The Next Evolution of Healthcare Cybersecurity: Navigating the Proposed Changes to the HIPAA Security Rule


For two decades, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has served as the baseline for protecting electronic protected health information (ePHI). Over that time the healthcare sector’s reliance on digital systems has skyrocketed, and so has the sophistication of the cyber threats targeting it. In January 2025 the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a highly anticipated Notice of Proposed Rulemaking (NPRM) (90 FR 898) outlining significant updates to the rule.

Designed to modernize the rule, the proposal shifts the framework from a flexible, sometimes ambiguous set of guidelines to a more prescriptive, operational standard. For covered entities and business associates, these changes are not merely administrative: they would require operational adjustments across IT, compliance and governance.

The fallout from major attacks has shown that breaches in healthcare don’t just compromise data; they disrupt patient care and threaten lives. HHS recognized that the existing standards, and in particular the large number of “addressable” implementation specifications, were often misinterpreted as optional, and concluded that the current rule is no longer sufficient to safeguard ePHI against modern threats.

OCR’s regulatory agenda lists finalization of the rule for May 2026. If the final rule is published on schedule, the proposed 180-day compliance period would start the clock, meaning enforcement of the new requirements could begin as early as November 2026.

Key Takeaways

  • The HIPAA Security Rule updates propose stricter, more prescriptive standards for protecting ePHI and remove much of the discretion organizations had under “addressable” specifications.
  • Organizations must create and maintain a mandatory Technology Asset Inventory that records where ePHI is handled and feeds risk management.
  • Multi-Factor Authentication (MFA) becomes a required technical safeguard, necessitating deployment across all relevant systems.
  • Enhanced audit trails and system logs must be actively monitored and protected from tampering to ensure data security.
  • Covered entities need to revise Business Associate Agreements and compliance processes to meet updated technical requirements.

The following summarizes a few key updates and their practical consequences for your operations.

1. Mandatory Technology Asset Inventories

  • Proposed Change: The proposal introduces a new standard requiring a “Technology Asset Inventory” (Proposed 45 CFR § 164.308(a)(1)(i)). Organizations must map and inventory all technology assets, identifying exactly where ePHI is created, received, maintained or transmitted.
  • Operational Change: Build and Maintain a Dynamic Asset Inventory

Operationally, IT and compliance teams must collaborate to build an exhaustive, dynamic Technology Asset Inventory. This means deploying automated discovery tools to track the hardware, software, cloud services and medical devices that touch ePHI, and reconciling their output against the inventory on a regular cycle. The inventory must also be integrated into procurement and decommissioning workflows so it stays continuously up to date rather than drifting between audits.

2. Stricter Risk Analysis

  • Proposed Change: The proposed rule adds greater specificity, requiring that the risk analysis be continuously updated to reflect changes in the environment, rather than serving as a static, check-the-box annual exercise (Proposed 45 CFR § 164.308(a)(2)(i)). It mandates explicit tracking of vulnerabilities and threats mapped directly to the new asset inventory.
  • Operational Change: Rethink Risk Analysis

The annual risk assessment must evolve into a continuous risk management program. Risk analysis needs to be directly tied to the newly mandated asset inventory, ensuring that risk is assessed at the individual system and component level.
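The two operational changes above (keep the inventory in sync with what is actually on the network, and tie the risk analysis to that inventory) can be checked continuously rather than once a year. The following is an added example, not code from the article or from HHS/OCR. It assumes two hypothetical exports: an inventory dump with the fields asset_id, hostname, ephi (whether the asset creates, receives, maintains or transmits ePHI) and last_risk_review (an ISO date or None), and a discovery-tool export listing hostnames seen on the network. All of the sample data is constructed.

```python
"""Reconcile a technology asset inventory against discovery output and check
risk-analysis coverage for ePHI assets.

Added example; not code from the article or from HHS/OCR. Field names and
sample records are hypothetical and constructed for illustration.
"""
from datetime import date, timedelta

# Constructed inventory export (hypothetical field names).
INVENTORY = [
    {"asset_id": "A-001", "hostname": "ehr-db-01", "ephi": True, "last_risk_review": "2024-11-15"},
    {"asset_id": "A-002", "hostname": "pacs-01", "ephi": True, "last_risk_review": "2023-02-01"},
    {"asset_id": "A-003", "hostname": "infusion-pump-07", "ephi": True, "last_risk_review": None},
    {"asset_id": "A-004", "hostname": "print-srv-02", "ephi": False, "last_risk_review": "2022-05-10"},
    {"asset_id": "A-005", "hostname": "old-lab-gw", "ephi": True, "last_risk_review": "2024-06-30"},
]

# Constructed discovery-tool output: hostnames observed on the network this cycle.
DISCOVERED = ["ehr-db-01", "pacs-01", "infusion-pump-07", "print-srv-02", "vendor-laptop-x"]


def reconcile(inventory, discovered, today, max_review_age_days=365):
    """Compare the inventory with discovery output and check risk-review currency.

    Returns a dict of findings keyed by category. Values are sorted lists of
    asset_ids, except 'unregistered', which lists hostnames because those
    devices have no inventory record yet.
    """
    seen = set(discovered)
    known = {a["hostname"]: a for a in inventory}
    cutoff = today - timedelta(days=max_review_age_days)

    findings = {
        # On the network but absent from the inventory: cannot be in scope of any risk analysis.
        "unregistered": sorted(seen - set(known)),
        # In the inventory but not observed: stale record, or decommissioned without updating the inventory.
        "not_seen": sorted(h for h in known if h not in seen),
        # ePHI assets that have never had a risk review, or whose review is older than the window.
        "no_risk_review": [],
        "stale_risk_review": [],
    }
    for a in inventory:
        if not a["ephi"]:
            continue  # non-ePHI assets are out of scope for this check
        if a["last_risk_review"] is None:
            findings["no_risk_review"].append(a["asset_id"])
        elif date.fromisoformat(a["last_risk_review"]) < cutoff:
            findings["stale_risk_review"].append(a["asset_id"])
    findings["no_risk_review"].sort()
    findings["stale_risk_review"].sort()
    return findings


def run_reconciliation(today_iso="2025-03-01"):
    """Run the check on the constructed sample data as of the given date."""
    return reconcile(INVENTORY, DISCOVERED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for category, items in run_reconciliation().items():
        print(f"{category}: {items}")
```

Run on a schedule (for example after each discovery scan), the `unregistered` list is the shadow-IT signal, `not_seen` feeds the decommissioning workflow, and the two risk-review lists show which in-scope systems the risk analysis has not yet caught up with. The 365-day window is a placeholder; set it to whatever review cadence your risk management program commits to.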

3. Multi-Factor Authentication (MFA)

  • Proposed Change: MFA moves from being an industry best practice to a strict regulatory requirement. The proposed rule adds a specific definition for MFA (Proposed 45 CFR § 164.304) and requires its deployment across relevant systems, particularly for remote access and administrative accounts (Proposed 45 CFR § 164.312(f)(1)).
  • Operational Change: Roll Out MFA Universally

If your organization still relies on single-factor authentication for internal systems or legacy applications, those days are over. Operationally, you must audit every access point, including VPNs, remote desktop gateways, administrative consoles and vendor support access, and deploy MFA on each. You will need to evaluate MFA solutions that balance security with clinical workflow efficiency, so that doctors and nurses are not hindered by unworkable login requirements during patient care.

4. Enhanced Audit Trails and System Logs

  • Proposed Change: The proposed rule introduces strict requirements for “Audit Trail and System Log Controls” (Proposed 45 CFR § 164.312(d)(1)). Organizations must not only collect logs but actively monitor, protect against tampering and retain these logs for specific periods to ensure they are available for analysis in the event of a security incident.
  • Operational Change: Upgrade Logging and Monitoring Capabilities

Audit logs can no longer be an afterthought. You will need to ensure that system activity reviews are automated where possible, that logs are forwarded to tamper-evident storage controlled by the security team rather than by the system being monitored, and that security staff are actively reviewing those logs for anomalous behavior.
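“Protect against tampering” is the requirement most often satisfied on paper only. One concrete way to make a log tamper-evident is to chain the records: each record carries a keyed hash (HMAC-SHA-256) over its sequence number, the previous record’s hash and its own content, so editing, deleting or reordering any earlier record breaks verification of everything after it. The following is an added example, not code from the article or from HHS/OCR; the event records and the key are constructed for illustration. The important design point is that the HMAC key lives with the log collector, not on the hosts generating events, so an attacker who owns a host cannot re-chain the history they altered.

```python
"""Tamper-evident, hash-chained audit log.

Added example; not code from the article or from HHS/OCR. The sample events
and the key are constructed. In a real deployment the key is held by the log
collector/SIEM and never by the monitored system.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first record


def _canon(entry: dict) -> bytes:
    """Canonical JSON so the same event always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class Record:
    seq: int
    entry: dict
    prev_hash: str
    digest: str


def _compute_digest(seq: int, entry: dict, prev_hash: str, key: bytes) -> str:
    payload = f"{seq}|{prev_hash}|".encode() + _canon(entry)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditChain:
    """Append-only chain of records; each digest commits to all earlier ones."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: list = []

    def append(self, entry: dict) -> Record:
        seq = len(self.records)
        prev = self.records[-1].digest if self.records else GENESIS
        rec = Record(seq, entry, prev, _compute_digest(seq, entry, prev, self._key))
        self.records.append(rec)
        return rec


def verify_chain(records, key: bytes):
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_hash != prev:
            return False, i  # gap, reorder or deletion
        expected = _compute_digest(rec.seq, rec.entry, rec.prev_hash, key)
        if not hmac.compare_digest(expected, rec.digest):
            return False, i  # content modified (or wrong key)
        prev = rec.digest
    return True, -1


# Constructed sample events: an ePHI read, a deletion and an export.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:02:11Z", "user": "nurse01", "action": "read", "record_id": "MRN-1001"},
    {"ts": "2025-03-01T08:05:40Z", "user": "admin02", "action": "delete", "record_id": "MRN-1001"},
    {"ts": "2025-03-01T08:06:02Z", "user": "admin02", "action": "export", "record_id": "MRN-1002"},
]


def demo_tamper_detection(key: bytes = b"collector-side-key-constructed"):
    """Build a chain from the sample events, then try two tampering scenarios."""
    chain = AuditChain(key)
    for ev in SAMPLE_EVENTS:
        chain.append(ev)
    intact, _ = verify_chain(chain.records, key)

    # Scenario 1: an insider rewrites the 'delete' event to look like a 'read'.
    edited = list(chain.records)
    r = edited[1]
    edited[1] = Record(r.seq, {**r.entry, "action": "read"}, r.prev_hash, r.digest)
    edited_result = verify_chain(edited, key)

    # Scenario 2: the 'delete' event is removed from the log entirely.
    truncated = [chain.records[0], chain.records[2]]
    truncated_result = verify_chain(truncated, key)

    return intact, edited_result, truncated_result


if __name__ == "__main__":
    print(demo_tamper_detection())
```

Both tampering scenarios are caught at sequence number 1, the first record affected. Note what this does and does not give you: it proves that what the collector stored has not been altered since, which covers the NPRM’s tamper-protection concern, but it cannot detect events that were never sent, which is why the forwarding path itself (agent integrity, transport security) still matters.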

5. Updated Definitions and Business Associate Alignments

  • Proposed Change: The rule modernizes several definitions. For instance, “Access” is expanded to include “deleting” and “transmitting” data (Proposed 45 CFR § 164.304). Additionally, Business Associates will have tighter obligations to verify their compliance with technical safeguards back to Covered Entities annually (Proposed 45 CFR § 164.314(a)(1)).
  • Operational Change: Revise Business Associate Agreements (BAAs) and Third-Party Risk Management

Third-party risk is a focal point of the proposed changes. Procurement and legal teams will likely need to revise BAAs to reflect the new technical requirements. Covered entities must operationalize a process for obtaining verification of compliance from their business associates every 12 months. This means moving beyond simple self-attestation questionnaires and potentially requiring independent audit reports or written technical verification from vendors.

Update Policies, Procedures, and Training

Security Awareness Training will need to be reviewed and updated to reflect new policies on MFA, data deletion and phishing. Compliance teams must rewrite their overarching Information Security Policies to strip out “addressable” language where HHS has now made controls strictly “required.” Furthermore, your Incident Response and Contingency Plans must be updated to align with the rigorous requirements for data backup and system recovery within specific timeframes.

The Road Ahead

The public comment period for these proposed changes closed on March 7, 2025 (90 FR 898). As HHS reviews those comments and prepares a final rule, covered entities cannot afford to wait: the proposed 180-day compliance period is an aggressive timeline for fully operationalizing changes of this scope, and the asset inventory and risk analysis work in particular can begin now.
