The New HIPAA Security Rule Is Coming: Here’s What You Need to Know
Healthcare organizations are facing the most sweeping updates to the HIPAA Security Rule since 2013. The proposed rule would replace the current flexible, “addressable” framework with mandatory, prescriptive cybersecurity requirements. What’s more, OCR has kept the rule’s finalization on its official regulatory agenda for May 2026, with a compliance window of approximately 240 days after finalization. These changes will require healthcare organizations to rethink their cybersecurity approach to all IT, IoT, IoMT, and OT devices, and reconsider the solutions they rely on to maintain compliance.
What’s Changing: Key Provisions of the Proposed HIPAA Rule
1. Most “Addressable” Safeguards Become Mandatory
The single largest structural change is the elimination of the distinction between “required” and “addressable” implementation specifications. Under the current rule, organizations can document why a particular control is not reasonable or appropriate and implement an alternative. The proposed rule makes virtually all safeguards mandatory, with only narrow exceptions. As RubinBrown noted in their analysis, this shift moves HIPAA from a flexible framework to one with prescriptive, enforceable standards.
2. Stronger and More Detailed Risk Analysis
Organizations must conduct more comprehensive security risk analyses, including a full inventory of all systems handling ePHI, identification of vulnerabilities and threats, documentation of likelihood and impact, and regular updates and review cycles. This is a significant expansion: while risk analysis has always been a HIPAA requirement, OCR enforcement actions have consistently cited inadequate risk analysis as the most common compliance failure. The proposed rule aims to eliminate ambiguity about what a sufficient risk analysis looks like.
3. Formal Technology Asset Inventory
Entities must maintain a complete technology asset inventory with data flow maps showing where ePHI moves through the environment, and update both annually. This requirement did not explicitly exist before. OCR states that regulated entities cannot understand the risks to their ePHI without a complete understanding of these assets, and that the inventory forms the foundation for a thorough and accurate risk analysis.
4. Written Policies, Procedures, and Documentation
All security safeguards must be documented, regularly reviewed, tested, and updated. The rule treats formal written documentation as compliance evidence, but writing policies and procedures for technical controls is not enough on its own: the controls must be implemented, deployed, and proven to be working as expected through testing.
5. Annual Security Compliance Verification
Organizations must periodically verify that safeguards are deployed and functioning. Business associates may need to certify compliance annually. The proposed rule requires regulated entities to conduct a compliance audit at least once every 12 months to ensure adherence to Security Rule requirements.
6. Mandatory Encryption
Encryption for ePHI at rest and in transit would become required rather than addressable. This aligns with the NIST Cybersecurity Framework and the HHS Cybersecurity Performance Goals (CPGs) published in 2023. However, the encryption mandate poses a particular challenge for healthcare organizations with legacy medical devices and intermediate systems that may not support modern encryption protocols – many organizations will likely need to document these as exceptions with compensating controls.
7. Mandatory Multi-Factor Authentication (MFA)
MFA would be required for system access, privileged accounts, and remote access to ePHI systems. This is one of the Essential Cybersecurity Performance Goals identified by HHS and reflects industry best practices already in place at many organizations.
8. Vulnerability Scanning and Penetration Testing
The proposed rule establishes minimum testing frequencies for the first time: vulnerability scans at least every six months and penetration tests at least annually. Testing must be conducted by qualified persons with appropriate knowledge of generally accepted cybersecurity principles. These frequencies represent a floor – organizations must increase testing frequency when risk assessments identify higher threats or when significant environmental changes occur.
9. Network Segmentation
Network segmentation is explicitly required as a safeguard to limit ePHI exposure and prevent lateral movement during breaches. CBIZ has noted that the rule requires organizations to separate IT and operational technology environments logically – for example, EHR systems should not share network segments with connected devices like surveillance cameras or IoT systems. Organizations must document their segmentation strategies, continuously monitor effectiveness, and regularly test that segmentation controls are functioning as intended.
10. Anti-Malware Protection
Systems handling ePHI must deploy malware detection, protection mechanisms, and monitoring. These are explicitly called out as required safeguards — a significant change for connected medical devices and IoT systems that often cannot run traditional endpoint protection agents.
11. Configuration Management
Entities must implement formal processes for secure configuration, patch management, and removal of unnecessary software. This aligns HIPAA with modern security frameworks like NIST and reflects the reality that misconfigurations and unpatched systems are among the most commonly exploited vulnerabilities in healthcare environments.
12. Incident Response Planning
Organizations must maintain formal incident response procedures, including breach detection capabilities, mitigation and recovery steps, and written procedures for testing and revising response plans. Critical systems and data must be recoverable within 72 hours of a disruption.
13. Backup and Contingency Planning
The rule strengthens requirements for backups of ePHI, disaster recovery, and emergency operations. Business associates must notify covered entities within 24 hours of activating a contingency plan — a significant acceleration from current notification expectations.
14. Workforce Training and Awareness
Organizations must train staff on cybersecurity threats, phishing, social engineering, and incident reporting procedures. While workforce training has always been a HIPAA requirement, the proposed rule adds specificity around the topics that must be covered.
15. Stronger Business Associate Oversight
The proposed rule expands expectations for business associates, making them directly liable for HIPAA compliance. Covered entities must obtain written verification of business associate technical safeguards at least every 12 months. Subcontractors of business associates are also directly subject to HIPAA requirements. As Epstein Becker Green observed in their analysis, this verification must be written by a subject matter expert with appropriate cybersecurity knowledge and experience.
What’s Next for Healthcare Organizations
The proposed HIPAA Security Rule represents the most significant shift in healthcare cybersecurity regulation in over a decade. While some provisions may evolve before the final rule is published, the direction is clear: mandatory, measurable controls are replacing the flexibility that organizations have relied on for years. Healthcare organizations should use this window to assess where they stand today against these 15 requirements – particularly in areas like asset inventory, network segmentation, and vulnerability management, where building the right foundation takes time.
At Asimily, we’re tracking this rulemaking closely and will continue to share updates as the final rule takes shape. If you have questions about how these changes affect your connected device environment, we’re here to help.