The regulatory environment for health information privacy and security is evolving rapidly, driven by heightened federal scrutiny, major rulemaking initiatives, and intensifying cyber threats targeting the healthcare sector; together, these have led to anticipated changes for 2026. Against these anticipated changes, the direction of the new Presidential administration, with its pro-business and anti-regulatory perspective, may prevail.
This signals that covered entities and business associates should expect more prescriptive requirements, more expansive enforcement, and significantly higher expectations for technical rigor.
The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) have indicated that their long-planned Security Rule modernization remains on track, with finalization expected in 2026.
Unlike the current flexible, risk-based structure adopted in 2003, the proposed rule introduces specific and mandatory technical safeguards, such as stricter encryption requirements, required multifactor authentication, mandated vulnerability and penetration testing, improved patch management practices, enhanced workforce training provisions, and clearer expectations around incident response and system monitoring.
The message is unambiguous: the era of broad discretion in HIPAA security implementation is ending, and organizations will need concrete, demonstrable controls rather than high-level policies.
Enforcement activity is also expanding, most notably through OCR’s newly delegated authority to enforce the confidentiality protections governing substance use disorder (SUD) treatment records under 42 C.F.R. Part 2.
This shift brings Part 2, long considered one of the most stringent privacy frameworks in the U.S., squarely into OCR’s enforcement portfolio. Entities that operate SUD treatment programs or hold Part 2 records now face potential civil monetary penalties, compliance reviews, and corrective action plans similar to those used in HIPAA enforcement.
While HHS declined to fully align Part 2 with HIPAA’s security requirements, organizations that are subject to both regimes must nevertheless apply robust technical safeguards to ensure that highly sensitive SUD information is adequately protected against cyber risk.
The third major theme is escalating enforcement pressure stemming from the healthcare sector’s ongoing vulnerability to ransomware and other cyberattacks. OCR has launched initiatives specifically targeting inadequate or superficial security risk analyses (SRAs), a requirement that remains the backbone of HIPAA’s risk-based approach even ahead of the new rule.
Regulators are signaling that cursory, checklist-style assessments are no longer acceptable. At the same time, OCR continues aggressive enforcement of the patient right-of-access standard and is increasing expectations around compliance with reproductive health information protections and interoperability rules that took effect in late 2024.
Taken together, these developments reflect a broader regulatory posture: more prescriptive standards, more consistent enforcement, and an emphasis on measurable, accountable security practices. Healthcare organizations must prepare for a compliance environment characterized by short implementation timelines, heightened documentation expectations, and increasing penalties for failure to modernize.
Areas Covered in the Session:
Background:
Upcoming changes to HIPAA security and privacy guidelines for healthcare practices and practitioners. Changes include stricter enforcement, stricter ransomware and malware attack prevention measures, and stricter confidentiality measures.
Why Should You Attend?
Learn about the HIPAA privacy and security changes anticipated in 2026 that may affect your practice.
Who Will Benefit?
Healthcare practitioners and practices operating in 2026 and going forward.
Mark R. Brengelman became interested in law when he graduated with both Bachelor’s and Master’s degrees in Philosophy from Emory University in Atlanta. He earned a Juris Doctorate from the University of Kentucky College of Law. Mark became an Assistant Attorney General in Kentucky in the area of administrative and professional law as the assigned counsel and prosecuting attorney to numerous health professions licensure boards.
He retired from the state government, became certified as a hearing officer, and opened his own law practice, including working as a legislative agent (lobbyist).
As a frequent participant in continuing education, Mark has been a presenter for over thirty national and state organizations and private companies, such as the:
Kentucky Bar Association
Kentucky Office of the Attorney General
National Attorneys General Training and Research Institute, and
Federation of Associations of Regulatory Boards.
This also includes multiple, national healthcare organizations, including:
Association of State and Provincial Psychology Boards
Federation of State Boards of Physical Therapy
National Council of State Boards of Nursing
National Association of State Emergency Medical Services Officials
National Association of State Contractors Licensing Agencies, and
American Association of Veterinary State Boards
Mark was the founding presenter for “Navigating Ethics and Law for Mental Health Professionals,” a continuing education training approved by five Kentucky mental health licensure boards. He also founded “The Kentucky Code of Ethical Conduct: Ethical Practice; Risk Management, and; the Code of Ethical Conduct” as an approved, state-mandated continuing education for social workers offered as a video-on-demand.
Mark has now worked for all three branches of state government and has worked since June 2018 as the Enforcement Counsel for the Kentucky Legislative Ethics Commission, an independent regulatory body that oversees 138 elected state legislators and nearly 800 registered lobbyists. Continuing as an ethics attorney, Mark is also the contract counsel for the Ethics Commission of the Louisville Metro Government, a merged city and county government, the largest city in Kentucky, and the 45th largest metropolitan statistical area in the United States.
Mark focuses on representing health care practitioners before licensure boards and in other professional regulatory matters and representing children as Guardian ad Litem and parents as Court Appointed Counsel in confidential child dependency, neglect, and abuse proceedings and termination of parental rights proceedings in family court.