The HIPAA Security Rule Is Being Rewritten. Here’s What Changes If It Passes As Proposed.
The most significant overhaul to HIPAA’s Security Rule in over a decade would eliminate the flexibility most organizations currently rely on.
For more than a decade, the HIPAA Security Rule has operated on a principle of proportional flexibility. Certain safeguards are “required,” and therefore non-negotiable. Others are “addressable,” meaning an organization must assess whether the safeguard is reasonable and appropriate for its size and risk profile, and then either implement it, adopt an equivalent alternative, or document why neither applies.
That framework has never meant these protections were optional. But it has allowed a small clinic and a large hospital system to meet the same underlying standard through very different means.
A proposed update under active regulatory review would substantially narrow that flexibility. If finalized as currently proposed, most “addressable” specifications would become firm requirements, with only limited exceptions. The practical effect: far less room to document an alternative approach, and far more obligation to implement specific, named technical controls.
What would become explicitly required
The proposal names specific controls that many organizations currently treat as best practice rather than mandate, including multi-factor authentication for ePHI access, encryption of data at rest and in transit, network segmentation, routine vulnerability scanning, and periodic penetration testing on defined cycles. Organizations would also be required to maintain a documented technology asset inventory and a network map showing how ePHI moves through their systems, both reviewed at least annually.
Business associate relationships would face tighter obligations as well, including more frequent verification that vendors have implemented required safeguards, rather than a one-time agreement signed at the start of the relationship.
Where this stands, and why it matters regardless of outcome
The proposal remains under regulatory review, and meaningful pushback exists, primarily around cost and implementation timelines for smaller and resource-constrained organizations. Whether it is finalized as written, modified, delayed, or withdrawn is genuinely uncertain.
What is not uncertain is the direction of travel. Current enforcement activity already emphasizes the same areas this proposal would formalize: documented risk analysis, access controls, and vendor accountability. Organizations waiting for final rule language before investing in these controls are, in practice, already behind where current enforcement expects them to be.

How to prepare without overcommitting to a moving target
- Build your technology asset inventory now. This is independently useful for security and operational purposes, regardless of how the rule is finalized.
- Apply MFA and encryption as a baseline, not a contingency. These are addressable today and likely required tomorrow; treat them as already required.
- Establish an annual business associate verification process. Don’t wait for a mandate to confirm vendors handling ePHI are meeting the safeguards they agreed to.
Regulatory uncertainty is not the same as low stakes. The safest assumption is that the direction of this proposal (more specificity, less flexibility) reflects where healthcare security is heading with or without a final rule.