
2026 Update: HIPAA Encryption Requirements

Written by Brandy Castell | Mar 13, 2026 2:30:00 PM

By 2026, encrypting electronic protected health information (ePHI) is no longer optional - it’s mandatory.

The Department of Health and Human Services (HHS) has eliminated the "addressable" classification, requiring all healthcare providers to implement encryption for data at rest and in transit.

This change reflects the growing threat of cyberattacks, with breaches increasing by 102% from 2018 to 2023, impacting over 167 million individuals in 2023 alone.

Key updates include:

Mandatory encryption standards: Providers must use NIST-approved methods, such as AES-128 (or higher) for data at rest and TLS 1.2+ for data in transit.

Behavioral health providers face stricter rules: Compliance with both HIPAA and 42 CFR Part 2 is required by February 16, 2026.

Access controls tightened: Multi-factor authentication (MFA) is now required, and access revocations must occur within 24 hours of role changes.

Short compliance timeline: Once the final rule is published (expected May 2026), organizations have only six months to comply.

Delaying implementation could result in severe penalties, with fines ranging from $145 to $2.19 million per violation. Early preparation - upgrading systems, conducting risk analyses, and adopting compliant software - is critical to meeting these new requirements.

Current HIPAA Encryption Standards

Before the changes slated for 2026 take effect, encryption under HIPAA operates within a flexible framework.

The HIPAA Security Rule classifies encryption as an "addressable" implementation specification within its technical safeguards (45 CFR §164.312) [6].

This doesn’t mean encryption is optional. Instead, organizations must either implement encryption or document a reasonable justification for using an alternative approach.

When it comes to protecting electronic protected health information (ePHI), there are two main scenarios to consider: data at rest and data in transit.

Data at rest refers to stored ePHI, while data in transit involves ePHI being transmitted over networks [6]. Encryption for both scenarios must align with guidelines from the National Institute of Standards and Technology (NIST). For data at rest, NIST SP 800-111 applies, while data in transit follows standards like SP 800-52, SP 800-77, or SP 800-113.

The minimum recommended encryption standard is AES 128-bit, though many organizations now adopt 192-bit or 256-bit encryption for greater security. Interestingly, if encrypted ePHI is lost or stolen but the decryption key remains secure, the incident is not considered a notifiable breach under the HIPAA Breach Notification Rule [6].

Let’s break down how encryption works differently for stored data versus data in motion.

Data at Rest vs. Data in Transit Encryption

Encryption for data at rest focuses on safeguarding information stored on physical devices, such as patient databases, backup drives, or laptops, from unauthorized access.

This aligns with HIPAA’s "Access Controls" requirements. On the other hand, encryption for data in transit protects information as it moves between locations, ensuring compliance with the "Transmission Security" standard, which aims to prevent unauthorized interception during transmission.

The "Addressable" Classification Explained

Understanding the "addressable" classification of encryption is key. While encryption is not outright mandatory, the term "addressable" doesn’t mean it can be ignored. As Steve Alder, Editor-in-Chief of The HIPAA Journal, explains:

"The HIPAA encryption 'rules' are addressable implementation specifications, which means covered entities and business associates do not have to comply with them if they are not 'reasonable and appropriate [...]' and an equivalent alternative measure is implemented instead" [6].

If an organization opts for an alternative to encryption, it must conduct a thorough risk analysis and document its rationale.

This documentation must also outline the equivalent security measures implemented and be retained for at least six years.

However, as cybersecurity threats grow more sophisticated, finding alternatives that match encryption’s protective capabilities has become increasingly challenging. This reality is driving the Department of Health and Human Services (HHS) to consider making encryption mandatory in the future.

2026 Changes: Mandatory Encryption Requirements

HIPAA Encryption Requirements: 2025 vs 2026 Compliance Changes

The cybersecurity rules for healthcare are tightening up in 2026.

The Department of Health and Human Services (HHS) is removing the flexibility that once existed in its Security Rule (45 CFR §164.312). Encryption will now be mandatory across the board for all regulated entities, with no room for alternative measures. As Andrea Palm, Deputy Secretary of HHS, explained:

"The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety." [4]

For behavioral health providers, this means encryption is no longer optional for protecting electronic protected health information (ePHI), whether it’s stored or in transit. Providers are required to follow NIST standards, use multi-factor authentication (MFA) for access, and implement strict encryption key management protocols [3][6].

Required Encryption for Data at Rest

Every piece of stored ePHI - whether it’s in a patient database, on a mobile device, or in a backup system - must now be encrypted to meet NIST SP 800-111 standards [6].

The minimum acceptable encryption level is AES 128-bit, but AES 192-bit or 256-bit is strongly recommended for added security [6][9]. Legacy systems that rely on outdated methods like basic password protection are no longer compliant. Providers must also ensure that encryption keys and backup data are stored separately to prevent simultaneous compromise [3].

Under the 2021 HITECH Act amendment (HR 7898), organizations following a recognized NIST framework may qualify for a 12-month penalty waiver if they can demonstrate compliance [6].

Required Encryption for Data in Transit

When it comes to transmitting ePHI, providers must now comply with NIST SP 800-52 standards [6]. This applies to all forms of electronic communication, including telehealth sessions, emails, and file transfers. Telehealth platforms, for instance, must use TLS 1.2 or higher to meet these encryption standards [6][9].

To ensure ePHI remains unaltered during transmission, additional safeguards like checksums, hashing algorithms, and digital signatures are now required [9].

Providers are also encouraged to use HIPAA-compliant email archiving systems that store immutable, read-only copies of communications for added data integrity [6]. Furthermore, cloud and email service providers must sign Business Associate Agreements and support the required encryption standards [6].

Encryption Key Management and Access Control

The new rules also focus heavily on encryption key management. Following NIST guidelines, providers must securely store encryption keys separately from encrypted data and require MFA for accessing both ePHI and encryption keys [6][9]. Access controls are stricter too - organizations must revoke or update access within 24 hours when an employee's role changes or they leave the organization [3][5].
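The key-separation rule in this paragraph (and the "keys and backups stored separately" and safe-harbor points earlier on the page) in working form, as an added Go example that is not Opus code or anything from the page's sources: each ePHI record is encrypted under its own random data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that is held apart from the data, so a copied database or backup is unreadable without the KEK, and any altered byte fails the AES-GCM integrity check. The record identifier, the byte layout and the caller-supplied in-memory KEK are assumptions; a real deployment would fetch the KEK from an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredRecord is what lands in the database or backup: the encrypted record
// plus its data-encryption key (DEK) wrapped under a key-encryption key (KEK)
// that is held elsewhere (a separate key store or HSM; here, a caller-supplied slice).
type StoredRecord struct {
	Nonce, Ciphertext     []byte // GCM nonce and ciphertext (with tag) of the record
	WrapNonce, WrappedDEK []byte // GCM nonce and ciphertext of the DEK under the KEK
}

// randomBytes draws n bytes from the OS CSPRNG for keys and nonces.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: refuse to continue
	}
	return b
}

// aead returns AES-GCM for key. A 32-byte key selects AES-256, above the
// AES-128 floor the rule sets; a wrong key length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts plaintext under key with a fresh nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := aead(key)
	nonce = randomBytes(g.NonceSize())
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

// open reverses seal and fails if key, nonce, aad or ciphertext were changed.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	return aead(key).Open(nil, nonce, ct, aad)
}

// EncryptRecord encrypts one ePHI record under a fresh random DEK and wraps the
// DEK under the KEK. recordID is bound as associated data, so a ciphertext
// cannot be silently moved from one patient's row to another's.
func EncryptRecord(kek []byte, recordID string, ephi []byte) *StoredRecord {
	dek := randomBytes(32)
	nonce, ct := seal(dek, ephi, []byte(recordID))
	wrapNonce, wrapped := seal(kek, dek, []byte(recordID))
	return &StoredRecord{nonce, ct, wrapNonce, wrapped}
}

// DecryptRecord needs the KEK from the separate key store: the stored record
// alone is unreadable, and any tampering fails the GCM tag check.
func DecryptRecord(kek []byte, recordID string, r *StoredRecord) ([]byte, error) {
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Nonce, r.Ciphertext, []byte(recordID))
}
```

Rotating the KEK then means re-wrapping only the small WrappedDEK values, not re-encrypting every record.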

In addition, providers need to maintain a detailed inventory of technology assets and a network map that tracks ePHI movement. These documents must be updated at least annually, and organizations are required to conduct a compliance audit every 12 months to ensure they’re meeting all updated standards [3].

Requirement | Previous Status | 2026 Update Status
Encryption (At Rest/Transit) | Addressable | Required [3]
Multi-Factor Authentication | Not Explicitly Required | Required [3]
Access Revocation Timeline | "Reasonable/Appropriate" | Within 24 Hours [3]
Compliance Audits | Periodic | Every 12 Months [3]
Vulnerability Scanning | Not Explicitly Required | Every 6 Months [3]

For behavioral health providers, transitioning to compliance can be streamlined by using platforms like Opus Behavioral Health EHR, which offer built-in encryption, key management, and other tools designed to meet these rigorous HIPAA requirements.

Compliance Timeline and Deadlines

Finalization and Effective Dates

The journey toward mandatory encryption began on December 27, 2024, when the Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule.

This NPRM was officially published on January 6, 2025, with a public comment period that closed on March 7, 2025 [3][5]. The final rule is expected to be published in May 2026, and it will take effect 60 days later, likely in July 2026. These dates mark a critical timeline for organizations preparing for encryption requirements.

Another important deadline is the February 16, 2026 requirement to update the HIPAA Notice of Privacy Practices (NPP) to reflect revised protections for Substance Use Disorder (SUD) records.

This update applies to all HIPAA-covered entities handling SUD records from Part 2 programs, even if they are not Part 2 programs themselves [10][11].

6-Month Compliance Grace Period

After the final Security Rule becomes effective in July 2026, regulated entities will have a six-month window to implement necessary upgrades. This makes January 2027 the deadline for achieving full compliance.

Steve Alder, Editor-in-Chief of The HIPAA Journal, emphasized the importance of early preparation:

"OCR will provide sufficient notice before any 2026 HIPAA changes take effect, and a grace period before they start to be enforced, but a lot of work will need to be done" [2].

Organizations that delay preparations until the final rule is published may find themselves under intense pressure to meet the tight compliance deadlines. Acting now can help avoid last-minute challenges and ensure a smoother transition.

Milestone | Date
NPRM Published in Federal Register | January 6, 2025 [5]
Comment Period Ended | March 7, 2025 [5]
Part 2 Rule/NPP Update Deadline | February 16, 2026 [10]
Final Rule Publication (Anticipated) | May 2026
Effective Date (Anticipated) | July 2026 (60 days post-publication)
Full Compliance Deadline (Anticipated) | January 2027 (6-month grace period)

Implementation Challenges and Considerations

Upgrading Older Systems

Older systems present a significant obstacle to meeting the 2026 encryption requirements.

Many behavioral health facilities still rely on outdated systems that lack the processing power needed to support modern cryptographic standards like TLS 1.3 for data in transit or AES-256 for data at rest [12][13]. These older systems simply can't handle the demands of current security protocols.

Performance issues add to the difficulty. Full-disk encryption (FDE) can cause delays during boot-up, hibernation, and when accessing large files [13]. In fast-paced clinical settings, where quick access to patient records is essential, these delays can disrupt workflows and impact care delivery.

Specialized medical devices used in behavioral health settings often create additional challenges.

Some of these devices are technically incapable of supporting encryption. In such cases, providers must use compensating controls like network isolation and microsegmentation to safeguard electronic protected health information (ePHI) [12].

There's also the risk of human error when using virtual disk encryption (containers). If staff inadvertently save ePHI to unencrypted locations, sensitive data could be exposed unless systems are configured to default to encrypted containers [13].

These limitations highlight the importance of adopting integrated security solutions that work seamlessly within existing workflows.

Integration with Other Security Measures

Encryption works best when paired with other security measures in a layered defense strategy.

For example, encryption should be combined with multi-factor authentication (MFA), intrusion detection systems, and strong access controls.

The 2026 updates now require phishing-resistant MFA for accessing ePHI, moving away from less secure methods like SMS-based authentication. Systems must also ensure that ePHI is only decrypted after successful authentication. To further enhance security, sessions should automatically terminate after a set period of inactivity, re-encrypting the data [12][13].

Network segmentation is another critical component. Using techniques like microsegmentation and VLANs can isolate systems that store ePHI, limiting the damage attackers can do in the event of a breach [12].

Combining encryption with MFA, network segmentation, and regular vulnerability assessments strengthens the overall security framework required by the 2026 HIPAA updates.

Using Software Solutions for Compliance

Modern software platforms offer a practical way to tackle these challenges.

Behavioral health providers can simplify encryption and compliance by using platforms specifically designed for HIPAA requirements.

For instance, Opus Behavioral Health EHR integrates encryption for both data at rest and in transit, using NIST-validated algorithms to minimize manual encryption management. The platform's telehealth features also employ modern encryption protocols to secure video sessions, and its automated workflows ensure that ePHI defaults to encrypted storage, reducing the risk of human error.

When choosing software solutions, prioritize platforms that use NIST-validated algorithms and FIPS 140-2 or 140-3 validated cryptographic modules [7][8].

This provides a "safe harbor", meaning that if a device is lost or stolen but the data is properly encrypted with secure keys, it often avoids triggering the costly and reputation-damaging HIPAA breach notification process [7][8]. Additionally, ensure your software vendor signs a Business Associate Agreement (BAA) to formalize compliance responsibilities [13].

Automated compliance monitoring tools can also play a key role. These tools can detect system anomalies or configuration changes that might lead to compliance violations, addressing potential issues before they escalate [13].

Under the proposed rules, organizations must also have written procedures in place to restore electronic systems and data within 72 hours of a loss [3].

Enforcement and Penalties

Updated Penalty Structure

The Office for Civil Rights (OCR) updates HIPAA penalties annually to account for inflation. For 2026, this adjustment uses a multiplier of 1.02598 on the base penalty amounts [14].

Violations are categorized into four tiers based on the level of responsibility and intent, with fines ranging from $145 to $2,190,294, depending on the severity of the infraction.

Penalty Tier | Culpability Level | Minimum per Violation | Maximum per Violation | Annual Statutory Cap
Tier 1 | Reasonable Efforts / Lack of Knowledge | $145 | $73,011 | $2,190,294
Tier 2 | Lack of Oversight / Reasonable Cause | $1,461 | $73,011 | $2,190,294
Tier 3 | Willful Neglect (Corrected <30 days) | $14,602 | $73,011 | $2,190,294
Tier 4 | Willful Neglect (Not Corrected) | $73,011 | $2,190,294 | $2,190,294

Currently, the OCR applies a Notice of Enforcement Discretion, lowering annual caps for Tiers 1-3 to ~$36,505, ~$146,053, and ~$365,052 [14][16].

However, these reduced caps are discretionary and could be revoked at any time, exposing providers to the full statutory limits. For instance, in February 2025, Warby Parker, Inc. faced a $1,500,000 penalty for deficiencies in risk analysis, management, and monitoring, while BayCare Health System settled for $800,000 due to unauthorized access to medical records [14][18].

When determining penalty amounts, the OCR evaluates several factors, such as the duration of the violation, the number of individuals impacted, the type of data exposed, prior violations, financial status, and cooperation during investigations [18].

Importantly, correcting violations within 30 days can move a case from Tier 4 to Tier 3, significantly lowering penalties [14].

Additionally, organizations that demonstrate 12 months of compliance with recognized security frameworks like NIST may qualify for reduced penalties under a 2021 HITECH Act amendment [6]. This structured approach reflects the OCR’s increasingly stringent enforcement strategy.

Increased Scrutiny and Reduced Flexibility

The OCR’s updated penalty structure signals a stricter regulatory environment, with less room for flexibility. Encryption, once optional in certain cases, is now mandatory.

Previously, providers - particularly in behavioral health - could argue against encryption if deemed impractical. That option is no longer available [3][17]. Without encryption, violations are likely to escalate from Tier 1 (lack of knowledge) to Tiers 3 or 4 (willful neglect), leading to steeper fines [3][16].

Recent enforcement actions emphasize the OCR’s focus on risk analysis and management failures. For instance, in March 2025, Health Fitness Corporation paid $227,816 and agreed to a two-year corrective action plan after ePHI was exposed due to a server misconfiguration and inadequate risk analysis [16].

Similarly, in April 2025, Northeast Radiology settled for $350,000 over deficiencies in enterprise-wide risk analysis and management [16].

The healthcare industry faces mounting scrutiny as breach reports continue to climb. Between 2018 and 2023, breach reports surged by 102%, with hacking and ransomware incidents rising 89% and 102%, respectively.

In 2023 alone, large breaches affected 167 million individuals [15]. OCR Director Melanie Fontes Rainer said the proposed rule "addresses current and future cybersecurity threats" and "would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity" [4].

The OCR is urging Congress to increase HIPAA penalties further, aiming to strengthen deterrents against evolving cyber threats [14].

Conclusion

The 2026 HIPAA encryption updates mark a significant shift, making encryption mandatory for both data at rest and in transit.

Behavioral health providers now have a 180-day compliance window after the final rule is published, while the February 16, 2026, Part 2 deadline adds urgency for SUD treatment centers to align their record-keeping practices with updated HIPAA standards [1][2].

Preparation isn’t optional - it’s essential. Providers should begin by conducting gap analyses, cataloging their technology assets, and confirming that legacy systems can handle modern encryption protocols like AES-256.

Older systems that fall short of these requirements may need to be replaced. Taking these steps early can help providers reduce risks and avoid last-minute scrambles.

The stakes couldn’t be higher. In 2023 alone, healthcare breaches impacted over 167 million individuals [4], and by 2024, the average cost of a breach had climbed to $9.8 million [19].

Proper encryption not only satisfies legal requirements but also provides a critical safeguard, offering safe harbor protections that can prevent the financial and reputational fallout of a breach [6].

Strong encryption doesn’t just check a compliance box - it builds resilience into operations. Opus Behavioral Health EHR simplifies this transition with built-in AES-256 encryption, multi-factor authentication, automated audit logs, and a HIPAA-compliant infrastructure. This all-in-one solution removes the burden of manual implementation, ensuring providers stay aligned with evolving regulations.

To avoid penalties and maintain patient trust, providers must upgrade systems, enforce multi-factor authentication, and adopt HIPAA-compliant technologies without delay.

FAQs

What are the consequences of not complying with the 2026 HIPAA encryption requirements?

Failing to meet the 2026 HIPAA encryption requirements can result in hefty penalties. Civil fines range from $145 to $2,190,294 per violation, depending on how negligent the organization was. On top of that, intentional violations can bring criminal penalties, including steep fines and even jail time.

Behavioral health providers must stay informed about these regulations - not just to avoid penalties, but to protect the sensitive data of their patients.

What do the updated HIPAA encryption requirements mean for behavioral health providers?

The latest HIPAA encryption requirements emphasize the need for behavioral health providers to encrypt all electronic protected health information (ePHI).

This applies to data that is stored, transmitted, or accessed remotely. By encrypting ePHI, providers can ensure that sensitive patient information remains confidential and secure, reducing the risk of unauthorized access and cyberattacks.

For behavioral health providers, adhering to these encryption standards is essential - not only to comply with HIPAA regulations but also to maintain patient trust. Beyond meeting legal requirements, implementing strong encryption practices enhances overall data security, which is increasingly critical in today’s digital healthcare landscape.

How can healthcare organizations prepare for the 2026 HIPAA encryption updates?

Healthcare organizations need to get ahead of the 2026 HIPAA encryption updates by starting with a comprehensive risk assessment.

This step is crucial to pinpoint any weaknesses in current data protection strategies. It's essential to ensure that all electronic Protected Health Information (ePHI) - whether stored or transmitted - is encrypted using strong, reliable standards. For example, AES-256 is recommended for encrypting data at rest, while TLS 1.3 should be used for securing data in transit.

Another critical step is adopting strong key management practices.

Utilizing tools like Hardware Security Modules (HSMs) can safeguard encryption keys effectively. Beyond the technical measures, organizations must also update internal policies and provide staff with training on the new encryption requirements.

What may have been optional safeguards in the past could now become mandatory, so proper preparation is key.

Lastly, staying updated on guidance from the Department of Health and Human Services (HHS) is vital. Investing in automation tools, such as encryption management systems and workflows, can also simplify compliance efforts while minimizing risks.

These proactive measures will help healthcare providers navigate the upcoming changes with confidence.