HIPAA Security Rule: Preparing for Uncertain Changes

Changes to the HIPAA Security Rule are coming. The Department of Health and Human Services’ Office for Civil Rights (OCR) recently confirmed that a final rule could be released as early as this month. The primary question now is the extent to which OCR will finalize the sweeping changes proposed under the previous administration.

As discussed below, OCR is likely to adopt many of the proposed core cybersecurity requirements, but I also expect it to add flexibilities into the final rule to address common concerns regarding cost and implementation burdens.

Background

The HIPAA Security Rule has not been meaningfully updated since 2013. Since then, electronic health records have become standard, cyberattacks against healthcare organizations have become increasingly common, and the healthcare threat landscape has evolved dramatically.

In January 2025, OCR issued a sweeping proposed rule to modernize the HIPAA Security Rule (“Proposed Rule”). The proposal drew strong opposition from healthcare entities and associations concerned about the significant compliance costs and operational burdens it would impose, particularly on small, rural, and safety-net providers. OCR received over 4,700 comments on the Proposed Rule.

Although many expected the Proposed Rule to stall under the current administration’s deregulatory approach, OCR has recently made clear that healthcare cybersecurity remains a priority and that a final rule is forthcoming. OCR’s 2025 enforcement activity alone underscores the continuing cybersecurity challenges facing the industry.

The Proposed Rule

The Proposed Rule is ambitious. Most notably, it would eliminate the distinction between “required” and “addressable” implementation specifications by converting most addressable specifications into mandatory requirements. This is arguably the most significant structural change in the proposal. Regulated entities would no longer be permitted to justify alternative safeguards in place of specific controls, significantly reducing flexibility, particularly for smaller and underfunded providers.

The Proposed Rule also includes several substantial new requirements, including:

  • Risk Analysis. Regulated entities would be required to conduct more rigorous and thoroughly documented risk analyses and assess the risks associated with each technology asset that creates, receives, maintains, or transmits electronic protected health information (ePHI). While risk analysis is not new, the level of specificity far exceeds current requirements.
  • Multi-factor authentication (MFA). MFA would be required for most access to ePHI, with limited exceptions. Commenters have focused heavily on the feasibility of implementing MFA within the proposed compliance timelines.
  • Encryption. The Proposed Rule would effectively mandate encryption of ePHI both at rest and in transit, eliminating current addressable flexibility. As with MFA, compliance timelines remain a significant concern.
  • Technology Asset Inventory and Network Mapping. Regulated entities would be required to maintain an accurate and thorough written inventory and network map of electronic information systems and technology assets that store, process, or transmit ePHI, or that may otherwise affect the confidentiality, integrity or availability of ePHI.
  • Network Segmentation and Patch Management. The proposal would require formal network segmentation, vulnerability scanning, and patch management programs subject to specific and potentially burdensome timelines.
  • Workforce Security/Termination. The Proposed Rule would require system access to be terminated within one hour after a workforce member’s termination. If the individual had access to another regulated entity’s ePHI, that entity must be notified within 24 hours of the termination.
  • Enhanced Business Associate Oversight. Under the Proposed Rule, covered entities would need to verify (not just obtain assurances) that business associates have deployed required technical safeguards, through written analysis and certification by a qualified person, at least annually.

While many of these proposals reflect recognized cybersecurity best practices, several would be difficult for any regulated entity to implement and would be particularly challenging for small, rural, and safety-net providers.

One Size Does Not Fit All

The proposed rule drew significant criticism across the healthcare industry, particularly from organizations representing small, rural, and safety-net providers. Commenters argued that the proposed requirements would impose substantial, and in some cases unworkable, burdens on providers lacking the staffing, infrastructure, and resources necessary for compliance.

These concerns are legitimate. The challenge for OCR is balancing stronger cybersecurity standards against the risk of adopting requirements that push small, rural and safety-net providers toward non-compliance or, worse, out of business.

What to Expect in the Final Rule

There is strong bipartisan support for improving healthcare cybersecurity. Major cybersecurity incidents involving organizations such as Change Healthcare and Ascension Health have increased pressure on regulators to adopt stronger security standards.

That said, the final rule is not likely to mirror the Proposed Rule exactly. Given the more than 4,700 public comments submitted and the broader regulatory environment, I believe that several provisions are likely to be modified before the rule is finalized:

  • MFA and Encryption Timelines. MFA and encryption requirements are broadly supported, but commenters raised significant concerns about implementation timelines and legacy systems. I expect these requirements to remain, but with extended compliance periods and possibly limited exceptions.
  • Patch Management. I anticipate that HHS will adopt the basic standard in the Proposed Rule but will offer less rigid compliance timeframes.
  • Flexibilities for Small, Rural and Safety-Net Providers. This is perhaps the area most likely to see meaningful adjustment. Whether through tiered requirements, exemptions, or extended compliance timelines, I expect that the final rule will offer more flexibility for small, rural and safety-net providers.
  • Business Associate Verification. The proposed verification requirements are operationally complex, particularly for cloud service provider relationships. While enhanced oversight requirements will likely remain, I expect additional flexibility to address practical implementation challenges.

Practical Steps To Take Now

Regulated entities should focus now on strengthening existing security programs and ensuring compliance with the current HIPAA Security Rule. Key steps include:

  • Risk Analysis. Review and update any risk analysis performed more than 12 months ago or conduct a new one if no documented analysis exists or one has not been completed within the last three years. Ensure the analysis addresses the elements OCR has long expected.
    • A well-documented risk analysis is the foundation of any HIPAA Security program.
    • OCR offers a free tool to assist organizations in conducting a compliant risk analysis.
    • DMC Law hosted a webinar in February 2025 demonstrating how to use the tool. Contact us if you would like a link to the video.
  • Prioritize MFA and Encryption. These are highly effective controls and are highly likely to appear in the final rule.
  • Create a Technology Asset Inventory. Create a detailed inventory of all hardware, software, and systems that create, receive, maintain, or transmit ePHI. A complete inventory is necessary to conduct a proper risk analysis, even under the current rule. Examples of assets:
    • Computers, laptops, smartphones, printers, copiers
    • Email and texting platforms
    • Billing systems
    • Telehealth platforms
    • Practice management information systems
    • Document storage systems (Microsoft 365, Google Workspace, Box, etc.)
  • Review Business Associate Relationships. Conduct a business associate audit to identify all current business associates and to locate current business associate agreements in preparation for making changes under the final rule.
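The inventory only pays off for the risk analysis if it records, per asset, the controls the Proposed Rule would make mandatory. The following is an added example to show that idea in working form; it is not code from the original post, from DMC Law, or from OCR's risk analysis tool. The asset records are constructed sample data, and the field names, the 30-day patch window, and the zone names are assumptions chosen for illustration, not figures taken from the Proposed Rule.

```python
"""Control-gap check over a technology asset inventory (added example).

Each asset record captures whether it handles ePHI and which of the
controls discussed in the post (MFA, encryption at rest and in transit,
patching, network segmentation) are in place. The report lists, per
asset, the gaps a risk analysis would need to address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 30  # assumed illustrative window, not a regulatory figure


@dataclass
class Asset:
    name: str
    kind: str                         # e.g. "laptop", "server", "saas", "printer"
    handles_ephi: bool                # creates, receives, maintains or transmits ePHI
    stores_ephi: bool = False         # ePHI at rest on this asset
    transmits_ephi: bool = False      # ePHI passes through this asset in transit
    mfa: bool = False                 # MFA enforced for user access to the asset
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    days_since_patch: Optional[int] = None  # None = patch status not documented
    network_zone: str = "default"     # network segment the asset sits in


def control_gaps(asset: Asset, patch_window_days: int = PATCH_WINDOW_DAYS) -> List[str]:
    """Return the per-asset control gaps, in a stable order, for ePHI assets."""
    gaps: List[str] = []
    if not asset.handles_ephi:
        return gaps
    if not asset.mfa:
        gaps.append("no MFA on ePHI access")
    if asset.stores_ephi and not asset.encrypted_at_rest:
        gaps.append("ePHI stored without encryption at rest")
    if asset.transmits_ephi and not asset.encrypted_in_transit:
        gaps.append("ePHI transmitted without encryption in transit")
    if asset.days_since_patch is None:
        # For a vendor-managed asset this means the vendor's patch cadence
        # has not been documented, which the risk analysis should capture.
        gaps.append("patch status unknown")
    elif asset.days_since_patch > patch_window_days:
        gaps.append(f"unpatched for {asset.days_since_patch} days")
    return gaps


def inventory_report(inventory: List[Asset],
                     patch_window_days: int = PATCH_WINDOW_DAYS) -> Dict[str, List[str]]:
    """Map asset name -> gaps, including segmentation gaps that need the whole inventory.

    A non-ePHI asset sharing a network zone with ePHI systems can still affect
    the confidentiality, integrity or availability of ePHI, so it is flagged.
    """
    ephi_zones = {a.network_zone for a in inventory if a.handles_ephi}
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        gaps = control_gaps(asset, patch_window_days)
        if not asset.handles_ephi and asset.network_zone in ephi_zones:
            gaps.append(f"shares zone '{asset.network_zone}' with ePHI systems (not segmented)")
        if gaps:
            report[asset.name] = gaps
    return report


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("front-desk-laptop-01", "laptop", handles_ephi=True, stores_ephi=True,
          transmits_ephi=True, mfa=True, encrypted_at_rest=True,
          encrypted_in_transit=True, days_since_patch=12, network_zone="clinical"),
    Asset("billing-server", "server", handles_ephi=True, stores_ephi=True,
          transmits_ephi=True, mfa=False, encrypted_at_rest=False,
          encrypted_in_transit=True, days_since_patch=45, network_zone="clinical"),
    Asset("telehealth-saas", "saas", handles_ephi=True, transmits_ephi=True,
          mfa=True, encrypted_in_transit=True, network_zone="cloud"),
    Asset("lobby-printer", "printer", handles_ephi=False, network_zone="clinical"),
    Asset("guest-wifi-ap", "network", handles_ephi=False, network_zone="guest"),
]


if __name__ == "__main__":
    for name, gaps in inventory_report(SAMPLE_INVENTORY).items():
        print(name)
        for gap in gaps:
            print(f"  - {gap}")
```

Running the block prints a gap list for the billing server (no MFA, unencrypted storage, overdue patching), the telehealth platform (vendor patch status not documented) and the lobby printer (sitting unsegmented in the clinical zone), while the fully controlled laptop and the isolated guest access point produce nothing. Keeping the inventory in this per-asset, per-control form is what lets the same records feed the risk analysis, the MFA and encryption rollout, and any future segmentation work.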

Conclusion

The final HIPAA Security Rule will likely look different from the Proposed Rule, but heightened cybersecurity expectations are clearly coming. Organizations that take steps now to strengthen core security practices will be better positioned for both current OCR enforcement and future compliance obligations.