Proposed HIPAA Security Rule Update: What Healthcare Leaders Need to Know

HS has issued a Notice of Proposed Rulemaking (NPRM) to tighten the HIPAA Security Rule, significantly reducing flexibility in how covered entities protect ePHI. For healthcare leaders, this update reinforces a broader reality: compliance alone is no longer enough — security controls must support operational resilience, patient safety, and continuity of care.

This is the largest HIPAA Security Rule update in over a decade, aiming to boost ePHI protection and address flexibility concerns.

Who Is Impacted

All covered entities and business associates handling ePHI should prepare for compliance. Smaller providers often have larger implementation gaps and should start planning and resourcing now.

The NPRM’s emphasis on reducing “flexibility” means that previously tolerated approaches will be harder to justify.

What Are the Potential Changes

Key proposals include:

• Convert many addressable specifications into required controls, narrowing the flexibility organizations previously had.
• Authentication and access controls: mandated multi-factor authentication (MFA, which requires users to present two or more forms of verification to access systems) for remote access and privileged accounts, with tighter session-management and authorization practices.
• Encryption and integrity: stronger expectations around encryption of ePHI in transit and at rest, plus integrity controls and anti-tamper measures.
• Asset and vulnerability management: requirements for annual asset inventories, ongoing vulnerability scanning, patch management, and documented remediation timelines.
• Logging and telemetry: explicit logging and retention requirements to support incident detection and forensic investigations.
• Third-party/vendor oversight: stricter Business Associate Agreement (BAA) expectations, vendor due diligence, and oversight obligations.

What You Should Prioritize Today

Organizations that take these actions now will reduce risk and simplify future compliance, even before a final rule is issued. These priorities should not be addressed as isolated IT projects, but as part of a unified risk strategy that spans clinical operations, finance, IT, and vendor management.

1. Update your risk analysis to an operational roadmap.

Convert your high-level risk analysis into an actionable remediation plan that maps existing gaps to the NPRM’s proposed controls (MFA, encryption, logging, asset inventory, etc.). Prioritize remediation by probable impact and exploitability.

2. Build or refresh an accurate asset and data inventory.

Track where ePHI lives (systems, backups, cloud services) and which vendors have access. The NPRM’s expected requirements for asset inventories and vendor oversight make this foundational.

3. Implement and test MFA and encryption broadly.

MFA for remote and privileged access and encryption of ePHI in transit/at rest are highlighted as top items. Start rollouts and table-top test scenarios (provider logins, EHR access, telehealth endpoints).

4. Strengthen logging, monitoring, and IR readiness.

Expand logging to include user activity and privileged operations, ensure logs are protected and retained, and test incident response playbooks with realistic scenarios.

5. Tighten vendor/BAA management.

Re-examine BAAs and vendor security questionnaires, require evidence of controls (MFA, encryption, logging) and include audit/monitoring rights and SLAs for patching and incident notification.

6. Plan budget and timeline — don’t wait for the final rule.

Technology rollouts, third-party remediation, and new monitoring/forensics tools take time and money. Preparing budgets and phased timelines now reduces scramble if the rule moves quickly.

Questions Boards and Executive Teams Should Be Asking

• Do we have a current, documented inventory of assets that store or transmit ePHI?
• Where are our largest gaps on MFA, encryption, logging, patching, and vendor oversight?
• What projects will need budget and how long will procurement and deployment take?
• Are our incident response and forensic capabilities sufficient to meet stricter logging and notification expectations?

How Eide Bailly Can Help

The NPRM signals a significant tightening of expectations for protecting ePHI. While the final rule and timeline are not certain, healthcare leaders should assume reduced flexibility and prepare accordingly.

Early focus on inventory, MFA/encryption, logging, and vendor oversight cuts cyber risk and prepares organizations for final compliance.

Our Risk Advisory team can help you convert the NPRM language into a practical compliance plan. If the rule becomes final, having an assessed and partially implemented program will reduce implementation time and exposure. Let’s talk.