Why the HIPAA Security Rule Needed Updating

The HIPAA Security Rule was last substantively updated in 2013. In the 12 years since, the healthcare technology landscape has transformed completely. Electronic health records are now universal. Cloud infrastructure is standard. Remote work has become a permanent feature of healthcare administration. Mobile devices access protected health information routinely. The threat landscape has intensified dramatically.

The Security Rule's existing requirements were written at a level of abstraction that was intended to remain technology-neutral, but in practice created significant ambiguity about what organizations were actually required to implement. The proposed 2025 updates replace much of that ambiguity with specific technical requirements.

Key Changes in the 2025 Proposed Rule

Mandatory Encryption Requirements

The existing Security Rule treats encryption as an addressable specification, meaning organizations could choose not to implement it if they documented an equivalent alternative. The proposed update eliminates this flexibility for electronic protected health information at rest and in transit. Encryption becomes required, full stop. Organizations storing ePHI in unencrypted form on any system will need to remediate.

72-Hour Breach Notification Timeline

The current HIPAA breach notification rule requires notification to affected individuals and HHS within 60 days of discovering a breach. The proposed rule significantly shortens this to 72 hours for notification to HHS, and 30 days for notification to affected individuals. This aligns healthcare breach notification more closely with requirements under other frameworks like GDPR and certain state laws, but creates significant operational challenges for organizations that have not built breach response capabilities capable of operating on that timeline.

Annual Technical Safeguard Reviews

The proposed rule requires annual reviews of all technical safeguards, including an inventory of all technology assets that create, receive, maintain, or transmit ePHI. Many healthcare organizations do not currently maintain asset inventories at this level of completeness. Building and maintaining this inventory is an ongoing operational requirement, not a one-time project.

Multi-Factor Authentication Requirements

The proposed rule requires MFA for all access to systems containing ePHI. The existing rule's flexible, addressable-specification approach to authentication controls is replaced with a specific technical requirement that applies to all workforce members and business associates accessing ePHI systems.

Business Associate Contract Updates

The proposed rule requires updates to business associate agreements to reflect the new technical requirements. Healthcare organizations that have standardized BAA templates will need to review and update those templates once the final rule is published.

The proposed rule is not yet final. Organizations should treat the proposed requirements as directional guidance for where the rule is heading and begin gap assessment and remediation planning now, particularly for the encryption and MFA requirements, which are likely to survive the rulemaking process intact.

Preparing for the Final Rule