HIPAA Series: Security Rule Just Changed for the First Time in 20 Years. Starts the Clock on Compliance - Up to 240 Days

The HIPAA Security Rule has not been meaningfully updated since 2003. That's not a typo. The foundational federal standard governing how your practice protects patient data was written before iPhones existed, before cloud-based EHRs, before telehealth became a delivery standard, and before ransomware became the most expensive business risk in healthcare.

That era is ending. The question right now is exactly when. This is the first of a series of articles I will write about the upcoming requirements. Stay tuned for more specific articles. This one is an overview.

In January 2025, HHS published a 125-page Notice of Proposed Rulemaking to overhaul the Security Rule for the first time in over two decades. The proposed rule covers mandatory multi-factor authentication, required encryption of electronic protected health information (ePHI) at rest and in transit, tightened risk analysis and risk management standards, and business associate agreement requirements that most current contracts don't meet. Once the final rule publishes, covered entities have 180 days to comply (business associates get an additional 60 days to update agreements, for 240 days total).

As of this writing in June 2026, that final rule has not been published.

The Trump administration received more than 4,700 public comments, many of them critical. A coalition of more than 100 hospital systems and provider associations asked HHS to withdraw the proposal outright, citing the $9 billion estimated year-one cost. OCR Director Paula Stannard confirmed at the HIPAA Summit in April 2026 that the agency is still reviewing comments and hasn't decided what to do: "After we review the comments, the Trump administration may have a different view on the burdens and benefits of the proposed changes." The May 2026 finalization target on the regulatory agenda appears to have slipped.

None of that means the threat has changed, and it doesn't mean OCR is waiting.

Why this rule matters regardless of its final form

The proposed rule's significance isn't only in what it adds, but also in what it eliminates.

The HIPAA Security Rule has always had a structural problem: it divided required safeguards into two buckets. Some controls were "required." Others were "addressable" - which meant a covered entity could document a reasoned business decision not to implement them, implement something equivalent, or in many cases do nothing and document why that was acceptable.

Encryption was addressable. Multi-factor authentication was addressable. A lot of basic security hygiene was addressable. For 20 years, organizations took that option. Stannard acknowledged this plainly at the April summit: "In practice, regulated entities, especially small and medium-sized entities, have treated addressable implementation specifications as optional. This has resulted in much more lax security."

The proposed rule eliminates that flexibility. Almost everything becomes required, with narrow exceptions for legacy medical devices under active migration plans. If the rule finalizes in anything close to its current form, the "we assessed and decided it wasn't reasonable" documentation strategy disappears.

Whether the final rule matches the proposal exactly, gets modified, or takes longer to arrive than planned, Stannard's message about the underlying security problem was unambiguous: "I want to encourage you not to overlook the very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, the need to pay ransom, remediation of your systems, protection for those whose protected health information was accessed, potential civil liability - and my investigators knocking on your door asking for documents."

What's already happening under the existing rules

OCR doesn't need a final rule to enforce. The existing Security Rule already requires risk analysis, risk management, and appropriate safeguards. What has changed in 2026 is how aggressively OCR is applying those existing standards.

In fall 2024, OCR formally launched the Risk Analysis Initiative, a targeted enforcement campaign focused on organizations that hadn't conducted adequate, documented risk assessments. By early 2026, that initiative had produced 11 enforcement actions. Settlement amounts range from $10,000 for small rural providers to $350,000 for larger organizations, with mandatory corrective action plans - two to three years of required reporting to OCR - often more burdensome than the financial penalty.

In April 2026, OCR announced four additional ransomware settlements totaling $1,165,000, including one involving Axia Women's Health, a multi-state women's health network. In April, OCR's Senior Advisor for Cybersecurity Nick Heesters also released a formal guidance video expanding the enforcement signal: OCR is now examining not just whether organizations conduct risk analysis, but whether they act on what they find.

"Failing to take action to mitigate risks or implementing security measures that do not sufficiently reduce risks to a reasonable and appropriate level is something OCR discovers frequently," Heesters said. The agency's position is explicit: policies and written plans are not sufficient. OCR wants evidence that identified risks drove real decisions; configurations changed, controls implemented, measures documented.

“Willful neglect,” the classification applied when organizations know about risks and do nothing, carries a minimum penalty of $73,011 per violation for violations not corrected within 30 days. OCR can treat each day of continuing non-compliance as a separate violation, which is how penalties compound into the millions.

The underlying breach data explains the enforcement posture. In 2024, 725 large breaches were reported to OCR, a record year. Approximately 276.7 million patient records were exposed, a 64 percent increase from the prior year. The February 2024 ransomware attack on Change Healthcare alone accounted for an estimated 192.7 million of those records, roughly 57 percent of the U.S. population, and the largest single healthcare breach in U.S. history. In 2025, 76 percent of large HIPAA breaches were caused by hacking and IT incidents. The average cost of a healthcare data breach in 2024 was $9.77 million, the highest of any industry for the 14th consecutive year, according to IBM's 2024 Cost of a Data Breach Report. Sophos's 2024 State of Ransomware report found 67 percent of healthcare organizations were hit by ransomware that year, the highest rate of any sector tracked, with an average demand of $5.7 million.

These are not only interesting or cautionary statistics. They're actually the threat environment your organization is operating in right now, under the current rules, even before the proposed Security Rule update adds a single new requirement.

What the proposed rule requires

The specific requirements in the NPRM are detailed enough to function as a compliance checklist, and they represent where OCR's enforcement expectations are heading regardless of final rule timing:

Encryption. ePHI must be encrypted at rest and in transit. No documentation alternative. The required standard is NIST-approved - AES-256 for data at rest, TLS 1.2 or higher for data in transit. This applies to devices, backups, email, and any system that stores or transmits patient data.

Multi-factor authentication. MFA is required for all user access to any system that creates, receives, maintains, or transmits ePHI - not just the EHR. Email, remote access, cloud storage, practice management software, billing platforms. Internal and remote access both covered.

Risk analysis and risk management. The existing risk analysis requirement gets substantially tightened, and the enforcement focus has already expanded. The proposed rule requires a written asset inventory, documented threat-vulnerability mapping with likelihood and impact ratings, a risk management plan tied to specific findings, and regular updates. But OCR's current enforcement standard is also clear: the analysis must generate action. A risk analysis that identifies vulnerabilities and gets filed is not compliance. In fact, it's likely potential evidence of willful neglect waiting to be discovered.

Vulnerability management. Vulnerability scanning every six months. Annual penetration testing. Critical patches deployed within 15 days. High-severity patches within 30 days.

Business associate agreements. Every vendor contract touching ePHI needs to reflect the new requirements. Most pre-2025 agreements don't.

Access management. Workforce access terminated within one hour of separation.

HHS estimated sector-wide year-one implementation costs at approximately $9 billion, the figure industry groups have pushed back on hardest. Having worked through changes from HHS before, this number is likely low. For a mid-sized medical practice, realistic initial setup runs $20,000 to $50,000, with $5,000 to $15,000 per year in ongoing maintenance. Set against an average breach cost of $10.9 million and a $7 million average ransom demand, the math is not complicated, but still difficult to get through a budget cycle.

My read on timing

The rule's finalization timeline is genuinely uncertain. The Trump administration may publish a modified version with a longer compliance window, may extend the timeline for small providers, or may take longer than the original regulatory agenda projected. Stannard didn't rule any of that out.

What she did rule out is the idea that the underlying cybersecurity problem is optional. The existing Security Rule already requires entities to identify and address risks to ePHI. OCR is enforcing that standard actively, right now, and expanding its enforcement focus to include risk management, not just risk analysis. The technical controls the proposed rule will eventually mandate are the same controls OCR is already finding absent when it investigates breaches under existing authority.

Waiting for the final rule text before beginning a gap assessment is a reasonable instinct. It's also how organizations end up in front of OCR with inadequate risk documentation and no corrective action plan, which is exactly the fact pattern I see in most of the current enforcement actions.

The "up to 240 days" in the headline is honest. The timeline depends on when the final rule publishes, and that hasn't been confirmed. What's confirmed is that the compliance expectations are already moving, enforcement is already running, and the companies that start now will be in a materially better position regardless of when the final rule lands.

Where to start

Inventory your ePHI first — every system, device, and vendor that touches patient data. The proposed rule requires this documentation; OCR expects it in investigations under the existing rule.

Run a gap analysis against the specific proposed requirements: MFA coverage, encryption status, risk analysis currency, and BA agreement completeness. Each will surface issues. Most HIPAA programs have at least one significant gap in each category.

Prioritize by risk, not by rule finalization. MFA and encryption take time to deploy without disrupting operations. Risk analysis done correctly takes weeks. BA agreement review across a full vendor stack takes longer than most organizations expect. Start now.

Document everything, not for the sake of paper, but because OCR's corrective action plans require documented timelines, responsible parties, and completion records. Build that infrastructure before you need it in an investigation.

Over the coming weeks, I'm walking through each major requirement in detail: what the rule says, where entities may be falling short right now under existing enforcement, and what actually needs to happen. Up next: why the MFA requirement is one your EHR vendor can't solve for you.

If your organization needs a structured gap assessment before the deadline, whenever that lands, schedule a consult @ https://jharrisadvisory.com/contact. The enforcement machinery is already moving, and OCR has been remarkably transparent about exactly what it's looking for.

For the full picture — proposed changes, readiness plan, and toolkit — see our HIPAA Security Rule NPRM guide

Previous
Previous

HIPAA Series: MFA - Your EHR Vendor Can't Do This One for You

Next
Next

California signed two AI executive orders in sixty days. Both have compliance implications, but what are they?