HIPAA Security Rule Changes: 2025 & 2026 HIPAA Updates

HIPAA Security Rule Updates Driven by Cybersecurity Risks


The proposed modification to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (“the Rule”), released December 27, 2024, contains the most sweeping updates to the Rule since 2013.  

Recent data breaches indicate the need to review the Rule and to dramatically enhance cybersecurity requirements for electronic protected health information (ePHI). 

The single largest change in the proposed Rule is the elimination of the distinction between "required" and "addressable" safeguards, making all implementation specifications mandatory, with limited exceptions. Under the current rule, controls that are addressable allow consideration of risk or cost in implementation, with proper documentation.

It is expected the modified rule will become final in May 2026. With a 240-day window to compliance, organizations should start planning for compliance now.

Who must comply with the HIPAA Security Rule

The HIPAA Security Rule applies to:
  • Covered Entities (CEs): health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically
  • Business Associates (BAs): individuals or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity
  • Subcontractors of BAs: also directly subject to HIPAA

The proposed rule expands expectations for business associates, including new verification, documentation, and contingency‑plan requirements.

Other key provisions of the proposed HIPAA Security Rule changes and controls:

  • Comprehensive written documentation of all security policies, procedures, plans, and analyses is mandated.
  • Covered entities and business associates within the healthcare sector would be required to maintain and annually update a technology asset inventory and network map, conduct detailed security risk analyses tied to those inventories, and enforce access controls.
  • Security incident response and restoration are required within 72 hours.
  • Required technical controls include encryption of ePHI in transit and at rest, multi-factor authentication, vulnerability scans at least every six months, annual penetration testing and network segmentation.
  • Finally, it imposes new verification requirements on business associates, making them directly liable for HIPAA compliance: they must confirm adherence to safeguards and notify the covered entity within 24 hours of activating a contingency plan.

As this is a proposed rule issued through a Notice of Proposed Rulemaking from the prior administration, it is possible some of these provisions may change or be delayed by the Department of Health and Human Services.  

The chart below lists the proposed implementation specifications and how they compare to the current rule.

Proposed HIPAA Security Rule Specification Comparison

| Specification & Description | Current Status | Proposed Status | Change |
|---|---|---|---|
| Risk Analysis & Risk Management (annual, detailed): written, detailed annual risk analysis referencing asset inventory and network map; risk management plan documented. | Required | Required | No change |
| Technology Asset Inventory & Network Map: written inventory of technology assets and a network map of ePHI data flows; updated at least annually and upon changes. | | Required | New requirement for Covered Entity (CE) and Business Associate (BA) |
| Assigned Security Responsibility: designation of a security official with documented duties and authority. | Required | Required | No change |
| Workforce Security (clearance/authorization & termination within 1 hour): written policies for granting/terminating access; access terminated within one hour of separation. | Addressable | Required | Access termination time requirement is new |
| Information Access Management: documented policies and procedures governing role-based access to ePHI. | Addressable | Required | Now required |
| Security Awareness Training: formal, documented training program for all workforce members. | Addressable | Required | New workforce members must receive training within 30 days |
| Incident Response & Reporting (72-hour restoration objective): documented incident response plan; procedures to restore affected systems and ePHI within 72 hours; annual incident reviews. | Required | Required | Restoration required within 72 hours; incident reviews every 12 months |
| Contingency Plan (backup, disaster recovery, emergency operations, criticality analysis): documented contingency planning including criticality analysis to prioritize restoration; BA must notify covered entity within 24 hours of plan activation. | Required | Required | BA must notify CE within 24 hours of activation |
| Evaluation (annual compliance audit): annual documented evaluation/audit of Security Rule compliance. | | Required | New requirement for CE and BA |
| Business Associate Oversight (annual verification & 24-hour contingency activation notice): BA and subcontractors provide annual written verification of deployed technical safeguards; BA must notify CE within 24 hours of activating contingency plan. | | Required | New requirement |
| Facility Access Controls: controls to limit physical access to systems and facilities containing ePHI; documented. | Addressable | Required | Controls must be documented |
| Workstation & Device Security: policies for secure workstation use/configuration; device security documented. | Addressable | Required | Controls must be documented |
| Device & Media Controls: procedures for disposal, reuse, and movement of hardware/media containing ePHI. | Required | Required | Controls must be documented |
| Access Control (unique IDs, emergency access, automatic logoff): documented access control mechanisms including unique IDs, emergency access procedures, and automatic logoff. | Addressable | Required | Controls must be documented |
| Multi-Factor Authentication (MFA): MFA required for all access to systems containing ePHI. | | Required with limited exceptions | New requirement; limited exceptions |
| Audit Controls: systems to record and examine activity in systems that contain or use ePHI; documented. | Required | Required | Controls must be documented |
| Integrity Controls: technical measures to guard against improper alteration or destruction of ePHI; documented. | Addressable | Required | Controls must be documented |
| Person/Entity Authentication: mechanisms to verify identity before granting access to ePHI; strengthened via MFA. | Addressable | Required | MFA required |
| Transmission Security (encryption in transit and at rest): encryption required for ePHI in transit and at rest; limited exceptions must be documented. | Addressable | Required with limited exceptions | Now required |
| Vulnerability Management (scans & pen testing): scan for vulnerabilities at least every six months and conduct penetration tests annually; test effectiveness of certain measures annually. | | Required | New requirement |
| Configuration Management & Secure Deployment: establish and deploy technical controls for consistent configuration of relevant systems; verify ongoing operation of controls. | | Required | New requirement |
| Backup & Recovery Controls: separate technical controls to protect backups and recovery systems for ePHI and relevant systems. | Addressable | Required | Procedures to ensure recovery of relevant systems within 72 hours |
| Group Health Plan Safeguards: formal safeguards and documentation for PHI used by group health plans. | | Required | New requirement |
| Comprehensive Written Documentation & Retention: all policies, procedures, analyses, inventories, maps, audits, incident reviews, contingency plans, and BA verifications must be documented and retained. | Required | Required | Verification of BAs and subcontractors |
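As an added illustration (not part of this article, the proposed rule, or RubinBrown's own tooling), the Python below runs a gap check over a constructed technology asset inventory and ePHI flow map against the technical controls in the table above: encryption at rest and in transit, MFA on systems holding ePHI, vulnerability scans at least every six months and annual penetration testing. The asset names, field names, the 182-day scan interval and the assessment date are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Intervals taken from the proposed rule as summarized on this page;
# "six months" is approximated as 182 days (assumption).
SCAN_INTERVAL = timedelta(days=182)     # vulnerability scan at least every six months
PENTEST_INTERVAL = timedelta(days=365)  # penetration test at least annually
ASSESSMENT_DATE = date(2026, 3, 1)      # constructed "today" for the sample run

@dataclass
class Asset:           # one row of the technology asset inventory (assumed schema)
    name: str
    stores_ephi: bool
    encrypted_at_rest: bool
    mfa_enforced: bool
    last_vuln_scan: date
    last_pentest: date

@dataclass
class Flow:            # one edge of the network map of ePHI data flows (assumed schema)
    src: str
    dst: str
    carries_ephi: bool
    encrypted_in_transit: bool

def assess(assets, flows, today):
    """Return (item, finding) pairs where the inventory or map misses a proposed control."""
    findings = []
    for a in assets:
        if a.stores_ephi and not a.encrypted_at_rest:
            findings.append((a.name, "ePHI at rest is not encrypted"))
        if a.stores_ephi and not a.mfa_enforced:
            findings.append((a.name, "MFA not enforced for access to an ePHI system"))
        # Scan and test cadence is checked for every inventoried asset (assumption).
        if today - a.last_vuln_scan > SCAN_INTERVAL:
            findings.append((a.name, "vulnerability scan older than six months"))
        if today - a.last_pentest > PENTEST_INTERVAL:
            findings.append((a.name, "penetration test older than one year"))
    for f in flows:
        if f.carries_ephi and not f.encrypted_in_transit:
            findings.append((f"{f.src}->{f.dst}", "ePHI in transit is not encrypted"))
    return findings

# Constructed sample inventory and flow map; not real systems.
SAMPLE_ASSETS = [
    Asset("ehr-db", True, True, True, date(2026, 1, 10), date(2025, 9, 1)),
    Asset("billing-app", True, False, False, date(2025, 6, 1), date(2024, 12, 1)),
    Asset("intranet-wiki", False, False, False, date(2026, 2, 1), date(2025, 10, 1)),
]
SAMPLE_FLOWS = [Flow("ehr-db", "billing-app", True, True),
                Flow("billing-app", "clearinghouse", True, False)]

def run_sample():
    return assess(SAMPLE_ASSETS, SAMPLE_FLOWS, ASSESSMENT_DATE)
```

Each finding maps to one row of the comparison table, which makes the output usable as evidence for the written risk analysis the rule ties to the inventory and network map.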

HIPAA compliance window: What healthcare organizations should expect

The proposed HIPAA Security Rule marks a major shift toward stronger, more uniform cybersecurity expectations across the healthcare sector. By making security measures mandatory and introducing stricter technical and documentation requirements, the rule raises the bar for how organizations must protect ePHI. Although details may change before the new HIPAA Security Rule is issued in May 2026, the direction is clear and the 240-day compliance window will come quickly.

Next steps for healthcare organizations

To prepare for the 2025–2026 HIPAA Security Rule updates, organizations should begin planning now by evaluating their current HIPAA Security Rule compliance posture against the proposed requirements.

How RubinBrown Can Help 

RubinBrown helps healthcare organizations make sense of the evolving HIPAA Security Rule and understand what the 2025–2026 updates mean for their operations. Our team works with providers to assess current practices, identify gaps, and strengthen both cybersecurity controls and required documentation. We focus on practical, sustainable improvements, whether that involves refining risk analysis processes, updating policies, or preparing for expanded business associate oversight.

Our goal is to provide organizations with clarity and confidence as they plan for the new requirements and build a stronger, more resilient security posture.

Contact Us:

Talk to Our Experts

Julie Hardy, MSA, CRCE, RHIA, CCS, CCS-P Partner julie.hardy@rubinbrown.com 810.853.6171
Tim Jodway, CPA, COC Manager tim.jodway@rubinbrown.com 810.853.6184
Thomas B. Zetlmeisl, CPA, CFE, CFF, CGMA Nashville Managing Partner thomas.zetlmeisl@rubinbrown.com 314-290-3395

© 2026 RubinBrown LLP