The HIPAA Security Rule was written in 2003. In technology years, that's a generation and a half ago. The 2024 update, being enforced throughout 2026, is the most significant overhaul since the original rule. It acknowledges that telehealth exists, that remote work is the norm, and that 'encryption at rest' isn't sufficient when your staff logs in from coffee shops.
For small telehealth practices, this is not a minor regulatory refresh. The enhanced requirements affect how you authenticate users, how you encrypt PHI, how you manage devices, and how you document everything. If your infrastructure hasn't been updated for these requirements, you are already out of compliance.
The 5 Things That Changed
1. Multi-Factor Authentication Is Now Required
The original Security Rule required 'access control,' which most organizations satisfied with username and password. The updated rule explicitly requires multi-factor authentication for any workforce member accessing PHI remotely. This is not a 'should' or a 'consider.' It is required.
- MFA must be enforced for admin access, clinical access, and any role that touches PHI
- SMS-based MFA is acceptable but authenticator apps or hardware keys are strongly preferred
- MFA requirements extend to business associates; your vendors must also enforce MFA
2. Encryption Requirements Expanded
The old rule required PHI to be encrypted 'at rest and in transit.' The updated rule clarifies what this means and raises the bar. Encryption must use current NIST-approved algorithms (AES-256 is the effective standard). Keys must be managed securely. And for higher-risk environments, field-level encryption is becoming the expected practice.
If your telehealth platform encrypts the database file but not individual PHI fields within records, you meet the minimum bar but not the new best-practice standard. Expect regulators to move toward field-level encryption as the default expectation over the next few years.
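The field-level approach this section describes, as an added example that is not Thimble Hub's code: every PHI column is sealed on its own with AES-256-GCM, and the column name is bound as additional authenticated data so a ciphertext cannot be moved between fields. It assumes the caller obtains the 32-byte key from whatever key-management system the practice uses; the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM wraps a 32-byte key (AES-256) in a GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PHI field as nonce || ciphertext || tag. The column
// name is bound as additional authenticated data, so a ciphertext moved into
// another column fails to open (add the record ID to also pin it to its row).
func EncryptField(key []byte, column string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// DecryptField opens a value produced by EncryptField for the same column.
func DecryptField(key []byte, column string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(column))
}

func main() {} // library-style block; call EncryptField/DecryptField per PHI column
```

With this layout a database-level compromise yields only ciphertext, and decryption with the wrong key, the wrong column or a modified byte returns an error rather than garbage.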
3. Asset Inventory Is Mandatory
You must maintain a current inventory of all systems, devices, and software that touch PHI. This was implied before; it's explicit now. The inventory must include: what the asset is, who owns it, what PHI it touches, when it was last patched, and who has access to it.
For a small clinic, this sounds burdensome because it is. The practical implication: every laptop, every tablet, every phone used to access your telehealth system needs to be tracked. BYOD (bring your own device) approaches are still allowed but must be documented and secured.
4. Enhanced Audit Logging
The updated rule requires more comprehensive audit trails. Every access to PHI, every modification, every export must be logged with user, timestamp, and action detail. Logs must be retained for six years and must be tamper-evident (meaning an attacker can't modify logs to hide their tracks).
Most off-the-shelf EHR systems and telehealth platforms have basic audit logging. The 2026 standard requires immutable, comprehensive logs. If your platform's audit trail can be edited or deleted, it doesn't meet the new requirements.
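A minimal tamper-evident audit log of the kind this section asks for, added here as an illustration and not Thimble Hub's implementation: each entry carries an HMAC over its own fields plus the previous entry's HMAC, so an edited, reordered or removed middle entry is reported by Verify. The field set, key and sample entries are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEntry: who, when, what, on which resource; Prev is the previous entry's
// MAC (64 zeros for the first) and MAC is HMAC-SHA256 over all other fields.
type AuditEntry struct {
	User, Timestamp, Action, Resource, Prev, MAC string
}

func entryMAC(key []byte, e AuditEntry) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strings.Join([]string{e.User, e.Timestamp, e.Action, e.Resource, e.Prev}, "\x1f")))
	return hex.EncodeToString(m.Sum(nil))
}

// Append links and seals the next entry; the key lives in the logging service only, not with app admins.
func Append(key []byte, log []AuditEntry, user, ts, action, resource string) []AuditEntry {
	prev := strings.Repeat("0", 64)
	if len(log) > 0 {
		prev = log[len(log)-1].MAC
	}
	e := AuditEntry{User: user, Timestamp: ts, Action: action, Resource: resource, Prev: prev}
	e.MAC = entryMAC(key, e)
	return append(log, e)
}

// Verify returns the index of the first edited, removed-around or reordered entry, or -1 if intact.
func Verify(key []byte, log []AuditEntry) int {
	prev := strings.Repeat("0", 64)
	for i, e := range log {
		if e.Prev != prev || !hmac.Equal([]byte(e.MAC), []byte(entryMAC(key, e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

func main() {
	key := []byte("constructed-demo-key") // production: random 32-byte key in the log service
	log := Append(key, nil, "dr.lee", "2026-03-01T09:00:00Z", "VIEW", "patient/1042")
	log[0].Action = "NONE" // an insider edits history; the chain now breaks at index 0
	fmt.Println("first bad entry:", Verify(key, log))
}
```

Deleting entries from the tail is not caught by the chain alone, so the latest MAC (or the log itself) also has to land in write-once storage outside the application's control.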
5. Remote Workspace Requirements
The original Security Rule assumed workforce members accessed PHI from a physical office. The updated rule addresses the reality of remote and hybrid clinical staff. Organizations must now document and enforce policies around: secure home network requirements, screen privacy in shared spaces, device disposal procedures, and use of personal devices for work.
What Small Practices Need to Do Now
- Enforce MFA on every system that touches PHI: Your telehealth platform, EHR, email system, and any admin tools. If a vendor doesn't support MFA, replace them
- Document your encryption approach: Know what's encrypted at rest, what's encrypted in transit, and what algorithms are used. Request this information from every vendor in writing
- Create an asset inventory: List every device, system, and software application that touches PHI. Update quarterly. This is a compliance artifact you may need to produce during an audit
- Verify audit logging capabilities: Confirm your platforms log every PHI access, retain logs for six years, and the logs cannot be modified by normal users
- Write a remote workspace policy: Even if it's one page. Specify home network security expectations, screen privacy rules, device requirements, and acceptable locations for clinical work
- Train your workforce annually: Document the training. Include the new requirements specifically
Common Compliance Gaps We See in Small Practices
- Shared admin accounts: Multiple staff using the same login makes audit logs useless. Every user needs their own credentials
- Legacy EHRs without MFA: Some older EHRs simply don't support MFA. This is now a compliance gap that must be addressed, even if it means migrating systems
- Unencrypted backups: Your database is encrypted, but your nightly backup to a cloud storage bucket is not. This is a common oversight that regulators look for
- No documented vendor risk assessment: The rule requires you to assess the security practices of vendors handling PHI. Most small practices skip this entirely
- Personal email for clinical communication: Staff forwarding PHI to personal email accounts to 'work from home' is an immediate compliance violation
- Missing Business Associate Agreements: Every vendor that touches PHI needs a BAA. If you don't have one for every vendor, you have a compliance gap
What Penalties Look Like Under the Updated Rule
HIPAA penalties are tiered by culpability. The updated rule preserves the tiered structure but increases enforcement frequency and scrutiny for telehealth-specific violations:
- Tier 1 (unknowing violation): $100-$50,000 per violation, $25,000-$1.5M annual cap
- Tier 2 (reasonable cause): $1,000-$50,000 per violation
- Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation
- Tier 4 (willful neglect, not corrected): $50,000+ per violation, up to $1.5M annually
The per-violation math matters. If a breach exposes 1,000 patient records and you lacked required MFA, that can be 1,000 violations. Penalties compound quickly.
How to Evaluate Your Telehealth Platform's Compliance
When evaluating whether your current telehealth platform meets the 2026 standard, ask the vendor these specific questions in writing:
- What encryption algorithm is used for PHI at rest, and is it applied at the field level or only at the database level?
- Is MFA enforced for all user roles, and what MFA methods are supported?
- What is your audit log retention policy, and can logs be modified or deleted by administrators?
- How do you verify that your own infrastructure meets HIPAA encryption and access control requirements?
- Will you sign a Business Associate Agreement, and does it specifically address the 2026 Security Rule updates?
- In the event of a security incident affecting our data, what is your notification timeline and process?
If the vendor can't answer these questions clearly and in writing, they are a compliance risk for your practice.
The Thimble Hub Approach to Compliance
We built Thimble Hub with the updated HIPAA Security Rule requirements baked in from the beginning. Field-level AES-256-GCM encryption. MFA enforced for all admin and clinical roles. Six-year immutable audit trails. Automated compliance testing that runs on every deployment. BAAs included with every plan.
This isn't a compliance checklist we fill out annually. It's architectural. We built the platform assuming the 2026 rules would be the baseline, so upgrading was not required. If you're evaluating whether your current platform can meet these requirements, or whether yours was built to satisfy the old 2003 rule, that's an important question to answer.
Run a Compliance Gap Check
If you're not sure whether your current telehealth infrastructure meets the 2026 HIPAA Security Rule requirements, book a call. We'll walk through the updated requirements and show you where Thimble Hub addresses each one.
Frequently Asked Questions
- When do the updated HIPAA Security Rule requirements go into effect?
- The updated Security Rule was published in 2024 and is being enforced throughout 2026. Organizations should already be compliant with all requirements. Audits and enforcement actions under the new rules are active.
- Do I need MFA for every employee at my clinic?
- Yes, for anyone who accesses PHI. This includes clinical staff, admin staff, billing, and anyone else with login credentials to systems containing patient data. Front desk staff and external contractors are also included.
- What's the difference between database encryption and field-level encryption?
- Database encryption protects the entire database file from unauthorized access at the storage level. Field-level encryption protects individual data fields within records, so even if someone gains database access, individual PHI fields remain encrypted. Field-level is the emerging best practice.
- Can I still use BYOD (personal devices) for clinical work under the new rules?
- Yes, but you must document and enforce BYOD policies that include device security requirements, acceptable use, disposal procedures, and remote wipe capabilities. Informal BYOD is no longer acceptable.
- How do I know if my telehealth vendor is HIPAA compliant under the 2026 rule?
- Ask them in writing: what encryption they use, whether MFA is enforced, how audit logs are protected, and whether they'll sign an updated BAA that specifically references the 2024 Security Rule changes. A compliant vendor can answer these questions clearly and quickly.
