HIPAA Security Rule NPRM Readiness Guide | JHarris Advisory

HIPAA Security Rule NPRM: What's Proposed, What It Means, and How to Build a Program That Holds Up Either Way

OCR has proposed the most significant HIPAA Security Rule update since 2013. It is not final yet — and under the current administration's regulatory posture, timing is uncertain. But organizations that wait for a final rule may have approximately 240 days from Federal Register publication to comply, depending on what the final rule provides. Here is what may change, what to do before it does, and how to build a program that holds up regardless.

⚠ Regulatory Status Tracker — HIPAA Security Rule NPRM
Regulatory StageStatusDate
NPRM Issued by OCR✅ CompleteDecember 27, 2024
Published in Federal Register✅ CompleteJanuary 6, 2025
Public Comment Period✅ ClosedMarch 7, 2025
Final Rule Issued⏳ Pending
Effective Date⏳ PendingTBD
Compliance Deadline⏳ Pending~180 days post-effective date

The Spring 2025 Unified Regulatory Agenda listed the rulemaking at the final rule stage, but no final rule has been issued. OCR continues to resolve HIPAA Security Rule investigations, including matters focused on risk analysis, risk management, and ransomware-related control failures. This page is updated when OCR, HHS, or the Federal Register publish materially relevant developments. Last updated: June 2026.

📖
Further Reading

We've published 5 in-depth articles on the HIPAA Security Rule NPRM — what's proposed, what it means, and how to prepare. Read them on our Insights page →

Quick Answer

The HIPAA Security Rule NPRM is not final. The current Security Rule remains in effect. But the proposed changes are directionally important because they reflect OCR's expectations for modern healthcare cybersecurity programs — including areas where OCR is already actively investigating and settling cases.

The safest move is not to treat the NPRM as current law, but to use it as a readiness roadmap for work that is already valuable under the current rule: risk analysis, asset visibility, MFA, encryption, incident response, vendor oversight, and documented evidence. Organizations that build this foundation now will have a shorter path to compliance when a final rule arrives — and a stronger posture if OCR comes knocking before it does.

Who Should Read This Page

This guide is for:

  • Health system legal, privacy, compliance, and security leaders navigating the proposed changes and OCR enforcement risk
  • Digital health companies and health tech vendors (business associates) who will face significant new obligations under the proposed rule
  • Self-insured employers and group health plan sponsors with downstream plan document obligations
  • Small providers trying to understand minimum viable readiness without overbuilding
  • In-house counsel and procurement teams reviewing BAAs for NPRM compliance gaps
  • Boards and executives funding HIPAA Security Rule remediation and needing a defensible posture

Current Rule vs. What Is Proposed

The table below maps the major structural changes across ten compliance domains. The shift is from a program you can largely design and document your own way, to one where OCR has defined the required evidence, required cadences, and what "reasonable and appropriate" means more explicitly.

DomainCurrent RuleProposed RuleOperational Impact
Implementation SpecsRequired vs. addressableAll specs required; narrow exceptions onlyMost addressable controls become mandatory
DocumentationWritten policies required; flexible implementationALL policies, procedures, plans, and analyses must be in writingUndocumented processes no longer sufficient
Asset VisibilityNo specific asset inventory requirementTechnology asset inventory + network map required; reviewed annuallyMost organizations don't have this in a current, complete form
Risk AnalysisRequired; "periodic" with no defined intervalAnnual cycle; documented threat/vulnerability pair ratings requiredOne-time or outdated risk analyses need a full rebuild
MFA & EncryptionAddressable — implement or document why notRequired, with limited narrow exceptionsSystems without MFA/encryption need remediation plans now
Vulnerability TestingGeneral requirement to maintain security measuresBiannual vuln scanning + annual pen testing + annual compliance auditAnnual security testing calendar becomes a compliance obligation
BA OversightBAA required; oversight largely contract-basedAnnual written SME verification of BA technical safeguardsActive annual program to collect, review, and retain BA verifications
Incident ResponseIR procedures required; no prescribed content or testingWritten IR plan + written testing procedures + tested 72-hr restorationIR plans that haven't been tested don't meet the proposed standard

Your First 5 Moves — Start Here Regardless of When the Final Rule Drops

You don't need to wait for a final rule to begin. These five actions are defensible under the current HIPAA Security Rule and remain valuable under any realistic version of what gets finalized.

  1. Build or update your technology asset inventory. Every system, software tool, and vendor connection that touches ePHI needs to be on a list. If this doesn't exist in a current, complete form, this is your first project.
  2. Map ePHI flows. Where does patient data move? Which systems handle it? Which vendors receive it? You cannot conduct a defensible risk analysis — or segment your network — without this picture.
  3. Update your security risk analysis. The current rule already requires one. Most organizations' existing analyses are outdated, insufficiently specific, or undocumented in ways that would not survive OCR scrutiny.
  4. Confirm MFA and encryption gaps. Both were addressable under the current rule. Both are common targets in OCR enforcement. Identify every system where these controls are not in place and document a remediation plan.
  5. Audit your business associates. Know who your BAs are. Confirm your current BAAs are signed and current. Flag which agreements will need amendment when a final rule arrives.

Major Proposed Changes

The Big Structural Shift: The Required/Addressable Framework Would Largely End

The proposed rule would largely end the "addressable" implementation specification framework. All implementation specifications would become required, subject to specific, narrow exceptions. Encryption, MFA, and anti-malware — all addressable under the current rule — would become required.

Documentation and Asset Visibility

The proposed rule makes explicit what was implied: all Security Rule policies, procedures, plans, and analyses must be in writing. Regulated entities would also be required to develop and maintain a written inventory of all technology assets that create, receive, maintain, or transmit ePHI — reviewed at least annually and updated whenever there is a relevant change. A network map showing ePHI movement is required alongside the inventory.

Risk Analysis: From Periodic to Prescriptive

The proposed rule replaces "periodic" with "annual," and replaces general guidance with specific content requirements including documented risk ratings for each identified threat and vulnerability pair. A risk evaluation would also be required whenever new technology is adopted.

Technical Safeguards

MFA would be required for all access to ePHI. Encryption of ePHI at rest and in transit would be required. Network segmentation, anti-malware protection, and backup system isolation (to prevent ransomware from encrypting both production and backup data) would be required.

Vulnerability Management and Testing

New mandatory cadences: vulnerability scanning at least every six months, penetration testing at least annually, and an annual compliance audit. Together these create an annual security calendar that does not currently exist as a regulatory obligation for most organizations.

Incident Response: From Plan to Program

A written incident response plan would be required, along with written testing procedures and a requirement to restore critical systems within 72 hours. Organizations would need to document a criticality analysis establishing which systems are restored first — and test that capability before an incident requires it.

Business Associate Obligations

Covered entities would be required to obtain annual written verification from each BA that their technical safeguards meet the proposed requirements — conducted by a subject matter expert. BAs would face 24-hour contingency notification obligations. Most existing BAAs need review against these proposed requirements.

30/60/90-Day Readiness Plan

Days 1–30: Build the Foundation

ActionWhy NowCurrent Rule Basis
Build or update technology asset inventoryRequired under proposed rule; foundational to everything elseRisk analysis prerequisite under current rule
Map ePHI flows across all systems and vendorsRequired for defensible risk analysis; needed for segmentationRisk analysis prerequisite under current rule
Run a gap assessment against proposed requirementsUnderstand your actual exposure before planning remediationCurrent rule requires ongoing self-evaluation
Confirm all BAAs are current and on fileAnnual verification program requires knowing who your BAs areCurrent HIPAA requirement
Identify MFA and encryption gapsBoth become required; remediation takes time to plan and budgetBoth are OCR enforcement priorities under current rule

Days 31–60: Rebuild Risk Analysis and Tighten Controls

Rebuild the security risk analysis to proposed content standards. Initiate MFA and encryption remediation planning. Launch BA verification workflow starting with highest-risk vendors. Review and flag BAAs that need amendment. Schedule biannual vulnerability scanning.

Days 61–90: Test, Document, and Close Evidence Gaps

Test the incident response plan (tabletop exercise against a ransomware scenario). Document 72-hour restoration capability. Complete annual compliance audit. Finalize written IR plan. Build governance calendar for ongoing cadence management.

Evidence Package Checklist

When OCR investigates — whether after a breach or through a compliance review — this is what they ask for. Items marked (proposed requirement) are not required under the current rule but are proposed in the NPRM.

Governance and Program Documentation

  • Current written security policies and procedures for all Security Rule standards
  • Written risk management plan
  • Sanctions policy for workforce members who fail to comply
  • Annual compliance audit results (proposed requirement)
  • Board or leadership reporting on security program status

Risk Analysis

  • Written risk analysis covering all ePHI systems
  • Documented threat and vulnerability identification
  • Risk ratings for each threat/vulnerability pair
  • Risk evaluation triggered by new technology adoptions
  • Risk analysis review date and schedule for next annual cycle

Technical Safeguards Evidence

  • MFA implementation documentation (systems covered, exceptions documented)
  • Encryption status for ePHI at rest and in transit
  • Network segmentation documentation tied to risk analysis
  • Separate backup and recovery system documentation

Incident Response

  • Written incident response plan
  • Written IR plan testing procedures (proposed requirement)
  • Documentation of most recent IR tabletop exercise
  • Written 72-hour restoration procedures (proposed requirement)
  • Criticality analysis for system restoration priority (proposed requirement)
  • Breach log and incident response records

Business Associates

  • Complete BA inventory with current status
  • Signed BAAs for all BAs (current)
  • Annual written SME verification of BA technical safeguards (proposed requirement)
  • Documentation of BA contingency notification procedures (proposed requirement)

Readiness Maturity Model

Level 1 — Paper Compliance

Policies exist. Risk analysis was last completed more than a year ago. No current asset inventory or network map. MFA and encryption are inconsistently deployed. Vendor oversight is a signed BAA. Incident response is a policy document, not a tested program. Risk: High OCR enforcement exposure.

Level 2 — Baseline Visibility

Asset inventory exists but is not current. Risk analysis conducted within 12 months but lacks risk ratings. MFA and encryption on primary systems. BAAs are current. IR has been documented but not tested. Risk: Moderate.

Level 3 — Operational Readiness

Annual risk analysis cycle is on a calendar with documented outputs. Technical testing is scheduled. MFA and encryption gaps are being closed. IR has been tested. BA inventory is current and BAAs are being reviewed against proposed new obligations. Risk: Low to moderate.

Level 4 — Audit-Ready Program

Evidence for every Security Rule standard is current, documented, and mapped. Annual cycles are operational. BA verification is documented. 72-hour restoration has been tested. Leadership has a current view of the program's status. Risk: Low.

Guidance by Audience

For health systems and hospitals: Focus first on the asset inventory, ePHI network map, risk analysis rebuild, MFA/encryption gap closure, and the BA verification program. These are both the highest-lift items and the areas of highest OCR enforcement priority.

For health tech companies and digital health vendors (business associates): Annual written verification of your technical safeguards by a subject matter expert, 24-hour contingency notification to your covered entity customers, and subcontractor oversight requirements are all your problem. Customer-facing evidence packages will become a competitive differentiator and a procurement requirement.

For self-insured employers / group health plan sponsors: Plan document amendments, plan sponsor safeguard requirements, and the 24-hour contingency notification obligation apply directly to your arrangement. This is a plan document project as much as a compliance project.

For small providers and solo practices: The HIPAA Security Rule applies to all covered entities regardless of size. Minimum viable program: current asset inventory, annual risk analysis, confirmed MFA and encryption on primary systems, current BAAs with major vendors, and a documented incident response process.

Frequently Asked Questions

Is the HIPAA Security Rule NPRM now law?

No. The NPRM is a proposed rule — a formal regulatory proposal that has gone through the public comment process but has not been finalized. The current HIPAA Security Rule remains in effect.

When will the final rule come out?

There is no official projected date. The Spring 2025 Unified Regulatory Agenda listed the rulemaking at the final rule stage, but no final rule has been issued. The current administration's deregulatory posture has added uncertainty to the timeline.

Should we wait to do anything until the final rule drops?

No. The foundational work — asset inventory, risk analysis, MFA/encryption gap assessment, BA audit — is valuable under the current rule. OCR enforcement does not stop while the rulemaking process plays out.

What is the "required vs. addressable" change and why does it matter?

Under the current rule, some implementation specifications are "addressable" — meaning you can implement them, implement an equivalent alternative, or document why implementation is not reasonable and appropriate. The proposed rule largely eliminates the addressable pathway. Controls like MFA, encryption, and anti-malware would become required implementation specifications, subject to any specific exceptions in the final rule.

What is the proposed compliance deadline?

The NPRM proposed 180 days from the effective date of a final rule, with the effective date typically 60 days after Federal Register publication — giving organizations approximately 240 days from publication. This timeline could change in a final rule.

What is the annual BA verification requirement?

Covered entities would need to obtain — at least annually — a written analysis of each BA's relevant electronic information systems conducted by a subject matter expert, plus a written certification that the analysis was performed and is accurate. This is an active annual program, not a one-time BAA review.

How JHarris Advisory Can Help

The HIPAA Security Rule update is not a policy project. It is an operational overhaul — and the organizations that treat it as a policy project will end up with documents that do not hold up when OCR comes knocking.

JHarris Advisory builds the governance infrastructure that makes compliance programs work in practice, not just on paper: gap assessment, risk analysis rebuild, BA audit and BAA remediation, incident response program, and board and executive reporting.

Not ready for an engagement? The tools below give you a structured starting point.

Take the free assessment to find out where your program stands — 30 questions, scored results, no email required.

Take the Free HIPAA Assessment → Book a Scoping Call →

HIPAA Compliance Toolkit

Build your compliance program with the tools that fit your current gaps. Every artifact is built to the HIPAA Security Rule and mapped to the proposed NPRM requirements.

Free Resources

NPRM Readiness Checklist (HC-11) — Free, email required. 23-check self-assessment across 8 compliance domains. Download Free →

HIPAA Compliance Self-Assessment (HC-BD-02) — Free, no email required. 30-question interactive assessment across 6 Security Rule domains. Scored results with a prioritized gap list. Take the Assessment →

Core Implementation Resources

HIPAA Risk Analysis Template (HC-06) — $447 | OCR Audit Readiness Assessment (HC-05) — $497 | BAA Review Checklist (HC-03) — $247 | HIPAA Incident Decision Support (HC-02) — $347

Complete Bundle

HIPAA Compliance Toolkit — HC-01 through HC-10 — $1,497 (save $1,619 vs. individual pricing). Every artifact in the toolkit: PHI data handling addendum, incident decision support, BAA review checklist, clinical risk flags, OCR audit readiness assessment, risk analysis template, breach notification letters, annual recertification checklist, governance calendar, and quarterly review pack.

Buy the Bundle → | View all toolkit resources and pricing →

Sources and Authority

  • HHS OCR NPRM Fact Sheet: hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet
  • Federal Register NPRM (Full Text): Docket No. HHS-OCR-0945-AA22 / RIN 0945-AA22, published January 6, 2025
  • Spring 2025 Unified Regulatory Agenda: RegInfo.gov, RIN 0945-AA22
  • Current HIPAA Security Rule: hhs.gov/hipaa/for-professionals/security
  • NIST SP 800-66 Rev. 2: csrc.nist.gov/pubs/sp/800/66/r2/final
  • OCR Enforcement Data: hhs.gov/hipaa/for-professionals/compliance-enforcement/data

This page is updated when OCR, HHS, or the Federal Register publish materially relevant developments.

This guide covers the proposed HIPAA Security Rule changes contained in the NPRM published January 6, 2025. The proposed rule has not been finalized. Nothing in this guide constitutes legal advice or establishes an attorney-client relationship. Current HIPAA Security Rule obligations remain in effect. Consult qualified legal counsel for advice specific to your organization. Last updated: June 2026.