More than half of the largest healthcare breaches in the last decade began with weak access controls or unpatched systems. That pattern is why the HIPAA 2025 update targets the Security Rule first. Part 1 reviewed how repeated breaches and delayed access exposed the gaps in HIPAA’s framework. Building on that foundation, Part 2 explains how the new Security Rule closes those gaps by making encryption, multifactor authentication, recovery testing, and vendor oversight mandatory rather than optional.
Why change now for healthcare security?
OCR moved from flexibility to measurability because voluntary safeguards have not kept pace with real-world threats. Breaches more than doubled over five years, and ransomware caused direct patient care disruptions. Regulators judged that “addressable” safeguards left too much discretion, producing uneven results across the industry.
The shift also reflects broader pressure. For example, other industries already follow strict rules like the FTC Safeguards Rule and PCI DSS 4.0. Healthcare lagged behind, despite handling some of the most sensitive data. OCR is now demanding evidence-based compliance to close that gap.
From addressable to required: what actually shifts
For two decades, HIPAA classified most protections as “addressable.” That often led smaller organizations to treat them as optional. The NPRM removes that distinction. Nearly every safeguard would now be mandatory, with documentation required for each specification.
Annual self-audit becomes mandatory
Entities would need to conduct documented Security Rule compliance reviews at least every 12 months, covering every standard and specification. This annual review is a formal audit, not an informal check. Organizations must retain evidence of how each safeguard was tested and whether it was effective.
Policy review cycles
The NPRM also requires that all administrative, technical, and physical safeguard policies be reviewed at least once every 12 months. This closes the loophole of policies sitting unchanged for years. Covered entities will need to prove not only that policies exist, but that they are examined, updated, and re-approved on a recurring basis.
Documentation moves from policy on paper to proof in practice
In the past, binders of policies often satisfied audits. The NPRM proposes a different standard: proof that safeguards work. That includes restore test results, training records, vulnerability scan reports, and annual audit documentation. Paper alone is no longer enough.
Evidence is the new compliance currency
OCR is shifting from policies on paper to proof of effectiveness. Covered entities and business associates must retain evidence that safeguards actually work in practice. Examples include:
- Results from contingency restore tests.
- Logs from vulnerability scans and annual evaluations.
- Records of access terminations with timestamps.
- Attendance rosters from workforce security training.
The NPRM also introduces a formal compliance audit requirement: entities must conduct and document a Security Rule audit at least once every 12 months. This audit must cover every standard and implementation specification, with written evidence of what was tested and how gaps were addressed. Regulators will expect no
What does a defensible administrative program look like?
A defensible program is one that demonstrates awareness, preparation, and accountability across systems, vendors, and workforce. OCR will expect documented evidence, not promises.
Asset inventories and network maps that stay current
Organizations must maintain updated inventories of hardware, software, and electronic media that handle ePHI. These inventories must be paired with network maps showing how data flows, including entry and exit points. Both must be reviewed annually and updated when changes occur.
Risk analysis scope now includes vendor threats
The NPRM extends risk analysis to vendors and subcontractors, recognizing that third parties are frequent breach entry points. Covered entities must identify vendor risks and document how those risks are addressed.
Contingency planning with tested restores and a 72-hour target for critical systems
The NPRM proposes written contingency procedures designed to restore critical systems within about 72 hours. But not every system must meet that timeframe. A criticality analysis must identify which systems are truly critical for patient care and prioritize them for recovery.
Criticality analysis: central to contingency planning
A criticality analysis ranks all ePHI systems by importance. Patient-facing systems like EHRs or imaging servers may be top priority, while back-office systems may allow longer downtime. The 72-hour recovery target applies only to the systems identified as critical. Organizations must run annual restore tests to show that recovery plans work for critical systems.
Workforce controls, training, and sanctions
The NPRM emphasizes documented workforce controls. Training must include system access, authentication, and incident response. Organizations must apply sanctions consistently when violations occur.
It also introduces a new 24-hour rule for workforce access changes: covered entities and business associates must notify designated parties within 24 hours when workforce access is modified or terminated. This ensures auditors can verify that access is removed quickly and reported promptly.
Sanctions and accountability culture
The NPRM elevates workforce sanction policies into enforceable safeguards. Organizations must document not only that sanctions exist, but that they are reviewed annually and applied consistently.
A defensible accountability program links three elements:
- Training that sets clear expectations.
- Monitoring that detects violations.
- Sanctions that are enforced and documented when rules are broken.
OCR will expect records of disciplinary actions when workforce members violate access or security requirements. For compliance officers, this requires closer integration with HR to ensure policies are fair, consistently enforced, and ready for external review.
Which technical safeguards rise to baseline?
OCR has grouped proposed changes into clear technical categories. These changes shift many once-optional practices into required baselines.
Access controls
Multifactor authentication (MFA):
MFA would be required for systems storing ePHI, as well as all privileged and remote access. The proposal allows flexibility in methods, including tokens, mobile apps, or biometrics, provided they meet security standards.
Segmentation and least privilege:
Entities must segment networks, disable unused ports, and enforce least privilege access. This limits the spread of intrusions.
Data protection
Encryption by default:
The NPRM proposes encryption for all ePHI at rest and in transit. Exceptions exist only where infeasibility is documented with compensating controls.
- Example methods include AES-256 for data at rest and TLS 1.3 for data in transit.
- These are examples, not mandated specifications.
System hardening
The NPRM stresses configuration management:
- Maintain secure baselines for systems.
- Remove unnecessary software and services.
- Ensure anti-malware tools are deployed and regularly updated.
- Document periodic reviews to confirm systems remain in a hardened state.
Patch and vulnerability management:
- Critical vulnerabilities: fix within 15 days.
- High vulnerabilities: fix within 30 days.
- Interim controls must be applied when full remediation is delayed.
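As an added illustration, not part of the original article or of any OCR guidance, the following Python script checks a constructed vulnerability scan export against the 15-day (critical) and 30-day (high) windows above and flags overdue findings that have no documented interim control, which is the evidence an annual self-audit would need to produce. The finding fields, status names and sample data are assumptions.

```python
from datetime import date, timedelta

# Remediation windows from the NPRM summary above, in days from detection.
SLA_DAYS = {"critical": 15, "high": 30}

# Constructed sample scan export (not real findings or real dates).
SAMPLE = [
    {"id": "V-1", "severity": "critical", "detected": date(2025, 9, 1),
     "fixed": date(2025, 9, 10), "interim_control": None},
    {"id": "V-2", "severity": "critical", "detected": date(2025, 9, 1),
     "fixed": None, "interim_control": "host isolated from ePHI VLAN"},
    {"id": "V-3", "severity": "high", "detected": date(2025, 9, 1),
     "fixed": None, "interim_control": None},
    {"id": "V-4", "severity": "high", "detected": date(2025, 9, 25),
     "fixed": None, "interim_control": None},
    {"id": "V-5", "severity": "medium", "detected": date(2025, 8, 1),
     "fixed": None, "interim_control": None},
]
AS_OF = date(2025, 10, 5)  # constructed audit date

def evaluate_finding(finding, as_of):
    """Classify one finding against its remediation window.

    Statuses: fixed_in_window, fixed_late, open_in_window,
    overdue_with_interim, overdue_no_control, no_sla.
    """
    window = SLA_DAYS.get(finding["severity"].lower())
    if window is None:
        return "no_sla"  # medium/low: tracked, but no NPRM day count given
    due = finding["detected"] + timedelta(days=window)
    if finding["fixed"] is not None:
        return "fixed_in_window" if finding["fixed"] <= due else "fixed_late"
    if as_of <= due:
        return "open_in_window"
    # Past the window: an interim control keeps it compliant, its absence is a gap.
    return "overdue_with_interim" if finding.get("interim_control") else "overdue_no_control"

def audit_findings(findings, as_of):
    """Return {finding_id: status} and the ids that need escalation."""
    statuses = {f["id"]: evaluate_finding(f, as_of) for f in findings}
    escalate = sorted(i for i, s in statuses.items() if s == "overdue_no_control")
    return statuses, escalate

def run_sample():
    """Evaluate the constructed export as of the constructed audit date."""
    return audit_findings(SAMPLE, AS_OF)

if __name__ == "__main__":
    statuses, escalate = run_sample()
    for fid, status in statuses.items():
        print(f"{fid}: {status}")
    print("escalate:", escalate)
```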
Ongoing monitoring
Organizations must retain audit logs, review them regularly, and act on the findings. OCR expects organizations to prove that logs are not only captured but also checked.
- Logs should include system access, authentication attempts, and security events.
- Reviews should occur at set intervals, with findings documented.
- Repeatable procedures must exist for handling alerts.
Incident response and reporting
The NPRM requires every covered entity and business associate to maintain a written incident response plan. These plans must define how incidents are reported internally, escalated, contained, and resolved. Ad hoc responses are no longer acceptable.
Plans must be reviewed and tested at least once every 12 months, with results documented and the plan updated as needed. Documentation should demonstrate that alerts from monitoring systems feed into repeatable response steps and that those steps are exercised regularly. In practice, OCR will expect organizations to show not just that logs are collected, but that they drive a consistent, documented response process.
How will business associates and health plans be held accountable?
OCR has expanded accountability for third parties because many breaches start with vendors or plan sponsors. As a result, covered entities must take a more active role in oversight.
Annual BA verification and 24-hour contingency notices
Business associates must now provide annual certifications that confirm they have implemented required safeguards. Covered entities must track and retain these certifications every year. A one-time BAA will no longer suffice.
In addition, business associates must notify covered entities within 24 hours if they activate a contingency plan due to a security incident affecting ePHI.
Therefore, covered entities will need to:
- Amend contracts to include these obligations.
- Collect and track certifications annually.
- Monitor downstream subcontractors for compliance.
- Keep evidence ready to show OCR during reviews.
If an entity fails to track annual certifications, regulators could take enforcement action against the covered entity as well as the vendor.
Plan sponsor obligations and formal plan amendments
Group health plans must also amend plan documents to extend Security Rule safeguards to plan sponsors that handle ePHI. Furthermore, plan sponsors must notify the plan within 24 hours if they activate their contingency plan. This mirrors the business associate notification rule and ensures that upstream entities stay informed promptly.
Annual self-audit and recurring policy reviews
A distinct requirement of the NPRM is the annual self-audit. Entities must review compliance with each safeguard at least once every 12 months. These audits must be documented, with evidence of what was tested, how it was tested, and the outcome.
In addition, all safeguard policies must undergo an annual policy review cycle. Policies must be formally re-examined, updated if necessary, and retained for auditors. This ensures that policies evolve alongside technology and threats.
Cost, staffing, and audit pressure
The NPRM carries an estimated cost of $9 billion in the first year and about $6 billion annually thereafter. Over five years, the total adds up to roughly $33 billion. According to the IBM 2024 Cost of a Data Breach Report, healthcare continues to face the highest average breach cost among all sectors.
Budget scenarios for small practices vs large systems
- Small and rural providers may struggle most. Costs for penetration tests, MFA upgrades, and asset inventories may exceed available budgets.
- Large systems must contend with scale. Standardizing MFA, segmentation, and audits across dozens of facilities multiplies the cost and complexity.
OCR’s revived audit program and likely points of scrutiny
OCR has already signaled a stronger audit culture, with more preemptive reviews. Likely areas of scrutiny include:
- Documentation of risk analyses.
- Evidence of annual audits and policy reviews.
- Restore test results for critical systems.
- Vendor certification tracking.
Recognized security practices and cross-framework alignment
The HIPAA Security Rule update does not exist in isolation. Under the 2021 HITECH amendment, OCR must consider whether an organization has adopted “recognized security practices” when making enforcement decisions. These include the NIST Cybersecurity Framework and the 405(d) Health Industry Cybersecurity Practices.
This creates a clear incentive for providers to align their security programs with established frameworks. Investments in controls that satisfy PCI DSS 4.0, the FTC Safeguards Rule, or CMMC 2.0 can also strengthen HIPAA compliance. Documenting adoption of recognized practices for at least 12 months builds a stronger defense posture and gives organizations evidence that OCR is required by law to weigh during enforcement.
What regulators have signaled about enforcement timelines
The proposal allows 180 days after finalization to comply. While hospital associations have asked for extensions, OCR has not promised grace periods. Early preparation is the safest course.
Practical roadmap for the next 180 days after a final rule
If OCR finalizes the rule in late 2025, entities may have only six months to comply. Here’s a staged roadmap.
0 to 30 days
- Form a compliance task force with IT, compliance, legal, and clinical roles.
- Begin a gap analysis against NPRM requirements.
- Update BAA templates to reflect new obligations.
30 to 90 days
- Deploy MFA on ePHI, privileged, and remote access systems.
- Begin encryption projects for data at rest and in transit.
- Establish asset inventories and network maps.
- Identify critical systems for contingency planning.
90 to 180 days
- Conduct vulnerability scans and schedule annual evaluations.
- Train staff on updated access and termination rules.
- Perform restore drills for critical systems.
- Complete the first annual self-audit with evidence files.
FAQs
1. Are there exceptions to the encryption requirement?
Yes, but they are narrow. Entities must document infeasibility and apply compensating controls.
2. What types of MFA are acceptable?
Methods vary: password plus token, password plus app, or biometrics. Behavioral biometrics may be used if compliant with security standards.
3. Does annual testing mean penetration tests are required?
No. Annual evaluations may include penetration tests, but do not mandate them. Vulnerability scans must occur at least every six months.
4. Must every system be recovered within 72 hours?
No. The 72-hour proposal applies only to systems identified as critical in a documented criticality analysis.
5. What if a business associate resists annual verification?
Covered entities remain responsible. Contracts must be amended, and certifications must be tracked annually.
6. Will OCR allow more than 180 days for compliance?
The proposal specifies 180 days. While extensions are requested, no additional time has been promised.
At-a-glance checklist
- Form a compliance team
- Conduct gap analysis
- Update BAAs with annual verification and notification clauses
- Deploy MFA across ePHI, privileged, and remote access
- Encrypt ePHI at rest and in transit
- Maintain asset inventories and network maps
- Perform criticality analysis and design a 72-hour recovery plan
- Schedule vulnerability scans and annual evaluations
- Review all safeguard policies annually
- Complete and document annual self-audit
Preparing Now for a Stricter Audit Culture
The HIPAA 2025 Security Rule overhaul represents more than a technical upgrade. It marks a cultural reset in how healthcare organizations prove they are protecting patient information. Regulators will no longer accept written policies that gather dust. They want evidence that encryption is in place, that restore drills work, and that access is removed within hours when staff depart.
For providers, the choice is simple: build defensible programs now or face a stricter audit culture later. Organizations that act early can reduce the likelihood of breaches and demonstrate to OCR that they are already aligned with established frameworks such as PCI DSS 4.0, the FTC Safeguards Rule, and CMMC 2.0. These frameworks are not optional extras; they are the benchmarks against which enforcement will be measured.
Costs will rise, especially for smaller practices, but so will the cost of inaction. With breach expenses averaging millions of dollars per incident, investment in compliance is also an investment in patient safety and financial resilience. Hospitals that standardize MFA, encryption, and vendor oversight now will save themselves the chaos of retrofitting controls under regulatory pressure.
The Security Rule is only part of the story. Compliance does not stop at technical safeguards. In Part 3, the focus shifts to patients themselves, with reforms to the Privacy Rule and Patient Rights Update. Shorter timelines, fee transparency, and new rights to direct data to apps will reshape daily interactions between patients and providers.


