The 2026 HIPAA Security Rule overhaul is the largest update since 2013. Every OB/GYN practice that works with a billing company handling ePHI must understand what changed — and what their business associates are required to do.
The 2026 HIPAA Security Rule update — published in January 2026 and effective 180 days after publication — is the most significant overhaul of HIPAA security requirements since the original Security Rule was finalized in 2003. For OB/GYN practices that outsource billing, understanding what changed is critical: you are responsible for ensuring your business associates comply.
What Changed: The Biggest Updates
1. All Specifications Are Now Mandatory
Under the previous HIPAA Security Rule, safeguards were divided into "required" and "addressable" specifications. Required specifications had to be implemented. Addressable specifications had to be implemented OR documented with a reason why they were not.
The 2026 rule eliminates the "addressable" category. All 24 implementation specifications, including those previously classified as "addressable," are now mandatory. This means practices can no longer document a reason for not implementing multi-factor authentication, encryption, or access controls.
2. Phishing-Resistant MFA Is Required
The 2026 rule explicitly requires multi-factor authentication for accessing systems containing ePHI. More importantly, it specifically mandates phishing-resistant MFA — meaning:
- SMS-based one-time passwords (OTP) no longer satisfy the MFA requirement
- FIDO2 hardware keys (YubiKey, Titan Key) are compliant
- TOTP authenticator apps (Google Authenticator, Authy) are compliant
- SMS codes are explicitly not sufficient
For OB/GYN practices using a billing company's client portal, your business associate must implement FIDO2 or TOTP MFA for all portal access — and must document this in your Business Associate Agreement.
3. Ransomware Response Plan Mandatory
The 2026 rule requires covered entities and business associates to maintain a documented ransomware incident response plan that includes:
- Detection and analysis procedures
- Containment and eradication steps
- Recovery from immutable backups
- Post-incident review and notification protocols
The plan must be tested annually and updated after any ransomware incident.
4. Immutable Audit Logs Required
Under the previous rule, audit log requirements were partially "addressable." The 2026 rule makes audit logging mandatory and adds a requirement that audit logs be stored in an immutable format — Write Once Read Many (WORM) storage — to prevent tampering or deletion.
Audit logs must be retained for a minimum of 6 years, with hot storage of at least 90 days.
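As an added example (not from the original article), a small Python check of the retention targets just described, assuming the audit logs live in an S3 bucket protected by Object Lock with a lifecycle rule for archiving (a hypothetical configuration; the dict shapes follow the S3 API). It flags GOVERNANCE-mode locks, default retention shorter than six years, archiving before 90 days, and expiration before six years.

```python
"""Check an S3 audit-log bucket's Object Lock and lifecycle settings against the
targets stated above: WORM storage, 6-year retention, at least 90 days hot.
Constructed example: the dicts mirror the shapes the S3 GetObjectLockConfiguration
and GetBucketLifecycleConfiguration APIs return; no AWS call is made."""
MIN_RETENTION_DAYS = 6 * 365   # 6-year minimum retention
MIN_HOT_DAYS = 90              # days before logs may move to archive storage
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

def _retention_days(default_retention: dict) -> int:
    """Normalize an Object Lock DefaultRetention block (Days or Years) to days."""
    return default_retention.get("Days", 0) or default_retention.get("Years", 0) * 365

def check_audit_log_bucket(object_lock: dict, lifecycle: dict) -> list:
    """Return findings as strings; an empty list means the bucket meets the targets."""
    findings = []
    if object_lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock disabled: logs are not WORM")
    ret = object_lock.get("Rule", {}).get("DefaultRetention", {})
    # GOVERNANCE mode can be bypassed by anyone holding s3:BypassGovernanceRetention;
    # only COMPLIANCE mode blocks deletion by every principal, root included.
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode {ret.get('Mode')!r} is not COMPLIANCE")
    if _retention_days(ret) < MIN_RETENTION_DAYS:
        findings.append(f"default retention {_retention_days(ret)} days < {MIN_RETENTION_DAYS}")
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        for t in rule.get("Transitions", []):
            if t.get("StorageClass") in ARCHIVE_CLASSES and t.get("Days", 0) < MIN_HOT_DAYS:
                findings.append(f"rule {rule['ID']}: archived after {t['Days']} days, "
                                f"need {MIN_HOT_DAYS} days hot")
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and expiry < MIN_RETENTION_DAYS:
            findings.append(f"rule {rule['ID']}: expires logs after {expiry} days")
    return findings

# Constructed sample: a bucket that meets the targets ...
COMPLIANT_LOCK = {"ObjectLockEnabled": "Enabled",
                  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}}
COMPLIANT_LIFECYCLE = {"Rules": [{"ID": "archive-audit-logs", "Status": "Enabled",
                                  "Filter": {"Prefix": "audit/"},
                                  "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
                                  "Expiration": {"Days": 2190}}]}
# ... and one that looks locked at a glance but fails every target.
WEAK_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}
WEAK_LIFECYCLE = {"Rules": [{"ID": "cheap-logs", "Status": "Enabled", "Filter": {"Prefix": ""},
                             "Transitions": [{"Days": 30, "StorageClass": "DEEP_ARCHIVE"}],
                             "Expiration": {"Days": 400}}]}
```

Running `check_audit_log_bucket(WEAK_LOCK, WEAK_LIFECYCLE)` is the kind of evidence to ask a business associate for, rather than a yes/no answer to "are your logs immutable?".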
5. Encryption Is Now Mandatory
While encryption was already considered best practice and effectively required by most HIPAA guidance, the 2026 rule explicitly mandates:
- AES-256 encryption for ePHI at rest
- TLS 1.3+ for ePHI in transit
- Key management documentation and rotation schedules
6. BAA Updates Required
Because the rule changes what business associates are required to implement, all existing Business Associate Agreements must be reviewed and updated to reflect the new mandatory requirements. BAAs that reference the old "addressable vs. required" framework may not be sufficient under the 2026 rule.
What OB/GYN Practices Must Do
Audit Your Business Associates
Every vendor that touches your ePHI — billing company, EHR vendor, clearinghouse, transcription service — is a business associate under HIPAA. You are responsible for ensuring they comply with the 2026 rule.
Questions to ask your billing company:
- How is ePHI encrypted at rest and in transit?
- What MFA method is required for portal access?
- Where are audit logs stored and in what format?
- Do you have a documented ransomware response plan?
- When was your BAA last updated?
Update Your BAAs
Request updated BAAs from all business associates that reflect the 2026 mandatory requirements. If a business associate cannot provide a compliant BAA or cannot answer basic questions about their security controls, that is a material risk to your practice.
Implement Internal Controls
Even if you don't access billing systems directly, your practice systems — EHR, patient portal, scheduling system — also handle ePHI and must comply with the 2026 rule. Common gaps in OB/GYN practices:
- Staff accessing EHR with shared passwords (violates access control requirements)
- No formal workforce training documentation for the past 12 months
- PHI transmitted via regular email (not encrypted in transit)
- No formal security risk assessment conducted in the past year
Conduct a Security Risk Assessment
The HIPAA Security Rule has always required an annual security risk assessment. Under the 2026 rule, this assessment must be more comprehensive and must specifically address:
- Ransomware exposure
- MFA gaps
- Encryption status for all systems and data flows
- Audit log completeness
What We Do at OBGYNBillingPro
OBGYNBillingPro was built to meet the 2026 HIPAA Security Rule from the ground up:
- AES-256 encryption at rest (AWS KMS)
- TLS 1.3+ for all data in transit
- FIDO2/TOTP MFA mandatory for all portal access — SMS-only is prohibited
- WORM audit logs with 90-day hot storage and S3 Glacier archiving
- Files uploaded via S3 pre-signed URLs only — ePHI never passes through our application server
- Zero PHI in application logs, error tracking, or analytics
- Documented ransomware response plan, tested annually
- BAA provided before any ePHI is shared, updated to reflect 2026 requirements
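As an added illustration of the pre-signed upload flow in the list above (example code, not OBGYNBillingPro's own), a standard-library Python function that mints a 15-minute SigV4 pre-signed PUT URL; the bucket, object key, credentials and timestamp are placeholders. The server's only role is to sign; the file itself goes from the browser to S3.

```python
"""Mint a short-lived S3 pre-signed PUT URL with SigV4 query signing: the
browser PUTs the document straight to S3 and the app server, which only signs,
never receives the file bytes.  Standard library only, so it runs offline.

Constructed example: bucket, key, credentials and timestamp are placeholders.
A real deployment would call the SDK (boto3 generate_presigned_url) with IAM
role credentials rather than hand-rolling the signature."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_put(bucket, key, access_key, secret_key, region, now, expires=900):
    """Return a PUT URL valid for `expires` seconds (default 15 minutes).  The
    signature covers method, host, object key, date and expiry, so the URL can
    upload only that one object, only within that window."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    date, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    # Canonical request; the body is not signed (UNSIGNED-PAYLOAD) because the
    # server never sees it, which is exactly the point of this flow.
    canonical = "\n".join(["PUT", "/" + quote(key, safe="/"), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):      # SigV4 signing-key chain
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/')}?{query}&X-Amz-Signature={sig}"

# Constructed placeholders (not real credentials).
SAMPLE_TIME = dt.datetime(2026, 1, 15, 12, 0, tzinfo=dt.timezone.utc)

def demo_url() -> str:
    return presign_put("example-bucket", "uploads/claim-1234.pdf", "AKIAEXAMPLE",
                       "example-secret-key", "us-east-1", SAMPLE_TIME)
```

Because the signature is bound to one object key and a short expiry, a leaked URL is useful only for that upload slot and only until it expires.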
If you're evaluating a billing partner or reviewing your current billing company's HIPAA posture, these are the questions to ask — and these are the answers you should expect.