The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking on January 6, 2025, proposing the most significant update to the HIPAA Security Rule since it was originally adopted in 2003.

Key Proposed Changes

No More “Addressable” Specifications

The current HIPAA Security Rule distinguishes between “required” and “addressable” implementation specifications. Addressable specifications let organizations implement alternatives if they document why the specification is unreasonable. The proposed rule eliminates this distinction entirely, making all specifications required with only specific, limited exceptions.

Mandatory Encryption

Encryption of electronic protected health information (ePHI) would become a required safeguard, both at rest and in transit, for any system that handles it. This is a major shift for organizations that previously treated encryption as addressable.

Multi-Factor Authentication

The proposed rule would mandate multi-factor authentication (MFA) at every access point to ePHI, covering every workforce member who accesses systems containing it.

Incident Reporting

Business associates would be required to report security incidents within 24 hours of discovery to covered entities, a significant acceleration from current practice.

Additional Requirements

The proposal also includes several recurring operational requirements: annual technology asset inventories and network mapping; vulnerability scanning at least every six months; penetration testing at least annually; patch management within defined timelines based on criticality; backup and recovery testing at least annually; and written security policies reviewed and updated annually.

Industry Reaction

The 60-day public comment period concluded on March 7, 2025, with HHS receiving over 4,000 comments. Response has been mixed.

Healthcare industry associations have voiced significant opposition, arguing the changes impose unsustainable financial and operational demands. In December 2025, a coalition of 57 hospitals and health systems urged HHS Secretary Robert F. Kennedy Jr. to withdraw the proposed update. Small and rural healthcare providers have raised particular concerns about the cost of mandatory encryption and MFA implementation.

Current Status

Despite pushback, OCR has kept the rule’s finalization on its official regulatory agenda for May 2026. If finalized, there will be a six-month grace period for compliance, meaning enforcement would begin in late 2026 or early 2027.

The administration change has introduced additional uncertainty. It remains unclear whether the current HHS leadership will prioritize finalization or modify the proposed rule in response to industry feedback.

Preparing Now

Regardless of the final rule’s timeline, the proposed changes signal where HIPAA enforcement is heading. Healthcare organizations would be wise to conduct a gap analysis against the proposed requirements; begin planning for universal encryption of ePHI at rest and in transit; evaluate MFA deployment across all ePHI access points; document current asset inventories and network maps; and review incident response procedures for 24-hour reporting readiness.