HIPAA Security Rule 2026: What Engineers Must Automate Now
The HIPAA Security Rule NPRM (2026) adds 15 new cybersecurity requirements. Most compliance articles explain them in legal language. This one explains them in code.
vlayer automates the code-detectable controls — the technical safeguards under §164.312 and the NPRM requirements a static scan can actually verify. The rest are organizational (process, policy, and evidence a scanner can't produce), and this post is explicit about which is which. Here's what each one means for your CI/CD pipeline.
The 9 requirements you can automate today
1. Multi-Factor Authentication (HIPAA-MFA-001)
Rule: All access to ePHI must enforce MFA. No exceptions.
What vlayer checks: Login and auth endpoints that don't verify an MFA token or claim.
// Fails: login without MFA verification
export async function POST(req: Request) {
const { email, password } = await req.json();
const user = await authenticate(email, password);
const token = jwt.sign({ userId: user.id }, SECRET);
return Response.json({ token });
}
CRITICAL HIPAA-MFA-001
Authentication endpoint does not enforce multi-factor authentication
File: app/api/auth/login/route.ts:2
HIPAA: 45 CFR §164.312(a)(2)(i)
2. Encryption at Rest (HIPAA-ENC-REST-001)
Rule: All ePHI must be encrypted with AES-256 or stronger at rest.
What vlayer checks: Database connections without encryption, PHI in localStorage/cookies, unencrypted backups.
// Fails: database without encryption config
const pool = new Pool({
connectionString: process.env.DATABASE_URL,
ssl: false, // ePHI stored without encryption at rest
});
CRITICAL HIPAA-ENC-REST-001
Database connection has SSL disabled — ePHI may be unencrypted at rest
HIPAA: 45 CFR §164.312(a)(2)(iv)
3. Session Timeout (HIPAA-SESSION-001)
Rule: Sessions must auto-expire within 15 minutes of inactivity.
// Fails: session maxAge set to 24 hours
const session = {
maxAge: 86400000, // 24h — exceeds HIPAA 15-min requirement
secure: true,
};
HIGH HIPAA-SESSION-001
Session timeout exceeds HIPAA 15-minute idle requirement
HIPAA: 45 CFR §164.312(a)(2)(iii)
4. Immediate Access Revocation (HIPAA-REVOKE-001)
Rule: When a user is deactivated, all their active sessions and tokens must be invalidated immediately.
What vlayer checks: User deactivation/deletion code that doesn't include token revocation logic.
5. Breach Notification (HIPAA-BREACH-001)
Rule: Automated breach detection with 24-hour notification capability.
What vlayer checks: Security error handlers without breach notification integration.
6. Network Segmentation (HIPAA-SEGMENT-001)
Rule: PHI services must be network-segmented from non-PHI services.
What vlayer checks: CORS origin: * on PHI endpoints, missing VPC/subnet configuration.
7. Technology Asset Inventory (HIPAA-ASSET-001)
Rule: Maintain an inventory of all systems that process or store ePHI.
What vlayer checks: Scans for database connections, storage services, and third-party integrations to auto-generate an asset inventory.
8. ePHI Flow Mapping (HIPAA-FLOW-001)
Rule: Document how ePHI flows through your system — input, processing, storage, output.
What vlayer checks: Traces PHI data paths through your codebase and generates a flow map.
9. Vulnerability Scanning (HIPAA-PENTEST-001)
Rule: Automated vulnerability scanning must be integrated into CI/CD.
What vlayer checks: Presence of scanning tools (Dependabot, Snyk, Trivy) in your CI configuration.
HIGH HIPAA-PENTEST-001
No automated vulnerability scanning detected in CI/CD configuration
HIPAA: 45 CFR §164.308(a)(8)
How to check the automatable requirements in one command
npx verification-layer scan ./src
vlayer checks the 9 code-detectable HIPAA 2026 requirements on every scan. The remaining requirements are out of scope for static code analysis — things like asset inventory, penetration testing, risk assessments, security training, third-party (BAA) risk management, and backup/contingency operations require organizational process and evidence that no scanner can generate. vlayer provides templates to help you document those, but it does not claim to verify them.
npx verification-layer templates list
The enforcement date is coming. Automate what you can now and document the rest.