What’s Changing in 2026
The HIPAA Security Rule overhaul, expected to finalize in 2026 with a 180-day compliance window, eliminates the old distinction between “required” and “addressable” safeguards. Multi-factor authentication, encryption, and network segmentation move from recommended to mandatory for every covered entity, not just hospitals with dedicated IT teams.
That shift matters for insurance, not just compliance. Cyber underwriters are increasingly pricing policies around exactly these controls. A practice with MFA and encrypted backups in place typically underwrites more favorably than one without, and a practice that can’t show these controls at all may find fewer carriers willing to quote it at any price. Getting ahead of the compliance deadline and the underwriting conversation is the same task now, not two separate ones. Standard protection for your office and equipment doesn’t touch this exposure at all, which is exactly why cyber sits as its own line rather than an afterthought bolted onto a property policy.
Industry associations have pushed back on the timeline, arguing that smaller practices without dedicated IT staff need longer than 180 days to overhaul infrastructure that’s been running the same way for a decade. That pushback probably won’t change the outcome much. What it does signal is that carriers are already adjusting underwriting standards ahead of the final rule, not waiting for it.