The First Major Security Rule Rewrite in Two Decades
When HHS finalized the original HIPAA Security Rule in 2003, the average healthcare organization's technology footprint consisted of on-premises servers, desktop workstations, and a single firewall. Cloud infrastructure, remote workforces, mobile devices, and third-party API integrations were not yet the center of gravity for healthcare operations. The rule held up longer than most expected — but the breach data from 2020 through 2025 made a compelling case that the framework needed to catch up with the threat landscape.
In January 2025, HHS published a Notice of Proposed Rulemaking (NPRM) that proposed the most substantive changes to the HIPAA Security Rule since its original issuance. The comment period closed, and as of 2026, covered entities and business associates should be treating the proposed requirements as the direction of travel — because the final rule, when issued, will give organizations limited time to come into compliance, and the gap between the proposed standard and current practice is significant for many organizations.
The Core Shift: From "Addressable" to Required
The most consequential structural change in the proposed rule is the treatment of "addressable" implementation specifications. Under the 2003 framework, addressable specifications allowed covered entities to assess whether a given safeguard was reasonable and appropriate and, if not, to implement an equivalent alternative or document why neither was necessary. In practice, "addressable" frequently became a synonym for "optional" — particularly for smaller organizations that lacked the resources or expertise to make a well-documented case either way.
The NPRM proposes to eliminate this flexibility for a significant set of technical safeguards, making them required with no addressability exception:
- Encryption of ePHI at rest and in transit. Under the proposed rule, encryption is required — not addressable. For organizations still relying on unencrypted email for anything touching PHI, or storing ePHI on unencrypted endpoints, this is not a theoretical future obligation.
- Multi-factor authentication. MFA for all workforce members accessing ePHI systems is proposed as a required safeguard. The NPRM specifically covers remote access and network login. Exceptions would require explicit documentation and HHS approval in limited contexts.
- Network segmentation. The proposed rule requires covered entities to segment ePHI systems from the rest of the network. Flat networks — where a compromised workstation can reach every server — would no longer meet the standard.
- Vulnerability scanning. Regular vulnerability scanning of systems that handle ePHI is proposed as required, with defined scanning frequency requirements. The NPRM references alignment with NIST standards for scan cadence.
- Penetration testing. Annual penetration testing is proposed as a required safeguard for covered entities above defined thresholds. This is a new requirement with no precedent in the 2003 rule.
New Documentation and Planning Requirements
Beyond the technical safeguards, the proposed rule strengthens the documentation framework in ways that will require operational changes for most organizations:
Technology asset inventory. Covered entities would be required to maintain a current, accurate inventory of all technology assets that touch ePHI — hardware, software, and network devices. The inventory must be updated within defined timeframes when assets are added, changed, or retired. For organizations managing dozens of endpoints and cloud services, this moves from a "good idea" to an auditable requirement.
Network map. A current network diagram documenting ePHI data flows, network segments, and external connections is proposed as a required artifact. The diagram must be kept current and made available to HHS upon request.
Written security plans. The NPRM would require a more formalized written security plan that goes beyond the existing risk analysis requirement — it must address how identified risks will be managed, resourced, and tracked over time. This is closer to what NIST calls a "System Security Plan" than to a traditional HIPAA risk management policy.
72-hour restoration capability. The proposed rule would require covered entities to demonstrate the ability to restore critical systems within 72 hours of a disruption. Backup programs that have never been tested against this standard will need to be validated.
Business Associate Requirements Tighten
The proposed rule places significantly greater obligations on the relationship between covered entities and their business associates. Two provisions stand out:
BA security attestation. Covered entities would be required to obtain written attestation from business associates confirming their compliance with specific Security Rule requirements. A signed BAA is no longer sufficient — the proposed rule would require operational evidence of the BA's security posture, updated annually.
Notification timelines tighten. The NPRM proposes that business associates notify covered entities of Security Rule violations (not just breaches) within 24 hours of discovery. Current requirements for breach notification are 60 days. This compresses the timeline for incident response coordination substantially.
What the Timeline Looks Like
The NPRM comment period closed in early 2025. As of mid-2026, a final rule has not yet been published, but the regulatory posture has shifted. OCR has signaled in enforcement actions and public guidance that the NPRM reflects its current interpretation of adequate technical safeguards — meaning organizations that lack MFA, encryption, and documented vulnerability management are already on the wrong side of the enforcement trend, regardless of when the final rule is issued.
When the final rule does publish, covered entities should expect a compliance deadline of 180 days to two years depending on organization size. Historically, HHS has used tiered compliance dates — larger covered entities get the shorter window. Small practices and solo providers often receive additional time, but rarely as much as they need when starting from zero.
How to Use This Window
Organizations that treat the NPRM as a roadmap rather than a future threat will be in a substantially stronger position when the final rule lands. The practical steps that move you toward compliance with the proposed requirements are also the steps that reduce breach risk today:
- Audit your MFA coverage. Map every system that accesses ePHI and document which ones require MFA. Gaps in this audit become the implementation backlog.
- Build your asset inventory now. The proposed requirement is for a current, maintained inventory. Building it from scratch under a deadline is the worst time to do it. Every system, every endpoint, every cloud service — start the list today.
- Document your network. A current network diagram is the foundation for network segmentation analysis. If your IT vendor or MSP does not have one on file, that is the first request.
- Test your backup restoration. The 72-hour restoration requirement cannot be asserted — it must be demonstrated. Schedule a restore test against real recovery time objectives and document the result.
- Review your BA relationships. For each business associate, ask: do we have a signed BAA, and do we have any evidence of their security posture? The second question is the new standard. A vendor questionnaire, SOC 2 report, or third-party assessment fulfills it.
The Bigger Picture
The 2025 NPRM is not an isolated regulatory event. It reflects a broader shift in how federal agencies approach healthcare cybersecurity — from a compliance-documentation model to an operational-security model. The proposed requirements align closely with frameworks like NIST CSF, CISA guidance, and the cyber insurance underwriting criteria that are already reshaping what coverage is available and at what price.
Organizations that align their security programs with the proposed rule are not just preparing for a regulatory deadline. They are building the program that cyber insurers are increasingly requiring, that covered-entity contracts are increasingly demanding, and that OCR investigators are increasingly expecting to find when they open an investigation.
See Where You Stand
HIPAA Security Suite maps your current program against Security Rule requirements — including the proposed updates — and shows you the gaps in plain language. The platform covers MFA status, credential exposure, network security monitoring, vendor management, and documentation requirements in a single dashboard built for covered entities.
Schedule a walkthrough to see how your current posture compares to the proposed requirements, or take our 3-minute readiness quiz to identify the highest-priority gaps.