HIPAA Security Rule Update: What the 2026 Final Rule Will Require

HHS published the HIPAA Security Rule NPRM in January 2025. Finalization is on the agenda for 2026. Covered entities and business associates need to start work now.

Nayan Dey
Compliance Engineer

The Office for Civil Rights (OCR) at HHS published the long-awaited HIPAA Security Rule NPRM in the Federal Register on January 6, 2025. The proposed amendments are the first substantive update to the Security Rule since 2013 and respond directly to the volume and severity of healthcare breaches in the preceding decade. The comment window closed on March 7, 2025 with more than 4,000 stakeholder submissions. Despite industry pushback on cost and timing, OCR has kept the rule on its regulatory agenda for May 2026 finalization. Covered entities and business associates working under the assumption that "nothing will change" are running out of runway; the proposed structure is detailed enough that readiness work can and should start now.

What is the headline change?

The NPRM removes the distinction between "required" and "addressable" implementation specifications. Under the current rule, an organization can decline to implement an addressable specification if it documents a reasonable alternative. Under the proposed rule, all implementation specifications become required, with a small set of named exceptions. That single change is the largest in twelve years. It eliminates the most common compliance shortcut — explaining why a control is "not reasonable and appropriate" — and forces every regulated entity to implement and document the full specification list. The corollary is that OCR investigators will no longer accept "we documented our addressable analysis" as the answer; they will look for evidence of implementation.

What new technical safeguards are proposed?

Several. Multi-factor authentication becomes explicit and broadly required for access to ePHI, removing the ambiguity that allowed many providers to rely on password-only access for clinical applications. Encryption at rest and in transit becomes a required implementation specification with limited exceptions. Vulnerability scanning is expected at least every six months and penetration testing at least every twelve months, with documented remediation timelines. Anti-malware controls become explicit. Network segmentation becomes a named expectation for in-scope environments. Backup and recovery requirements expand to include restoration testing and offline or otherwise tamper-resistant copies — a direct response to the ransomware pattern that dominated healthcare incidents in 2023-2025.

What new administrative safeguards are proposed?

The most consequential is the technology asset inventory requirement. The NPRM expects covered entities to develop and annually revise an accurate and thorough written asset inventory and network map of electronic information systems and all technology assets that may affect ePHI. That requirement, mirrored in NYDFS Part 500 and in the SP 800-171 control set, was previously implicit in the risk-analysis expectation but never spelled out. The NPRM also strengthens contingency planning, requiring restoration of critical systems within 72 hours and documented procedures for criticality analysis. Workforce training, audit log review cadence, and incident-response timelines are all named with greater specificity than the 2013 rule provided.

How does the business-associate verification change?

Under the NPRM, regulated entities must obtain written verification of the technical safeguards used by business associates and their subcontractors that create, maintain, or transmit ePHI on their behalf, at least every twelve months. The verification must address the specific safeguards required by the Security Rule. The practical impact: covered entities can no longer rely solely on Business Associate Agreement signatures and self-assertions. They must collect annual evidence (questionnaires backed by artifacts, third-party assessments, or equivalent) and document the review. Business associates are in turn required to obtain the same verifications from their own subcontractors. The chain of verification flows down the supply chain in a structure that resembles CMMC flow-down in the defense industrial base.

What is the realistic timeline if the rule is finalized in 2026?

The NPRM proposes a compliance date of 180 days after the effective date of the final rule. Assuming a final rule in mid-2026, that would target compliance in late 2026 or early 2027 for most provisions, with longer windows (potentially 18 to 24 months) for specific structural changes like the asset-inventory requirement. Industry comments asked for two to three years of phase-in; OCR signaled some receptivity but did not commit to a specific extension. Organizations that wait for the final rule before starting work will, in practice, have six to nine months to deploy controls that take many quarters in healthcare environments, particularly MFA across clinical applications and asset inventory across affiliated provider networks.

Pre-finalization readiness checklist for HIPAA Security Rule 2026

1. Inventory: build an authoritative ePHI asset inventory and network map
2. MFA: extend phishing-resistant MFA to all clinical and administrative access
3. Encryption: confirm at-rest and in-transit coverage for all ePHI repositories
4. Vulnerability program: 6-month scan cadence, 12-month pentest cadence
5. Backup and recovery: tamper-resistant copies, periodic restore tests
6. Business associate verification: annual evidence collection process
7. Segmentation: document and enforce network boundaries around ePHI
8. Incident response: 72-hour restoration target, named roles, tabletop cadence
9. Risk analysis: refresh against the new specification list, annually
10. Workforce: training updated to reflect MFA, ransomware, and phishing

How does this stack with other regulators healthcare faces?

Healthcare organizations sit under multiple regimes simultaneously. The FTC Health Breach Notification Rule applies to non-HIPAA personal health record vendors. State attorney general notification requirements run on date-of-discovery clocks that vary by state. The SEC Item 1.05 disclosure rule reaches publicly traded healthcare providers and payers. CIRCIA, when finalized, will add a 72-hour CISA reporting clock for many healthcare entities classified as critical infrastructure. The proposed HIPAA Security Rule updates do not harmonize those clocks, but they raise the underlying control floor enough that an organization meeting them is in a better position to satisfy parallel obligations without scrambling. The asset-inventory expectation in particular shows up in every modern security regime: a single, current inventory satisfies the HIPAA, NYDFS, and SP 800-171 requirements and is foundational evidence for CIRCIA and SEC disclosure.

How Safeguard Helps

Safeguard maintains the authoritative software and component inventory that the proposed HIPAA Security Rule expects for the ePHI environment, including SaaS, containers, and packaged applications, with continuous reconciliation rather than annual snapshots. Griffin AI ties every component to vulnerability, license, and patch posture data, supporting the proposed scan-and-remediation cadence with auditable evidence. TPRM workflows operationalize the business-associate verification cycle, collecting and refreshing technical-safeguard evidence from BAs and their subcontractors on the annual cadence the rule will require. Policy gates can also enforce encryption posture, MFA coverage on internal applications, and segmentation boundaries, producing the kind of integrated control evidence that OCR investigators are increasingly trained to look for during compliance reviews.
