Maryland healthcare providers face some of the strictest HIPAA enforcement in the country, combined with proposed 2026 rule updates that would make MFA and encryption effectively mandatory. Here is what your practice needs to know and do.
Maryland is home to one of the country's most active healthcare ecosystems — Johns Hopkins, University of Maryland Medical System, and thousands of private practices, dental offices, mental health providers, and specialty clinics. All of them handle protected health information. All of them face HIPAA obligations. And in 2026, those obligations are getting stricter.
What Is Changing in HIPAA in 2026
HHS has proposed significant updates to the HIPAA Security Rule that Maryland healthcare providers need to prepare for now — even before they take effect.
- MFA becomes effectively mandatory: The proposed rules would move MFA from an addressable specification to a required safeguard for all systems accessing ePHI.
- Encryption requirements tighten: Encryption at rest and in transit would be required for all ePHI, removing the "addressable" classification that some organizations have used to avoid implementing it.
- 72-hour breach notification: The proposed timeline shortens breach notification to HHS from 60 days to 72 hours for breaches affecting 500+ individuals.
- Annual penetration testing: The proposed rules would require annual penetration testing of systems containing ePHI.
The 8 Technical Safeguards Every Maryland Practice Needs Now
- Unique user accounts: Every person accessing systems with patient data must have their own named account — no shared logins.
- MFA on all ePHI systems: Microsoft 365, EHR systems, telehealth platforms, and remote access all require MFA.
- Full disk encryption: Every laptop, desktop, and mobile device that can access patient data must be encrypted.
- Audit logging with 6-year retention: All access to ePHI must be logged and retained for six years minimum.
- Email encryption: Any email containing patient information must be encrypted in transit.
- Automatic screen lock: Workstations in clinical areas must lock automatically after inactivity.
- Documented risk assessment: An annual risk assessment that identifies threats to ePHI is required by regulation, and its findings must be documented.
- Incident response plan: A documented plan for responding to breaches, including the notification procedures to follow, must be in place before an incident occurs.
The Cost of HIPAA Non-Compliance
The HHS Office for Civil Rights settled 28 HIPAA enforcement actions in 2025, totaling over $12 million in penalties. Maryland healthcare providers have been among the enforcement targets. Penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category.
Beyond regulatory penalties, a healthcare data breach costs an average of $10.9 million in total impact — the highest of any industry according to IBM's Cost of a Data Breach report.
How CloudTechForce Supports Maryland Healthcare Providers
CloudTechForce has supported 30+ healthcare organizations across North America with HIPAA-compliant managed IT since 2017. Our [healthcare IT services](/healthcare-it-services) cover all required technical safeguards, annual risk assessments with documented remediation plans, EHR and EMR system support, and full Business Associate Agreement execution.
Our [managed security services](/managed-security-services) add 24/7 SOC monitoring, EDR, and incident response capability — essential for meeting the enhanced breach detection requirements in the proposed 2026 HIPAA rules.
Contact us at cloudtechforce.com/free-assessment for a free HIPAA gap assessment for your Maryland practice.