THOUGHTS

The HIPAA Security Rule could catch up to digital reality this year

June 22, 2026

Bold graphic on a navy background: “13 YEARS is a scary long cybersecurity gap.” The HIPAA Security Rule’s last major update was in 2013.

Small and solo practices: it’s way past time for you to catch up too!

HIPAA is the 1996 federal law that outlines the standards health practices follow in protecting their patients’ private information (their protected health information, or PHI). It includes a “Security Rule” with requirements for administrative, technical, and physical safeguards for patient data.

The last major update to that Security Rule was in 2013. 13 years is… a very long time, technically speaking.

This means some big cybersecurity holes are about to be closed. For example:

As of right now, a clinician doesn’t need to encrypt patient records.

As of right now, a clinician doesn’t need a tested backup-and-recovery plan.

How? The 2013 rule let clinicians label safeguards like these “addressable” — compliance-speak that, in practice, too often meant “optional, as long as you wrote down a reason to skip it.” Yikes.

If the proposed changes are enacted, these holes and many others will get closed. It’s actually a really, really good thing if they do. We need to protect PHI.

This isn’t final yet. The proposal is being debated and could be changed or withdrawn. But if it’s enacted, practitioners will have little time to comply with some major changes to how they handle PHI.

And whether or not it’s enacted, don’t you WANT your patients’ PHI to be secure?

Small and solo practices (psychologists, counselors, family practitioners): use this as an opportunity to level up your cybersecurity practices. Do it now. Don’t wait for the rule to land.

I wrote a cheat sheet on the possible changes just for you: the people who don’t have a hospital system’s tech department to work it all out.

Get it here:

2026 HIPAA Security Changes Cheat Sheet, first-page preview

Download my free 2026 HIPAA Security Changes Cheat Sheet. It’s a plain-English, three-page reference to the biggest changes coming in 2026 for healthcare practices. What’s changing, why it matters, and what to do about it. Includes a to-do list and a worksheet so you can audit exactly how each one affects your practice. No enterprise security team required. (You don’t have one, and you don’t need one.)

Verifying you’re a human…

WORK WITH SEAN

Good ideas don’t implement themselves.

When something here resonates, let’s figure out how to put it to work.

BOOK A CALL

15 min · no pitch