
After Spending Hours Studying the Proposed Changes
Over the past few weeks, I spent several hours digging through the proposed HIPAA Security Rule updates released by the Department of Health and Human Services (HHS).
If you work in healthcare IT, run a healthcare practice, or support healthcare organizations like we do at SingleWave Technologies, this update matters a lot.
This is the largest proposed overhaul of HIPAA security requirements in more than a decade, and it signals a clear shift in how regulators expect healthcare organizations to protect patient data.
TL;DR: After studying the proposed HIPAA updates, the big takeaway is that healthcare cybersecurity is moving from flexible guidelines to mandatory security controls like MFA, encryption, continuous monitoring, and stronger vendor accountability.
After reviewing the proposal and breaking it down for our team, here are the most important things you need to know.
Healthcare has become one of the most targeted industries for cyberattacks.
Ransomware groups specifically target hospitals and clinics because the stakes are so high. If a hospital loses access to systems, patient care can literally stop.
At the same time, healthcare IT environments have become more complex. Most organizations now rely on cloud platforms, remote staff, third-party vendors, SaaS applications, and mobile devices.
HIPAA was written in a very different era of technology. These updates are essentially regulators saying the old minimum standards are no longer enough.
Here are the areas that stood out most as I reviewed the proposal.
One of the most straightforward changes is the move toward required multi-factor authentication.
In the past, MFA was considered a best practice but not strictly enforced under HIPAA. That is changing.
Under the proposal, MFA would be required for systems accessing electronic protected health information.
This includes systems like electronic health records, remote access systems, VPN connections, administrative accounts, and cloud applications that store patient data.
From a security standpoint, this change makes a lot of sense.
Most healthcare breaches still start the same way. A staff member’s password is compromised through phishing. Once attackers have that password, they can access systems.
MFA dramatically reduces that risk.
Another major shift involves encryption.
Historically, HIPAA treated encryption as an “addressable” safeguard, meaning organizations could decide whether to implement it as long as they documented their reasoning.
The proposed update moves encryption toward becoming mandatory.
Organizations will likely need encryption for data at rest, data in transit, cloud systems, and mobile devices or laptops that may contain patient data.
This aligns healthcare security with what most modern cybersecurity frameworks already require.
One of the more significant structural changes is the removal of the distinction between required and addressable safeguards.
Historically, HIPAA allowed organizations to justify why they did not implement certain controls. That flexibility is being reduced.
Many of those previously addressable safeguards will now become mandatory technical requirements.
This includes things like encryption controls, system monitoring, access tracking, security logging, and data integrity protections.
In simple terms, organizations will have less room to explain why they skipped certain security measures.
Another major theme throughout the proposal is visibility and monitoring.
Healthcare organizations will need stronger oversight of how systems and patient data are accessed.
This includes real-time audit logging, continuous monitoring of systems, tracking who accesses electronic protected health information, and automated alerts when suspicious behavior is detected.
Many organizations today do not have full visibility into these areas. Under the proposed rule, that will likely need to change.
One thing the proposal emphasizes repeatedly is knowing what systems actually exist in your environment.
Organizations will need to maintain a complete inventory of systems that handle electronic protected health information.
This includes servers, workstations, laptops, mobile devices, cloud applications, SaaS platforms, and backup systems.
Risk assessments will also need to become ongoing activities rather than something performed occasionally for compliance purposes.
This moves HIPAA closer to modern cybersecurity frameworks that focus on continuous risk management.
Another change involves more structured security testing requirements.
The proposal suggests that organizations will need to perform vulnerability scans every six months and conduct penetration testing at least once per year.
Annual compliance reviews are also expected.
The goal is to ensure organizations are actively identifying and fixing weaknesses before attackers can exploit them.
Healthcare organizations will also need documented plans for responding to cybersecurity incidents.
These plans must outline how incidents are detected, who is responsible for responding, and how breaches are reported.
Organizations will need clear procedures for identifying potential security events, escalating incidents internally, containing threats, and notifying the appropriate parties if a breach occurs.
This ensures faster response times and more coordinated action when security incidents happen.
Another area receiving more attention in the proposed update is vendor accountability.
Business associates who handle patient data will be expected to demonstrate stronger security practices.
This means vendors may need to verify their security controls annually, provide documentation of their safeguards, and demonstrate compliance with the technical protections required under HIPAA.
This affects many organizations that support healthcare providers, including managed service providers, cloud vendors, IT consultants, and software platforms that process healthcare data.
Healthcare organizations will also need stronger vendor risk management processes.
These changes represent the largest update to the HIPAA Security Rule since the 2013 Omnibus Rule.
The healthcare cybersecurity landscape has changed dramatically over the past decade, and regulators are responding to that reality.
The direction is clear. Healthcare organizations will be expected to adopt stronger identity security, continuous monitoring, proactive risk management, and greater oversight of vendors.
The rulemaking process is still underway.
The proposed rule was released in December 2024. The year 2025 will be used for public comment and regulatory review.
The final rule is expected sometime between late 2025 and 2026. Once published, organizations will likely have a compliance window of twelve to twenty-four months to implement the new requirements.
Even though the rule has not been finalized, organizations should start preparing now.
The direction of the regulation is clear, and most of the controls being discussed are already considered standard cybersecurity practices.
Organizations should begin implementing multi-factor authentication across systems, ensuring sensitive data is encrypted both at rest and in transit, improving system logging and monitoring capabilities, and maintaining a clear inventory of all systems handling patient data.
They should also conduct regular vulnerability scans, review incident response procedures, and evaluate the security posture of vendors that access healthcare data.
From my perspective after spending time studying this proposal, the message from regulators is simple. Healthcare cybersecurity is moving from minimum compliance to real security expectations.
Organizations that begin preparing now will be in a much better position when the final rule is published.