The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has proposed the most significant update to the HIPAA Security Rule since 2013. Issued in December 2024, the proposed changes reflect a growing regulatory focus on cybersecurity resilience and address long‑standing gaps observed during HIPAA enforcement actions across the healthcare industry.
While the rule has not yet been finalized, its direction is clear: healthcare organizations and business associates should expect more prescriptive security requirements, stronger documentation expectations, and increased accountability for protecting electronic protected health information (ePHI).
Why the HIPAA Security Rule Is Being Revisited
Cyberattacks targeting healthcare organizations continue to increase in frequency, sophistication, and operational impact. OCR investigations consistently identify the same underlying issues—insufficient risk analyses, incomplete system inventories, unmanaged access controls, and undocumented security practices.
In response, HHS has signaled that the existing, largely flexible framework is no longer sufficient on its own. The proposed updates are intended to modernize the HIPAA Security Rule so that it more closely reflects today’s threat landscape, technology environment, and regulatory expectations.
A Shift Toward Clearer, More Prescriptive Requirements
One of the most notable elements of the proposed rule is a move away from the long‑standing distinction between “required” and “addressable” safeguards. Under the proposal, nearly all implementation specifications would become mandatory, with limited and clearly defined exceptions.
In addition, organizations would be expected to maintain written documentation supporting:
- Security policies and procedures
- Risk analyses and risk management plans
- Technical, administrative, and physical safeguard implementation
This change reflects a continued OCR enforcement trend: if a security control or process cannot be demonstrated through documentation, regulators may treat it as not implemented.
Key Areas of Focus in the Proposed Update
Although the final rule may evolve, several themes are unlikely to change and warrant attention now:
Enhanced Risk Analysis and Risk Management
OCR has reiterated that a comprehensive, accurate, and regularly updated Security Risk Analysis is foundational to HIPAA compliance. The proposed rule emphasizes tying risk analysis results directly to documented mitigation activities rather than treating the assessment as a one‑time exercise.
Technology Asset Inventories and ePHI Flow Mapping
Organizations would be required to maintain a complete inventory of systems and technologies that create, receive, maintain, or transmit ePHI, along with network diagrams or data flow maps that clearly show how ePHI moves throughout the environment. These materials would need to be reviewed and updated on a recurring basis and upon significant system changes.
Stronger Technical Safeguards
The proposed rule introduces clearer expectations around baseline cybersecurity practices, including:
- Encryption of ePHI at rest and in transit
- Multi‑factor authentication for systems accessing ePHI
- More disciplined access management, monitoring, and system logging
These controls are already considered standard practice across many industries and are increasingly viewed by regulators as minimum expectations rather than aspirational goals.
Expanded Business Associate Accountability
Business associates and subcontractors would face tighter requirements, including more formal assurance of security control implementation. Covered entities will likely need to revisit business associate oversight processes, contract language, and due diligence practices.
Practical Implications for Healthcare Organizations
Even though the rule is not yet final, OCR has maintained it on its regulatory agenda, and healthcare organizations should not assume that significant requirements will be reversed. Waiting for final publication before acting may leave organizations with limited time to respond.
Organizations that are proactive now are better positioned to:
- Reduce enforcement and compliance risk
- Improve operational resilience against cybersecurity events
- Demonstrate compliance maturity to regulators, payers, and partners
Practical next steps may include refreshing HIPAA Security Risk Analyses, formalizing documentation, validating asset inventories, and reassessing incident response and business associate management processes.
How Dean Dorton Can Help
Dean Dorton works with healthcare organizations and business associates to assess current HIPAA Security Rule compliance, identify gaps aligned to emerging regulatory expectations, and develop practical roadmaps for remediation.
Our approach integrates compliance, risk management, and cybersecurity best practices—helping organizations prepare not only for regulatory change, but also for the operational realities of today’s threat environment.
