The 2025 HIPAA Security Rule updates, taking effect in 2026, introduce the first major overhaul of HIPAA's technical safeguard requirements in 13 years.[2] The updated rule eliminates the distinction between "addressable" and "required" safeguards, making multi-factor authentication (MFA), encryption, vulnerability scanning, and incident response planning mandatory for all covered entities and business associates—including law firms that handle electronic protected health information (ePHI).[2]
Who's Involved
The Office for Civil Rights (OCR), part of the Department of Health and Human Services, is enforcing the updated rules.[2] Law firms handling medical records in personal injury, mass tort, workers' compensation, and medical malpractice cases are directly affected as business associates under HIPAA.[2] Compliance obligations also extend to vendors, cloud storage providers, IT contractors, and case management platforms through updated Business Associate Agreements (BAAs).[2]
Key Requirements and Timeline
Practical compliance demands include MFA on all systems touching ePHI, AES-256 encryption for stored medical records, end-to-end encryption for email transmission, annual risk assessments, annual penetration testing, and biannual vulnerability scans.[2] A separate compliance deadline of February 16, 2026, required updates to Notices of Privacy Practices addressing substance use disorder treatment records.[8][10] The Security Rule itself is expected to be finalized in May 2026, though some compliance obligations are already in effect.[6]
Why It's Newsworthy
This represents a significant enforcement shift closing compliance loopholes that previously allowed organizations to document why they skipped fundamental protections like MFA and encryption—practices that contributed to major healthcare breaches.[2] For law firms, enforcement ramps up as the same security standards now applied to hospitals extend across the entire business associate chain.[2]