
Data Security Update: What are the Proposed Updates to the HIPAA Security Rule?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction

This article discusses the details of the December 27, 2024 proposal to revise the HIPAA Security Rule, issued by the Department of Health and Human Services (HHS).

What are the Proposed Modifications to the HIPAA Security Rule?

The Security Rule currently consists of administrative, physical, and technical safeguards, which covered entities and business associates must adopt. On December 27, 2024, HHS issued a Notice of Proposed Rulemaking (NPRM), titled "HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information," that would revise the HIPAA Security Rule.

Details of the NPRM are provided below.

HHS’ Proposed Modifications to the HIPAA Security Rule: An Overview

The proposed modifications to the HIPAA Security Rule call for standards and actions that are required (as opposed to what the current rule has – a mix of required and addressable standards). The proposed new rule calls for regular compliance measures (e.g., many proposed requirements must be met on an annual basis, which is currently not the case). The proposed new rule also calls for evidence of policies, procedures, plans, and analyses, and in general evidence that requirements have been met, in writing.

HHS’ Proposed Modifications to the HIPAA Security Rule: Required v. Addressable - Gone?

Currently, the Security Rule contains a series of standards, such as the facility access controls standard and the device and media controls standard. Many standards contain “implementation specifications,” which are measures for how to implement the standard. When a standard contains implementation specifications, the language “implementation specifications” appears in the text of the standard.

Implementation specifications are required or addressable.

If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.

What is the General Rule for Required Standards?

When a specific standard includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.

What is the General Rule for Addressable Standards?

When a specific standard includes addressable implementation specifications, a covered entity or business associate must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information (ePHI).

Then, after the assessment, the covered entity or business associate must implement the implementation specification if it is reasonable and appropriate to do so. If the covered entity or business associate has determined that implementing the implementation specification is not reasonable and appropriate, the covered entity or business associate must document why it would not be reasonable and appropriate to implement the implementation specification. Then, the covered entity or business associate must implement an equivalent alternative measure if it is reasonable and appropriate to do so.

What Changes Do the Proposed Modifications to the HIPAA Security Rule Make?

The proposed modifications eliminate the “required vs. addressable” distinction. All standards in the proposed new rule are required.

What Is Required Under the Proposed Modifications to the HIPAA Security Rule?

Under the proposed update to the Security Rule, covered entities and business associates must (among other requirements):

1. Develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout their electronic information system(s) on an ongoing basis.

2. Conduct a risk analysis with a written assessment that includes (among other things) a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to relevant electronic information systems; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

3. Notify certain HIPAA-regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.

4. Meet enhanced contingency planning requirements, including: establishing written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours; and implementing written procedures for testing and revising security incident response plans.

5. Conduct what HHS calls a “compliance audit” at least once every 12 months to ensure their compliance with the Security Rule requirements.

6. Encrypt ePHI at rest and in transit, with limited exceptions.

7. Deploy multi-factor authentication (MFA).

8. Perform a vulnerability scan at least every 6 months and a penetration test at least once every 12 months.

9. Perform network segmentation.

10. Review and test the effectiveness of certain security measures at least once every 12 months.

How Often Must the Proposed New Security Rule's Requirements be Met?

As stated above, a number of the requirements must be met on a regular basis. For example, the “compliance audit” requirement must be met at least every 12 months. The vulnerability scanning requirement must be met at least every six months.

What are the Documentation Requirements Under the Proposed New Security Rule?

The proposed new rule places a strong emphasis on “showing your work”: the new rule requires written documentation of all Security Rule policies, procedures, plans, and analyses.

HHS’ Proposed Modifications to the HIPAA Security Rule: What Happens Next?

A copy of the proposed modifications to the HIPAA Security Rule can be found here (the text of the proposed new rule can be found at pp. 354-393). A press release announcing the proposed modifications to the HIPAA Security Rule can be found here.

The proposed new rule is just that - a proposal - and will not become law unless and until it becomes a Final Rule. There is no specific deadline by which the proposed rule must become final. If the rule does become final (this is not guaranteed), the Final Rule may be different, perhaps significantly, from the proposed one. 

UPDATE:

On April 6, 2026, at a HIPAA Summit, OCR Director Paula Stannard spoke about the proposed rule. 

Director Stannard acknowledged interest groups' claims that the proposed rule would be burdensome to implement. She also noted that OCR has not finished its review of the 4,700+ comments it received on the proposal.

"I can't say much about what we will end up doing on it, and after we review the comments, the Trump administration may have a different view [than the Biden administration, which issued the proposed rule] on the burdens and benefits of the proposed change, because the proposal-making is quite lengthy," Stannard said.

Stannard also noted, "I've heard complaints about the costs and burdens that would be imposed by the security proposed modifications, but I want to encourage you not to overlook the very high cost of doing nothing." "A successful cyberattack can cost far more in terms of reputation - the need to pay ransom, remediation of your systems, [credit monitoring] protection for those whose protected health information was accessed, potential civil liability - and investors knocking at your door asking for documents and initiating an investigation," she said.

Stannard noted that the current rule's "addressable" standards are not optional. "In practice, regulated entities, especially small and medium-sized entities, have treated addressable implementation specifications as optional, and this means that they have not done it," she said. "This has resulted in much more lax security. PHI encryption is a good example under the current security rule."

"It was understandable when we first adopted the Security Rule in 2003, encryption technology was not available. It was very expensive, and for many entities, it may not have been reasonable and appropriate," she said. That's no longer always the case, she said. "It's quite likely that ... encryption would now be a reasonable and appropriate measure to adopt in most instances, and that should already be implemented."

A final action on the proposed rulemaking is still listed for May 2026 on HHS OCR's regulatory agenda, although the final action is subject to being pushed back to a later date; it is possible, if not probable, that final action will not be taken in May 2026. Even if a revised Security Rule were issued in, say, 2026, HHS would almost certainly give covered entities and business associates several months (if not longer) to bring themselves into compliance.

Compliancy Group will provide updates as they are announced. If and when the Security Rule is revised, we will revise the content in The Guard accordingly.