HIPAA Encryption Requirements 2026: Addressable Is Dead
HIPAA encryption in 2026 — the addressable loophole is closing, AES-256 at rest, TLS 1.2+ in transit, and what to deploy while the Final Rule is still pending.
Current HIPAA law lets you skip encryption. Not in words, but in effect. The Security Rule’s encryption provisions are “addressable” — meaning you can deploy them, or document why you didn’t and what you did instead. That documentation path was designed as flexibility for 2003-era operators without practical encryption options. In 2026 it’s an operational loophole that hundreds of practices are relying on and thousands more haven’t examined closely.
The proposed 2026 HIPAA Security Rule Final Rule closes that loophole. Encryption becomes required rather than addressable. AES-256 for data at rest, TLS 1.2+ for data in transit, no documentation path out. The rule remains proposed as of mid-2026 — the spring 2026 publication target came and went, roughly 4,700 public comments are still under review, and industry pressure to modify or withdraw the proposal is significant. But every downstream signal — cyber insurance carrier expectations, customer due diligence questionnaires, third-party assessor bars — is moving toward the mandatory-encryption posture whether or not the Final Rule publishes on the original timeline.
This is the deeper read on HIPAA encryption for mid-size practices in 2026 — what current law requires, what the proposed rule would add, the four scopes where encryption actually needs to be deployed, the deployment patterns that work in practice, and the discipline that gets you audit-ready even before the Final Rule publishes. It pairs with our HIPAA audit preparation 90-day checklist (sibling spoke #1), the HIPAA BAA requirements playbook (sibling spoke #2), and the 2026 HIPAA Security Rule updates for Florida practices cluster hub.
Key Takeaways
- The “addressable” documentation path is going away under the proposed Final Rule. Encryption becomes required, not optional-with-documentation.
- AES-256 at rest, TLS 1.2+ in transit are the technical minimums the proposed rule specifies. AES-128 is still acceptable under current law; upgrade on refresh cycles.
- Encryption operates across four scopes: data at rest, in transit, backups + portable devices, and email. Full-disk encryption (BitLocker, FileVault) covers only one of the four.
- Business associate encryption is your encryption. The BAA and the BA’s technical safeguards discipline determine whether your covered PHI is actually encrypted.
- The audit-ready pattern is: encryption everywhere it belongs, documented in the SRA, verified with the BA, and tested in the incident response runbook. The Final Rule uncertainty doesn’t change this discipline; it just clarifies the timeline.
The Regulatory Reality — Where Encryption Stands in Mid-2026
Understanding the current state matters because operators keep asking whether the encryption changes everyone is talking about are in force.
Current enforceable law. The 2013 HIPAA Omnibus Rule’s Security Rule provisions remain the enforcement baseline. Encryption at rest and encryption in transit are both classified as “addressable” — meaning covered entities and business associates can implement them, or document why they’ve implemented an equivalent alternative. The addressable-vs-required distinction has always been narrower than operators assume: OCR has consistently interpreted “addressable” to mean “if it’s reasonable and appropriate for your organization, you must implement it,” not “optional.” But the documentation path has existed and been used.
The January 2025 NPRM. The Notice of Proposed Rulemaking published January 6, 2025 proposes eliminating the “addressable” designation entirely for most Security Rule safeguards including encryption. Under the proposed rule: encryption is required for all ePHI at rest and in transit, with limited documented exceptions requiring equivalent alternative measures. AES-256 is specifically named as the standard for data at rest, TLS 1.2 or higher for data in transit. Once the Final Rule publishes, covered entities and business associates get 180-240 days to comply.
Status as of mid-2026. The spring 2026 publication window that HHS had signaled came and went. Approximately 4,700 public comments are still under review. A coalition of 100+ hospital and provider groups has publicly asked HHS to withdraw the proposal, citing implementation cost and operational burden — including specific concerns about encryption cost for smaller practices. Industry analysts still expect 2026 publication, but the specific timing is uncertain and the possibility of withdrawal or material modification remains real.
What operators should assume. Every downstream signal — cyber insurance carrier expectations, healthcare enterprise customer due diligence, third-party assessor bars, state healthcare privacy laws — is moving toward mandatory encryption whether or not the Final Rule publishes on schedule. Practices that deploy encryption to the proposed-rule standard now will absorb the effort naturally. Practices that wait until the Final Rule publishes will be scrambling in a compressed 180-day window.
The Four Encryption Scopes
Encryption in HIPAA-relevant contexts operates across four scopes. A comprehensive posture addresses all four; a partial posture (only full-disk encryption, for example) has meaningful gaps.
1. Data at rest
PHI stored on any medium — production databases in EHR/PM/billing systems, backup archives, file shares, cloud storage, individual workstations and laptops, portable devices (external drives, USB keys, medical imaging archive drives), phones and tablets with any PHI cache.
Deployment patterns. Full-disk encryption on every workstation and laptop (BitLocker on Windows, FileVault on Mac). Database encryption enabled on the EHR/PM production system (usually a configuration your EHR vendor manages). Cloud storage encryption enabled by default in AWS/Azure/GCP HIPAA-eligible services. Portable device encryption enforced through device management (Intune, Jamf).
Common gaps. Legacy servers with unencrypted databases. Personal laptops used for after-hours work. Portable backup drives without encryption. USB keys with PHI in the finance director’s desk.
2. Data in transit
PHI moving across networks — between client applications and the EHR server, between the practice and cloud services, in HL7 interfaces to lab systems, in DICOM connections to imaging systems, in integrations with payer clearinghouses, in patient portal traffic, in remote-worker VPN traffic.
Deployment patterns. TLS 1.2 minimum (1.3 preferred) enforced on every network transmission. Web-facing systems using proper certificate management (not self-signed, not expired). HL7 and DICOM connections tunneled through TLS or VPN. Remote worker VPN using modern encryption standards (IKEv2 or WireGuard preferred over legacy PPTP or L2TP).
Common gaps. Internal-network traffic between application servers left unencrypted because “it’s inside the firewall.” Legacy HL7 connections running plaintext because the vendor doesn’t offer TLS. Self-signed certificates on internal web applications that browsers ignore.
3. Backups and portable devices
Backup infrastructure, media, and portable devices deserve their own scope because the failure modes are distinct — backup infrastructure gets targeted specifically by ransomware, and portable devices are the highest-volume lost-device-incident category.
Deployment patterns. Backup destinations with encryption at rest enabled (AWS S3 with SSE-KMS, Azure Blob with encryption, dedicated backup vendors with documented encryption). Backup data encrypted in transit to the destination. Portable devices (external drives, backup tapes if still used) with hardware or software encryption. Air-gapped or immutable backups for ransomware defense. Regular backup restoration testing to verify encrypted backups actually decrypt.
Common gaps. Backups stored on the same infrastructure as production (ransomware takes both). Encrypted backups where the encryption keys are stored with the backups (encryption without key separation is theatrical). Portable backup drives with no encryption. Retention policies that let encrypted PHI backups accumulate forever.
4. Email and clinical communication
PHI transmitted via email or clinical messaging platforms.
Deployment patterns. Enterprise email encryption on Microsoft 365 (Purview Message Encryption) or Google Workspace (S/MIME) for clinical communication involving PHI. Dedicated healthcare email encryption gateway (Paubox, Virtru, Zix, ProofPoint) for higher volume or workflow needs. Secure clinical messaging platforms (TigerConnect, Klara, OhMD) for patient communication.
Common gaps. Clinicians emailing PHI from personal accounts. Patient communication over standard SMS. Automated appointment reminders sent through non-HIPAA-eligible platforms. Voicemail systems that transcribe clinical messages to unencrypted email.
The Business Associate Encryption Gap
Your encryption is only as strong as the encryption your business associates deploy. When your EHR vendor stores PHI on their servers, their encryption is your encryption. When your billing service processes patient data, their encryption is your encryption. When your cloud provider hosts your workloads, their encryption at rest and in transit is your encryption at that layer.
The BA verification pattern proposed under the 2026 NPRM would formalize this — requiring BAs to annually verify (in writing, by a subject-matter expert) that they’ve deployed the required technical safeguards. Even before the Final Rule publishes, the discipline is worth adopting.
Practical BA encryption verification: request SOC 2 Type II reports (which document encryption at the control level). Request HITRUST certification if the BA has it. For high-risk BAs (EHR, cloud providers, large-volume claims processors), request annual written attestation from the BA’s security officer specifically covering encryption at rest, in transit, and in backups. For BAs that push back on providing documentation, see the BAA playbook — this is diligence signal.
The 5 Encryption Gaps That Recur
Patterns in denied claims, breach forensic reports, and third-party HIPAA assessments:
- Unencrypted backups. The most common — production data is encrypted but the backups aren’t, or use weaker encryption, or are stored without key separation.
- Unencrypted portable devices. External drives, USB keys, laptops used off-hours. High-volume lost-device incident category.
- Cleartext email. Clinical communication (referrals, lab results, patient follow-ups, insurance disputes) sent over standard email without encryption enforcement.
- Self-signed or expired TLS on internal apps. Practice-internal web tools (schedulers, room management, minor internal reporting apps) that were stood up without proper certificate management. Browser TLS warnings get clicked through by staff.
- Cloud storage without encryption enforced. SharePoint, Google Drive, Dropbox — the practice signed up for the enterprise tier that supports HIPAA-eligible use but didn’t actually enable the encryption controls or execute the cloud provider’s BAA.
Each of these is preventable. Each is what surfaces first when preparation was rushed or absent.
What to Do This Quarter Regardless of Final Rule Timing
The audit-defensible posture doesn’t wait for the Final Rule to publish.
This month:
- Inventory encryption across the four scopes. Document what’s deployed where, and what’s not.
- Identify the gaps that would be findings under either current addressable-with-documentation standards OR the proposed mandatory standards. Prioritize the gaps that fail both.
- Update the Security Risk Analysis to reflect the current encryption posture.
This quarter:
- Deploy encryption to close the top-priority gaps identified in the inventory. Target the recurring failure modes above.
- Request encryption documentation from your top 5 highest-risk business associates (EHR, cloud provider, billing service, imaging archive, patient portal).
- Update BAA templates for new business associate relationships to include annual verification language.
- Test backup restoration end-to-end. Verify encrypted backups actually restore.
This year:
- Complete a HIPAA-focused encryption audit (self-assessed or external). Document deployment across all four scopes for every system that touches PHI.
- Update all business associate agreements at renewal to include current encryption expectations and annual verification requirements.
- Build the encryption evidence collection into the annual Security Risk Analysis refresh cycle so it’s a recurring practice, not a one-time project.
What BASG Does for Healthcare Encryption Programs
BASG deploys encryption discipline as part of every healthcare engagement — as an MSP that serves as business associate to healthcare covered entities, we operate our own environment to the standards the Final Rule would formalize, and we help our clients close the gaps that surface in encryption inventories.
Our healthcare IT services engagements typically include an encryption audit across the four scopes as an early workstream — because the audit surfaces the gaps that would otherwise become findings in the next OCR interaction, third-party assessment, or cyber insurance renewal. Our cybersecurity services work builds the operational discipline around encryption — key management, certificate management, backup encryption testing, portable device policy enforcement, email encryption deployment. Our industry compliance engagements integrate encryption evidence into the broader HIPAA readiness posture we help clients maintain across audit prep, BAA governance, and Security Risk Analysis refresh.
If your practice hasn’t inventoried its encryption posture across the four scopes recently, or if the Final Rule uncertainty has surfaced the question of readiness, get in touch for a 30-minute encryption gap review. We’ll walk through the current state, identify the gaps most likely to become findings under either current or proposed standards, and propose a remediation path that doesn’t depend on Final Rule timing. The encryption discipline that satisfies OCR is the same discipline that reduces breach probability, keeps cyber insurance carriers underwriting favorably, and closes the gaps most audits find first. There’s no scenario where deploying it now is wasted work.


