Regulatory Compliance

The HIPAA Security Rule Update and Your Supply Chain

HHS's December 2024 NPRM rewrites the HIPAA Security Rule with explicit software supply chain, SBOM, and business associate controls set to take effect in 2025 and 2026.

Nayan Dey
Senior Security Engineer

On December 27, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) published a Notice of Proposed Rulemaking (89 FR 101540) that would overhaul the HIPAA Security Rule at 45 CFR Part 164 for the first time since 2013. The proposal eliminates the distinction between "required" and "addressable" specifications, mandates a written technology asset inventory, requires network map updates every 12 months, and adds explicit obligations for business associates that touch protected health information. Comments closed on March 7, 2025, and OCR has signaled an effective date 60 days after the final rule with a 180-day compliance period — putting most covered entities on a path to comply in mid-2026. For software-heavy healthcare technology vendors, the supply chain implications deserve close attention.

What Is Changing in the Security Rule?

The NPRM rewrites §164.308 (administrative safeguards), §164.310 (physical), §164.312 (technical), and §164.314 (business associate contracts). Addressable specifications become required, written policies are mandatory across the board, and new provisions add multi-factor authentication at §164.312(h), encryption of ePHI at rest and in transit at §164.312(a)(2)(iv) and (e), and vulnerability scanning every six months plus penetration testing every 12 months at §164.308(a)(8). The proposed §164.308(a)(1) technology asset inventory is the control most directly aligned with software supply chain management.

When Do the New Requirements Take Effect?

The proposed compliance timeline is 240 days after the final rule is published — 60 days to the effective date plus a 180-day compliance period — with a one-year extension for specific business associate agreement amendments. If the final rule publishes in late 2025, most covered entities and business associates will need to be compliant by mid to late 2026. OCR has explicitly stated it will treat the enforcement start date as a hard cutover; there is no "good faith" window as there was during the 2013 Omnibus Rule transition.

How Does the Technology Asset Inventory Apply to Software?

Proposed §164.308(a)(1)(ii)(A) requires a written inventory that identifies the technology assets that create, receive, maintain, or transmit ePHI, updated at least every 12 months and after any change that could materially affect security. The preamble at 89 FR 101576 is explicit that software components, including open-source libraries and firmware, are in scope — a clear alignment with NIST SP 800-161r1 and the FDA's premarket SBOM expectations for medical devices. The preamble also references CISA's 2023 SBOM guidance as an acceptable implementation model. Entities that already generate CycloneDX or SPDX SBOMs for their healthcare software will have most of the asset-inventory evidence already produced.

What Is New for Business Associates?

Proposed §164.314(a)(2)(i)(C) requires that the business associate notify the covered entity within 24 hours of activating its contingency plan in response to a security incident. Proposed §164.308(b)(4) requires an annual written verification from the business associate that technical safeguards are in place, signed by an individual with authority. Where the business associate provides software, the verification package effectively requires an SBOM, vulnerability management summary, and evidence that MFA, encryption, and patch-management controls are operational. HIPAA's flow-down has always been contractual, but the 2024 proposal makes the attestation evidentiary.

What Are the Penalties for Non-Compliance?

HITECH tiered penalties, adjusted annually for inflation under 45 CFR 102.3, range from USD 141 per violation at Tier 1 (no knowledge) to USD 2,134,831 per identical violation per calendar year at Tier 4 (willful neglect, not corrected). In 2024 OCR announced a USD 4.75 million settlement with Montefiore Medical Center and a USD 1.3 million settlement with Green Ridge Behavioral Health, both involving technical safeguard failures tied to insider or ransomware exposures. State attorneys general also have independent enforcement authority under HITECH §13410(e) — Indiana, Massachusetts, and New York have all brought HIPAA-derivative actions in the last 24 months.

How Does This Intersect With the FDA and State Breach Laws?

FDA's Refuse-to-Accept authority at 21 USC 360n-2, effective March 29, 2023 and expanded in October 2023 guidance, already requires SBOMs for cyber devices in premarket submissions. The HIPAA NPRM extends parallel expectations to the covered entities and business associates that operate those devices. State laws complicate the picture: Texas HB 300, California CMIA at Cal. Civil Code §56.101, and New York SHIELD Act each impose their own breach-notification timelines that run concurrently with the HIPAA 60-day clock at §164.404(b). A single ransomware event can trigger federal, state, and contractual reporting within hours.

How Safeguard Helps

Safeguard produces NTIA-conformant CycloneDX SBOMs that satisfy the proposed §164.308(a)(1) asset-inventory obligation for every piece of ePHI-handling software, updated automatically on each release. Reachability analysis powered by Griffin AI narrows the vulnerability scan findings required by §164.308(a)(8) to the components whose vulnerable functions are actually invoked, cutting remediation noise while keeping the audit trail complete. TPRM workflows track business associate attestations on the §164.308(b)(4) annual cadence, and policy gates enforce MFA, encryption, and patch-timeline controls directly in CI/CD. Compliance mapping across HIPAA, HITRUST CSF v11, and NIST SP 800-66r2 consolidates evidence into a single export so audit and OCR inquiries can be answered in days, not weeks.
