HIPAA’s Proposed Security Rule Update: What You Need to Know

Status of the Proposal

On December 27, 2024, the HHS Office for Civil Rights (OCR) released the proposed rule for public comment. The comment period closed on March 7, 2025, with over 4,600 comments.  Industry observers expect a final rule in Q4 2025 or early 2026. Once finalized, covered entities and business associates will likely be given a 24-month implementation window. However, many organizations are already conducting gap assessments and evaluating the potential operational and financial implications.

The draft rule reflects feedback from prior OCR audits and incident investigations. It also signals a shift toward regulatory expectations aligned with today’s cybersecurity threats—ransomware, supply chain vulnerabilities, insider risks, and cloud misconfigurations.

Key Changes to the HIPAA Security Rule

1. Formalized Risk Management Requirements
   The new rule mandates a documented, recurring risk management process. Organizations must perform risk analyses annually or when introducing significant changes to their systems. Risk treatment decisions must be documented, with clear rationale tied to controls selection. Simply acknowledging risks without action will not meet expectations.
2. Authentication and Access Controls
   Organizations must implement role-based access and multi-factor authentication (MFA) for all workforce members with access to ePHI. The rule outlines specific requirements for identity verification and session timeout configurations. These provisions close long-standing gaps in enforcement by eliminating ambiguity.
3. Security Incident Preparedness and Reporting
   Entities must maintain and test detailed security incident response plans. Reporting windows have been tightened—incidents suspected of involving ePHI must be escalated internally within 24 hours. This means faster triage and more robust decision-making procedures are now regulatory priorities.
4. Audit Logging and Data Integrity Verification
   Audit logs must track data access, alteration, and deletion events. Organizations must implement integrity controls that can detect unauthorized modifications. This is particularly critical for cloud-based systems, where visibility into infrastructure is often limited.
5. Expanded Business Associate Responsibilities
   Business associates are subject to the same requirements as covered entities, and contracts must reflect this equivalency. Additionally, covered entities will bear increased accountability for verifying that their partners maintain effective safeguards. This may include audit rights, ongoing risk assessments, and breach response coordination procedures.
6. Enhanced Workforce Training Requirements
   The rule elevates training requirements from a checkbox exercise to a critical risk control. Annual HIPAA training is no longer sufficient. Organizations must tailor training based on role and risk exposure and include testing and validation mechanisms to ensure retention and application.

Broader Impacts Across the Healthcare Ecosystem

The proposed updates will ripple across healthcare delivery, healthcare technology, digital therapeutics, AI-enabled platforms, and insurance sectors. Investors and executive leaders must prepare for new capital and compliance risk.

Startups and growth-stage companies should consider the implications on product design, cloud architecture, and go-to-market strategies. Building HIPAA-aligned security from the ground up will be more cost-effective than retrofitting controls later.

Large health systems and payers face the challenge of scaling controls across legacy infrastructure and distributed business units. The rule encourages centralization of oversight, with clear escalation pathways and executive ownership of risk.

Additionally, boards of directors may need to adopt formal cybersecurity oversight mechanisms. This could include board-level committees focused on compliance and security, or designated liaisons between legal, IT, and risk functions.

How to Prepare Now

1. Perform a Readiness Assessment
   Map your current security practices against the proposed changes. Identify gaps in documentation, technical controls, and governance practices. Pay close attention to areas like incident response, MFA coverage, and vendor oversight.
2. Update Business Associate Agreements (BAAs)
   Review and revise existing contracts to clarify shared responsibilities. Incorporate language around incident notification timelines, audit access, and risk assessment expectations.
3. Brief Leadership and Allocate Budget
   Ensure executives understand the scope of the rule and the implications for strategic planning and budgeting. Consider a multi-phase compliance roadmap that prioritizes high-risk gaps.
4. Improve Cybersecurity Hygiene Now
   Many of the changes align with NIST and other best practices already in use across other industries. Implementing stronger identity management, encryption, and monitoring controls today will accelerate compliance later.
5. Engage Expert Guidance
   Compliance with the HIPAA Security Rule requires collaboration across legal, technical, and operational domains. Organizations with lean teams or high complexity will benefit from third-party advisors who understand both regulation and enterprise security.

Partner with GrowthPoint to Build a HIPAA-Ready Program

The proposed HIPAA Security Rule update raises the stakes for data protection in healthcare. Waiting for finalization may expose your organization to operational, reputational, and legal risk. GrowthPoint Tech Advisors offers experienced guidance to help covered entities and business associates prepare now. We specialize in risk governance, security architecture, vendor compliance, and board reporting. Contact GrowthPoint to help strengthen your HIPAA readiness and protect your future.