The HIPAA Security Rule has not been meaningfully updated since 2013. In January 2025, the Department of Health and Human Services published a Notice of Proposed Rulemaking that would change that — substantially. The proposed overhaul reflects more than a decade of lessons from ransomware attacks, vendor breaches, and enforcement actions that exposed how widely the existing rule was being interpreted, misapplied, or ignored outright.
This is not a routine clarification. It is a structural rewrite of what healthcare organizations and their business associates are required to do to protect electronic protected health information (ePHI). Organizations that have relied on the old framework — particularly the distinction between "required" and "addressable" specifications — will need to assess their current posture against a materially different standard.
The Change That Affects Everyone: The End of "Addressable"
Under the current Security Rule, implementation specifications are divided into two categories: required (must be implemented) and addressable (must be implemented if reasonable and appropriate, or documented with a rationale for why not). In practice, "addressable" became a compliance escape hatch. Organizations routinely declined to implement encryption, multi-factor authentication, and audit controls — then documented their reasoning and moved on.
The proposed rule eliminates this distinction. Every implementation specification becomes required. There is no longer a documented-rationale alternative for controls that are now widely available, affordable, and considered baseline in every other regulated industry.
Current Rule
- Required vs. addressable specs
- Addressable = implement or document why not
- Encryption is addressable
- MFA is addressable
- Audit controls broadly defined
- Risk analysis format undefined
- Asset inventory not mandated
Proposed Rule
- All specifications required
- No documentation alternative
- Encryption required at rest and in transit
- MFA required
- Specific audit control requirements
- Risk analysis with defined required elements
- Technology asset inventory and network map required
What the Proposed Rule Specifically Requires
Beyond eliminating the addressable category, the proposed rule introduces specific new technical and administrative requirements. Organizations that have not previously been required to implement these controls will need to prioritize them.
New and Strengthened Requirements
- Technology Asset Inventory and Network Map: A documented, maintained inventory of all hardware and software that touches ePHI, along with a network diagram showing data flows — reviewed and updated at least annually
- Risk Analysis with Defined Elements: The risk analysis must now include specific elements identified in the rule — no more generic assessments that satisfy the letter but not the intent
- Multi-Factor Authentication: Required for all access to ePHI systems, with limited exceptions that must themselves be documented and justified
- Encryption: Required for ePHI at rest and in transit, removing the current ability to document a rationale for unencrypted storage or transmission
- Vulnerability Management: Regular vulnerability scans (at least every six months) and annual penetration testing
- Network Segmentation: Isolation of systems containing ePHI from systems that do not require access
- Anti-Malware Controls: Required on all systems handling ePHI, with documented configurations
- Backup and Recovery Verification: Testing of data restoration procedures, not just backup execution
- Audit Log Reviews: Documented review of access and activity logs, not just collection
- Incident Response Planning: Written plans with specific required elements, tested at least annually
- 72-Hour Internal Notification: Workforce members who discover a security incident must report it to the responsible party within 72 hours
- Business Associate Agreement Updates: BAAs must be reviewed and updated to align with the new requirements
Implications for Covered Entities
Covered entities — physician practices, clinics, hospitals, health plans, and healthcare clearinghouses — bear the primary compliance obligation under HIPAA. The proposed changes create a higher baseline across the board, but the practical impact depends heavily on organizational size and current security maturity.
Small and Independent Medical Practices
Small practices face the steepest challenge. Most have never conducted a formal risk analysis that would meet the new specificity requirements. Many lack written security policies at all. Encryption may not be configured across all systems. Access to EHR platforms is frequently managed with single-factor authentication using shared credentials.
The proposed rule does not exempt small providers. It does, however, acknowledge that implementation may look different for a solo practitioner than for a regional health system — but the requirements themselves apply regardless of patient volume or staff size.
Specialty Practices and Medical Spas
Specialty practices — behavioral health, pediatrics, oncology, aesthetic medicine — often handle sensitive data categories that amplify the consequences of a breach. Before/after photographs, mental health records, substance use treatment information, and reproductive health data all carry elevated exposure under state privacy laws in addition to HIPAA. The proposed Security Rule changes do not address data sensitivity directly, but the enforcement environment surrounding sensitive health data has become significantly more aggressive, making compliance with the updated Security Rule table stakes for any practice handling it.
Multi-Location Practices and Health Systems
Larger covered entities typically have more infrastructure in place but face complexity challenges: maintaining consistent controls across multiple locations, managing access for large workforces with varying roles, and ensuring that legacy systems — which may not support MFA or encryption without upgrades — are addressed within compliance timelines. The network segmentation requirement will require architectural review at organizations where clinical and administrative systems share the same network.
Implications for Business Associates
Business associates — organizations that create, receive, maintain, or transmit ePHI on behalf of covered entities — are directly subject to the HIPAA Security Rule. The proposed rule strengthens that obligation in several ways that will matter to vendors, contractors, and service providers across the healthcare ecosystem.
EHR Vendors and Health IT Companies
Software platforms that process ePHI must ensure their own technical controls — MFA support, encryption configuration, audit logging — are documented and aligned with the new requirements. Covered entities will increasingly require evidence of compliance as part of vendor due diligence.
Medical Billing and Revenue Cycle Companies
Billing companies receive claim data, patient demographics, and diagnosis codes — all ePHI. Many operate with minimal security infrastructure. The new requirements for encryption, MFA, and documented risk analysis apply fully.
IT Providers and Managed Services Firms
Any IT firm that manages infrastructure containing ePHI is a business associate. Many operate without BAAs in place at all. The proposed rule’s specificity around technical controls means IT providers will need to demonstrate — not just assert — that their configurations meet the standard.
Transcription, Answering, and Support Services
Third-party services that handle patient communications, clinical documentation, or scheduling data often underestimate their business associate status. The proposed rule’s asset inventory and risk analysis requirements apply from the point of ePHI access, not just storage.
Cybersecurity and Compliance Vendors
Firms providing security assessments, penetration testing, or compliance consulting to healthcare organizations may themselves be business associates depending on the scope of their access. This category must assess its own BA status before advising covered entities on theirs.
One critical implication for covered entities: the proposed rule makes clear that selecting a business associate is itself a risk management decision. Organizations will be expected to verify that business associates meet the updated requirements — not simply obtain a signed BAA and assume compliance.
The Size-Doesn’t-Excuse-You Problem
A persistent misconception in smaller healthcare organizations is that OCR focuses its enforcement on large health systems and that small practices operate beneath the enforcement radar. The data does not support this. OCR has investigated and settled cases against practices with fewer than ten employees. The Wall of Shame — HHS’s public breach notification portal — lists incidents from solo practitioners, single-location specialty practices, and small behavioral health providers.
What a HIPAA Enforcement Action Actually Costs
- OCR resolution agreements for small practices: $25,000 to $250,000+
- Mandatory corrective action plans — often two to three years of monitored compliance
- State attorney general investigations that can run parallel to OCR enforcement
- Patient notification obligations and associated reputational damage
- Cyber insurance claims denials when the breach results from a control that was required but not implemented
The proposed rule does not introduce a small-practice exemption. It does acknowledge that the specific implementation of some controls may vary with organizational size and complexity — but the obligation to implement them is the same.
How We Help Organizations Prepare
SPM Advisors is an advisory-only practice. We do not sell products. We do not have vendor partnerships that influence our recommendations. Our work is helping healthcare organizations and business associates understand exactly where they stand against the current and evolving HIPAA standard — and building programs that would withstand OCR scrutiny.
Our engagement approach is calibrated to organizational size. A four-person behavioral health practice does not need the same program architecture as a thirty-location health system. What it does need is a program that is real, documented, tested, and defensible — not a policy binder that has never been read.
What a HIPAA Security Rule Readiness Engagement Includes
- Gap Analysis Against the Proposed Rule: A structured assessment mapping your current controls against the new requirements — identifying what you have, what you are missing, and what documentation does not exist
- Technology Asset Inventory and Network Map: Building the foundational documentation the proposed rule requires and that most organizations lack
- Risk Analysis Remediation or Build: Either correcting an existing analysis that would not survive OCR scrutiny or conducting a new one that meets the proposed rule’s specificity requirements
- Policy and Procedure Development: Written policies that reflect how your organization actually operates — not generic templates that no one can follow
- Business Associate Program Review: Identifying your BA relationships, auditing existing BAAs, and establishing a vendor risk management process
- Technical Control Roadmap: A prioritized remediation plan for MFA, encryption, audit logging, and vulnerability management — sequenced for your budget and operational constraints
- Incident Response Planning: A written, tested plan that satisfies both the HIPAA requirement and the practical reality of what to do in the first 72 hours of an incident
- Ongoing Advisory Support: Quarterly reviews and compliance monitoring for organizations that want a security leader without the cost of a full-time hire
We work with independent physician practices, behavioral health providers, medical spas, specialty clinics, and the business associates that serve them — billing companies, IT firms, transcription services, and health tech vendors. Organization size does not determine whether we can help. It determines what the program looks like.
The Delay to July 2027 Does Not Change What You Need to Do
In mid-2025, HHS announced it was pushing back the compliance deadline for the final HIPAA Security Rule to July 2027. For organizations that had been bracing for an earlier effective date, this felt like relief. It should not be treated as permission to wait.
The delay is a function of regulatory process — comment periods, administrative review, coordination across agencies. It does not reflect any change in the underlying risk environment, the enforcement posture of OCR, or the real-world probability that your organization will experience a breach before July 2027. Ransomware groups do not observe regulatory timelines.
More importantly: the risk analysis is the foundation on which everything else is built. It tells you what systems hold ePHI, who has access to them, what controls are in place, and where the actual exposure lies. Every other requirement — encryption, MFA, network segmentation, incident response — flows from understanding what you are protecting and where the gaps are.
Organizations that conduct a thorough risk analysis now will make better decisions about where to invest in security improvements, which vendors pose the greatest risk, and what their realistic compliance roadmap looks like. Those that wait until 2027 will be compressing two years of program-building into a few months — with all the cost and disruption that entails.
Why the Risk Analysis Comes First
- You cannot close gaps you have not identified. The risk analysis is not a compliance document. It is a security management tool. Organizations that treat it that way make better decisions.
- It informs everything downstream. Asset inventory, access controls, vendor risk, incident response — all of it is built on what the risk analysis reveals.
- OCR enforcement does not wait for final rules. The existing Security Rule requires a risk analysis now. Documented deficiencies discovered in an OCR investigation are not excused by the fact that a new rule has not yet taken effect.
- Cyber insurers are paying attention. Underwriters increasingly require evidence of a completed risk analysis. Policies issued without one may include exclusions that apply at the worst possible moment.
- The final rule will arrive. The organizations that begin now will meet the 2027 deadline having built a real program — not a compliance sprint.
The delay to July 2027 is a gift of time. Organizations that use it well will have a documented, tested, defensible security program in place before enforcement begins. Those that treat it as an invitation to wait will find themselves in July 2026 trying to compress two years of foundational work into twelve months.
Start With a Risk Analysis — Know Where You Actually Stand
Schedule a confidential consultation. We will assess your current posture against the proposed Security Rule requirements, identify your highest-priority gaps, and give you a clear picture of what a realistic remediation program looks like — whether you engage us or not.
Schedule a HIPAA Readiness Consultation