The HIPAA Security Rule Is Being Overhauled — What US Healthcare Providers Should Do Now


The biggest change to HIPAA security requirements in over a decade is on the table. If your business creates, receives, or stores electronic protected health information (ePHI) — which covers almost every healthcare provider — it is worth understanding now, before it lands.

First, the most important point: this is a proposed rule, not a final one. Here is where things stand and what to do about it.

Where the rule is right now

The Office for Civil Rights (OCR) at the US Department of Health and Human Services issued a Notice of Proposed Rulemaking to modernize the HIPAA Security Rule. It was announced in late December 2024 and formally published in the Federal Register on 6 January 2025, with the public comment period closing on 7 March 2025.

As of mid-2026, OCR has not issued a final rule. It remains on the regulatory agenda, with finalization most often discussed as likely around mid-2026, but it could still be delayed, changed, or withdrawn. The proposal drew heavy industry pushback, and at least one coalition has formally asked OCR to withdraw it. In short: take it seriously and prepare, but do not treat the proposed requirements as law yet.

What the proposal would change

The current Security Rule splits safeguards into "required" and "addressable." Addressable controls give organizations room to weigh cost and risk before deciding how — or whether — to implement them. The single biggest proposed change would remove that distinction and make almost every safeguard mandatory, with only limited exceptions. There would no longer be a documentation pathway to skip a control.

Alongside that, the proposal would introduce a set of concrete technical requirements, including:

  • Encryption of ePHI at rest and in transit, with only narrow exceptions.
  • Multi-factor authentication for access to systems that hold or touch ePHI.
  • A written inventory of technology assets and a network map showing how ePHI moves through the organization, reviewed at least every 12 months and after any change that affects ePHI.
  • A written risk analysis built on that inventory and map, rather than a generic assessment.
  • Vulnerability scanning at least every six months and penetration testing at least every 12 months, with critical patches applied within 15 calendar days and high-risk patches within 30.
  • Tighter incident response and recovery obligations, including restoring relevant electronic information systems and data within 72 hours of a loss.
  • Stronger oversight of business associates, including written verification at least every 12 months that their technical safeguards are in place.

If finalized as proposed, the rule would take effect 60 days after publication, and regulated entities would then have 180 days to comply: about 240 days in total from the day the final rule is published.

Why this matters even before it's final

The direction of travel is clear: regulators are tired of "addressable" being used as a reason to defer basic security, and they are moving toward prescriptive, mandatory controls. Whether the final rule arrives this year or later, the things it asks for — encryption, MFA, an asset inventory, a real risk analysis, tested backups — are already considered good practice and already show up in OCR investigations and breach settlements. Preparing now is low-regret.

A practical readiness checklist

You do not need to wait for the final rule to make sensible progress:

  • Encrypt ePHI on laptops, servers, mobile devices, and in transit: full-disk encryption on endpoints, encrypted storage for servers and backups, and TLS for every connection that carries patient data. If anything is unencrypted, start there.
  • Turn on multi-factor authentication for email, remote access, the EHR, and every administrative account, not only the systems that obviously hold patient data.
  • Write down what you have: a simple, current inventory of the devices, systems, and vendors that handle ePHI, with a note of how ePHI moves between them.
  • Do a real risk analysis against that inventory, not a generic template; every asset on the list should have its threats, existing controls, and remaining risk written down.
  • Test your backups by actually restoring them and timing the restore against the proposed 72-hour target, and write a clear incident response plan that says who does what and how fast.
  • Review your business associate agreements and get written confirmation that your vendors actually protect the data you share with them.
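One way to make the inventory and risk analysis steps above concrete is to keep the inventory in a machine-readable form and check it against the proposed controls, so the gap list comes straight from the asset list instead of from a template. The script below is an added example, not code from this article or from any regulator. It reads a small constructed CSV inventory (the assets, vendors, and dates are made up), applies the cadences the proposal names for scanning, penetration testing, and business associate verification, adds an assumed 90-day limit on backup restore tests, and lists the gaps worst first. The column names, the two severity levels, and the choice of which asset types get restore-test and penetration-test checks are all assumptions for illustration.

```python
"""Gap check of an ePHI asset inventory against the proposed HIPAA Security Rule controls.

Added example, not the article's or any regulator's code. The inventory format,
the severity levels and the scope rules are assumptions for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Cadences as proposed in the NPRM: scan at least every six months, penetration
# test at least every 12 months, verify business associates at least every 12 months.
SCAN_MAX_DAYS = 182
PENTEST_MAX_DAYS = 365
# Assumption for illustration: a restore test older than a quarter counts as untested.
RESTORE_TEST_MAX_DAYS = 90
# Assumption: only these asset types are treated as backed-up systems that get the
# restore-test and penetration-test checks; endpoints are scanned but not pentested.
SYSTEM_TYPES = {"server", "service"}

# Constructed sample inventory (made-up assets, vendors and dates).
SAMPLE_INVENTORY = """\
asset,type,handles_ephi,encrypted_at_rest,tls_in_transit,mfa,last_restore_test,last_vuln_scan,last_pentest,vendor,baa_verified
EHR-app-server,server,yes,yes,yes,yes,2026-05-02,2026-04-30,2025-09-15,,
Billing-laptop-07,laptop,yes,no,yes,no,,2026-01-10,,,
Front-desk-PC-2,workstation,no,no,yes,no,,2026-04-30,,,
Cloud-backup,service,yes,yes,yes,yes,2025-11-20,,,AcmeBackup Inc,no
Patient-portal,service,yes,yes,yes,no,2026-05-02,2026-04-30,2026-02-01,PortalCo,yes
"""

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str  # HIGH: a mandatory control is missing; MEDIUM: a control exists but is overdue
    control: str
    detail: str


def _is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def _parse_date(value: str) -> date | None:
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def _overdue(last: str, max_days: int, today: date) -> str | None:
    """Return a reason string if the activity was never done or is older than max_days, else None."""
    when = _parse_date(last)
    if when is None:
        return "never done"
    age = (today - when).days
    return f"last done {when}, {age} days ago (limit {max_days})" if age > max_days else None


def assess(inventory_csv: str, today: date) -> list[Finding]:
    """Apply the proposed controls to every ePHI-handling asset and return the gaps, worst first."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["asset"]
        if not _is_yes(row["handles_ephi"]):
            # Out of scope for these checks; the risk analysis still has to justify that classification.
            continue
        if not _is_yes(row["encrypted_at_rest"]):
            findings.append(Finding(name, "HIGH", "encryption at rest", "ePHI stored unencrypted"))
        if not _is_yes(row["tls_in_transit"]):
            findings.append(Finding(name, "HIGH", "encryption in transit", "ePHI sent without TLS"))
        if not _is_yes(row["mfa"]):
            findings.append(Finding(name, "HIGH", "multi-factor authentication", "single-factor access to ePHI"))
        if reason := _overdue(row["last_vuln_scan"], SCAN_MAX_DAYS, today):
            findings.append(Finding(name, "MEDIUM", "vulnerability scanning", reason))
        if row["type"] in SYSTEM_TYPES:
            if reason := _overdue(row["last_pentest"], PENTEST_MAX_DAYS, today):
                findings.append(Finding(name, "MEDIUM", "penetration testing", reason))
            if reason := _overdue(row["last_restore_test"], RESTORE_TEST_MAX_DAYS, today):
                findings.append(Finding(name, "MEDIUM", "backup restore test", reason))
        if row["vendor"].strip() and not _is_yes(row["baa_verified"]):
            findings.append(Finding(name, "HIGH", "business associate verification",
                                    f"no written verification of safeguards from {row['vendor']}"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset, f.control))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 3}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY, date.today())
    for f in results:
        print(f"{f.severity:6} {f.asset:18} {f.control:32} {f.detail}")
    print("totals:", summarize(results))
```

Run against the sample with a reference date of 1 June 2026, the script reports seven gaps: unencrypted storage and no MFA on the billing laptop, no MFA on the patient portal, and an unverified backup vendor that has also never been scanned or penetration tested and whose last restore test is over six months old. The EHR server comes back clean and the front-desk PC is skipped because it is marked as not handling ePHI, which is exactly the kind of classification the risk analysis needs to justify in writing. Swap in your own inventory and adjust the thresholds if the final rule changes them.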

For a small or mid-size provider, this can feel overwhelming — but most of it is straightforward once someone maps it out for you. That is the kind of work we do at a fixed, published price, entirely online: assess where you are, show you the gaps, and update your policies so you are ready for whatever the final rule requires.


Want to know where your business stands against the proposed HIPAA Security Rule? Book a Discovery Call and we'll give you an honest assessment and a clear plan — and if you don't need us, we'll say so.

This article is general information, not legal advice, and reflects the proposed rule as of mid-2026. The rule is not final and may change. We confirm the current position as part of every project.
