The 2026 HIPAA Security Rule Update: Mandatory Encryption and MFA
Author: Lourdes Rojas, Founder & CEO, Eunoia Consulting Co. Published: June 10, 2026.
The 2026 HIPAA Security Rule converts encryption of ePHI at rest and in transit, multi-factor authentication for all ePHI access, and 72-hour breach notification from addressable to mandatory requirements. Healthcare and veterinary practices that treated these as optional measures must now implement them as hard requirements before enforcement timelines arrive. This article explains what changed, sets out the compliance deadlines, and provides a practical preparation roadmap.