The HIPAA Security Rule is Getting a Facelift - And It's About Time

Sam McNaull

  • February 20, 2026 11:50:00 AM

The proposed HIPAA Security Rule update hasn't been finalized yet - but it's still on OCR's regulatory agenda. Here's what it means for your organization, and why waiting to prepare is a losing strategy.

If you have been in the healthcare compliance space for any amount of time, you have probably heard some version of "the HIPAA Security Rule hasn't been meaningfully updated since 2013." And every year, the response from the industry has essentially been a collective shrug - "well, it's flexible, we're doing our best, and nothing has changed yet."

That era is over. Or at least, it's on its way out the door.

On January 6, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) in the Federal Register - a 125-page document proposing the most significant overhaul of the HIPAA Security Rule in over a decade. The 60-day public comment period closed on March 7, 2025, with over 4,600 comments submitted.

To be clear: this rule has not been finalized. It is still a proposed rule. OCR is currently reviewing the public comments and working toward a final version. The current HIPAA Security Rule remains in effect as-is until a final rule is published.

Now, I know what some of you are thinking: "This was a Biden Administration proposal. The new administration will kill it." And look, I get why that's the first reaction - especially since President Trump issued a "Regulatory Freeze Pending Review" Executive Order just two weeks after the NPRM was published. That created real uncertainty about the rule's future.

But here's where it gets interesting: despite that initial freeze, and despite significant industry pushback and criticism during the comment period, OCR has kept the rule's finalization on its official regulatory agenda, with a target date of May 2026. It has not been withdrawn. Healthcare cybersecurity has historically been a bipartisan issue - the first Trump Administration was actually quite active in enforcing the Security Rule - and several legal analysts have noted this NPRM may survive the transition, potentially with modifications.

So where does that leave us? The rule could be finalized largely as proposed, it could be revised and reissued with changes that reflect the public comments, or (less likely at this point) it could be shelved. But the direction of travel is clear. The standards this NPRM proposes are where the industry is heading, regardless of the specific timeline. And if you wait until a final rule drops to start preparing, you're already behind.


So, What's Actually Being Proposed?

Let's break down the key changes in the NPRM. Again - none of this is final yet, but this is what OCR has put on the table. I'll try to keep this as digestible as possible without turning it into a 125-page document of my own.

1. "Addressable" Is Dead. Long Live "Required."

This is arguably the biggest philosophical shift in the entire NPRM. Since the Security Rule was finalized in 2003, implementation specifications have been categorized as either "required" or "addressable." The intent behind "addressable" was to give organizations flexibility - assess whether a specification is reasonable and appropriate for your environment, and if not, document why and implement an alternative.

The intent was flexibility. The reality, as OCR has observed over years of enforcement, is that a lot of organizations interpreted "addressable" as "optional." And when you treat multi-factor authentication or encryption as optional in 2025, you're essentially leaving the front door wide open and hoping nobody walks in.

Under the proposed rule, that distinction would go away entirely. All implementation specifications would be required, with only specific, limited exceptions. This is OCR essentially saying: "We gave you the flexibility. Many of you didn't use it responsibly. So now we're being more prescriptive."

If your organization has been treating addressable specifications as things you'll "get to eventually," eventually just arrived.

2. Written Documentation for Everything

The proposed rule would require that all Security Rule policies, procedures, plans, and analyses be documented in writing. Now, before you say "we already do that" - do you? Really?

In my experience working with healthcare organizations, the gap between "we have policies" and "we have written, comprehensive, current policies that actually reflect how we operate" is significant. This isn't just about having a binder on a shelf (or a SharePoint folder no one has opened since 2019). It's about maintaining living documentation that maps to your actual security posture and is reviewed and updated at least annually.

3. Technology Asset Inventory and Network Mapping

Here's where things get operationally intense. The NPRM proposes that regulated entities must maintain a written inventory of all technology assets - including identification, version, the person accountable for each asset, and its location. On top of that, organizations would need to create and maintain a network map showing how ePHI moves through their electronic information systems, including how it enters, exits, and is accessed from outside those systems.

Think of it this way: you can't protect what you don't know you have. And if you can't map where ePHI lives and travels in your organization, your risk analysis is built on a shaky foundation. For smaller organizations, this is going to feel like a heavy lift. For larger organizations that already do some version of this, it's a matter of formalizing and documenting what may already be happening informally.

4. Multi-Factor Authentication (MFA) - No Longer a "Nice to Have"

The proposed rule would require MFA for all access to ePHI. That means two or more verification factors - something you know (password), something you have (security token), or something you are (biometrics) - before anyone touches sensitive data.

For organizations that have already deployed MFA across their systems, this is a non-event. For those that haven't - particularly smaller practices or organizations with legacy systems that don't easily support MFA - this is going to require real planning and investment.

5. Encryption - At Rest and In Transit. Period.

The NPRM proposes mandatory encryption for ePHI both at rest and in transit. Previously, encryption was an addressable specification, which (as we just covered) too many organizations treated as optional. The proposed rule would make it compulsory, with very limited exceptions.

6. Regular Security Assessments, Vulnerability Scans, and Penetration Testing

Under the proposed changes, vulnerability scans would need to be conducted every six months, and annual penetration testing would be required. This is a significant step up from the current rule, which requires risk assessments but doesn't prescribe specific testing cadences with this level of detail.

7. Beefed-Up Incident Response and Contingency Planning

The NPRM includes more prescriptive requirements around contingency plans and incident response procedures. Organizations would need to have documented plans for responding to emergencies - including the ability to restore critical systems within 72 hours. Business associates would also be required to notify covered entities within 24 hours of activating a contingency plan.

8. Compliance Audits - Not Just for OCR Anymore

The proposed rule introduces an annual compliance audit requirement. Regulated entities would need to conduct annual audits assessing their compliance with the Security Rule's technical safeguards. This isn't OCR coming to audit you - this is you auditing yourself, documenting the results, and (presumably) acting on the findings.

9. Tighter Business Associate Requirements

The relationship between covered entities and business associates gets more scrutiny under the NPRM. Covered entities would need to obtain written verification from their business associates - annually - that those BAs are in compliance with the Security Rule's technical safeguards. Business associates would also have new notification obligations, including the 24-hour contingency plan activation notice and notification of workforce access changes.


Why This Matters - Even Though the Rule Isn't Final

I want to be direct about something: even in a world where this specific NPRM doesn't become final exactly as proposed, the expectations it outlines are already being treated as the standard of care in the industry. OCR's enforcement actions have been trending in this direction for years. The NIST Cybersecurity Framework already aligns with most of these proposed requirements. And OCR confirmed in March 2025 that its third phase of HIPAA compliance audits is underway, starting with 50 covered entities and business associates - with a focus on risk analysis and risk management.

Remember: the current Security Rule is still in effect and being enforced. Many of the proposed changes in the NPRM are simply making explicit what OCR has already been expecting in practice. If your organization gets audited today under the existing rule and you can't produce a current risk analysis, don't have MFA deployed, or can't demonstrate you've been managing your security program - you have a problem right now, proposed rule or not.

The organizations that will struggle the most when a final rule drops are the ones that are still operating with the mindset that HIPAA compliance is a one-time project rather than a continuous program. If your risk analysis was last updated in 2021, if your policies say one thing but your operations do another, if "addressable" has been your codeword for "we didn't do it" - the runway to get your house in order is shrinking.


What You Can (and Should) Do Right Now

Here's the thing about compliance - and I think anyone who has been in this space long enough will agree - the organizations that do well aren't the ones that scramble when a new rule is announced. They're the ones that have built a program, maintained it, and treated compliance as an ongoing discipline rather than a reaction to regulatory pressure.

That said, here's what you should be doing right now - whether the proposed rule is finalized as-is, modified, or delayed:

  • Conduct a gap analysis against the proposed requirements. Map your current security posture against what the NPRM proposes. Where do you have gaps? Where are you solid? This gives you a roadmap regardless of what the final rule looks like.
  • Get your asset inventory and network mapping in order. If you don't know every technology asset that touches ePHI and how that data moves through your systems, start there. You can't do an effective risk analysis without it.
  • Deploy MFA if you haven't already. This one is non-negotiable at this point, proposed rule or not. If you're still relying on passwords alone to protect access to ePHI, you're behind the curve.
  • Review and update your policies and procedures. Not just dusting them off - actually reviewing them against how your organization operates today, identifying gaps, and making them current. Then set a cadence for reviewing them at least annually.
  • Evaluate your Business Associate relationships. Are your BAAs up to date? Do you have mechanisms to verify your BAs are meeting their security obligations? The proposed rule would require annual written verification - getting ahead of this now will save you significant headaches later.
  • Build out or strengthen your incident response and contingency plans. Can you restore critical systems within 72 hours? Have you actually tested those plans? Documented the results?
  • Update your risk analysis. If your last Security Risk Assessment was more than a year ago - or worse, if it was a checkbox exercise that didn't actually reflect your environment - now is the time to do it right.

How Iron Fort Helps

This is where I'll shift from the "what" to the "how" - because knowing what needs to happen and actually operationalizing it across your organization are two very different things.

At Iron Fort, we built our platform specifically to help healthcare organizations close the gap between knowing what compliance requires and actually achieving it - without spending six figures on consultants or drowning in spreadsheets.

Risk Assessment and Policy Alignment. Our platform takes your organization's risk assessments, policies and procedures, and operational practices and maps them against HIPAA and NIST frameworks. Instead of a generic, one-size-fits-all approach, we analyze your specific environment and generate tailored compliance materials that reflect how your organization actually operates.

Automated Training Generation. One of the most overlooked aspects of compliance - and one the proposed rule puts even more emphasis on - is workforce training. Not the generic, click-through-these-slides-and-take-a-quiz training that everyone forgets five minutes later. We're talking about training that's built from your policies, your risk profile, and your operational realities. When your workforce understands why the rules exist and how they apply to their specific role, compliance goes from being a chore to being part of the culture.

Continuous Compliance Management. The proposed rule emphasizes annual reviews, ongoing monitoring, and regular updates to policies and procedures. Iron Fort's platform is designed to support that continuous cadence - not just getting you to compliance, but keeping you there as regulations evolve and your organization changes.

Preparation for What's Coming. Whether the final rule mirrors the NPRM exactly or comes with modifications, the organizations that will be best positioned are those that are proactively aligning with these standards now. Iron Fort helps you get ahead of the curve, so when the final rule does drop, you're not starting from scratch - you're making adjustments to an already strong program.


The Bottom Line

The HIPAA Security Rule is evolving. The NPRM published in January 2025 may not be final yet, but with OCR targeting May 2026 for finalization and actively auditing under the current rule right now, we're looking at changes that will materially affect how every covered entity and business associate approaches cybersecurity. The "addressable means optional" era is ending. The expectations around documentation, technical controls, and ongoing compliance activities are getting more prescriptive, more specific, and more enforceable.

The organizations that treat this as an opportunity - to strengthen their programs, protect their patients, and build a culture of security - are the ones that will come out ahead. The ones that wait, hoping the regulatory landscape stays static, are going to find themselves scrambling with a ticking clock and a very long to-do list.

Don't be the second organization.

If you want to learn more about how Iron Fort can help your organization prepare for these changes and build a compliance program that's built to last, reach out to us. We'd love to help.

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult with legal counsel regarding their specific compliance obligations under HIPAA.