What the 2025 HIPAA Security Amendments Mean for Your Practice

HHS proposed major updates to the HIPAA Security Rule. MFA becomes mandatory, risk assessments get more specific, and incident response timelines tighten. Here is what independent practices need to know.

Alexander Perrin·December 1, 2025·Updated April 11, 2026

The Security Rule is getting its most significant update in over a decade

In late 2024, HHS published a Notice of Proposed Rulemaking (NPRM) that would substantially update the HIPAA Security Rule for the first time since 2013. If finalized, these changes will affect every covered entity and business associate — and independent practices will feel the impact most acutely.

The amendments reflect a threat environment that has changed dramatically since the current rule was written. Ransomware, AI-powered attacks, and the shift to cloud-based systems have exposed gaps that the existing framework was never designed to address.

Key changes independent practices should prepare for

MFA becomes mandatory

The proposed rule would require multi-factor authentication for all systems that access ePHI. This is currently an "addressable" specification, which means practices can choose an alternative if they document why. Under the new rule, that flexibility disappears.

What to do now: Enable MFA on your EHR, email, cloud storage, and any system that stores or transmits patient data. Most modern platforms support it at no additional cost.

The required/addressable distinction goes away

The current Security Rule distinguishes between "required" and "addressable" implementation specifications. Addressable does not mean optional — it means the practice can implement an equivalent alternative if documented. But many practices have treated it as optional.

The proposed amendments would make all specifications required, eliminating the ambiguity that has allowed practices to skip controls like encryption.

Encryption becomes mandatory

Under the current rule, encryption is addressable. Under the proposed amendments, encryption of ePHI at rest and in transit would be required without exception.

What to do now: Verify that full-disk encryption is enabled on all workstations, laptops, and mobile devices. Confirm that email containing PHI uses TLS encryption. Ensure backups are encrypted.

Risk assessments must be more specific

The proposed rule would require risk assessments to include a written technology asset inventory, a network map showing how ePHI moves through systems, and specific identification of threats to each asset.

This is a significant step up from the current requirement, which many practices satisfy with a general questionnaire. The ePHI data flow mapper helps build the kind of asset-level visibility the new rule would demand.

Incident response timelines tighten

The proposed amendments would require business associates to notify covered entities within 24 hours of activating a contingency plan — ensuring that practices learn about vendor-side incidents fast enough to respond. The existing 60-day window for covered entities to notify HHS of breaches affecting 500 or more individuals remains unchanged under this NPRM.

That change alone would transform business associate oversight from a paperwork exercise into an operational necessity.

Business associate oversight increases

The proposed rule would require covered entities to verify — not just trust — that their business associates have adequate security controls. Annual certification from BAs may become standard.

What this means for independent practices

Large health systems have compliance departments that will absorb these changes into existing programs. Independent practices will need to build new capabilities:

  • MFA deployment across all systems
  • Encryption verification for every device and data pathway
  • A documented technology asset inventory
  • A tested incident response plan with defined roles and timelines
  • Active BA oversight rather than passive BAA storage

The practices that start preparing now will be ahead of the compliance curve when the final rule is published. The ones that wait will face a compressed timeline and higher costs.

How to prepare

  1. Assess your current baseline — The free HIPAA assessment identifies the gaps that matter most under both the current and proposed rules.
  2. Map your ePHI environment — Use the data flow mapper to build the asset-level inventory the new rule would require.
  3. Enable MFA everywhere — This is the single highest-impact change you can make today, regardless of when the rule finalizes.
  4. Build continuous compliance — Patient Protect tracks compliance readiness in real time and adapts as regulatory requirements evolve.