HIPAA IT controls for Hawaii medical practices: what’s required in 2026
A Hawaii medical practice in 2026 needs the current HIPAA Security Rule technical safeguards plus the controls OCR is already enforcing as the floor: multi-factor authentication on every system that touches ePHI, encryption at rest and in transit, endpoint detection and response on all devices, a current and documented risk analysis, audit logging, written incident response procedures, and tested backups. The proposed Security Rule update would make most of these explicit requirements. Below is what is required today, what the pending rule would add, and the order Honolulu clinics should tackle the work in.
Published · HI Tech Hui · ~10 min read
The current HIPAA Security Rule technical safeguards
Under the existing HIPAA Security Rule (45 CFR Part 164, Subpart C), every Hawaii covered entity — medical practices, dental practices, behavioral health clinics, imaging centers, labs — must implement the following technical safeguards. These are not new in 2026; they have been law since 2005 and are what OCR enforces today:
- Access control — unique user identification, emergency access procedure, automatic logoff, encryption and decryption.
- Audit controls — hardware, software, and procedural mechanisms that record and examine activity in systems containing or using ePHI.
- Integrity controls — mechanisms to ensure ePHI is not improperly altered or destroyed.
- Person or entity authentication — verify the identity of anyone or anything seeking access to ePHI.
- Transmission security — integrity controls and encryption for ePHI in motion.
Several of these specifications are currently labeled “addressable,” which means a covered entity may document why a specific implementation is not reasonable and appropriate and implement an equivalent measure instead. The pending NPRM removes that distinction. The full text of the current rule is on the HHS Security Rule page.
What the 2026 NPRM would add (when finalized)
The Notice of Proposed Rulemaking that OCR published on January 6, 2025 is the most significant Security Rule update in over twenty years. As of the publication date of this post, the final rule has not been issued — OCR’s May 2026 target passed without publication. The proposal’s headline changes are:
- End of “addressable” vs “required” distinction — nearly every safeguard becomes mandatory.
- Mandatory MFA on every system that accesses, stores, or transmits ePHI. Phishing-resistant MFA (passkeys, FIDO2, certificate-based) is preferred; we covered the migration in our piece on phishing-resistant authentication via Entra passkeys.
- Encryption of ePHI at rest and in transit — required, not addressable. FIPS-validated cryptographic modules where applicable.
- Detailed technology asset inventory — not a spreadsheet of laptops, but a documented map of every system, application, and data flow involving ePHI.
- Risk analyses with explicit threat-vulnerability pairs tied to the asset inventory.
- Vulnerability scanning every six months and annual penetration testing.
- 72-hour Recovery Time Objective and 48-hour Recovery Point Objective for disaster recovery.
- Annual compliance audits against the Security Rule.
- Tighter Business Associate Agreements, with annual written verification of BA security controls.
The compliance window once the final rule is published is 180 days. That is not generous for a small Hawaii practice starting from zero on MFA and encryption-at-rest. Some of the public commentary — more than 4,700 comments — pushed for longer windows or rule withdrawal, including from major systems like Cleveland Clinic and Yale New Haven. OCR has not signaled which way the final rule will land.
The order Hawaii practices should tackle the work in
If your Honolulu practice does not yet have the proposed controls in place, the practical order of operations — not the regulatory order — looks like this. Each step builds on the last:
1. Asset and data-flow inventory (weeks 1-2)
You cannot risk-analyze what you cannot list. Every workstation, server, mobile device, EHR, billing system, secure messaging platform, scheduling system, imaging modality, fax appliance, cloud storage tenant, and BA-managed system that touches ePHI gets inventoried with owner, location, data sensitivity, and a documented data flow. This document is the foundation of everything else.
2. MFA on every ePHI system (weeks 2-6)
Roll MFA out in this order: Microsoft 365 admin accounts first, all user accounts second, EHR accounts third, then remote access (VPN, RDP, remote support tools), then any third-party SaaS that touches ePHI. Push to phishing-resistant methods (passkeys, FIDO2 keys, or Microsoft Authenticator number-matching) wherever the system supports it. SMS-based MFA is better than nothing but is being deprecated industry-wide.
3. Encryption at rest and in transit (weeks 4-8)
BitLocker on every Windows endpoint with Intune key escrow. FileVault on every Mac. Mobile device encryption enforced via MDM. TLS 1.2 minimum (1.3 preferred) for all data in transit. Confirm cloud storage tenants are encrypted at rest by the provider with customer-managed keys where the EHR vendor supports it. Document the cryptographic modules in use.
4. EDR on every endpoint (weeks 6-8)
Endpoint detection and response on every workstation, server, and managed device. Named tooling — CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint — with central reporting to a SOC. We monitor client environments through our in-house SOC for exactly this reason; for healthcare, alerting needs to land with someone who can act on it 24/7.
5. Risk analysis (weeks 8-12)
A current, written risk analysis with threat-vulnerability pairs tied to your asset inventory. OCR’s January 2026 Cybersecurity Newsletter named risk analysis as the most frequently cited Security Rule deficiency in resolution agreements. Use a methodology — NIST SP 800-30 is the conventional reference. Update annually and after any material change to systems or services.
6. Backup, recovery, and incident response (weeks 10-14)
3-2-1 backup architecture with immutability on at least one copy, tested quarterly — not just “the backup ran last night.” A written incident response plan with named roles, escalation contacts, and a tabletop exercise on the calendar. Recovery objectives documented; the proposed rule’s 72-hour RTO and 48-hour RPO are reasonable targets even before they become mandatory.
7. BAA inventory and refresh (weeks 12-16)
Every vendor that touches ePHI needs a current, signed Business Associate Agreement. The proposed rule will require annual written verification of BA security controls. Get ahead of that now: build the BA inventory, refresh stale agreements, and add a security questionnaire to your annual vendor review.
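Step 3 above (and the "verify BitLocker and confirm Intune key escrow" item in the 90-day plan later in this post) boil down to one check per Windows endpoint. The script below is an added example, not code from the post or from HI Tech Hui; it assumes an Entra-joined or hybrid-joined device enrolled in Intune, an elevated PowerShell session, and only the built-in BitLocker module cmdlets.

```powershell
# Added example: verify BitLocker on a Windows endpoint and escrow recovery keys
# to Entra ID so Intune can retrieve them. Not from the original post.
# Assumptions: Entra-joined or hybrid-joined device enrolled in Intune, elevated
# PowerShell, built-in BitLocker module (Get-BitLockerVolume,
# BackupToAAD-BitLockerKeyProtector).

$report = foreach ($vol in Get-BitLockerVolume) {
    $recoveryProtectors = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus  # must be 'On', not merely encrypted
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
        Method           = $vol.EncryptionMethod  # XtsAes256 is the usual target
        RecoveryKeys     = $recoveryProtectors.Count
    }
}
$report | Format-Table -AutoSize

# Escrow every recovery password protector to Entra ID. Safe to re-run: a
# protector that is already backed up is simply uploaded again.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $_.KeyProtectorId
        }
}

# Gaps to record in the risk analysis: protection not enforced, or no recovery
# password protector at all (nothing to escrow, nothing to recover with).
$gaps = $report | Where-Object { $_.ProtectionStatus -ne 'On' -or $_.RecoveryKeys -eq 0 }
if ($gaps) {
    Write-Warning 'Volumes below need remediation before this endpoint is compliant:'
    $gaps | Format-Table -AutoSize
} else {
    Write-Output 'All BitLocker volumes protected and recovery keys escrowed to Entra ID.'
}
```

On Macs the equivalent status check is `fdesetup status`; escrow of the FileVault personal recovery key is handled by the MDM profile rather than a local command.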
How Hawaii-specific factors change the math
Hawaii medical practices face the same Security Rule as mainland practices, but the operational context is different in three ways that affect IT planning:
- On-island response. A ransomware incident on a Friday night requires people on island. Pure-remote MSPs cannot physically isolate infected machines or restore from offline media. Healthcare incident response in Hawaii must include on-island capability.
- State law overlay. Hawaii’s breach notification statute (HRS Chapter 487N) applies on top of HIPAA. Notifications to affected patients and to the state Office of Consumer Protection can be required even when HIPAA notice timelines have not been reached.
- Workforce mobility. Travel between offices, neighbor-island clinics, and clinician home offices is common. Conditional access policies and MDM matter more here than in a single-office mainland practice. Persistent connection assumptions break in Hawaii.
The cost framework for HIPAA-aware managed IT in Hawaii sits at the upper end of the standard managed IT pricing we covered in the 2026 pricing breakdown for Honolulu businesses — expect $225 to $300 per user per month for a compliance-driven engagement.
What OCR is enforcing right now (regardless of the final rule)
The proposed rule has not been finalized, but OCR has not been quiet. Recent enforcement patterns relevant to Hawaii practices:
- Risk analysis deficiencies remain the single most-cited Security Rule failing in resolution agreements.
- Missing or stale Business Associate Agreements draw consistent citations, especially as practices add cloud-based EHRs and AI scribes.
- Shared user accounts and missing audit logging show up in nearly every breach investigation.
- Lack of MFA on remote access is now treated as a baseline failure even though it is technically still “addressable.”
- Encryption gaps on portable devices (laptops, USB drives) trigger breach reporting that healthier controls would have prevented entirely.
The takeaway is that the proposed rule is not academic. OCR is treating its provisions as expected baseline care even before the rule is finalized. The closer your practice gets to the proposal now, the smaller the year-of-finalization scramble will be.
The compliance documentation Hawaii practices commonly lack
Most Hawaii medical practices we see for the first time have similar gaps in documentation, not necessarily in controls. The controls may be present; the paperwork is not. Common missing artifacts:
- Current written risk analysis with threat-vulnerability pairs.
- Technology asset inventory mapped to ePHI flow.
- Written sanction policy and workforce security policies.
- Incident response plan with named roles and contact lists.
- BAA inventory with renewal dates and security questionnaires.
- Audit log retention and review procedures.
- Backup recovery test results from the past 12 months.
- Training records for workforce security awareness.
This is the documentation OCR asks for in an investigation. The investigation often begins with a complaint or breach notification triggered by an event that the controls themselves would have prevented — which is why control deployment and documentation discipline are inseparable.
What to do this quarter
Practical 90-day plan for a Hawaii medical practice that wants to be defensible against both current OCR enforcement and the eventual final rule:
- Complete an asset and ePHI data-flow inventory.
- Deploy phishing-resistant MFA on all admin accounts and remote access; SMS or TOTP MFA everywhere else as an interim step.
- Verify BitLocker/FileVault on every endpoint and confirm Intune key escrow.
- Confirm EDR is deployed and monitored 24/7 with named escalation.
- Produce a written risk analysis or refresh the most recent one against the new inventory.
- Refresh the BAA inventory and chase down any missing or stale agreements.
- Run a tabletop exercise of your incident response plan; document the gaps you find.
None of this list is novel. All of it is what OCR expects to see when it opens a file on your practice. Most of it is also what a competent managed IT provider should be doing already — the test for any Hawaii MSP claiming healthcare expertise is whether they can show you their template artifacts, not just promise them. The buyer-side framework for vetting that claim is in our evaluation framework for Honolulu MSPs, and the broader compliance landscape is in our CMMC vs SOC 2 vs HIPAA comparison for Hawaii SMBs.
Sources
- HHS HIPAA Security Rule — current text and guidance
- HIPAA Security Rule NPRM — Federal Register, January 6, 2025
- Hawaii Revised Statutes Chapter 487N — Security Breach of Personal Information
Building a HIPAA control program for a Hawaii practice? HI Tech Hui provides managed IT, cybersecurity, and 24/7 monitoring through our in-house SOC with HIPAA-aware tooling and documentation. Contact us for a no-pressure scoping conversation.