HIPAA Regulations Are Changing: What It Means for Your Business and How to Get Ahead

In January 2025, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule. These changes aim to enhance the cybersecurity of electronic protected health information (ePHI) across the health and human services sector. With cyber threats on the rise and health and human services organizations increasingly targeted by ransomware and experiencing data breaches, this regulatory update could not be more timely.

The proposed rule, titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, reflects a shift toward greater accountability and proactive defense. For healthcare executives, the message is clear: begin preparing now or risk falling behind.

Understanding What Is Changing

Mandatory Security Safeguards

One of the most impactful changes is the removal of the flexibility around “addressable” implementation specifications. Under the current rule, each specification is either “required” or “addressable”; for addressable ones, organizations may decide, based on their size, capabilities, and risk profile, whether to implement the control, adopt an equivalent alternative, or document why neither is reasonable. The proposed update eliminates that distinction, making every technical and administrative safeguard mandatory except for a small set of explicitly stated exceptions.

Encryption of ePHI is no longer a recommendation. It is a requirement for data both at rest and in transit, so patient information is protected during storage and transfer. Multi-factor authentication (MFA) is also mandated for access to ePHI and to the systems that hold it, with only limited exceptions, significantly raising the bar for identity verification and access control.

Security assessments are being formalized and placed on a defined schedule. Where the current rule calls only for a “periodic” evaluation, the proposal requires the risk analysis and related evaluations to be reviewed and updated at least once every 12 months. Healthcare organizations must also conduct vulnerability scans at least every six months and perform penetration testing at least annually. These activities help organizations identify and remediate security gaps before they can be exploited. Additionally, network segmentation must be implemented to limit access to sensitive information and reduce the blast radius of an intrusion.

Strengthened Administrative Controls

Beyond technology, the new rule places a greater emphasis on administrative rigor. Organizations are expected to develop and maintain comprehensive incident response plans. These plans must be documented, define clear workflows for escalation and response, be tested regularly, and be supported by training for all relevant staff.

Annual security compliance audits will also be required, serving as a formal mechanism to evaluate adherence to the HIPAA Security Rule. These audits are no longer optional, and they cannot be informal exercises: they must produce documented, evidence-based findings that lead to actionable remediation.

The responsibilities of business associates are also expanding. At least once every 12 months, each business associate must provide written verification that it has implemented the required safeguards to protect ePHI. This provision underscores the importance of vetting third-party partners and enforcing clear cybersecurity expectations through business associate agreement language.

What This Means for Healthcare Organizations

Operational and Financial Implications

The financial impact of these changes will be significant. The HHS has estimated that first-year compliance across the industry could cost up to $9 billion. While that figure may seem daunting, it represents a necessary investment in protecting critical infrastructure and patient trust while avoiding potential fines and business disruption.

Mid-sized and community healthcare providers may feel this burden most acutely. The new requirements will demand investment in upgraded systems, external cybersecurity assessments, staff training, and continuous monitoring tools. However, organizations that plan early will be better positioned to spread these costs strategically and avoid rushed implementations.

Risks of Delaying Action

Waiting until the rule becomes final to begin your response will almost certainly put your organization at a disadvantage. The threat landscape continues to evolve rapidly as attackers increasingly adopt AI tooling. Cybercriminals are becoming more sophisticated, and regulatory scrutiny is increasing. Non-compliance could result in regulatory penalties, increased liability in the event of a breach, and damage to your organization’s reputation.

Healthcare has already seen a 93 percent year-over-year increase in cyberattacks, according to a 2024 report from the American Hospital Association. This reality makes proactive preparation not just a matter of compliance, but of operational continuity and patient safety.

How to Begin Preparing for HIPAA Compliance Now

Assess Your Current Security Posture

Begin with a comprehensive, organization-wide risk assessment to identify where your current security program falls short of the proposed HIPAA requirements. Because the proposal also calls for a documented technology asset inventory and network map as the foundation of the risk analysis, make sure you know what systems hold or touch ePHI before you assess them. Prioritize areas such as encryption, MFA deployment, incident response planning, and security testing.

Update Policies and Train Your Teams

Use the assessment findings to update your security policies and procedures. Ensure they reflect the new mandatory requirements and can stand up to audit scrutiny. Equally important is workforce training. All staff must understand their roles in preventing and responding to cybersecurity incidents.

Upgrade Infrastructure and Engage Business Associates

Implement necessary technological upgrades, including endpoint security, encryption of ePHI at rest and in transit, and identity and access management systems. At the same time, work with your legal and compliance teams to review contracts with business associates. These agreements must now provide for the written, at-least-annual verification that the business associate has implemented the required security safeguards.

Taking the Lead Before the Rule Is Finalized


The HIPAA Security Rule update represents more than a regulatory shift; it is a strategic inflection point for healthcare organizations. Leaders who act early will be positioned not only to meet new compliance standards but also to reduce enterprise risk, safeguard patient data, and strengthen long-term operational resilience.

Relying on a reactive approach will leave organizations scrambling to catch up. Instead, now is the time to lead with a thoughtful, proactive strategy that aligns cybersecurity with business objectives and prepares your organization for what’s ahead.

At Hartman Executive Advisors, we work alongside healthcare executives to develop and implement cybersecurity and compliance programs tailored to their organization’s needs. Our team of healthcare, IT, and cybersecurity experts provides end-to-end guidance, from risk assessments and policy development to technology enablement and executive reporting.

Do not wait for the final rule to take effect. Begin planning today. Contact Hartman Executive Advisors to schedule a conversation about your cybersecurity and data protection needs.
