The HIPAA Security Rule has long served as the cornerstone of healthcare data protection in the United States, setting the standards for safeguarding electronic protected health information (ePHI). Since its inception in 2003, the rule has required covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. However, the threat landscape has evolved dramatically, and in March 2025, the U.S. Department of Health and Human Services (HHS) proposed significant updates to modernize the rule and strengthen healthcare cybersecurity.

A Brief Refresher on the HIPAA Security Rule

The current Security Rule, administered by the HHS Office for Civil Rights, applies to covered entities such as hospitals, clinics, and health plans, as well as their business associates. It establishes three primary safeguard categories:

  • Administrative safeguards: Policies, procedures, and workforce training to manage the selection and use of security measures.
  • Physical safeguards: Facility access controls, workstation security, and device management.
  • Technical safeguards: Access controls, audit controls, integrity protections, and transmission security for ePHI.

While the rule offers flexibility by allowing organizations to tailor controls based on size, complexity, and capabilities, critics have argued that this flexibility can lead to inconsistent enforcement and outdated practices.

Proposed 2025 Updates to the Security Rule

On March 14, 2025, HHS issued a Notice of Proposed Rulemaking (NPRM) outlining major enhancements designed to address modern threats and close persistent security gaps. Key proposed requirements include:

  • Comprehensive Asset Inventory: Maintain an up-to-date inventory of all information systems, devices, and software that create, receive, maintain, or transmit ePHI.
  • Multi-Factor Authentication (MFA): Require MFA for all remote and privileged user access to systems containing ePHI.
  • Encryption Standards: Mandate encryption of ePHI at rest and in transit, with clearly defined acceptable encryption protocols.
  • Incident Response and Reporting: Implement a formal, documented incident response plan that includes containment, eradication, recovery, and post-incident review procedures.
  • Network Segmentation: Isolate systems that store or process ePHI from non-essential networks to reduce attack surfaces and lateral movement risks.
  • Risk Analysis Modernization: Update risk analysis methodologies to reflect emerging threats, including ransomware and AI-driven attacks.

Compliance Timelines and Enforcement Considerations

If adopted, most provisions will include a 24-month compliance period, giving healthcare organizations until 2027 to meet the new standards. However, HHS has signaled that certain “high-impact” requirements, such as MFA and encryption, could be prioritized for earlier compliance due to their critical role in preventing breaches.

Enforcement will remain with the HHS Office for Civil Rights, which has increased its investigative activity in response to record-breaking breach reports. In 2024, OCR collected over $50 million in HIPAA-related settlements and penalties, underscoring the financial and reputational stakes for non-compliance.

Strategic Considerations for Healthcare Leaders

  • Board-Level Oversight: Treat the HIPAA Security Rule update as an enterprise risk management priority, not just an IT project.
  • Resource Allocation: Budget now for security technologies and skilled personnel required to meet the new mandates.
  • Vendor Management: Ensure business associates are prepared to comply, as their failures can trigger covered entity liability.
  • Gap Analysis: Conduct a formal assessment to identify where current safeguards fall short of the proposed requirements.
  • Change Management: Integrate security improvements into operational workflows to ensure sustainability and adoption.

The Path Forward

The proposed HIPAA Security Rule updates represent the most significant regulatory shift in healthcare cybersecurity in over two decades. For leaders, the message is clear: waiting until final adoption to act will put your organization at a strategic disadvantage. By beginning preparations now—strengthening authentication, securing infrastructure, and modernizing risk management—healthcare organizations can reduce both compliance risk and the likelihood of costly data breaches.

Receive the latest news in your email
Table of content
Related articles