,505
2      Reasonable Cause                  $1,461                  $146,053
3      Willful Neglect (Corrected)       $14,601                 $365,052
4      Willful Neglect (Not Corrected)   $73,014                 $2,190,294

These are per-violation amounts. A single breach can involve thousands of individual violations.

Real-world context: Small practice settlements in recent enforcement actions have ranged from $182,000 to $800,000. For a five-physician practice doing $3 million in annual revenue, an $800,000 penalty is potentially fatal. And that’s before you factor in breach notification costs, legal fees, patient lawsuits, and reputational damage.

The cost of compliance is a fraction of the cost of non-compliance. Every time.

How to Prepare Your Practice Now

You don’t need to wait for the final rule to start getting ready. Here’s the action plan we walk through with our compliance clients:

1. Conduct a Formal Risk Assessment
   If you haven’t done a documented HIPAA risk assessment in the past 12 months, start here. Map every system that touches ePHI, identify vulnerabilities, and document your findings. This is the foundation everything else builds on.

2. Deploy MFA Across All Systems
   Start with your EHR and email, then expand to practice management software, cloud platforms, and remote access. Choose solutions that minimize disruption to clinical workflows — your physicians need to authenticate quickly between patient rooms.

3. Encrypt Everything
   Audit every device and system for encryption status. Full-disk encryption on all endpoints, TLS for all network traffic, encrypted email for PHI communications, and encrypted backups. No gaps.

4. Test Your Disaster Recovery
   Don’t just have backups — test them. Run a full recovery drill. Can you restore your EHR within 72 hours? Can you do it if your building is inaccessible? If the answer is no, your backup strategy needs work. Consider HIPAA-compliant cloud infrastructure with geo-redundant replication outside the hurricane zone.

5. Audit Your Business Associates
   List every vendor with access to PHI. Verify BAAs are current. Confirm each vendor can meet the 24-hour incident reporting requirement. Start collecting written verification of their security controls.

6. Schedule Vulnerability Scans
   Engage a qualified security firm or your cybersecurity provider to conduct vulnerability scans now and plan for biannual recurrence. Budget for annual penetration testing.

7. Document Everything
   The new rule emphasizes documentation at every turn. Risk assessments, policies, training records, recovery test results, BA verifications — if it’s not documented, it didn’t happen as far as HHS is concerned.

Why Small Practices Can’t Afford to Wait

We hear it from practices every week: “We’re too small to be a target.” The data says otherwise. 43% of cyberattacks target small and mid-size organizations. And HHS has made it clear that enforcement applies equally regardless of practice size.

The real challenge for small practices isn’t willingness — it’s resources. A five-person medical office doesn’t have a CISO, a compliance team, or an IT department. But the 2026 rule doesn’t care. The requirements are the same whether you have 5 employees or 5,000.

This is exactly where a managed IT partner with healthcare expertise makes the difference. Instead of hiring a full-time compliance officer ($120,000+), a security analyst ($95,000+), and an IT director ($140,000+), you get all of those capabilities through a single healthcare IT partnership at a fraction of the cost.

Here’s what we tell our South Florida healthcare clients: the practices that start preparing now will have a smooth compliance transition when the final rule drops. The ones that wait will be scrambling — and scrambling is when mistakes happen, shortcuts get taken, and auditors find gaps.

Don’t wait for the final rule to start preparing. The requirements are clear enough to act on today. If your practice needs help understanding where you stand and what it will take to get compliant, schedule a healthcare IT assessment with our team. No cost, no pressure — just a clear picture of your compliance posture and a roadmap for what comes next.
