
May 5, 2026
Executive summary
The U.S. Department of Health and Human Services, through the Office for Civil Rights, issued a Notice of Proposed Rulemaking on December 27, 2024, to update the HIPAA Security Rule for the first time since 2013. The proposal is designed to make HIPAA security requirements more specific, more prescriptive, and more aligned with current cyber risk in healthcare. As of May 2026, HHS still describes the initiative as an NPRM, meaning the proposal has not yet replaced the current Security Rule, which remains in effect until a final rule is issued.
At a high level, the proposed rule would shift HIPAA security compliance away from broad, flexible standards and toward explicit cybersecurity control expectations. The proposal would eliminate much of the ambiguity that organizations have historically relied on, especially by removing the distinction between “required” and “addressable” implementation specifications and replacing it with a model in which implementation specifications are generally required, subject only to limited exceptions.
The proposal is also notable because it connects cybersecurity directly to patient safety, care continuity, and operational resilience. HHS justified the update by pointing to the rapid rise in healthcare cyberattacks, including ransomware and hacking incidents, and by citing a 102% increase in large breach reports from 2018 to 2023 and a 1002% increase in the number of individuals affected during that period. HHS also noted that more than 167 million individuals were affected by large breaches in 2023 alone.
Why HHS is proposing the change
The current HIPAA Security Rule was written as a flexible, scalable framework. That flexibility has been one of its strengths, but HHS now appears to view it as insufficient for today’s threat landscape. In the proposal, HHS says the rule must be updated to address changes in how healthcare is delivered, the sharp increase in breaches and cyberattacks, common compliance failures OCR has seen in investigations, evolving cybersecurity best practices, and court decisions affecting enforcement.
In practical terms, HHS is signaling that organizations handling ePHI should no longer expect HIPAA compliance to be satisfied by minimal documentation and loosely defined safeguards. The proposal reflects a policy judgment that core controls such as multifactor authentication, encryption, vulnerability scanning, incident response planning, and documented asset visibility should be treated as baseline expectations rather than optional or selectively implemented measures.
The proposed updates in plain English
The proposal can be understood as six major shifts.
1. From flexible standards to more mandatory controls
The single biggest structural change is the removal of the longstanding distinction between “required” and “addressable” implementation specifications. Under the proposal, implementation specifications would generally become mandatory, with only narrow exceptions. That means organizations would have much less discretion to decide whether a control is “reasonable and appropriate” to omit or substitute.
2. From general documentation to written evidence of compliance
HHS proposes written documentation for all Security Rule policies, procedures, plans, and analyses. It also says those materials should be reviewed, tested, and updated regularly. This is a major operational change because it would require organizations not only to implement safeguards, but also to maintain evidence that the safeguards were designed, reviewed, and functioning as intended.
3. From abstract risk analysis to asset-based risk management
The proposal would require regulated entities to develop and maintain a technology asset inventory and a network map showing the movement of ePHI throughout electronic information systems. Those materials would need to be updated on an ongoing basis, at least annually, and whenever changes in the environment or operations may affect ePHI. HHS also proposes more explicit requirements for risk analysis, including review of the inventory and network map, identification of threats, identification of vulnerabilities and predisposing conditions, and assessment of risk levels based on likelihood and impact.
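As an added illustration of the asset-based approach this section describes (example code written for this article, not HHS material or any tool the NPRM references), the following script runs a minimal risk analysis over a constructed technology asset inventory and a constructed ePHI network map. It identifies which assets are in scope because they store or carry ePHI, derives predisposing conditions from the inventory and map (unencrypted storage, unencrypted hops, missing MFA), bands each asset by likelihood and impact, and flags inventory entries that have not been reviewed within the annual cadence. All asset names, flows, scoring bands and the review date are assumptions made for the example.

```python
# Added example (not from the HHS NPRM, the fact sheet, or any HHS tooling):
# a small asset-based risk analysis run over a constructed technology asset
# inventory and a constructed ePHI network map. Every asset name, flow and
# scoring threshold below is hypothetical.
from dataclasses import dataclass
from datetime import date

ANALYSIS_DATE = date(2026, 5, 5)   # constructed "as of" date for the review-age check


@dataclass
class Asset:
    name: str
    stores_ephi: bool          # does ePHI reside on this asset?
    encrypted_at_rest: bool
    mfa_enforced: bool
    last_reviewed: date        # when this inventory entry was last reviewed


# Constructed inventory entries (hypothetical systems).
INVENTORY = [
    Asset("ehr-db", True, True, True, date(2026, 3, 1)),
    Asset("imaging-archive", True, False, True, date(2024, 11, 15)),
    Asset("billing-app", False, True, False, date(2026, 1, 20)),
    Asset("vpn-gateway", False, True, False, date(2026, 4, 2)),
]

# Constructed network map: (source, destination, encrypted_in_transit) for each
# hop along which ePHI moves between electronic information systems.
EPHI_FLOWS = [
    ("ehr-db", "billing-app", True),
    ("imaging-archive", "ehr-db", False),
    ("vpn-gateway", "ehr-db", True),
]

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def assets_touching_ephi(inventory, flows):
    """In-scope assets: anything that stores ePHI or sits on an ePHI flow."""
    names = {a.name for a in inventory if a.stores_ephi}
    for src, dst, _ in flows:
        names.update((src, dst))
    return names


def predisposing_conditions(inventory, flows):
    """Weaknesses the inventory and network map reveal, keyed by asset name."""
    by_name = {a.name: a for a in inventory}
    conditions = {}
    for name in sorted(assets_touching_ephi(inventory, flows)):
        asset = by_name[name]
        found = []
        if asset.stores_ephi and not asset.encrypted_at_rest:
            found.append("ePHI stored unencrypted")
        if not asset.mfa_enforced:
            found.append("no MFA")
        conditions[name] = found
    for src, dst, encrypted in flows:
        if not encrypted:
            conditions[src].append(f"unencrypted ePHI flow to {dst}")
    return conditions


def risk_level(likelihood, impact):
    """Likelihood x impact on a 1-3 scale, banded into low/medium/high (constructed bands)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def risk_register(inventory, flows):
    """Per-asset risk level plus the conditions behind it.

    Constructed heuristic: likelihood rises with the number of conditions,
    impact is high wherever ePHI is stored."""
    by_name = {a.name: a for a in inventory}
    register = {}
    for name, conds in predisposing_conditions(inventory, flows).items():
        likelihood = "high" if len(conds) >= 2 else ("medium" if conds else "low")
        impact = "high" if by_name[name].stores_ephi else "medium"
        register[name] = (risk_level(likelihood, impact), conds)
    return register


def stale_reviews(inventory, today=ANALYSIS_DATE, max_age_days=365):
    """Inventory entries not reviewed within the annual update cadence."""
    return sorted(a.name for a in inventory if (today - a.last_reviewed).days > max_age_days)


if __name__ == "__main__":
    for name, (level, conds) in risk_register(INVENTORY, EPHI_FLOWS).items():
        print(f"{name:16} {level:6} {'; '.join(conds) or 'no conditions found'}")
    print("stale inventory entries:", stale_reviews(INVENTORY))
```

The point of the structure is that the risk register is derived from the inventory and the map rather than written independently of them: an unencrypted hop shows up as a condition on the source asset, a store that holds ePHI carries high impact even with no findings, and an entry that has not been reviewed within a year is surfaced as its own compliance gap regardless of its risk score.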
4. From basic security hygiene to defined technical safeguards
The proposal would expressly require encryption of ePHI at rest and in transit, with limited exceptions; the use of multifactor authentication, with limited exceptions; vulnerability scanning at least every six months; penetration testing at least annually; network segmentation; anti-malware protection; removal of extraneous software; and disabling network ports in line with the organization’s risk analysis. This would bring HIPAA much closer to current cybersecurity control frameworks and sector expectations.
5. From generic contingency planning to measurable resilience
HHS proposes stronger incident response and contingency planning obligations. Organizations would need written security incident response plans and procedures, written procedures for testing and revising those plans, an analysis of the criticality of systems and assets for restoration prioritization, and written procedures to restore certain systems and data within 72 hours following a loss. The message is clear: resilience and recovery are becoming central compliance expectations, not secondary operational concerns.
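To show what a criticality analysis for restoration prioritization looks like when it is actually used against the 72-hour window, here is an added example (written for this article, not HHS material or any vendor tool). It takes a constructed set of systems with criticality tiers, dependencies and estimated restore times, builds a dependency-respecting restoration order that favors the most critical tier, and reports which systems would still be down after 72 hours under a one-at-a-time restore versus a parallel restore. The system names, tiers, dependencies and hour estimates are all assumptions.

```python
# Added example (not from the HHS NPRM or any HHS material): a criticality
# analysis turned into a restoration order, with a check of which systems
# would come back inside a 72-hour window. Systems, tiers, dependencies and
# restore-time estimates are constructed/hypothetical.

RESTORE_WINDOW_HOURS = 72

# Constructed: name -> (criticality tier, 1 = most critical;
#                       estimated restore hours; systems it depends on)
SYSTEMS = {
    "identity-provider": (1, 4, []),
    "ehr-db": (1, 12, ["identity-provider"]),
    "ehr-app": (1, 6, ["ehr-db", "identity-provider"]),
    "imaging-archive": (2, 60, ["identity-provider"]),
    "billing-app": (3, 8, ["ehr-db"]),
    "analytics-warehouse": (3, 40, ["ehr-db", "billing-app"]),
}


def restoration_order(systems):
    """Dependency-respecting order: a system is restored only after everything
    it depends on, and among ready systems the most critical tier goes first."""
    remaining = dict(systems)
    order = []
    while remaining:
        ready = [s for s, (_, _, deps) in remaining.items() if all(d in order for d in deps)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda s: (remaining[s][0], s))
        order.append(nxt)
        del remaining[nxt]
    return order


def completion_times(systems, parallel=False):
    """Hours after the loss at which each system is back.

    parallel=False: one restore at a time, in restoration_order.
    parallel=True: every system starts as soon as its dependencies are back
    (assumes enough restore capacity to work on several systems at once)."""
    finish = {}
    clock = 0
    for name in restoration_order(systems):
        _, hours, deps = systems[name]
        start = max((finish[d] for d in deps), default=0) if parallel else clock
        finish[name] = start + hours
        clock = finish[name]
    return finish


def beyond_window(systems, window_hours=RESTORE_WINDOW_HOURS, max_tier=1, parallel=False):
    """Systems of tier <= max_tier that would not be restored inside the window."""
    finish = completion_times(systems, parallel)
    return sorted(
        name for name, (tier, _, _) in systems.items()
        if tier <= max_tier and finish[name] > window_hours
    )


if __name__ == "__main__":
    for mode in (False, True):
        label = "parallel" if mode else "sequential"
        finish = completion_times(SYSTEMS, parallel=mode)
        print(f"{label}: " + ", ".join(f"{n}@{h}h" for n, h in finish.items()))
        print(f"  tier 1-2 not back within {RESTORE_WINDOW_HOURS}h:",
              beyond_window(SYSTEMS, max_tier=2, parallel=mode))
```

With these constructed numbers the tier-1 clinical systems come back well inside 72 hours either way, but the tier-2 imaging archive only makes the window if it can be restored in parallel with the EHR stack. That is the kind of finding a written restoration procedure should capture explicitly: which systems are in scope for the 72-hour commitment, what order they come back in, and what restore capacity the plan assumes.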
6. From passive vendor reliance to active business associate oversight
The proposal significantly tightens obligations involving business associates and subcontractors. It would require business associates to verify annually for covered entities that required technical safeguards have been deployed, through a written expert analysis and certification. It would also require business associates to notify covered entities, and subcontractors to notify business associates, of contingency plan activation without unreasonable delay and no later than 24 hours after activation.
Key proposed changes at a glance
| Area | What HHS proposes |
|---|---|
| Compliance structure | End the “required vs. addressable” split for implementation specifications, making them generally required with limited exceptions |
| Documentation | Written policies, procedures, plans, analyses, and regular review/testing |
| Asset visibility | Technology asset inventory and network map, updated at least annually and after material changes |
| Risk analysis | More specific written risk analysis tied to assets, threats, vulnerabilities, and risk levels |
| Access/security events | Notify certain regulated entities within 24 hours when workforce access to ePHI or certain systems changes or is terminated |
| Incident response | Written incident response plans, reporting procedures, plan testing, and plan revision procedures |
| Recovery | Written procedures to restore certain systems and data within 72 hours; restoration prioritization analysis |
| Technical controls | MFA, encryption at rest/in transit, anti-malware, configuration controls, port disabling, removal of extraneous software |
| Testing | Vulnerability scans at least every 6 months; penetration tests at least annually |
| Architecture | Network segmentation and separate backup/recovery controls |
| Auditing | Compliance audit at least once every 12 months |
| Vendor oversight | Annual business associate safeguard verification and 24-hour contingency activation notification |
What the proposal would mean for covered entities and business associates
If finalized in substantially similar form, the proposal would likely increase compliance costs, governance burden, and technical implementation demands across the healthcare ecosystem. Small and mid-sized providers may feel the impact most acutely because the proposal expects more formalized cybersecurity programs, better documentation, more frequent testing, and tighter third-party oversight. At the same time, the proposal may reduce ambiguity by giving organizations a clearer picture of what OCR expects during investigations and audits.
For security teams, the proposed rule effectively pushes HIPAA closer to a control-based model familiar from NIST-style cybersecurity programs. For legal and compliance teams, it raises the importance of defensible written records, documented decision-making, and evidence that technical controls are regularly assessed. For procurement and vendor management teams, it elevates the role of business associate monitoring from contract administration to active assurance.
Status and timing
The NPRM was published in the Federal Register on January 6, 2025, and comments were due by March 7, 2025. HHS’s current regulatory initiatives page still identifies the item as a proposed rulemaking initiative, indicating that the proposal has not yet been finalized as of May 2026. Until a final rule is issued and becomes effective, the current HIPAA Security Rule remains in force.
Strategic interpretation
This proposal is not just a technical amendment. It is a regulatory statement that healthcare cybersecurity is now inseparable from patient safety, enterprise resilience, and vendor risk management. HHS is effectively telling the market that organizations should be able to identify where ePHI lives, explain how it is protected, detect weaknesses on a routine basis, recover quickly from disruption, and prove all of that in writing.
Sources: HHS NPRM Overview; HHS Fact Sheet
The policy direction also suggests that OCR may expect a higher level of maturity even before a final rule is issued. Although the proposal is not yet binding, the controls HHS highlights in the NPRM and fact sheet provide a strong signal about what regulators increasingly view as reasonable baseline security in healthcare.
Recommended preparation steps now
A prudent organization does not need to wait for finalization to begin preparing. The most practical next step is to perform a gap assessment against the proposal’s major themes: asset inventory, network mapping, written risk analysis, MFA, encryption, vulnerability management, penetration testing, incident response, recovery timelines, annual compliance auditing, and business associate verification. Because many of these controls are already recognized as good cybersecurity practice, early preparation can improve security posture even if the final rule changes in some respects.
Leadership teams should also treat this as a governance issue rather than only an IT issue. The proposal implies the need for cross-functional ownership spanning privacy, security, compliance, legal, operations, procurement, and executive leadership. Organizations that can document decisions, assign accountability, and measure recovery readiness will be better positioned whether the rule is finalized as proposed or revised before adoption.
Conclusion
The proposed updates to the HIPAA Security Rule would represent the most significant cybersecurity expansion of HIPAA in more than a decade. The proposal would make the rule more explicit, more operational, and more measurable, especially in the areas of documentation, asset visibility, risk analysis, technical safeguards, resilience, and third-party oversight. Even though the proposal is not yet final, it already serves as a clear roadmap for where healthcare cybersecurity regulation is headed.