Updated HIPAA Security Rule Pen Test Requirements: What’s New and How to Comply
Mandatory Annual Penetration Testing
What’s new
The updated HIPAA Security Rule would require you to perform penetration testing of relevant electronic information systems at least once every 12 months, or more frequently if your risk analysis indicates a higher cadence. Testing must be performed by a qualified person and focus on protecting electronic protected health information (ePHI). As of April 14, 2026, these requirements are proposed and pending finalization; planning and implementation should begin now to avoid compliance gaps. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How to comply
- Define penetration testing protocols that align with your risk analysis, ePHI data flows, and business impact.
- Scope tests to internet-facing assets, internal segments housing ePHI, remote access paths, and high-risk apps.
- Set clear rules of engagement that minimize ePHI exposure and require a Business Associate Agreement where applicable.
- Translate findings into prioritized remediation plans, track closure, and feed outcomes back into risk management.
Semi-Annual Vulnerability Scanning
What’s new
You must conduct automated vulnerability scanning at least every six months, or on the schedule dictated by your risk analysis if that is more frequent. You are also expected to monitor authoritative sources for newly disclosed vulnerabilities and remediate in concert with patch management. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How to comply
- Cover external, internal, cloud, and wireless environments; run credentialed (authenticated) scans wherever possible, since unauthenticated scans see only exposed network services and miss installed-software versions, local misconfigurations, and missing patches.
- Run scans after major changes and at regular intervals; treat results as a vulnerability assessment, not just a list.
- Prioritize by exploitability and ePHI impact, assign owners, and verify fixes with rescans.
Qualified Personnel for Testing
Who qualifies
Under the proposal, a “qualified person” has appropriate knowledge and experience with accepted cybersecurity principles and methods to ensure the confidentiality, integrity, and availability of ePHI. In practice, look for demonstrated offensive security experience and recognized credentials (for example, OSCP, GIAC GPEN/GXPN) or equivalent expertise. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Selecting and managing providers
- Require documented methodologies, sample deliverables, and evidence handling standards that minimize ePHI exposure.
- Execute BAAs where testing may access ePHI; define data retention and destruction timelines.
- Ensure testers are independent of day-to-day system administration to improve objectivity.
Implementing Multi-Factor Authentication
What’s new
The update would mandate multi-factor authentication (MFA) across technology assets in relevant electronic information systems, with narrow exceptions and requirements for compensating controls and migration plans where MFA is temporarily infeasible. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How to comply
- Prioritize MFA for privileged accounts, remote access, EHR platforms, and systems that create, receive, maintain, or transmit ePHI.
- Adopt SSO so MFA is enforced once at the identity provider rather than per application; prefer phishing-resistant factors (FIDO2/WebAuthn security keys, PIV smart cards) over SMS, voice, and push-based approvals, which can be relayed by adversary-in-the-middle phishing or worn down by push fatigue.
- Document any exception, implement compensating controls, and set a time-bound migration plan.
Encryption for ePHI Protection
What’s new
The proposal would require you to encrypt all ePHI at rest and in transit using prevailing encryption standards, replacing the prior flexibility with limited exceptions where technology constraints exist and documented compensating measures are in place. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How to comply
- At rest: enable full-disk encryption on laptops and workstations and database/file encryption on servers; keep keys separate from the data they protect (an HSM or cloud KMS rather than a file beside the database), log key use, and rotate keys on a defined schedule.
- In transit: require TLS 1.2 or later (prefer TLS 1.3) with legacy protocols and ciphers disabled for APIs, apps, and email; because SMTP TLS between mail servers is typically opportunistic, send ePHI by email only over an enforced-TLS path or with message-level encryption; segment and secure VPNs and remote access paths.
- Governance: catalog cryptographic controls, keys, and rotations; validate configurations in change management.
Maintaining Technology Asset Inventory
What’s new
You must maintain an accurate, written technology asset inventory and a current network map of electronic information systems and all technology assets that can affect ePHI, including those of business associates where they impact your environment. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How to comply
- Record identifiers, versions, accountable owners, and locations; update upon changes and as part of routine reviews.
- Use automated discovery to reduce blind spots and tie inventory fields to risk analysis and access controls.
- Map ePHI data flows to ensure scanning, testing, and encryption controls are complete and effective.
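Both the scanning guidance above (prioritize by exploitability and ePHI impact, assign owners, verify fixes with rescans) and the inventory guidance (use automated discovery to find blind spots, tie inventory fields to risk) come down to joining scanner output against the written asset inventory. The following is an added example, not code from the original page or from any scanner vendor or regulator: it assumes a scanner export flattened to (host, finding id, CVSS score, known-exploited flag) records and an inventory keyed by hostname. The field names, weights, and sample data are constructed for illustration.

```python
"""Triage vulnerability-scan results against a technology asset inventory.

Added example. Assumes a flattened scanner export and an inventory keyed by
hostname; all hostnames, finding ids, owners and weights below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    ephi: bool             # creates, receives, maintains, or transmits ePHI
    internet_facing: bool
    location: str


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str        # scanner plugin or advisory id (constructed here)
    cvss: float
    exploit_known: bool    # listed in an authoritative known-exploited feed


# Constructed inventory: what the written asset register says exists.
INVENTORY = {
    a.host: a
    for a in [
        Asset("ehr-db-01", "dba-team", True, False, "dc-east"),
        Asset("portal-web-01", "web-team", True, True, "cloud-region-1"),
        Asset("print-srv-02", "it-ops", False, False, "clinic-3"),
    ]
}

# Constructed discovery output: hosts the scanner actually responded from.
DISCOVERED_HOSTS = ["ehr-db-01", "portal-web-01", "print-srv-02", "imaging-ws-17"]

# Constructed findings from the first scan and from the verification rescan.
FIRST_SCAN = [
    Finding("portal-web-01", "F-1", 9.8, True),
    Finding("print-srv-02", "F-2", 7.5, True),
    Finding("ehr-db-01", "F-3", 6.5, False),
    Finding("ehr-db-01", "F-4", 4.3, False),
    Finding("imaging-ws-17", "F-5", 5.0, False),
]
RESCAN = [
    Finding("print-srv-02", "F-2", 7.5, True),
    Finding("ehr-db-01", "F-4", 4.3, False),
    Finding("imaging-ws-17", "F-5", 5.0, False),
]


def unknown_assets(discovered, inventory):
    """Hosts the scanner saw that the inventory does not list: blind spots to record."""
    return sorted(h for h in discovered if h not in inventory)


def priority_score(finding, asset):
    """CVSS plus constructed weights for exploitability and ePHI exposure.

    An asset missing from the inventory gets the known-exploit weight added
    because its exposure is unknown, which is itself a risk-analysis gap.
    """
    score = finding.cvss
    if finding.exploit_known:
        score += 3.0
    if asset is None:
        score += 3.0
    else:
        if asset.ephi:
            score += 2.0
        if asset.internet_facing:
            score += 1.0
    return round(score, 1)


def triage(findings, inventory):
    """Attach owner and priority to each finding, highest priority first."""
    rows = []
    for f in findings:
        asset = inventory.get(f.host)
        rows.append({
            "host": f.host,
            "finding": f.finding_id,
            "owner": asset.owner if asset else "UNASSIGNED (not in inventory)",
            "score": priority_score(f, asset),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def verify_remediation(before, after):
    """Compare a rescan with the prior scan: closed, still open, and new findings."""
    prior = {(f.host, f.finding_id) for f in before}
    current = {(f.host, f.finding_id) for f in after}
    return {
        "closed": sorted(prior - current),
        "still_open": sorted(prior & current),
        "new": sorted(current - prior),
    }


if __name__ == "__main__":
    print("not in inventory:", unknown_assets(DISCOVERED_HOSTS, INVENTORY))
    for row in triage(FIRST_SCAN, INVENTORY):
        print(row)
    print(verify_remediation(FIRST_SCAN, RESCAN))
```

The "still_open" list from `verify_remediation` is the evidence an auditor will ask for: each entry should map to a ticket with an owner and a due date, and a finding on a host that is not in the inventory should first become an inventory entry before anyone is asked to patch it.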
Compliance Documentation Practices
What to document
- Risk analysis, vulnerability assessment and scanning results, penetration testing protocols and reports, and remediation tracking.
- MFA coverage, encryption standards in use, asset inventory and network maps, workforce training, and incident/backup evidence.
Retention and review cadence
Keep required documentation for six years, make it available to responsible personnel, and review and update it at least annually and after material changes. Build an “audit-ready” evidence library that aligns to your cybersecurity safeguards and controls. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Bottom line: the updated HIPAA Security Rule pen test requirements emphasize measurable, recurring security activities (annual pen tests, semi-annual scanning, universal MFA, mandatory encryption, and rigorous asset inventories) so you can prove, not just assert, that ePHI is protected.
FAQs
What are the new HIPAA penetration testing frequency requirements?
Penetration testing must occur at least once every 12 months, or more frequently if your risk analysis supports a tighter cadence, and it must be conducted by a qualified person. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Who qualifies to perform HIPAA penetration testing?
A qualified person has appropriate knowledge and experience with accepted cybersecurity methods that ensure the confidentiality, integrity, and availability of ePHI. Many organizations look for proven offensive security experience and industry-recognized certifications or equivalent expertise. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How does multi-factor authentication enhance ePHI security?
MFA requires a second factor, something the user has or is, in addition to the password, so a password that has been guessed, leaked, or phished no longer grants access on its own. The protection depends on the factor: one-time codes and push approvals can still be relayed in real time by adversary-in-the-middle phishing kits or worn down by repeated push prompts, whereas phishing-resistant factors such as FIDO2/WebAuthn security keys and PIV smart cards are bound to the legitimate site and cannot be replayed against it.
What documentation is needed to prove HIPAA compliance?
Maintain your written risk analysis, scan and pen-test reports with remediation evidence, asset inventory and network maps, MFA and encryption configurations, policies and procedures, training logs, and backup/restore tests. Retain documentation for six years and review it at least annually and after significant changes. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.