Key insights
The proposed HIPAA Security Rule would significantly expand technical cybersecurity requirements and reduce flexibility around how safeguards are implemented.
New requirements emphasize verification and validation, making security testing, vulnerability assessments, and penetration testing increasingly important components of compliance.
Organizations will need stronger documentation, more frequent risk analyses, and greater visibility into vendor and third-party security risks.
Preparing now can help reduce compliance gaps and avoid costly remediation efforts once the final rule is issued.
A sweeping update to the HIPAA Security Rule could be finalized in the coming months, putting health care organizations on a shorter runway to reevaluate how they secure electronic protected health information (ePHI).
In late 2024, the U.S. Department of Health and Human Services issued a notice to modernize the HIPAA Security Rule. While many organizations built their compliance programs around flexible implementation standards, regulators are signaling a move toward more prescriptive cybersecurity requirements designed to address today’s threat landscape.
The proposal comes amid a continued rise in ransomware attacks, third-party breaches, cloud security risks, and increasingly sophisticated cyber threats targeting health care organizations.
If finalized, this wouldn’t be a routine update. It would mark the most significant shift in HIPAA security expectations in more than a decade: A clear signal that regulators expect more consistency, more accountability, and more technical rigor across the board.
For organizations relying on flexibility in how safeguards against potential cyber threats are implemented, this change may require a closer look at what’s in place today and what may need to change quickly.
Key proposed changes to the HIPAA Security Rule
The proposed changes focus on several areas regulators believe require greater consistency across the health care industry.
Mandatory technical safeguards
Many safeguards historically considered “addressable” would effectively become required. The proposal includes stronger expectations around:
- Multifactor authentication (MFA)
- Encryption of ePHI at rest and in transit
- Anti-malware protections
- Network segmentation
- Access management controls
- Asset inventories and system tracking
For many organizations, the question will no longer be whether these controls should be implemented, but whether they are consistently deployed and functioning as intended.
Expanded risk analysis and risk management requirements
The proposal introduces more detailed requirements for conducting and documenting risk analyses. Organizations would need to maintain more comprehensive inventories of systems that create, receive, maintain, or transmit ePHI and perform recurring evaluations of cybersecurity risks.
This shift reflects a broader regulatory expectation that risk management be an ongoing operational process rather than a periodic compliance exercise.
Increased emphasis on security testing and validation
One of the most significant themes throughout the proposal is the need to validate security controls. Organizations may be required to conduct recurring technical assessments such as:
- Vulnerability assessments
- Penetration testing
- Security control testing
- Technical configuration reviews
- Incident response testing
- Disaster recovery and business continuity testing
Rather than relying solely on written policies, organizations will increasingly need evidence that controls are effective and capable of detecting, preventing, and responding to cyber threats.
Strengthened contingency planning and recovery requirements
The proposed rule places greater emphasis on resilience and recovery. Covered entities and business associates would be expected to demonstrate their ability to restore critical systems and recover ePHI following a cybersecurity incident.
Organizations should expect increased scrutiny around backup processes, recovery procedures, and testing of contingency plans.
Greater accountability for business associates and third parties
The proposal also reinforces responsibilities for business associates and third-party service providers that handle ePHI. As health care ecosystems become more interconnected, organizations will need stronger oversight of vendor security practices and better visibility into third-party risks.
What this means for health care organizations
The proposed changes move HIPAA compliance beyond policy development toward measurable cybersecurity performance. Organizations should expect regulators to focus increasingly on questions such as:
- Can you demonstrate critical controls are operating effectively?
- Have vulnerabilities been identified and remediated?
- Have security controls been independently tested?
- Can you recover operations after a cyber incident?
- Do you have documentation that supports compliance activities?
For many health care organizations, answering these questions confidently may require additional technical validation and testing
How to prepare before the HIPAA rule is finalized
To prepare for these changes, health care organizations should:
Review and update security policies — Proactively confirm all security policies and procedures are up to date and compliant with the new standards. Pay close attention to areas that may shift from flexible to required.
Conduct risk assessments — Regularly conduct risk assessments to identify and address potential threats and vulnerabilities, including risks tied to new technologies and evolving cybersecurity expectations.
Implement technical safeguards — Strengthen technical safeguards such as encryption, multifactor authentication, and anti-malware protection.
Train staff — Provide training on updated security practices and help team members understand their roles in protecting ePHI.
Stay informed — Keep up to date with the latest developments in cybersecurity and HIPAA regulations to support ongoing compliance.
Contact us
Is your health care organization ready for security rule changes? Complete the form below to connect with CLA.
Connect

Dan Resnick
Principal