May 4, 2026

HIPAA Security Rule update could come this month: What practices should be doing now

A long-awaited HIPAA Security Rule update could arrive this month, and medical practices should start preparing now.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is approaching a regulatory agenda target to finalize the first major overhaul of the HIPAA Security Rule’s cybersecurity framework since the rule’s original 2003 publication, and the practices that are best positioned for the change are not the ones waiting for the final text. They are the ones that have already started.

OCR issued the Notice of Proposed Rulemaking (NPRM) on Dec. 27, 2024, and the proposal was published in the Federal Register on Jan. 6, 2025. The agency's regulatory agenda has listed May 2026 as the target for final action, and OCR Director Paula M. Stannard told a Healthcare Information and Management Systems Society audience earlier this year that the agency had received more than 4,700 public comments and was working through them.

Whether the May timeline holds is genuinely uncertain. The Trump administration has not committed to advancing the rule in its current form, and several physician and hospital groups have asked for the proposal to be rescinded outright on cost-burden grounds.

What changes could be coming to the HIPAA Security Rule?

The proposed rule's central change is structural rather than additive. The current Security Rule distinguishes between "required" and "addressable" implementation specifications, and addressable safeguards give regulated entities significant latitude to decide what is reasonable and appropriate for their environment. Addressable, however, has never meant optional: an entity that chooses not to implement an addressable specification must document why and implement an equivalent alternative where reasonable.

The proposed update would eliminate that distinction and make all implementation specifications required, with limited exceptions. For practices that have relied on the addressable framework to defer specific controls, that change alone is significant.

What cybersecurity requirements are drawing the most attention?

The new technical requirements that have drawn the most attention are mandatory multifactor authentication for systems that access electronic protected health information (ePHI), encryption of ePHI both at rest and in transit, technical controls to segment electronic information systems, annual security risk analyses with specific structural requirements and a 24-hour notification window for business associates to alert covered entities of contingency plan activation.

The HHS NPRM fact sheet has the full list, and several legal and compliance firms have published plain-language breakdowns aimed at smaller practices.

Why are physician groups pushing back on the HIPAA proposal?

The cost-burden objections from industry groups are not unreasonable on their face. Smaller and rural practices in particular have argued that the proposed rule's prescriptive technical controls would require investments they cannot easily absorb without offsetting payment relief. CHIME and other organizations have asked the administration to either rescind the proposal or substantially scale it back.

Whether OCR ultimately publishes the rule in close to its proposed form, narrows it or delays publication entirely, the underlying compliance trajectory is the same. OCR’s recent enforcement and guidance already put heavy emphasis on risk analysis and risk management.

Why does the proposed rule matter for medical practices?

For practices, the practical question is what to do now without knowing the final form of the rule. The strongest argument for moving early is that almost everything in the proposed rule reflects either current OCR enforcement priorities or established cybersecurity best practices.

A documented annual security risk analysis, multifactor authentication on systems that touch ePHI, encryption at rest, regular vulnerability scanning and an incident response plan that has actually been tested are not optional in the current threat environment, regardless of the rule's status.

What should practices do before the final HIPAA rule is released?

Practices that have not done a structured security risk analysis in the past 12 months should not wait for a rule to require one. The HHS Security Risk Assessment Tool, developed jointly by the Office of the National Coordinator for Health Information Technology and OCR, is free and structured to align with current Security Rule requirements. It will not produce a rule-ready compliance package on its own, but it provides a defensible starting point that smaller practices can complete with internal staff.

For practices working with third-party IT vendors or managed service providers, reviewing the business associate agreement and confirming what the vendor is actually responsible for, in writing, is the most useful step that can be taken before any final rule lands.