Avertium Blog

HIPAA Notice of Proposed Rulemaking (NPRM): A New Era of Healthcare Cybersecurity & Compliance

Written by Mike Wildsmith | Jan 13, 2026 8:34:35 PM


The HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) takes a stronger, more prescriptive approach to cybersecurity in healthcare. If finalized, it will prompt healthcare providers, health plans, clearinghouses, and their business associates to significantly enhance documentation, controls, threat detection, and response capacity related to ePHI. Although it could entail increased costs and operational complexity, the ultimate goal is to fortify patient data protection and healthcare system resilience.

Avertium recommends gaining an early understanding of the changes and how they will affect your organization, as well as beginning to integrate new policies and procedures into your HIPAA compliance program today. Let’s take a deeper look at what the NPRM is and what it means for your HIPAA compliance program.


What Is the HIPAA Security Rule Notice of Proposed Rulemaking?

The Department of Health and Human Services (HHS) reported a sharp rise in cybersecurity incidents: breaches more than doubled from 2018 to 2023, and the number of individuals affected grew by more than 1000%. Clearly, the current Security Rule has not kept pace with technology, compliance trends, or escalating threats. These shortcomings expose weaknesses in healthcare systems, and the OCR identified recurring “common deficiencies” during its investigations that require targeted fixes.

Proposed on December 27, 2024, by the Office for Civil Rights (OCR) within HHS and published in the Federal Register on January 6, 2025, the HIPAA Security Rule Notice of Proposed Rulemaking is a landmark proposal that aims to modernize HIPAA's security standards for electronic protected health information (ePHI) for the first time in more than a decade.

The Office for Civil Rights (OCR) is currently reviewing more than 2,800 comments submitted by various stakeholders during the public comment period. The target date for finalizing the rule is May 2026, according to OCR’s regulatory agenda. If the rule is finalized as proposed, entities will have approximately 240 days to achieve compliance.


Key Proposed Changes

The HIPAA Security Rule NPRM ushers in a new era of healthcare cybersecurity and compliance, signaling a decisive shift toward mandatory, prescriptive standards that will transform how organizations protect patient data and maintain regulatory resilience.

  • Unified “Required” Standard: All implementation specifications would become mandatory, eliminating the “addressable” vs. “required” flexibility and allowing few exceptions.
  • Documentation Requirements: Regulated entities must formalize and maintain written policies, procedures, plans, and analyses covering each Security Rule domain.
  • Tech Asset Inventory & Data Flow Mapping: Annual inventories of hardware, software, and media that handle ePHI are required, coupled with a network map tracking ePHI movement. Both must be updated when systems change or ePHI data flows change.
  • Enhanced Risk Assessment: The NPRM specifies more detailed risk analysis steps (identifying threats and vulnerabilities, documenting controls, and assessing likelihood and impact), making the process more prescriptive. It also requires vulnerability scanning at least every six months and annual network penetration testing.
  • Incident Response & Recovery: Organizations must formalize incident response plans, restore critical systems within 72 hours, prioritize and document the recovery of critical systems, and conduct annual compliance audits of all implemented technical controls.
  • Technical Controls: Mandatory encryption of ePHI at rest and in transit (subject to narrow exceptions), required multi-factor authentication, regular vulnerability scans, penetration tests, and backup controls.
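As an added illustration (not code from Avertium or OCR), the following Python script checks a constructed ePHI asset inventory against the cadences and controls listed above: scans no older than six months, annual penetration tests, annual inventory review, encryption at rest and in transit, and MFA. The asset records, the 180-day reading of “six months”, and the assessment date are assumptions.

```python
"""Readiness check against the control cadences described in the HIPAA NPRM.
Added example with constructed asset records; "six months" is assumed to be 180 days.
"""
from datetime import date, timedelta

MAX_SCAN_AGE = timedelta(days=180)       # assumption: "six months" read as 180 days
MAX_PENTEST_AGE = timedelta(days=365)    # annual network penetration test
MAX_INVENTORY_AGE = timedelta(days=365)  # annual technology asset inventory review
AS_OF = date(2026, 1, 13)                # assumed assessment date

# Constructed sample inventory of systems that store or transmit ePHI.
ASSETS = [
    {"name": "ehr-db-01", "last_scan": date(2025, 11, 2), "last_pentest": date(2025, 3, 10),
     "inventoried": date(2025, 6, 1), "enc_rest": True, "enc_transit": True, "mfa": True},
    {"name": "billing-app", "last_scan": date(2025, 4, 1), "last_pentest": date(2024, 12, 1),
     "inventoried": date(2025, 6, 1), "enc_rest": True, "enc_transit": False, "mfa": True},
    {"name": "fax-gateway", "last_scan": None, "last_pentest": None,
     "inventoried": date(2024, 9, 15), "enc_rest": False, "enc_transit": True, "mfa": False},
]

def _stale(last, max_age, today):
    """True when no date is recorded or the most recent date is older than max_age."""
    return last is None or today - last > max_age

def assess_asset(asset, today):
    """Return the list of NPRM gaps for one asset (an empty list means no findings)."""
    gaps = []
    if _stale(asset["last_scan"], MAX_SCAN_AGE, today):
        gaps.append("vulnerability scan older than six months or missing")
    if _stale(asset["last_pentest"], MAX_PENTEST_AGE, today):
        gaps.append("penetration test older than one year or missing")
    if _stale(asset["inventoried"], MAX_INVENTORY_AGE, today):
        gaps.append("asset inventory entry not reviewed within one year")
    if not asset["enc_rest"]:
        gaps.append("ePHI not encrypted at rest")
    if not asset["enc_transit"]:
        gaps.append("ePHI not encrypted in transit")
    if not asset["mfa"]:
        gaps.append("multi-factor authentication not enforced")
    return gaps

def assess_inventory(assets, today):
    """Map each asset name to its list of gaps; compliant assets map to []."""
    return {a["name"]: assess_asset(a, today) for a in assets}

if __name__ == "__main__":
    for name, gaps in assess_inventory(ASSETS, AS_OF).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```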


Impacts on Healthcare Organizations

Operational Impact

The operational impact of the HIPAA Security Rule NPRM is significant, marking a shift from flexible to prescriptive standards that require much tighter controls. Organizations will need to overhaul their documentation processes, conduct annual audits, establish clear incident recovery timelines, and enforce technical protocols such as multi-factor authentication (MFA), encryption, vulnerability scans, and penetration testing.

Financial & Resource Burden

Financially, the burden is substantial, with estimated compliance costs ranging from $9 to $9.3 billion in the first year alone. This has led industry groups, including CHIME and NHCA, to urge rescinding the NPRM due to the high costs and the strain it would place on providers, particularly smaller organizations.

For many healthcare organizations, the financial and resource burden of these requirements will be notable. Increased spending on cybersecurity tools, compliance audits, and workforce training will be necessary, while staffing needs may also rise to address more rigorous documentation and technical mandates. Smaller practices, in particular, may need to seek external support or shared solutions to meet the heightened standards efficiently.

Risk Management & Patient Trust

From a risk management perspective, strengthening cybersecurity measures is expected to reduce data breaches and protect sensitive patient health information (PHI) from misuse throughout a patient’s life. Enhanced incident response capabilities, such as the requirement to restore critical systems within 72 hours, are designed to limit disruptions in care, thereby supporting patient safety and trust.

Strategic & Competitive Advantage

Strategically, organizations that proactively align with the NPRM’s framework can demonstrate robust risk management and resilience, potentially gaining a competitive edge. The process of creating required documentation, network maps, and inventories will also lay the groundwork for more advanced cybersecurity programs in the future.


What Healthcare Entities Should Do Now

Understanding and preparing for the coming changes early is key to integrating these new practices smoothly into your operations. Here’s what you can do today to get ready:

  • Analyze the NPRM closely and review how it differs from current HIPAA Security Rule compliance.
  • Understand where you stand today by taking stock of existing policies, performing asset inventories, mapping ePHI flows, and evaluating readiness for incident recovery and technical controls.
  • Budget for change: Compliance will require investment in staff, cybersecurity tools, audits, and training programs.


What You Can Do to Prepare

Healthcare companies can start preparing for the proposed HIPAA Security Rule changes by taking a proactive, structured approach. First, conduct a gap analysis comparing current security practices to the NPRM requirements, focusing on areas like encryption, multi-factor authentication, and incident response. Building a comprehensive asset inventory and mapping ePHI data flows will be critical, as these are new mandatory elements.

Organizations should also update or create written policies and procedures for all security standards, ensuring they are well-documented and auditable. Strengthening risk management programs by performing detailed risk assessments and implementing mitigation strategies will help meet the more prescriptive requirements. Additionally, companies should invest in technical safeguards such as vulnerability scanning, penetration testing, and secure backup systems.

Preparing an incident response plan that includes restoring critical systems within 72 hours and conducting annual drills will be essential. Finally, budgeting for compliance costs and training staff on new security protocols will ensure readiness and minimize disruption when the rule is finalized.


How Avertium Can Help

Avertium’s HIPAA Certification Program (HCP) helps organizations operationalize HIPAA requirements, moving beyond one-off compliance audits to a continuous, proactive approach. The program delivers:

  • Continuous Policy Updates: Ensures that your organization’s policies are always aligned with the latest HIPAA and HITRUST mandates.
  • Ongoing Staff Training: Regular training sessions to keep your team up to date on compliance requirements and best practices.
  • Technical Control Alignment: Regularly updates and aligns technical controls with evolving patient privacy mandates, ensuring that your security measures keep pace with regulatory changes.

Achieve and maintain compliance with integrated independent risk assessments, remediation guidance, and Trustmark certification that validates adherence to the HIPAA Privacy, Security, and Breach Notification Rules, backed by ongoing support and quarterly updates to keep your program continuously compliant.
