Proposed Updates to the HIPAA Security Rule Still Pending


Understanding the Proposed Security Rule Updates Still Pending in 2025 


In January 2025, the U.S. Department of Health and Human Services (HHS) released one of the most sweeping cybersecurity proposals ever introduced for the healthcare sector. Published in the Federal Register on January 6, 2025, the proposed update to the HIPAA Security Rule aims to modernize protections for electronic Protected Health Information (ePHI) and reduce the impact of increasingly frequent cyberattacks on healthcare organizations. 

Although the rule is still in the proposed stage (the public comment period closed on March 7, 2025), experts had anticipated that the final rule would be released before the end of 2025, with phased compliance dates shortly thereafter. Notably, the HHS Office for Civil Rights (OCR) has included a review of the proposed changes in its official regulatory update for May 2026. The timeline could still shift based on several factors, including the administration’s regulatory priorities, the complexity and volume of submitted comments, and any subsequent revisions to the rule.

In a letter dated December 8, 2025, a coalition of 57 hospitals and health systems urged HHS Secretary Robert F. Kennedy Jr. to withdraw the proposed HIPAA security update, arguing it would impose unsustainable financial and operational demands.

In the meantime, here is an overview of the proposed update—and what covered entities and business associates should be preparing for now. 

A Major Shift: Making All Implementation Specifications Mandatory 

One of the most significant changes in the proposal is the elimination of the distinction between “required” and “addressable” implementation specifications. According to the Federal Register Notice of Proposed Rulemaking (NPRM), nearly all implementation specifications would become mandatory, narrowing flexibility and creating a much more uniform baseline for healthcare cybersecurity. 

PrivaPlan notes that this shift would limit regulated entities’ “flexibility of approach”, forcing organizations to fully implement safeguards that previously allowed customized, risk-based alternatives. 

Strengthening Administrative Safeguards 

Enhanced Risk Analysis Requirements

The proposal significantly expands the risk analysis standard by requiring: 

  • A technology asset inventory identifying every information system, device, and application that creates, receives, maintains, or transmits ePHI. 
  • A network map showing how ePHI flows through systems. 
  • Annual review of both the inventory and the network map. 
  • A more granular assessment of reasonably anticipated threats, vulnerabilities, likelihood of exploitation, and risk levels. 


These enhancements are designed to give organizations a far clearer view of where ePHI lives—and how it may be exposed. 

Annual Security Risk Analysis

A new requirement would mandate annual audits of compliance with every Security Rule standard and implementation specification. Covered Entities would also have to verify Business Associate audits, creating a higher level of accountability across the data ecosystem. 

Workforce Training and Sanctions

To strengthen organizational security culture, HHS proposes required workforce training and sanctions for non-compliance. 

Technical Safeguards: Modern Cybersecurity Controls Become Required 

Encryption for ePHI at Rest and in Transit

All ePHI—without exception—must be encrypted both in transit and at rest using secure encryption algorithms. This includes any transmission over mobile devices, which must fully comply with technical safeguard requirements before use. 

Mandatory Multi-Factor Authentication (MFA)

MFA would become required for all systems containing ePHI, with only limited exceptions. 

Network Segmentation 

To prevent attackers from moving laterally across a network during an incident, organizations would be required to implement network segmentation for systems containing ePHI. 

Vulnerability Management Requirements

Organizations must conduct: 

  • Vulnerability scans twice per year 
  • Annual penetration tests and other security tests, with documentation 
  • Continuous remediation and verification of vulnerabilities found 


Anti-Malware Protections 

Deployment of anti-malware is explicitly required, reflecting modern threat realities. 

Incident Response & Contingency Planning: A 72-Hour Recovery Goal 

Written Contingency Plans and Incident Response Procedures 

Organizations must maintain a detailed, written contingency plan with specific procedures for detecting, responding to, and recovering from cybersecurity incidents. 

72-Hour Recovery Requirement 

Perhaps the most ambitious requirement: Covered Entities and Business Associates must be able to restore critical electronic systems and ePHI within 72 hours of a cyber incident. This aligns with the growing need for healthcare resilience amid ransomware and infrastructure outages. 

Business Associate Notification Obligations 

Business Associates must notify Covered Entities when they activate their contingency plan, ensuring timely coordination during incidents. 

What Healthcare Organizations Should Be Doing Now 

Even though the rule is still only proposed, organizations should begin preparing immediately if they haven’t already. Key readiness steps include:

  • Building a comprehensive technology asset inventory 
  • Mapping ePHI movement across systems 
  • Evaluating encryption readiness for all systems 
  • Implementing or expanding MFA 
  • Assessing network segmentation needs 
  • Reviewing incident response and backup capabilities to meet the 72-hour recovery goal 
  • Conducting vulnerability scans and penetration tests 
  • Reviewing Business Associate workflows, documentation, and audit capability 


“There is corporate value for healthcare organizations, especially those that are HIPAA-regulated, to incorporate cybersecurity best practices into their processes now,” said David Ginsberg, President of PrivaPlan Associates. “Let’s listen to the recommendations. This is a wake-up call. If it’s not enforced today, it will be soon.”

Earlier this year, Ginsberg and Jay Lamb, CEO and founder of CorePLUS Technologies, provided valuable insights into the proposed changes to the HIPAA Security Rule and the implications for healthcare organizations. With technology evolving rapidly and cybersecurity threats becoming more sophisticated, these updates aim to enhance compliance, data protection, and overall security in the healthcare sector. Watch the webinar.

The proposed HIPAA Security Rule update represents a major modernization effort, shifting healthcare cybersecurity toward stronger, more prescriptive standards. While still pending, the direction is clear: HHS is raising the baseline for protecting ePHI. Learn more in this article: Strengthening ePHI Security: Insights on the Latest HIPAA Rulemaking.

Covered Entities and Business Associates who have been actively preparing—by strengthening asset inventories, encryption, MFA, network segmentation, testing, and contingency planning—will be far better positioned when the final rule arrives. 
