HIPAA Security Rule 2025 Update: What the Proposed NPRM Means for Your Organization
The HHS Office for Civil Rights issued a Notice of Proposed Rulemaking in January 2025 that would substantially strengthen the HIPAA Security Rule for the first time since 2013. The proposals would eliminate addressable designations for several critical controls, mandate specific technical standards, and impose new governance requirements on covered entities and business associates alike.
Background: Why HHS Proposed Strengthening the Security Rule
The existing HIPAA Security Rule was last substantially updated in 2013. In the intervening twelve years, the healthcare sector experienced a dramatic escalation in ransomware attacks, supply chain compromises, and large-scale data breaches. HHS cited statistical evidence in the NPRM’s preamble demonstrating that large breaches — those affecting 500 or more individuals — increased by approximately 102 percent between 2018 and 2023, and that ransomware and hacking incidents have become the dominant threat vector, now accounting for the majority of breached individuals across all reported incidents.
The NPRM reflects HHS’s determination that the flexibility built into the 2013 rule — particularly the addressable specification framework and the absence of specific technical requirements — has resulted in inconsistent implementation and inadequate protection across the sector. The proposed changes are designed to establish a more uniform security floor, reduce the variation in implementation quality, and bring Security Rule requirements into alignment with current cybersecurity standards including the NIST Cybersecurity Framework 2.0 and NIST SP 800-66 Revision 2, which HHS updated in 2024 specifically to support HIPAA Security Rule compliance planning.
Key Proposed Changes
Elimination of the Addressable Designation for Several Specifications
The most operationally significant structural change in the proposed rule is the removal of the addressable category for a set of specifications that HHS has determined should be universally Required. Under the current Security Rule structure, organizations can decline to implement an addressable specification if they document that it is not reasonable and appropriate for their environment. The NPRM would eliminate that flexibility for specifications including encryption of ePHI at rest and in transit, multi-factor authentication, network segmentation controls, and vulnerability management processes. If finalized, these controls would become mandatory for all covered entities and business associates regardless of size or complexity.
Mandatory Encryption Requirements
The proposed rule would require encryption of all ePHI at rest and all ePHI in transit using technology that complies with NIST-approved cryptographic standards. This represents a fundamental shift from the current posture, where encryption is an addressable specification subject to a documented risk-based assessment. HHS has proposed that organizations would have a defined implementation period after the final rule’s effective date to achieve compliance, with the encryption requirement applying to ePHI across all covered systems including cloud platforms, endpoints, backup media, and data in transit across all network segments.
Multi-Factor Authentication
The NPRM would require multi-factor authentication for all workforce members accessing ePHI, including access through remote sessions and third-party applications. The proposed requirement extends to business associate personnel with access to covered entity systems. This aligns with longstanding security guidance from CISA, NIST, and sector-specific regulators, and is consistent with cyber insurance underwriting requirements that many organizations already face in practice. Organizations that have not yet deployed enterprise-wide multi-factor authentication should treat this as a near-term priority regardless of the final rule’s timeline, given that the absence of MFA is a high-risk finding in both security risk assessments and breach investigations.
Technology Asset Inventory and Network Mapping
The proposed rule would require covered entities and business associates to maintain a written inventory of all technology assets, including hardware, software, and information systems that create, receive, maintain, or transmit ePHI. This inventory must include network maps documenting how ePHI flows through the organization’s systems and between covered entities and business associates. HHS has identified the absence of comprehensive asset inventories as a systemic failure contributing to both breach severity and inadequate risk assessments — when organizations do not know what systems touch ePHI, they cannot accurately assess risk or scope breach notification obligations.
Vulnerability Management and Penetration Testing
The proposed rule would mandate documented vulnerability management programs, including defined timelines for patch deployment based on vulnerability severity. It would also introduce explicit penetration testing requirements — the NPRM proposes that covered entities conduct penetration tests at least once every twelve months and following significant system changes. This moves penetration testing from a recommended practice into a regulatory requirement, and has direct implications for both internal security programs and vendor relationships with third parties that manage ePHI systems.
Enhanced Business Associate Requirements
The NPRM proposes significant strengthening of the requirements applicable to business associates. Proposed changes include requirements for business associates to conduct and document annual compliance audits, to implement the same encryption and MFA requirements applicable to covered entities, and to notify covered entities of security incidents — including incidents that do not rise to the level of a reportable breach — within 24 hours of discovery. This last requirement represents a major tightening of the existing 60-day business associate notification window and would require covered entities to reassess their current BAA language and vendor monitoring programs.
Incident Response Planning
The proposed rule would require all covered entities and business associates to develop and maintain documented incident response plans that address specific scenarios including ransomware, phishing, and insider threats. Plans must be tested at least annually, and testing results must be documented and used to update the plan. This formalizes what has long been a best practice recommendation into a binding compliance requirement with documentation obligations that OCR can audit.
What the NPRM’s Status Means for Planning
As of the time of publication, the NPRM remains a proposed rule and has not been finalized. The comment period closed in March 2025, and HHS is reviewing the substantial volume of public comments received from covered entities, business associates, industry groups, and consumer advocates. The administrative and regulatory process for finalizing significant rules of this scope typically extends twelve to eighteen months or longer after the comment period closes. Additionally, the rule may be subject to further revision during the Biden-to-Trump administration transition and associated regulatory review priorities.
However, treating the NPRM as a distant contingency is a strategic error. The controls it proposes — encryption universally applied, multi-factor authentication for all ePHI access, documented asset inventories, annual penetration testing, and rapid business associate incident notification — represent the current standard of care that OCR uses as a benchmark when evaluating the penalty tier applicable to a breach investigation. Organizations that align to the proposed standards now will be better positioned for enforcement today, better prepared for the final rule whenever it takes effect, and better defended against the threat landscape that drove HHS to propose the changes in the first place.
Aligning to the Proposed Standards Now
Armorstack’s 100+ technical experts operate at the intersection of current Security Rule requirements and the strengthened standards proposed in the NPRM. Our SENTRY Managed Detection and Response program delivers the continuous monitoring, vulnerability management, and incident response capabilities that the proposed rule would require. Our VERITY vCISO advisory practice helps healthcare organizations build the governance documentation — asset inventories, network maps, incident response plans, penetration testing programs — that the NPRM would mandate. The starting point is your current risk assessment, your Security Rule control gaps, and your BAA program’s readiness to absorb the proposed business associate changes. Explore our compliance services hub or begin a gap analysis through our 90-Day Proof program.