
By Joe Rafanelli | Published on April 2nd, 2026
If you operate a healthcare company or an insurance organization and your clinical, claims, and administrative data is still being fed through a Visual FoxPro (VFP) or VB6 application, this article is non-negotiable. The 2026 HIPAA security rule update is anticipated to be finalized by May of this year. Once that occurs, all safeguards that were previously “addressable” will become mandatory. Your legacy application almost certainly cannot meet the new requirements.
I have conducted HIPAA compliance-focused migration assessments for my healthcare clients since February of this year, and I have identified a consistent pattern among healthcare organizations: they know the deadline is coming, they know their legacy systems are a problem, but they grossly underestimate the amount of work required to achieve compliance.
In January of 2025, HHS published the proposed rule, and it is anticipated to be finalized in the spring of 2026. Once finalized, the rule eliminates the distinction between required and addressable safeguards. Currently, covered entities may forgo certain controls as long as they document a rationale for doing so. That flexibility will be eliminated.
Several firms, including Medcurity, CBIZ, and PBMares, have provided detailed breakdowns of the key mandates of the proposed rule. All electronic protected health information (ePHI) must be encrypted at rest and in transit. Multi-factor authentication (MFA) will be required for all systems that access ePHI. Each organization must conduct annual security risk assessments with documented remediation plans.
Each covered entity must perform vulnerability scanning every six months and annual penetration testing. Incident notification timelines tighten to 72 hours, and systems must be restorable within 72 hours of a security incident.
Microsoft discontinued support of Visual FoxPro in 2007 and ended mainstream support of VB6 in 2008. Neither platform receives security patches. Neither platform natively supports modern encryption protocols, and neither can implement multi-factor authentication without substantial custom middleware, which itself introduces security risk.
When I assess a VFP application in operation in a healthcare environment, I typically find ePHI stored in DBF files on a local network share with no encryption at rest. Authentication is implemented through a single username/password combination – no MFA, no role-based access control, no session timeout. I never find an audit trail that would satisfy HIPAA’s documentation requirements. And I never find any mechanism to restore the system within 72 hours, because no modern disaster recovery framework supports either of these platforms.
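To make the first finding concrete, here is an added assessment helper (example code written for this article, not part of the original post and not Innovatix tooling) that shows why a DBF table on a network share is an encryption-at-rest gap: the file format is documented plaintext, so the schema and every record can be read without the VFP application or its login screen. It parses only the documented xBase/VFP header layout, builds its own constructed sample table with fictitious patient rows, and goes one step beyond the text by also flagging that rows marked deleted remain in the file until the table is packed.

```python
"""Added example: read a Visual FoxPro / dBASE table (.DBF) directly to show
that ePHI in such files is cleartext at rest. Sample data is constructed.

Documented DBF header layout used here:
  byte 0        table type (0x30 = Visual FoxPro, 0x03 = dBASE III / FoxBASE+)
  bytes 1-3     last update (YY MM DD)
  bytes 4-7     record count (uint32, little-endian)
  bytes 8-9     header length in bytes (uint16, little-endian)
  bytes 10-11   record length in bytes (uint16, little-endian)
  bytes 32..    32-byte field descriptors (name, type, length), ended by 0x0D
Each record starts with a deletion flag (0x20 live, 0x2A deleted) followed by
fixed-width field values.
"""
import struct

# Common table-type bytes seen in byte 0 of xBase/FoxPro files.
KNOWN_TABLE_TYPES = {0x02, 0x03, 0x30, 0x31, 0x83, 0x8B, 0xF5}


def build_sample_table(records):
    """Construct a minimal VFP-style DBF in memory (constructed sample data).
    Fields: PATIENT C(20), MRN C(8), DOB D(8)."""
    fields = [("PATIENT", b"C", 20), ("MRN", b"C", 8), ("DOB", b"D", 8)]
    descriptors = b""
    offset = 1  # byte 0 of every record is the deletion flag
    for name, ftype, length in fields:
        descriptors += name.encode("ascii").ljust(11, b"\x00")  # 0-10  field name
        descriptors += ftype                                    # 11    field type
        descriptors += struct.pack("<I", offset)                # 12-15 displacement in record
        descriptors += bytes([length, 0])                       # 16-17 length, decimals
        descriptors += b"\x00" * 14                             # 18-31 flags / reserved
        offset += length
    record_len = offset
    header_len = 32 + len(descriptors) + 1  # +1 for the 0x0D terminator
    header = bytes([0x30, 26, 4, 2])        # VFP type byte, last update 2026-04-02
    header += struct.pack("<IHH", len(records), header_len, record_len)
    header += b"\x00" * 20                  # bytes 12-31 reserved / flags
    body = b""
    for patient, mrn, dob in records:
        body += b" " + patient.encode().ljust(20) + mrn.encode().ljust(8) + dob.encode()
    return header + descriptors + b"\x0D" + body + b"\x1A"


def parse_dbf(data):
    """Return table type, field list and decoded records from raw DBF bytes."""
    if len(data) < 32:
        raise ValueError("too short to be a DBF header")
    table_type = data[0]
    record_count, header_len, record_len = struct.unpack_from("<IHH", data, 4)
    fields = []
    pos = 32
    while pos + 32 <= header_len and data[pos] != 0x0D:
        name = data[pos:pos + 11].split(b"\x00", 1)[0].decode("ascii", "replace")
        fields.append((name, chr(data[pos + 11]), data[pos + 16]))
        pos += 32
    records = []
    pos = header_len
    for _ in range(record_count):
        raw = data[pos:pos + record_len]
        if len(raw) < record_len:
            break  # truncated file; stop rather than mis-read
        values = {"deleted": raw[0:1] == b"*"}
        off = 1
        for name, _ftype, length in fields:
            values[name] = raw[off:off + length].decode("latin-1").strip()
            off += length
        records.append(values)
        pos += record_len
    return {"table_type": table_type, "fields": fields, "records": records}


def assess_table(data, sample=2):
    """Plain-language findings for a risk assessment of one table file."""
    if len(data) < 32 or data[0] not in KNOWN_TABLE_TYPES:
        return ["not a recognised DBF header (possibly encrypted, corrupt, or another format)"]
    table = parse_dbf(data)
    names = ", ".join(n for n, _, _ in table["fields"])
    findings = [
        f"plaintext DBF (type 0x{table['table_type']:02X}); schema readable without the app: {names}",
        f"{len(table['records'])} records readable as cleartext; no encryption at rest",
    ]
    for rec in table["records"][:sample]:
        findings.append("sample: " + ", ".join(f"{k}={v}" for k, v in rec.items() if k != "deleted"))
    if any(r["deleted"] for r in table["records"]):
        findings.append("rows flagged deleted are still present in the file (no secure deletion)")
    return findings


if __name__ == "__main__":
    sample = build_sample_table([("Jane Example", "MRN00001", "19700315"),
                                 ("John Sample", "MRN00002", "19851122")])
    for line in assess_table(sample):
        print("-", line)
```

Run against a real share with `assess_table(open(path, "rb").read())` per file; a table that returns "not a recognised DBF header" merits a closer look, but every table that parses is, by construction, ePHI that any account with read access to the share can copy and read.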
As noted above, covered entities have been able to document gaps in their legacy applications and argue that those gaps were “addressable.” That argument disappears once the new rule becomes enforceable. Every gap becomes a violation.
IBM’s 2025 Cost of a Data Breach Report found that the average U.S. breach now costs $10.22 million — a record high. Healthcare remains the most expensive industry for breaches, a position it has held for over a decade. Health-ISAC reported a 55% surge in healthcare cyber incidents in 2025, and HHS enforcement actions continue to accelerate. This month alone, HHS settled with MMG Fusion over a breach that exposed 15 million patient records.
HIPAA penalties range from $141 to $2.13 million per violation category per year. Class action lawsuits are compounding those numbers – ApolloMD just settled a breach lawsuit for $4.02 million. According to IBM’s data, ransomware-related class actions have increased 600 percent since 2019. A legacy application that cannot encrypt data, cannot authenticate users, and cannot recover after an outage is not a calculated risk – it is an open invitation.
At Innovatix, we have successfully migrated VFP and VB6 applications for clients in healthcare, insurance, and medical billing. The process was designed around compliance from day one. The target platform — modern .NET — natively supports AES-256 encryption, integrates with Azure Active Directory for MFA, provides comprehensive audit logging, and deploys to cloud infrastructure with built-in disaster recovery and automated backup.
Our DataMorph tool automatically converts VFP database structures to SQL Server with full data integrity validation. CodeMorph automates code conversion. Our CodeAuto AI accelerator compresses migration timelines by 60-80 percent. And our Dazzle 3.0 .NET foundation framework provides architectural scaffolding that ensures the migrated application meets enterprise security standards from the first deployment.
The migrated application does not just pass a HIPAA audit — it is built to pass every future audit, because the underlying platform receives continuous security updates, patch management, and framework improvements from Microsoft.
OCR has made its position clear — legacy systems are not exempt from HIPAA requirements. In a 2021 cybersecurity newsletter, OCR specifically reminded covered entities that legacy systems and devices must be assessed and risks to ePHI reduced to a low and acceptable level. The 2026 rule turns that guidance into an enforceable mandate.
If your organization is still processing patient data, claims data, or billing data through a VFP or VB6 application, the compliance conversation is no longer about whether to migrate — it is about how quickly you can migrate before you become the next enforcement headline.