HIPAA Security Rule NPRM: What's Proposed, What It Means, and How to Build a Program That Holds Up Either Way
OCR has proposed the most significant HIPAA Security Rule update since 2013. It is not final yet — and under the current administration's regulatory posture, timing is uncertain. But organizations that wait for a final rule may have approximately 240 days from Federal Register publication to comply, depending on what the final rule provides. Here is what may change, what to do before it does, and how to build a program that holds up regardless.
| Regulatory Stage | Status | Date |
|---|---|---|
| NPRM Issued by OCR | ✅ Complete | December 27, 2024 |
| Published in Federal Register | ✅ Complete | January 6, 2025 |
| Public Comment Period | ✅ Closed | March 7, 2025 |
| Final Rule Issued | ⏳ Pending | — |
| Effective Date | ⏳ Pending | TBD |
| Compliance Deadline | ⏳ Pending | ~180 days post-effective date |
The Spring 2025 Unified Regulatory Agenda listed the rulemaking at the final rule stage, but no final rule has been issued. OCR continues to resolve HIPAA Security Rule investigations, including matters focused on risk analysis, risk management, and ransomware-related control failures. This page is updated when OCR, HHS, or the Federal Register publish materially relevant developments. Last updated: June 2026.
We've published 5 in-depth articles on the HIPAA Security Rule NPRM — what's proposed, what it means, and how to prepare. Read them on our Insights page →
Quick Answer
The HIPAA Security Rule NPRM is not final. The current Security Rule remains in effect. But the proposed changes are directionally important because they reflect OCR's expectations for modern healthcare cybersecurity programs — including areas where OCR is already actively investigating and settling cases.
The safest move is not to treat the NPRM as current law, but to use it as a readiness roadmap for work that is already valuable under the current rule: risk analysis, asset visibility, MFA, encryption, incident response, vendor oversight, and documented evidence. Organizations that build this foundation now will have a shorter path to compliance when a final rule arrives — and a stronger posture if OCR comes knocking before it does.
Who Should Read This Page
This guide is for:
- Health system legal, privacy, compliance, and security leaders navigating the proposed changes and OCR enforcement risk
- Digital health companies and health tech vendors (business associates) who will face significant new obligations under the proposed rule
- Self-insured employers and group health plan sponsors with downstream plan document obligations
- Small providers trying to understand minimum viable readiness without overbuilding
- In-house counsel and procurement teams reviewing BAAs for NPRM compliance gaps
- Boards and executives funding HIPAA Security Rule remediation and needing a defensible posture
Current Rule vs. What Is Proposed
The table below maps the major structural changes across ten compliance domains. The shift is from a program you can largely design and document your own way, to one where OCR has defined the required evidence, required cadences, and what "reasonable and appropriate" means more explicitly.
| Domain | Current Rule | Proposed Rule | Operational Impact |
|---|---|---|---|
| Implementation Specs | Required vs. addressable | All specs required; narrow exceptions only | Most addressable controls become mandatory |
| Documentation | Written policies required; flexible implementation | ALL policies, procedures, plans, and analyses must be in writing | Undocumented processes no longer sufficient |
| Asset Visibility | No specific asset inventory requirement | Technology asset inventory + network map required; reviewed annually | Most organizations don't have this in a current, complete form |
| Risk Analysis | Required; "periodic" with no defined interval | Annual cycle; documented threat/vulnerability pair ratings required | One-time or outdated risk analyses need a full rebuild |
| MFA & Encryption | Addressable — implement or document why not | Required, with limited narrow exceptions | Systems without MFA/encryption need remediation plans now |
| Vulnerability Testing | General requirement to maintain security measures | Biannual vuln scanning + annual pen testing + annual compliance audit | Annual security testing calendar becomes a compliance obligation |
| BA Oversight | BAA required; oversight largely contract-based | Annual written SME verification of BA technical safeguards | Active annual program to collect, review, and retain BA verifications |
| Incident Response | IR procedures required; no prescribed content or testing | Written IR plan + written testing procedures + tested 72-hr restoration | IR plans that haven't been tested don't meet the proposed standard |
Your First 5 Moves — Start Here Regardless of When the Final Rule Drops
You don't need to wait for a final rule to begin. These five actions are defensible under the current HIPAA Security Rule and remain valuable under any realistic version of what gets finalized.
- Build or update your technology asset inventory. Every system, software tool, and vendor connection that touches ePHI needs to be on a list. If this doesn't exist in a current, complete form, this is your first project.
- Map ePHI flows. Where does patient data move? Which systems handle it? Which vendors receive it? You cannot conduct a defensible risk analysis — or segment your network — without this picture.
- Update your security risk analysis. The current rule already requires one. Most organizations' existing analyses are outdated, insufficiently specific, or undocumented in ways that would not survive OCR scrutiny.
- Confirm MFA and encryption gaps. Both were addressable under the current rule. Both are common targets in OCR enforcement. Identify every system where these controls are not in place and document a remediation plan.
- Audit your business associates. Know who your BAs are. Confirm your current BAAs are signed and current. Flag which agreements will need amendment when a final rule arrives.
Major Proposed Changes
The Big Structural Shift: The Required/Addressable Framework Would Largely End
The proposed rule would largely end the "addressable" implementation specification framework. All implementation specifications would become required, subject to specific, narrow exceptions. Encryption, MFA, and anti-malware — all addressable under the current rule — would become required.
Documentation and Asset Visibility
The proposed rule makes explicit what was implied: all Security Rule policies, procedures, plans, and analyses must be in writing. Regulated entities would also be required to develop and maintain a written inventory of all technology assets that create, receive, maintain, or transmit ePHI — reviewed at least annually and updated whenever there is a relevant change. A network map showing ePHI movement is required alongside the inventory.
Risk Analysis: From Periodic to Prescriptive
The proposed rule replaces "periodic" with "annual," and replaces general guidance with specific content requirements including documented risk ratings for each identified threat and vulnerability pair. A risk evaluation would also be required whenever new technology is adopted.
Technical Safeguards
MFA would be required for all access to ePHI. Encryption of ePHI at rest and in transit would be required. Network segmentation, anti-malware protection, and backup system isolation (to prevent ransomware from encrypting both production and backup data) would be required.
Vulnerability Management and Testing
New mandatory cadences: vulnerability scanning at least every six months, penetration testing at least annually, and an annual compliance audit. Together these create an annual security calendar that does not currently exist as a regulatory obligation for most organizations.
Incident Response: From Plan to Program
A written incident response plan would be required, along with written testing procedures and a requirement to restore critical systems within 72 hours. Organizations would need to document a criticality analysis establishing which systems are restored first — and test that capability before an incident requires it.
Business Associate Obligations
Covered entities would be required to obtain annual written verification from each BA that their technical safeguards meet the proposed requirements — conducted by a subject matter expert. BAs would face 24-hour contingency notification obligations. Most existing BAAs need review against these proposed requirements.
30/60/90-Day Readiness Plan
Days 1–30: Build the Foundation
| Action | Why Now | Current Rule Basis |
|---|---|---|
| Build or update technology asset inventory | Required under proposed rule; foundational to everything else | Risk analysis prerequisite under current rule |
| Map ePHI flows across all systems and vendors | Required for defensible risk analysis; needed for segmentation | Risk analysis prerequisite under current rule |
| Run a gap assessment against proposed requirements | Understand your actual exposure before planning remediation | Current rule requires ongoing self-evaluation |
| Confirm all BAAs are current and on file | Annual verification program requires knowing who your BAs are | Current HIPAA requirement |
| Identify MFA and encryption gaps | Both become required; remediation takes time to plan and budget | Both are OCR enforcement priorities under current rule |
Days 31–60: Rebuild Risk Analysis and Tighten Controls
Rebuild the security risk analysis to proposed content standards. Initiate MFA and encryption remediation planning. Launch BA verification workflow starting with highest-risk vendors. Review and flag BAAs that need amendment. Schedule biannual vulnerability scanning.
Days 61–90: Test, Document, and Close Evidence Gaps
Test the incident response plan (tabletop exercise against a ransomware scenario). Document 72-hour restoration capability. Complete annual compliance audit. Finalize written IR plan. Build governance calendar for ongoing cadence management.
Evidence Package Checklist
When OCR investigates — whether after a breach or through a compliance review — this is what they ask for. Items marked (proposed requirement) are not required under the current rule but are proposed in the NPRM.
Governance and Program Documentation
- Current written security policies and procedures for all Security Rule standards
- Written risk management plan
- Sanctions policy for workforce members who fail to comply
- Annual compliance audit results (proposed requirement)
- Board or leadership reporting on security program status
Risk Analysis
- Written risk analysis covering all ePHI systems
- Documented threat and vulnerability identification
- Risk ratings for each threat/vulnerability pair
- Risk evaluation triggered by new technology adoptions
- Risk analysis review date and schedule for next annual cycle
Technical Safeguards Evidence
- MFA implementation documentation (systems covered, exceptions documented)
- Encryption status for ePHI at rest and in transit
- Network segmentation documentation tied to risk analysis
- Separate backup and recovery system documentation
Incident Response
- Written incident response plan
- Written IR plan testing procedures (proposed requirement)
- Documentation of most recent IR tabletop exercise
- Written 72-hour restoration procedures (proposed requirement)
- Criticality analysis for system restoration priority (proposed requirement)
- Breach log and incident response records
Business Associates
- Complete BA inventory with current status
- Signed BAAs for all BAs (current)
- Annual written SME verification of BA technical safeguards (proposed requirement)
- Documentation of BA contingency notification procedures (proposed requirement)
Readiness Maturity Model
Level 1 — Paper Compliance
Policies exist. Risk analysis was last completed more than a year ago. No current asset inventory or network map. MFA and encryption are inconsistently deployed. Vendor oversight is a signed BAA. Incident response is a policy document, not a tested program. Risk: High OCR enforcement exposure.
Level 2 — Baseline Visibility
Asset inventory exists but is not current. Risk analysis conducted within 12 months but lacks risk ratings. MFA and encryption on primary systems. BAAs are current. IR has been documented but not tested. Risk: Moderate.
Level 3 — Operational Readiness
Annual risk analysis cycle is on a calendar with documented outputs. Technical testing is scheduled. MFA and encryption gaps are being closed. IR has been tested. BA inventory is current and BAAs are being reviewed against proposed new obligations. Risk: Low to moderate.
Level 4 — Audit-Ready Program
Evidence for every Security Rule standard is current, documented, and mapped. Annual cycles are operational. BA verification is documented. 72-hour restoration has been tested. Leadership has a current view of the program's status. Risk: Low.
Guidance by Audience
For health systems and hospitals: Focus first on the asset inventory, ePHI network map, risk analysis rebuild, MFA/encryption gap closure, and the BA verification program. These are both the highest-lift items and the areas of highest OCR enforcement priority.
For health tech companies and digital health vendors (business associates): Annual written verification of your technical safeguards by a subject matter expert, 24-hour contingency notification to your covered entity customers, and subcontractor oversight requirements are all your problem. Customer-facing evidence packages will become a competitive differentiator and a procurement requirement.
For self-insured employers / group health plan sponsors: Plan document amendments, plan sponsor safeguard requirements, and the 24-hour contingency notification obligation apply directly to your arrangement. This is a plan document project as much as a compliance project.
For small providers and solo practices: The HIPAA Security Rule applies to all covered entities regardless of size. Minimum viable program: current asset inventory, annual risk analysis, confirmed MFA and encryption on primary systems, current BAAs with major vendors, and a documented incident response process.
Frequently Asked Questions
Is the HIPAA Security Rule NPRM now law?
No. The NPRM is a proposed rule — a formal regulatory proposal that has gone through the public comment process but has not been finalized. The current HIPAA Security Rule remains in effect.
When will the final rule come out?
There is no official projected date. The Spring 2025 Unified Regulatory Agenda listed the rulemaking at the final rule stage, but no final rule has been issued. The current administration's deregulatory posture has added uncertainty to the timeline.
Should we wait to do anything until the final rule drops?
No. The foundational work — asset inventory, risk analysis, MFA/encryption gap assessment, BA audit — is valuable under the current rule. OCR enforcement does not stop while the rulemaking process plays out.
What is the "required vs. addressable" change and why does it matter?
Under the current rule, some implementation specifications are "addressable" — meaning you can implement them, implement an equivalent alternative, or document why implementation is not reasonable and appropriate. The proposed rule largely eliminates the addressable pathway. Controls like MFA, encryption, and anti-malware would become required implementation specifications, subject to any specific exceptions in the final rule.
What is the proposed compliance deadline?
The NPRM proposed 180 days from the effective date of a final rule, with the effective date typically 60 days after Federal Register publication — giving organizations approximately 240 days from publication. This timeline could change in a final rule.
What is the annual BA verification requirement?
Covered entities would need to obtain — at least annually — a written analysis of each BA's relevant electronic information systems conducted by a subject matter expert, plus a written certification that the analysis was performed and is accurate. This is an active annual program, not a one-time BAA review.
How JHarris Advisory Can Help
The HIPAA Security Rule update is not a policy project. It is an operational overhaul — and the organizations that treat it as a policy project will end up with documents that do not hold up when OCR comes knocking.
JHarris Advisory builds the governance infrastructure that makes compliance programs work in practice, not just on paper: gap assessment, risk analysis rebuild, BA audit and BAA remediation, incident response program, and board and executive reporting.
Not ready for an engagement? The tools below give you a structured starting point.
HIPAA Compliance Toolkit
Build your compliance program with the tools that fit your current gaps. Every artifact is built to the HIPAA Security Rule and mapped to the proposed NPRM requirements.
Free Resources
NPRM Readiness Checklist (HC-11) — Free, email required. 23-check self-assessment across 8 compliance domains. Download Free →
HIPAA Compliance Self-Assessment (HC-BD-02) — Free, no email required. 30-question interactive assessment across 6 Security Rule domains. Scored results with a prioritized gap list. Take the Assessment →
Core Implementation Resources
HIPAA Risk Analysis Template (HC-06) — $447 | OCR Audit Readiness Assessment (HC-05) — $497 | BAA Review Checklist (HC-03) — $247 | HIPAA Incident Decision Support (HC-02) — $347
Complete Bundle
HIPAA Compliance Toolkit — HC-01 through HC-10 — $1,497 (save $1,619 vs. individual pricing). Every artifact in the toolkit: PHI data handling addendum, incident decision support, BAA review checklist, clinical risk flags, OCR audit readiness assessment, risk analysis template, breach notification letters, annual recertification checklist, governance calendar, and quarterly review pack.
Buy the Bundle → | View all toolkit resources and pricing →
Sources and Authority
- HHS OCR NPRM Fact Sheet: hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet
- Federal Register NPRM (Full Text): Docket No. HHS-OCR-0945-AA22 / RIN 0945-AA22, published January 6, 2025
- Spring 2025 Unified Regulatory Agenda: RegInfo.gov, RIN 0945-AA22
- Current HIPAA Security Rule: hhs.gov/hipaa/for-professionals/security
- NIST SP 800-66 Rev. 2: csrc.nist.gov/pubs/sp/800/66/r2/final
- OCR Enforcement Data: hhs.gov/hipaa/for-professionals/compliance-enforcement/data
This page is updated when OCR, HHS, or the Federal Register publish materially relevant developments.
This guide covers the proposed HIPAA Security Rule changes contained in the NPRM published January 6, 2025. The proposed rule has not been finalized. Nothing in this guide constitutes legal advice or establishes an attorney-client relationship. Current HIPAA Security Rule obligations remain in effect. Consult qualified legal counsel for advice specific to your organization. Last updated: June 2026.