If you are opening a medical practice in 2026, you have a rare advantage that established practices do not: you can build your security program correctly the first time. The federal government is in the middle of the biggest HIPAA cybersecurity overhaul in two decades, and retrofitting an existing practice to meet it is painful and expensive. Building it in from day one costs almost nothing extra — it is mostly a matter of choosing the right systems and flipping the right switches before your first patient walks in.

What is actually changing — and what its status is

On January 6, 2025, the HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking in the Federal Register to strengthen the HIPAA Security Rule. The comment period closed in March 2025, and as of mid-2026 the rule is still proposed, not final — OCR continues to list finalization on its regulatory agenda. That status matters for your timeline, but it should not change your plans. The proposal codifies what good practices and cyber-liability insurers already expect, and once it is finalized, compliance windows under discussion run roughly 180 days to two years from publication. A practice opening now should treat the proposed baseline as the standard it builds toward, because retrofitting later is the expensive path.

The headline change is the end of "addressable" safeguards. Under the current rule, encryption and similar controls are "addressable" — you can decline them if you document why. The proposal makes nearly all of these specifications mandatory, with only narrow exceptions. Concretely, the proposed baseline includes: encryption of electronic protected health information (ePHI) at rest and in transit; multi-factor authentication; network segmentation; vulnerability scanning at least every six months and penetration testing at least once every 12 months; a written incident-response plan that is tested annually; defined response timelines (including restoring critical systems within 72 hours of certain events); and annual documented compliance audits. HIPAA compliance for a new practice in 2026 is no longer a binder of "good enough" policies — it is a set of technical controls you either turned on or did not.

Choose systems and vendors that already clear the bar

Your single most consequential cybersecurity decision when opening a medical practice is which platforms hold your data. Before signing anything, ask each vendor — your EMR, billing system, cloud fax, secure messaging, email host, backup provider, and IT support — three questions: Does the product encrypt data at rest and in transit by default? Does it enforce multi-factor authentication for every user? And will you sign a Business Associate Agreement (BAA)? If the answer to any of those is no, keep looking. The kind of platform you want is one where encryption and MFA are built in and on by default, not features you bolt on.

The BAA is non-negotiable and free. Every vendor that creates, receives, maintains, or transmits ePHI on your behalf must sign one before you send them a single record. Build a one-page vendor inventory at launch listing each tool, what data it touches, and whether the BAA is signed and on file. This list doubles as the asset map the proposed rule expects you to maintain — and it takes an afternoon when you have five vendors, versus weeks once you have twenty-five and cannot remember which ones touch PHI.

Turn on MFA and encryption everywhere — on opening day

Multi-factor authentication is the highest-value control you will deploy, and it is essentially free. Enable it on your EMR, email, billing portal, clearinghouse, cloud storage, and every administrative account. Use an authenticator app or hardware key rather than SMS codes where the option exists. Do this during setup, before staff develop habits around password-only logins — changing it later means retraining everyone and fielding the inevitable "why is this so annoying" complaints.

For encryption, two moves cover most of your exposure. First, turn on full-disk encryption on every device that could ever hold ePHI — laptops, desktops, tablets, and phones. The tools are built into modern operating systems and add no cost; an encrypted laptop that gets stolen is a lost asset, while an unencrypted one is a reportable breach. Second, confirm that email containing PHI is encrypted in transit, and adopt secure-messaging or a patient portal for anything sensitive rather than plain email. Set these defaults before you hire, so encryption is simply how your practice operates rather than a policy you have to enforce.

Segment your network: guests do not belong on the clinical side

Network segmentation sounds like enterprise IT, but for a small practice it is genuinely simple. Your clinic equipment — workstations, the EMR connection, networked devices, your backup target — lives on one private network. Your waiting-room guest Wi-Fi lives on a completely separate one, ideally a "guest network" feature your router already has. Patients, sales reps, and personal phones connect to the guest side and can never reach a clinical machine. Ask your IT setup person to put clinical devices on their own VLAN or physically separate network and to lock down which devices may join it. Doing this at install costs a single configuration step; doing it after you are wired and live means re-cabling and downtime.

Set up tested, recoverable backups

Most of your core data will live in cloud systems your vendors back up, but you are still responsible for being able to recover. Follow a simple rule: keep at least one encrypted backup copy off-site, and one that is isolated so ransomware cannot reach it. The part practices skip is testing — a backup you have never restored from is a hope, not a backup. Before opening, do one full test restore and confirm the data comes back intact, then schedule that test on a recurring basis. The proposed rule's 72-hour restoration expectation for critical systems is only achievable if you have rehearsed the recovery, not just configured the backup.

Write a simple incident-response plan before your first patient

You do not need a fifty-page document. You need a two-page plan that answers, in plain language: who is in charge when something goes wrong, what counts as a security incident, the first three containment steps, who to call (your IT support, your attorney, your cyber-liability carrier), and the breach-notification clock. Under current HIPAA rules you must notify affected individuals and HHS after a breach, and your business associates must notify you within 60 days of discovering one — bake those timelines into the plan. The proposal also adds defined internal response timelines, so write the 72-hour restoration goal into your plan now. Then do the thing the rule will require anyway: test it once before you open, even as a fifteen-minute tabletop walkthrough with your staff. A plan you have read aloud once is worth ten you have only filed.

Budget for the scanning and testing the rule expects

The new technical requirements carry real, recurring costs you should put in your launch budget rather than discover later. Plan for vulnerability scanning at least twice a year and a penetration test at least annually — for a small practice these are commonly available as a packaged service, and budgeting a modest annual line item for security assessments alongside your other professional services keeps you ahead of the requirement. Add an annual compliance audit and a security risk analysis, which the Security Rule already requires today. The practices that get hurt are the ones that treat security testing as optional until a breach or an insurer's questionnaire forces it; building a recurring line item into your year-one budget makes HIPAA setup for a new practice a planned expense instead of an emergency one.

Bottom line: The HIPAA Security Rule 2026 overhaul turns yesterday's "addressable" safeguards into mandatory controls — encryption everywhere, MFA, network segmentation, tested backups, a written and tested incident-response plan, and regular scanning and penetration testing. For a brand-new practice this is an opportunity, not a burden: pick vendors that already meet the bar and will sign a BAA, turn encryption and MFA on by default during setup, segment guest from clinical networks at install, test one backup restore and one incident walkthrough before opening, and budget a small recurring line for security assessments. Build it in on day one and you will never have to retrofit it under pressure.