
For the first time in more than a decade, regulators have signaled that major changes to the HIPAA Security Rule may be forthcoming. Earlier this year, the U.S. Department of Health & Human Services (HHS) published a 289-page Notice of Proposed Rulemaking (NPRM) signaling a massive overhaul of the Security Rule’s existing data security requirements. The proposed provisions would replace today’s largely “flexible” framework with explicit cybersecurity duties: mandatory multi-factor authentication (MFA), written technology-asset inventories, patch-management deadlines measured in days, and 24-hour incident-reporting clocks. The proposal responds to a record surge in ransomware attacks and 100-million-record mega-breaches that have exposed the limitations of the 2003 rule. Telehealth providers - whose business models rely on cloud video APIs, distributed laptops, and third-party analytics - stand to feel the impact first.
How the Current Rule Works - and Where It Falls Short
Since 2003, covered entities and business associates have been required to implement “reasonable and appropriate” administrative, physical, and technical safeguards. This flexible standard allowed organizations to conduct their own risk analysis to determine which safeguards were needed to appropriately protect PHI, including, for example, whether encryption or MFA was necessary. Investigations by HHS’s Office for Civil Rights (OCR) show that many providers interpreted that discretion narrowly; repeated breach probes cite absent asset inventories, no penetration testing, and months-long patch cycles. HHS now believes that cyber threats have outpaced the rule’s flexibility.
While a Final Rule is not expected until later this year at the earliest, the Proposed Rule stands to place significant administrative and economic burdens on providers. Below, we outline some of the key changes in the Proposed Rule and explain how your practice can get ahead of them with a strategic compliance plan that ensures a smooth transition to the new requirements.
The NPRM: Seven Landmark Changes
The Proposed Rule would transform the Security Rule by replacing its flexible standards with specific, mandatory requirements for covered entities, designed to modernize and strengthen existing practices for protecting ePHI. We outline some of the key changes below:
1. Abolishing the “Required” vs. “Addressable” Distinction for Specifications
Currently, the Security Rule distinguishes between implementation specifications that are “required” and those that are “addressable.” Addressable specifications were designed to give covered entities flexibility: an entity could decide whether a measure was appropriate for its organization or implement an equivalent alternative that accomplished the same purpose. The Proposed Rule would make nearly all specifications mandatory, meaning many entities would have to create new policies to ensure strict adherence to the Security Rule’s specifications.
2. Mandatory Encryption and Multi-Factor Authentication (MFA)
The Proposed Rule would require that ePHI be encrypted both while it is being stored (“at rest”) and while it is being transmitted (“in transit”). It would also require MFA for access to ePHI, with limited exceptions for certain legacy systems. This adds a critical layer of security, making it much harder for unauthorized users to access data even if a password is stolen. For remote clinicians, telehealth portals are explicitly within scope, meaning many practices may need to adopt and implement new technologies to ensure compliance.
3. Enhanced Risk Analysis and Regular Audits
While the current Security Rule requires a risk analysis, the Proposed Rule would mandate a more detailed and documented process. This includes a thorough review of the technology assets that handle ePHI, identification of potential threats, and a vulnerability assessment. Additionally, the rule would require organizations to conduct a formal compliance audit against all Security Rule standards at least once every 12 months.
4. Specific Requirements for Contingency and Incident Response
The Proposed Rule, if enacted as written, would add more specific instructions for how providers should plan for and respond to security incidents. This includes maintaining a written plan to restore lost ePHI and critical systems within 72 hours of an incident. It also requires the development of a technology asset inventory - a written list of laptops, servers, cloud containers, IoT devices, and applications that create, receive, maintain, or transmit ePHI - as well as a network map that shows how ePHI moves through the organization's systems. Both must be reviewed and updated regularly.
5. Vulnerability Scanning and Penetration Testing
To encourage a proactive approach to security, the Proposed Rule would require covered entities to perform vulnerability scans at least every six months. It would also mandate penetration testing - a simulated cyberattack - at least once every 12 months. These tests are designed to help identify and fix security weaknesses before they can be exploited by bad actors.
6. New, Explicit Requirements for Business Associates
The Proposed Rule would also place more explicit requirements on business associates. Under the Rule, business associates would be required to verify annually that they have implemented the necessary technical safeguards and to provide the covered entity with a written analysis and certification to that effect. Business associates would also be required to notify covered entities within 24 hours of activating their contingency plans following a security incident.
7. Increased Documentation and Review
Finally, the Proposed Rule emphasizes the importance of documentation. It would require that all security policies, procedures, plans, and analyses be in writing and be reviewed and updated regularly. This is intended to provide clear evidence of compliance and help organizations stay on top of their security posture as technology and threats evolve.
HHS proposes a compliance grace period of 180 days after the final rule takes effect - only about six months to move from aspirational to operational.
Why Telehealth Providers Face Extra Pressure
These proposed changes carry particular weight for telehealth providers. Video visits push ePHI through a variety of environments, including home Wi-Fi networks, consumer webcams, and third-party cloud platforms, each presenting unique security challenges. If adopted in its current form, the new Security Rule would require that every one of these endpoints be included in a mandatory technology-asset inventory and covered by MFA. Further, new patch-management deadlines - 15 days for critical vulnerabilities and 30 days for high-risk flaws - would require providers to stay vigilant about software updates, even when the code is managed by a vendor. Lastly, the 24-hour vendor-notice clause demands a much faster response in the event of a platform outage or breach, necessitating more stringent business associate agreements (BAAs) and regular incident-response drills.
A Six-Step Head Start Plan
While these changes are significant, providers have plenty of time to prepare for the future of cybersecurity and HIPAA compliance.
- Launch an Asset-Inventory Census: Use automated discovery tools to scan your network for all devices and software that touch ePHI. Supplement this with manual verification, especially for clinician laptops and personal devices used for work.
- Enable MFA for All ePHI Access: Start by implementing MFA for your highest-risk users - often physicians accessing records after hours. This allows you to test for any workflow friction and address it before a full-scale rollout.
- Negotiate New SLAs in BAAs: Review all your agreements with business associates and negotiate new terms that include the 15- and 30-day deadlines for patch management and the 24-hour alert for security incidents.
- Sketch a First-Draft Network Map: Create a visual diagram of your network that shows where ePHI is created, stored, and transmitted. Then, begin to pilot simple network segmentation, such as creating a separate VLAN for all telehealth video traffic.
- Schedule a Penetration Test: Before the end of the year, schedule a penetration test to get a baseline of your current security posture. This will help you identify and remediate weaknesses and will get you ahead of the new annual requirement.
- Revise Your Incident-Response Plan: Update your plan to reflect the new time-sensitive requirements. Ensure it includes procedures for one-hour credential termination and a 24-hour partner notice. Conduct tabletop exercises to test your team's ability to execute this plan effectively.
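As an added illustration of how the asset-inventory census and the 15-day critical / 30-day high patch deadlines described above can be operationalized, the following Python script (written for this article, not part of the Proposed Rule or any vendor tool) checks a constructed inventory for unpatched or late-patched vulnerabilities and for ePHI-handling assets without MFA. The CVE identifiers, asset names and dates are placeholders constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Day-count patch deadlines as described in the Proposed Rule (assumed severity labels).
PATCH_DEADLINE_DAYS = {"critical": 15, "high": 30}


@dataclass
class Vulnerability:
    cve: str                      # placeholder identifier, constructed for this example
    severity: str                 # "critical", "high", "medium" or "low"
    disclosed: date               # date the fix became available / vendor advisory date
    patched: Optional[date] = None  # None means still unpatched


@dataclass
class Asset:
    name: str
    handles_ephi: bool            # only ePHI-handling assets are in scope
    mfa_enforced: bool
    vulns: List[Vulnerability] = field(default_factory=list)


def find_findings(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset, issue) pairs for in-scope assets missing MFA or a patch deadline."""
    findings = []
    for a in assets:
        if not a.handles_ephi:
            continue  # out of scope for the ePHI safeguards
        if not a.mfa_enforced:
            findings.append((a.name, "MFA not enforced"))
        for v in a.vulns:
            limit = PATCH_DEADLINE_DAYS.get(v.severity)
            if limit is None:
                continue  # no day-count deadline stated for lower severities
            elapsed = ((v.patched or today) - v.disclosed).days
            if elapsed > limit:
                status = "patched late" if v.patched else "overdue"
                findings.append((a.name, f"{v.cve} {status}: {elapsed}d > {limit}d"))
    return findings


# Constructed sample inventory; dates and identifiers are placeholders.
TODAY = date(2025, 10, 1)
SAMPLE_ASSETS = [
    Asset("telehealth-gateway-01", True, True,
          [Vulnerability("CVE-0000-PLACEHOLDER-1", "critical", date(2025, 9, 10))]),
    Asset("clinician-laptop-07", True, False,
          [Vulnerability("CVE-0000-PLACEHOLDER-2", "high", date(2025, 8, 20), date(2025, 9, 25))]),
    Asset("lobby-kiosk", False, False, []),
    Asset("ehr-db-01", True, True,
          [Vulnerability("CVE-0000-PLACEHOLDER-3", "critical", date(2025, 9, 25), date(2025, 9, 30)),
           Vulnerability("CVE-0000-PLACEHOLDER-4", "medium", date(2025, 7, 1))]),
]


def audit_sample() -> List[Tuple[str, str]]:
    return find_findings(SAMPLE_ASSETS, TODAY)
```

Run against a real inventory export, the same check produces the evidence-of-compliance record the Proposed Rule's documentation requirements call for.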
What Happens Next?
The public comment window closed in March of this year, generating over 4,000 submissions. OCR could publish a final rule as early as the first quarter of 2026, after which providers will have 180 days to prepare their practices for compliance. Providers that act now will avoid a scramble later, positioning themselves as safer custodians of patient data.
Ready to develop a compliance plan to prepare? Our compliance experts know these regulations inside and out. Whether it’s reviewing a BAA for compliance under upcoming standards or developing new HIPAA policies and procedures, our attorneys are your trusted partners in helping you mitigate your legal risks and practice with confidence. Call us today.