Non-Lawyers Summary

This post explains the proposed HIPAA Security Rule overhaul in plain English. HHS is trying to make healthcare cybersecurity less flexible and more mandatory, especially around basics like MFA, encryption, and vendor reporting. It is an important proposal, but it is still not the final rule.


The Cold Open

It was February 21, 2024, and the lights were still on at Change Healthcare's data centers when everything went dark.

Without warning, ransomware cut through the network of the nation's largest health payment clearinghouse — a company so embedded in U.S. healthcare infrastructure that it processed one-in-three patient records. Pharmacies couldn't fill prescriptions. Hospitals couldn't submit claims. Physicians couldn't get paid. The attack spread like a hemorrhage across the entire system.

And then came the number: more than 100 million patient records compromised. The largest healthcare data breach in American history.

What the investigation would reveal wasn't just technical failure. It was a compliance failure hiding in plain sight — years of choosing flexibility over security, "addressable" controls over mandatory ones, documented alternatives over real encryption. For nearly two decades, the HIPAA Security Rule had given healthcare organizations an escape hatch. Change Healthcare walked right through it.

What happened next would define healthcare compliance for decades. In January 2025, HHS published the most sweeping overhaul of the HIPAA Security Rule since the original framework took effect in 2005. The era of optional security was over.


Overview

For nearly two decades, the HIPAA Security Rule operated largely unchanged — a 2003 framework governing electronic protected health information (ePHI) in a world that predated smartphones, cloud computing, and ransomware as an industry. In January 2025, HHS published the first major proposed overhaul of the Security Rule's core standards. The proposed changes eliminate the most significant flexibility provisions (the "addressable" standard) and impose mandatory technical controls — including multi-factor authentication and encryption — that many covered entities have historically avoided. For healthcare lawyers, compliance officers, and health system counsel, this NPRM represents the most significant shift in HIPAA Security Rule compliance obligations since the original rule took effect in 2005.


Key Concepts

HIPAA Coverage — The Invisible Net

Here is what most healthcare executives don't fully appreciate: the compliance net extends far beyond the hospital walls.

Covered entities:

  • Health plans (insurance companies, HMOs, employer-sponsored health plans)
  • Healthcare clearinghouses (entities that process health data between standard and non-standard formats)
  • Healthcare providers who conduct any HIPAA-covered electronic transactions (billing, eligibility verification, etc.)

Business associates:

  • Any entity that performs functions on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting ePHI
  • Examples: EHR vendors, cloud hosting providers, billing companies, medical transcription services, law firms handling PHI, accountants with PHI access

Subcontractors of business associates: Also covered — the chain extends down through the vendor stack.

Scale: Approximately 1.5–2 million covered entities and business associates nationwide.

The Change Healthcare breach illustrated exactly why this matters. The breach didn't happen inside a hospital. It happened at a vendor — a clearinghouse that processed data on behalf of thousands of covered entities, none of which had meaningful visibility into its security posture.

What Is ePHI?

Electronic Protected Health Information — any individually identifiable health information created, received, maintained, or transmitted in electronic form. Includes: diagnoses, treatment records, prescriptions, lab results, insurance information, appointment history, and any demographic data that links to health status when combined.

In the wrong hands, ePHI is more valuable on the dark web than a credit card number. A credit card can be cancelled. A medical record cannot.

The Escape Hatch That Swallowed the Law

The original 2003 Security Rule divided its safeguards into two categories:

  • Required: Must implement as specified — no flexibility
  • Addressable: Must implement OR document why an equivalent alternative was used

On paper, "addressable" sounded reasonable. In practice, it became the greatest compliance loophole in healthcare cybersecurity.

Many covered entities — particularly smaller hospitals, physician groups, and their vendors — skipped specific controls including encryption by documenting that an "alternative measure" was used. The "alternative measure" was often less secure than the control it replaced. The documentation was often a template. The review was often annual at best.

The 2025 NPRM eliminates this distinction entirely. Every control. Mandatory. No alternatives.


The 2025 NPRM — Eight Provisions That Changed Everything

Published: January 6, 2025, at 90 Fed. Reg. 898
Comment period: Closed March 7, 2025
Final rule: Not published as of April 2026 — pending

Change 1: The End of Addressable — No More Escape Hatch

ALL Security Rule standards become mandatory. There is no longer any pathway to avoid a specific control by substituting an "equivalent alternative." If the final rule includes a control, covered entities must implement it.

This is the structural shift that makes everything else possible. The other seven changes matter because there is no longer a way to document around them.

Practical impact: Organizations that documented "addressable" alternative controls for encryption, multi-factor authentication, or other technical safeguards will need to implement the now-mandatory controls when the final rule takes effect.


Change 2: Multi-Factor Authentication — The Control That Should Have Been Mandatory in 2003

Proposed: MFA is required for ALL electronic access to ePHI.

Currently: Authentication requirements exist but MFA is not explicitly mandated — covered entities could satisfy the authentication requirement with passwords alone.

Exception: Emergency access scenarios with compensating controls — the final rule will define narrow exceptions for clinical emergencies where MFA cannot be practically implemented in time.

Consider what "passwords alone" meant in practice: shared credentials. Default passwords never rotated. Nurses logging in from workstations that stayed authenticated across shifts. Vendors with remote access using combinations that hadn't changed in years.

Ransomware actors discovered healthcare was a target-rich environment precisely because credential theft was so easy and MFA was so rare.

Practical impact: Every user — clinical staff, administrative staff, remote workers, vendors — accessing ePHI must use MFA. This is a significant operational change for health systems that have not already mandated MFA enterprise-wide.


Change 3: Encryption — The Standard Everyone Avoided

Proposed: Encryption of all ePHI at rest AND in transit — no longer addressable.

Currently: Encryption is "addressable" — covered entities can document an alternative control instead of encrypting.

This is the provision that made regulators grit their teeth for twenty years. Unencrypted laptops containing thousands of patient records. Unencrypted backup tapes shipped offsite in cardboard boxes. Database servers storing ePHI in plaintext because "the network perimeter is secure." For two decades, all of this was arguably compliant under the addressable framework.

Practical impact: Unencrypted laptops, unencrypted backup drives, unencrypted database storage containing ePHI — all must be encrypted. Unencrypted transmission of ePHI over networks must be remediated.

Breach notification intersection: The HIPAA Breach Notification Rule (unchanged in the 2025 NPRM) exempts breaches of properly encrypted ePHI where the encryption key was not also compromised. Once encryption becomes mandatory, covered entities that comply will automatically benefit from this safe harbor. Compliance becomes self-reinforcing.


Change 4: The Asset Inventory Mandate — Know What You Have Before You Lose It

Proposed: two new mandatory annual documents:

  1. Technology asset inventory: Written list of all electronic information systems that create, receive, maintain, or transmit ePHI
  2. Network map: Visual representation of how ePHI moves through the entity's systems

Both must be reviewed and updated at least annually. Both must accurately reflect the current state of systems — not the state at the time of last update.

This provision exists because of a pattern OCR investigators saw repeatedly in breach investigations: organizations could not identify which systems contained ePHI, could not trace how data moved between systems, and therefore could not accurately determine breach scope.

Why it matters: The asset inventory and network map are prerequisites for effective breach scope assessment. OCR investigators will use these documents in enforcement proceedings to assess whether breach scope was properly determined.


Change 5: Vulnerability Scanning and Penetration Testing — Now on the Calendar

Proposed:

  • Vulnerability scanning: at least every 6 months
  • Penetration testing: at least every 12 months

Currently: The risk analysis requirement mandates periodic assessment but does not specify frequency or require technical testing.

Annual penetration testing and semi-annual vulnerability scanning become compliance line items, not optional best practices. These must be documented and results must inform remediation.

But there's a harder truth underneath the regulation: a penetration test you don't act on is worse than no test at all. It creates a documented record of known vulnerabilities and gives regulators a roadmap to negligence.


Change 6: 72 Hours — The Ransomware Clock

Proposed: Covered entities must be able to restore critical systems within 72 hours after a security incident.

Currently: The contingency plan requirement mandates backup and recovery capabilities with no specific restoration timeframe.

This provision was written with one word in mind: ransomware. The 72-hour restoration target forces covered entities to design and test their backup and recovery capabilities against a concrete benchmark.

Note: This is a restoration capability requirement, not a reporting obligation. It is separate from CIRCIA's 72-hour reporting requirement. Both can apply simultaneously to the same incident — the CIRCIA clock is ticking while IT is scrambling to restore systems.


Change 7: The 24-Hour Vendor Clock — No More Slow Notifications

Proposed: BAAs must be updated to require business associates to notify covered entities within 24 hours of discovering a security incident — regardless of whether the incident constitutes a HIPAA breach.

Currently: HITECH requires breach notification but specific BAA timing for security incidents (as opposed to confirmed breaches) is less defined.

This is the provision that the Change Healthcare breach made inevitable. The covered entity cannot manage an incident it doesn't know about. A vendor that discovers a breach and spends days internally investigating before notifying the covered entity costs that covered entity incident response time it can never recover.

Practical impact: BAA templates will need revision. Law firms and compliance teams that maintain standard BAA language must update their templates when the final rule takes effect.


Change 8: Annual Security Rule Compliance Audit — Not Optional

Proposed: Covered entities must conduct and document an annual Security Rule compliance audit — distinct from the existing risk analysis requirement.

The difference matters:

Two separate ongoing obligations:

  1. Risk analysis (existing): assess likelihood and impact of threats to ePHI confidentiality, integrity, and availability
  2. Compliance audit (proposed): assess whether current practices satisfy Security Rule requirements

The risk analysis asks: what could go wrong? The compliance audit asks: are we actually doing what the law requires? These are different questions. Covered entities have historically conflated them, using risk analysis as a proxy for compliance. The NPRM makes clear they are not interchangeable.
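
The compliance audit question ("are we actually doing what the law requires?") is one a security team can partly answer from the technology asset inventory that Change 4 requires. The following is an added example written for this post, not code from the post and not an HHS or OCR tool: it assumes the inventory is kept as records with the fields shown, and checks every system that handles ePHI against the controls proposed in Changes 2, 3, 5 and 6 (MFA, encryption at rest and in transit, six-monthly scanning, annual penetration testing, and a tested 72-hour restoration for critical systems). The asset names, dates and the 183-day scan interval are constructed assumptions; the output is the kind of documented gap assessment Takeaway 5 asks for.

```python
"""Security Rule gap check over a technology asset inventory.

Added example for this post; not code from the post and not an HHS/OCR tool.
It assumes the inventory (Change 4) is kept as records with the fields below
and checks each ePHI system against the controls the 2025 NPRM proposes to
make mandatory. Field names, dates and the sample inventory are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SCAN_INTERVAL = timedelta(days=183)      # "at least every 6 months" (assumed ~183 days)
PENTEST_INTERVAL = timedelta(days=365)   # "at least every 12 months"
RESTORE_TARGET_HOURS = 72.0              # proposed restoration target (Change 6)


@dataclass
class Asset:
    name: str
    handles_ephi: bool
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_vuln_scan: Optional[date]
    last_pentest: Optional[date]
    critical: bool = False
    tested_restore_hours: Optional[float] = None   # None: restoration never tested


def audit_asset(asset: Asset, as_of: date) -> List[str]:
    """Return the gaps found for one asset; an empty list means none were found."""
    gaps: List[str] = []
    if not asset.handles_ephi:
        return gaps                      # outside the Security Rule's scope
    if not asset.mfa_enforced:
        gaps.append("MFA not enforced for access to ePHI")
    if not asset.encrypted_at_rest:
        gaps.append("ePHI stored unencrypted (no breach-notification safe harbor)")
    if not asset.encrypted_in_transit:
        gaps.append("ePHI transmitted unencrypted")
    if asset.last_vuln_scan is None or as_of - asset.last_vuln_scan > SCAN_INTERVAL:
        gaps.append("vulnerability scan missing or older than 6 months")
    if asset.last_pentest is None or as_of - asset.last_pentest > PENTEST_INTERVAL:
        gaps.append("penetration test missing or older than 12 months")
    if asset.critical:
        if asset.tested_restore_hours is None:
            gaps.append("critical system: restoration never tested")
        elif asset.tested_restore_hours > RESTORE_TARGET_HOURS:
            gaps.append("critical system: tested restoration took "
                        f"{asset.tested_restore_hours:g}h, target is 72h")
    return gaps


def audit_inventory(assets: List[Asset], as_of: date) -> Dict[str, List[str]]:
    """Map each asset name to its gaps: the written gap assessment."""
    return {asset.name: audit_asset(asset, as_of) for asset in assets}


def gap_report(results: Dict[str, List[str]]) -> List[str]:
    """Render results as plain text lines, fewest gaps first."""
    lines: List[str] = []
    for name, gaps in sorted(results.items(), key=lambda kv: (len(kv[1]), kv[0])):
        lines.append(f"{name}: {'OK' if not gaps else f'{len(gaps)} gap(s)'}")
        lines.extend(f"  - {gap}" for gap in gaps)
    return lines


# Constructed sample inventory and audit date (not real systems).
AUDIT_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    Asset("ehr-db", True, True, True, True, date(2025, 3, 15), date(2024, 9, 1),
          critical=True, tested_restore_hours=36.0),
    Asset("billing-laptops", True, False, False, True, date(2024, 10, 1), None),
    Asset("backup-tapes", True, True, False, True, date(2025, 5, 1), date(2025, 1, 10),
          critical=True),
    Asset("cafeteria-pos", False, False, False, False, None, None),
]

if __name__ == "__main__":
    for line in gap_report(audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)):
        print(line)
```

Run against the sample inventory, the laptop fleet shows four gaps (no MFA, no encryption at rest, a stale scan, no penetration test) and the backup tapes two (unencrypted, restoration never tested); the EHR database passes, and the point-of-sale system is reported as out of scope because it holds no ePHI. Keeping the check as code means it can be re-run each time the inventory is updated rather than once a year.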


Existing Breach Notification (Unchanged in 2025 NPRM)

The Breach Notification Rule (45 CFR Part 164, Subpart D) was NOT modified in the 2025 NPRM. Current rules remain in effect:

Obligation | Timeline | Recipient
--- | --- | ---
Notify affected individuals | Within 60 days of discovery | Affected individuals
Notify HHS (large breaches ≥500) | Within 60 days of discovery | HHS — published on "Wall of Shame" website
Notify HHS (small breaches <500) | Within 60 days of year-end | HHS annual log
Media notice | Same as individual notice | Prominent media in affected state (if ≥500 state residents)
Business associate → covered entity | Without unreasonable delay; ≤60 days | Covered entity
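
The 24-hour vendor clock in Change 7 and the unchanged 60-day clocks in the table above run against each other once a business associate discovers an incident. The following is an added example written for this post, not code from it or from HHS: it takes a constructed incident timeline (when the vendor discovered the incident, when it told the covered entity, and how many individuals were affected), scores the vendor's delay against both the proposed 24-hour and the current 60-day limit, and computes the covered entity's own notice deadlines. It assumes the covered entity's discovery date is the date it was notified, treats "60 days" as 60 calendar days, and models a single affected state.

```python
"""Two overlapping clocks after a vendor security incident.

Added example for this post, not code from it or from HHS. Models the proposed
24-hour business associate notice (Change 7) alongside the unchanged Breach
Notification Rule timelines. Timestamps and the affected count are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

PROPOSED_BA_NOTICE = timedelta(hours=24)   # 2025 NPRM (proposed): any security incident
CURRENT_BA_NOTICE = timedelta(days=60)     # existing outer limit for breach notice
NOTICE_WINDOW = timedelta(days=60)         # individual / HHS / media notice after discovery
LARGE_BREACH = 500                         # threshold used in the table above


def ba_notice_status(ba_discovered: datetime, ce_notified: datetime) -> Dict[str, object]:
    """Compare the vendor's actual notification delay with both clocks."""
    delay = ce_notified - ba_discovered
    return {
        "delay_hours": delay.total_seconds() / 3600,
        "meets_proposed_24h": delay <= PROPOSED_BA_NOTICE,
        "meets_current_60d": delay <= CURRENT_BA_NOTICE,
    }


def breach_deadlines(ce_discovered: datetime, affected: int) -> Dict[str, datetime]:
    """Deadlines the covered entity faces once the incident is treated as a breach."""
    deadlines = {"individuals": ce_discovered + NOTICE_WINDOW}
    if affected >= LARGE_BREACH:
        deadlines["hhs"] = ce_discovered + NOTICE_WINDOW
        # Media notice follows the individual-notice timeline; this simplified
        # model assumes all affected individuals live in one state.
        deadlines["media"] = ce_discovered + NOTICE_WINDOW
    else:
        # Small breaches go on the HHS annual log within 60 days of year-end.
        deadlines["hhs"] = datetime(ce_discovered.year, 12, 31) + NOTICE_WINDOW
    return deadlines


def incident_timeline(ba_discovered: datetime, ce_notified: datetime, affected: int) -> List[str]:
    """Plain-text summary a compliance team could file with the incident record.

    Assumption: the covered entity's discovery date is the date it was notified.
    """
    status = ba_notice_status(ba_discovered, ce_notified)
    word = lambda ok: "met" if ok else "MISSED"
    lines = [f"vendor notice delay: {status['delay_hours']:.0f}h "
             f"(proposed 24h {word(status['meets_proposed_24h'])}; "
             f"current 60d {word(status['meets_current_60d'])})"]
    for who, when in breach_deadlines(ce_notified, affected).items():
        lines.append(f"{who} notice due by {when:%Y-%m-%d}")
    return lines


# Constructed incident: vendor finds the intrusion on a Monday morning and
# notifies the covered entity on Thursday afternoon; 120,000 individuals affected.
BA_DISCOVERED = datetime(2025, 3, 3, 9, 0)
CE_NOTIFIED = datetime(2025, 3, 6, 15, 0)
AFFECTED = 120_000

if __name__ == "__main__":
    for line in incident_timeline(BA_DISCOVERED, CE_NOTIFIED, AFFECTED):
        print(line)
```

In the constructed case the vendor took 78 hours, which satisfies today's outer limit but would miss the proposed 24-hour clock by more than two days; the covered entity's individual, HHS and media notices all fall due on the same date 60 days later. A breach under 500 individuals instead routes the HHS notice to the annual log, due 60 days after the end of the calendar year of discovery.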

Enforcement — The Numbers That Should Terrify You

Enforcing agency: HHS Office for Civil Rights (OCR) — primary HIPAA enforcement authority

Also authorized: State attorneys general (may bring HIPAA enforcement actions under HITECH)

Civil penalties:

Culpability tier | Per violation | Annual cap
--- | --- | ---
Did not know | $100–$50,000 | $1.9M (inflation-adjusted)
Reasonable cause | $1,000–$50,000 | $1.9M
Willful neglect — corrected | $10,000–$50,000 | $1.9M
Willful neglect — not corrected | $50,000 | $1.9M

Enforcement track record: OCR has collected $37M+ in HIPAA settlements since 2008. Largest settlements average $5M+. Change Healthcare breach (Feb 2024, 100M+ affected) is expected to drive the largest OCR enforcement action in history.

But here is what those numbers don't capture: HIPAA enforcement operates on a per-violation basis, and a "violation" can mean each affected patient record. One breach. One hundred million records. The math becomes existential.


Comparison: HIPAA Security Rule vs. Other Frameworks

Control | HIPAA (Proposed) | NIST CSF 2.0 | ISO 27001 | DFS 23 NYCRR 500 | EU NIS2
--- | --- | --- | --- | --- | ---
MFA | Mandatory (proposed) | Recommended | Best practice | Mandatory (existing) | Required
Encryption | Mandatory (proposed) | Recommended | Best practice | Mandatory (existing) | Required
Pen testing | Annual (proposed) | Recommended | Recommended | Annual (existing) | Required
Asset inventory | Annual (proposed) | Required | Required | Required | Required
Incident response | Required | Required | Required | Required | Required
Restoration target | 72 hours (proposed) | No specific target | RTO based on BIA | No specific target | No specific target

Practitioner Takeaways

1. Audit every existing BAA before the final rule takes effect. The enhanced 24-hour security incident notification requirement will require BAA updates. Health system counsel should inventory all existing BAAs, identify those that lack the new notification language, and develop a remediation plan for vendor outreach. Waiting until final rule publication creates a compliance crunch.

2. The encryption mandate closes the biggest existing compliance gap. Many smaller covered entities have relied on the "addressable" alternative documentation to avoid encrypting laptops, backup drives, and databases. When encryption becomes mandatory, these organizations face both a compliance remediation project AND retroactive breach risk — past incidents involving "unencrypted" devices may be reevaluated under the new mandatory standard.

3. MFA is already operationally necessary — compliance is the argument, not the reason. For health systems that have not yet mandated MFA, the NPRM provides the regulatory forcing function. But MFA should have been standard practice regardless — credential theft is the #1 vector in healthcare breaches. Use the NPRM as leverage to accelerate implementation decisions that are already operationally justified.

4. The 72-hour restoration requirement should drive backup architecture review. "We can restore critical systems in 72 hours" is now a proposed compliance requirement, not an aspirational target. Health system counsel should ask IT leadership: have we actually tested this? The answer in most organizations is no. Counsel should recommend tabletop exercises and documented recovery tests before the final rule takes effect.

5. Document the compliance gap now — before OCR comes calling. The Change Healthcare breach (100M+ records, Feb 2024) will produce a major OCR enforcement action that will set precedent for the new Security Rule standards. Covered entities that have already documented their compliance gap assessment, remediation plans, and implementation timelines will be in a substantially stronger enforcement defense posture than those that have not.


Quiz

See: artifacts/quizzes/quiz-01i.md
