Over the past decade, the United States health care industry has experienced a significant increase in cyberattacks, including ransomware attacks, hacking incidents, and AI-driven threats, targeting electronic protected health information (also known as “ePHI”).
In response, on December 27, 2024, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services announced a Notice of Proposed Rulemaking to modify the Security Rule of the Health Insurance Portability and Accountability Act (“HIPAA”). The Proposed Rule is intended to update and strengthen the security and compliance requirements that apply to covered entities (health plans, health care clearinghouses, and health care providers) and their business associates, so that individuals’ health information is better protected.
On January 6, 2025, the OCR formally published the Proposed Rule in the Federal Register, and the comment period closed on March 7, 2025. The OCR has indicated that the rule remains on its regulatory agenda, with finalization targeted for May 2026. If finalized as proposed, compliance with the Final Rule would likely be required within 240 days of its publication in the Federal Register (a 60-day effective date followed by a 180-day compliance period), which would fall in early 2027.
HIPAA changes reflect wider data privacy trends
In line with other legislative and regulatory initiatives, the Proposed Rule aims to reduce health care entities’ reliance on informal, discretionary, and ad hoc approaches to compliance. Proposed administrative changes include eliminating the distinction between “required” and “addressable” implementation specifications, mandating written security documentation, and requiring an ongoing technology asset inventory and network map. Required technical safeguards would become more explicit, including multi-factor authentication, encryption of ePHI at rest and in transit, and enhanced access controls. The OCR also proposes to clarify how physical safeguards apply in settings such as cloud infrastructure and remote work.
Compliance and enforcement implications for providers and vendors
If the provisions of the Final Rule are substantially similar to those in the Proposed Rule, the bar for demonstrating compliance with the HIPAA Security Rule will rise. Under the proposed framework, incomplete documentation and informal practices will be harder to defend, particularly where an entity cannot show consistent, enterprise-wide governance. Organizations with mature, well-documented security programs will be better positioned to adapt, while others may need to reassess their foundational compliance structures.
Hospitals and provider groups face a heightened risk of regulatory scrutiny due to operational complexity and the potential for a direct impact on patient care. The OCR has emphasized that cyber incidents increasingly disrupt clinical operations, which may amplify enforcement scrutiny where safeguards are inadequate or poorly documented. Business associates and subcontractors—particularly cloud service providers, Electronic Health Record vendors, and managed service providers—can also expect expanded scrutiny. The Proposed Rule reinforces that downstream vendors are integral to HIPAA security compliance.
More requirements, more organizations
The Final Rule has the potential to pull more organizations into the orbit of HIPAA compliance. Entities on the fringes of the health sector, or otherwise handling health data more tangentially, may find themselves subject to the new requirements.
Additionally, the OCR appears to be engaging more with entities that have not historically been understood to fall clearly within its jurisdiction. For example, the Proposed Rule included a notice of Tribal consultation, reflecting the OCR’s position that HIPAA compliance interacts in unique ways within certain healthcare contexts. Although the OCR has recognized the need for tailored engagement and support for Tribal entities, data governance for many Tribal organizations raises broader concerns related to sovereignty, self-determination, and control over Tribal member information.
Whether and how a final Security Rule will meaningfully accommodate these considerations remains an open question, underscoring the importance of continued dialogue and careful compliance planning within Tribal healthcare systems to protect self-determination practices. Taken in conjunction with expanding requirements in recent data privacy regulation, and heightening accountability for all entities that handle health data, organizations cannot afford to minimize the impact of potential changes under a Final Rule.
Preparing for a new era of (health) data regulation
The Proposed Rule reflects a clear shift toward more prescriptive, mandatory, and auditable cybersecurity requirements. These requirements are consistent with what other regulators now require or expect as the business sector grapples with cyberattacks. Early action by covered entities and business associates will put them in a better position to manage risk, avoid operational disruption, and defend against the cyber threats that continue to target the health care sector. Here are some steps that health care entities can take now:
No. 1: Conduct enterprise-wide HIPAA program assessment.
Organizations should conduct an enterprise-wide HIPAA program assessment that compares existing controls with the current requirements of the HIPAA Security Rule and with the requirements and clarifications in the Proposed Rule. The OCR has repeatedly emphasized that an accurate and thorough risk analysis is a core compliance requirement. The written assessment should include a review of the technology asset inventory, identification of all reasonably anticipated threats to ePHI together with potential vulnerabilities and predisposing conditions, and an assessment of the risk level for each identified threat and vulnerability. Understanding where current controls fall short is critical to prioritizing remediation and budgeting for it. Organizations should use the results to build a prioritized remediation plan and risk register, with a timeline for implementation and budget planning.
No. 2: Strengthen technical safeguards.
Although the OCR already requires industry-standard administrative, technical, and physical safeguards, organizations should ensure that their technical controls also align with the specific requirements in the Proposed Rule, including the following:
- Enforcing multi-factor authentication for remote and privileged access.
- Requiring encryption for data at rest and in transit.
- Implementing network segmentation and least privilege access controls.
- Deploying anti-malware protection and disabling unnecessary network ports.
Further, the Proposed Rule would require organizations to review and test the effectiveness of their security measures at least once every twelve months, to conduct vulnerability scanning at least every six months, and to conduct penetration testing at least once every twelve months. Doing this will help the organization withstand regulatory scrutiny, and it can limit the impact of unauthorized access or prevent a successful cyberattack from occurring in the first place.
No. 3: Enhance incident response preparedness.
Organizations should reevaluate their current incident response planning and capabilities. Incident response plans should be updated to account for the new requirements, including the proposed requirement to be able to restore critical electronic information systems and data within 72 hours, and organizations should adopt written incident response procedures. The Proposed Rule also underscores the importance of testing the incident response plan to ensure that it is operational across the organization. Organizations are encouraged to conduct annual tabletop exercises to practice responding to an incident and coordinating across stakeholders, including legal, IT, and executive leadership teams.
Acting early will enable organizations to plan more effectively, account for budgets, and be ready for the Final Rule when it is issued, rather than working under compressed timelines.
Our team regularly advises clients on HIPAA compliance, incident response, and cybersecurity risk management. We assist with risk assessments, policy development, vendor contracting, and tabletop exercises to help organizations align legal requirements with practical, operational processes and procedures. As the regulatory environment continues to evolve, our team is available to support organizations in building scalable compliance programs to protect organizations and their assets. If you would like additional information about state or federal data privacy laws, please contact us at cyber@constangy.com.
- Senior Counsel
Anna draws on a diverse background in government service and private practice. She has counseled organizations across a range of industries—including financial, healthcare, nonprofit, and technology organizations—on ...
- Senior Counsel
Amanda has substantial experience advising clients on compliance with data privacy and information security laws and regulations. Her insights are informed by assisting clients in responding to hundreds of data privacy and ...
- Associate Attorney
Kimberly leads clients through high‑impact cyber events, including ransomware attacks, business email compromises, network intrusions, and insider‑driven data theft, overseeing forensic investigations, remediation ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.