HIPAA 'Addressable' vs 'Required' Safeguards: Will the Distinction Be Eliminated by 2026?

Kevin Henry

HIPAA

March 12, 2026

Overview of HIPAA Security Rule Safeguards

The HIPAA Security Rule protects electronic protected health information (ePHI) through administrative, physical, and technical safeguards. Historically, some implementation specifications were “required,” while others were “addressable,” allowing entities to choose reasonable alternatives if a measure was not appropriate. In a January 6, 2025 Notice of Proposed Rulemaking (NPRM), HHS/OCR proposed eliminating this addressable-versus-required distinction to clarify that entities must meet both the standards and their implementation specifications. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

In practice, the proposal would move the rule toward clearer, more prescriptive implementation specifications—without removing all scalability. OCR emphasized that flexibility would remain in how you meet requirements, not whether you meet them. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Implications of Eliminating Addressable vs Required Distinction

If finalized, every implementation specification would be mandatory. This would tighten expectations around areas that were often treated as optional, and it would affect day-to-day security operations, purchasing decisions, documentation, and audits. For example, risk analysis would still guide how you deploy controls, but documentation of “why not” in lieu of action would largely disappear. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

For your compliance program, the shift means accelerating work on access control, multi-factor authentication, encryption at rest and in transit, and recurring verification of safeguards. These changes are designed to raise baseline cybersecurity hygiene and strengthen the overall security posture across regulated entities. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html?utm_source=openai))

Mandatory Encryption Requirements for ePHI

Scope and standards

The NPRM would elevate encryption from an addressable measure to a standard: encrypt all ePHI at rest and in transit using “prevailing cryptographic standards,” and update methods as standards evolve. You would also need to review and test related technical controls at defined intervals. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Limited exceptions

  • Technology limitations: a documented, time-bound migration plan where current assets cannot meet prevailing cryptographic standards. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
  • Individual right of access: an individual explicitly requests unencrypted transmission after being informed of the risks, and your systems are not jeopardized. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
  • Emergencies: encryption is infeasible during an event that adversely affects your systems; compensating controls must be in place and reviewed. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
  • Certain FDA-regulated medical devices: narrowly tailored exceptions with patching and other manufacturer conditions. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Multi-Factor Authentication Implementation

Where MFA applies

The proposal would require multi-factor authentication (MFA) for users accessing technology assets within relevant electronic information systems, coupled with unique-password requirements and stronger authentication controls. This aims to reduce compromise from single-factor credentials. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Exceptions and compensating controls

  • Technology does not support MFA, with a documented plan to migrate. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
  • MFA infeasible during emergencies, with compensating controls consistent with contingency and emergency access procedures. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))
  • Specified FDA-regulated medical devices under defined conditions. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Implementation tips

Prioritize high-risk access paths first, align factors to your risk analysis, harden account lifecycle processes (joiner/mover/leaver), and enforce unique, non-default passwords. As you expand MFA coverage, coordinate with vendors and clinical teams to minimize disruption to care. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Technology Asset Inventories and Network Mapping

What to inventory and map

The NPRM would require maintaining an accurate technology asset inventory (hardware, software, data, and hosted services) and a network map showing where ePHI resides and how it flows across systems and connections, including business associates as applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html?utm_source=openai))

Maintenance cadence

You would need to review and update both the inventory and network map on an ongoing basis—at least every 12 months and whenever environmental or operational changes affect ePHI. These artifacts then inform risk analysis and access control decisions. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

Compliance Preparation for Healthcare Organizations

Near-term priorities

  • Refresh your enterprise risk analysis to focus on ePHI data flows; validate access control design, including role-based access and emergency access procedures.
  • Close encryption gaps for ePHI at rest and in transit; verify configurations, keys, and cipher suites against current standards.
  • Stand up an organization-wide MFA program; eliminate default passwords, enforce unique credentials, and strengthen privilege-change workflows.
  • Build or refine your technology asset inventory and network map; integrate discovery tools and align them with incident response and change management.
  • Assess business associate security; plan for contract updates and right-to-audit language as needed.
  • Exercise response plans, test backups (including offline copies), and train your workforce on new authentication and access control expectations.

Measuring progress

Set quarterly targets tied to concrete outcomes (for example, percentage of systems with encryption at rest, MFA coverage across applications, completeness of asset records). Use these metrics to demonstrate improved security posture and inform your board and executive leadership.

Timeline and Finalization of Proposed Changes

What has happened so far

  • Dec 27, 2024: OCR announced proposed updates to the HIPAA Security Rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html?utm_source=openai))
  • Jan 6, 2025: the NPRM was published in the Federal Register. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html?utm_source=openai))
  • Comment period closed March 7, 2025. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-4555/attachment_1.pdf?utm_source=openai))

What to expect in 2026

As of March 13, 2026, OCR has not issued a final rule; the NPRM remains pending. If and when a final rule is published, it would be effective 60 days after publication, with a standard compliance date 180 days after the effective date. Additional transition time would be available to update existing business associate agreements (generally up to one year after the effective date or earlier upon renewal). Plan your program assuming these statutory timelines. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

Conclusion

The proposal signals a decisive move toward mandatory, modern safeguards—encryption at rest and in transit, multi-factor authentication, comprehensive access control, and living maps of your ePHI ecosystem. Even before finalization, closing known gaps now will reduce breach risk, simplify eventual compliance, and materially strengthen patient trust. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf))

FAQs

What is the difference between addressable and required safeguards under HIPAA?

“Required” implementation specifications must be implemented as written. Historically, “addressable” specifications allowed you to determine if a control was reasonable and appropriate in your environment; if not, you could implement an equivalent alternative and document your rationale. The NPRM proposes to eliminate this distinction and make implementation specifications mandatory if finalized.

How will elimination of addressable safeguards affect compliance?

If finalized, you would no longer rely on “document-and-defer” approaches. Instead, you would be expected to implement the specified controls (for example, encryption at rest and in transit, multi-factor authentication), with only narrow, defined exceptions. Your risk analysis would continue to guide how you implement controls—not whether you implement them.

When will the new HIPAA Security Rule changes take effect?

As of March 13, 2026, the changes have not been finalized. If a final rule is issued, it would typically become effective 60 days after publication, with a standard compliance date 180 days after the effective date and added time to update business associate agreements.

What steps should healthcare organizations take to prepare for the 2026 updates?

Begin closing gaps now: complete an ePHI-focused risk analysis, deploy encryption at rest and in transit, expand multi-factor authentication, refresh access control policies, build your technology asset inventory and network map, and prepare to update business associate agreements. These actions improve your security posture today and position you for a smoother transition if the rule is finalized in 2026.
