Why a 2025 HIPAA Security Rule Update?
Cyberattacks on healthcare have skyrocketed, leading to the first in-depth HIPAA Security Rule re-write in over a decade.
Alone in 2024, breaches affected more than 180 million individuals health information, at an average cost of more than $10 million per incident – more than any sector.
Regulators said that most of the previous HIPAA rules were too permissive; some providers treated “addressable” security measures as voluntary and failed to implement necessary ones.
Now that there are record breaches and ransomware attacks, HHS is asking for more stringent and more explicit security regulations to safeguard electronic protected health information (ePHI).
It is good news for solo practitioners, private practices, clinics, and any covered entity that handles ePHI. The 2025 HIPAA Security Rule changes proposed aim to improve healthcare cybersecurity – and every practice, small or big, will have to take heed.
Timeline of the New 2025 HIPAA Security Rule Changes
It is crucial to monitor crucial dates in compliance planning. The following is the timeline for the proposed rule:
December 27, 2024 – NPRM Announced: The HHS Office for Civil Rights (OCR) published the Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule. (This is the proposal that defines all the new rules.)
January 5, 2025 – Published for Comment: The rule was published in the Federal Register on the first day of January 2025 and initiated the public comment. Individuals had 60 days to provide comments.
March 7, 2025 – Comment Period Closed: The public had until March 7, 2025, to comment. More than 4,000 comments were received, indicating considerable industry interest (almost 4,700 by one estimate). OCR is now considering this feedback.
Late 2025 – Anticipated Final Rule: HHS will probably publish the final rule in late 2025 after taking comments into account (this may be subject to change). The final rule may implement minor revisions to certain proposals based on the comments they received.
Effective Date – Effective 60 Days After Publication – The new Security Rule takes effect after 60 days from publication. (This provides entities with time for making required changes.)
180 Days After Effective Date – Date of Compliance: Subsidiaries subject to the rules will have 180 days from the effective date to be in compliance with the majority of the new provisions.
Overall, this is around 240 days from the date of the final rule publication to get to the new level. Therefore, if the final rule is published towards the end of 2025, enforcement may begin around mid-2026.
Business Associate Agreement (BAA) Transition – HHS will provide additional time to revise BA agreements to include the new rules. (As with past HIPAA revisions, practices will have a transition period – likely up to 1 year – to modify contracts with vendors without penalty.)
Bottom line – If these regulations are finalized in 2025, business associates and covered entities will have barely more than a few months to come into compliance. It’s wise to begin preparing now, before time runs out.
Key Recommended Changes to the HIPAA Security Rule (2025)
The “HIPAA Security Rule 2025” draft has various revisions. We explain the most significant new HIPAA regulations (2025) and what they include below.
The changes affect what is performed, the technical protections that are utilized, and the way vendors are treated. All changes aim to fix errors in the present rule and entail more safeguarding of electronic personal health information (ePHI).
1. All Safeguards Are Now Mandatory (No More "Addressable" Loopholes)
One blanket change is the removal of the “addressable” vs. “required” implementation specifications. In the past, some security controls were “addressable,” so you had discretion about how (or if) to implement them depending on your circumstances.
In the 2025 proposal, all HIPAA Security Rule protections would be required by default.
HHS would like to keep providers from bypassing key controls; only very narrow exceptions would be permitted.
For instance, if a specific legacy system isn’t able to support a control, you’d have to have a documented risk mitigation plan.
What this does:
All HIPAA security rules have to be complied with.
Small practices can no longer claim “not applicable” – they have to apply the safeguard or adhere to strict exception rules.
OCR determined that too many individuals treated addressable measures as voluntary, and this undermined.
Organizations such as the AMA have complained regarding this strictness for small and rural providers, stating that they require flexibility based on what they can afford.
Documentation Requirements:
The rule eliminates the potential for “addressable” flexibility and explicitly says that you need to have written documentation of all security policies, procedures, and risk analyses.
All decisions and plans, including any exceptions you make, need to be in writing.
Solo practitioners who used to manage security informally will now be required to document everything in writing or electronically.
Regulators will require written evidence of your compliance efforts.
2. All should employ Multi-Factor Authentication (MFA) to access ePHI.
The 2025 regulation will mean multi-factor authentication (MFA) is required.
Currently, MFA (such as entering a code or fingerprint, in addition to a password) is not required – few small practices employ it.
MFA will be mandatory for any device that logs on to ePHI under the new regulation.
All physicians, nurses, and billing clerks will have to have an alternative method of verifying themselves when they log in to EHRs, patient portals, cloud backup, etc.
Some old systems or medical devices may not need to use MFA if they cannot support it, but this is only if they were made before March 2023 and you have a plan to update them.
Basically, older technology gets a short break, but you need to be working on solutions that can use MFA.
This MFA mandate is a direct response to incidents:
stolen passwords have led to many health data breaches, and regulators consider MFA a “must” in 2025 and beyond.
For small practices, this will mean you will likely need to start using authenticator apps, text codes, or tokens for systems that store PHI.
If you use a cloud EHR or portal, check if your vendor supports MFA and switch it on. While MFA introduces a bit of inconvenience to users, it makes a huge difference in security by keeping out attackers who steal or guess passwords.
3. Encryption of ePHI at Rest and in Transit – Now Mandatory
Encryption is also key protection in the new regulation.
HIPAA consistently pushed encryption of ePHI (encrypting email, for instance, or laptops), but it wasn’t required – so some practices weren’t encrypting data if they didn’t feel it was “reasonable and appropriate.”
That’s no longer the case. All electronic PHI transmitted or maintained has to be encrypted as per the new standards that covers utilization of approved encryption on data for servers, workstations, mobile, databases, and sharing data (email, messaging, integrations), except an exception.
As examples, patients will continue to have the option for unencrypted e-mail communication, so that will continue to be allowed.
But for anything above and beyond patient request, everything from hard drive storage to cloud storage will be encrypted.
Information “at rest” (stored on devices) and “in transit” (transmitted) must both be safeguarded. If you haven’t turned disk encryption on at office computers yet or are still sending PHI non-encrypted, those habits won’t be allowed when this rule comes into force.
Industry comment has called out problems with this regulation – specifically the impossibility of encrypting legacy systems and cost.
But as laptops are stolen and databases are hacked on a regular basis, HHS feels encryption is a must for patient data protection.
Solo practices need to budget for encryption software or arrange with IT vendors to have all PHI storage (e.g., EHR files and backup disks) encrypted by default.
The good news is that much new equipment already has encryption capabilities built into it (e.g., BitLocker and TLS for email) – it just needs to be activated and used on a regular basis.
4. Regular Risk Assessment & Annual Security Reviews
Risk analyses are crucial to HIPAA compliance, but the new rule strengthens and clarifies them.
HHS suggests that covered entities conduct a thorough risk analysis at least annually and revise it whenever there are significant changes.
The risk analysis should be thoroughly documented and include certain sections: review of inventory, identifying all possible threats and vulnerabilities to ePHI, and assessing how likely each risk is and what the effect would be.
Essentially, you need to document in detail what can go wrong (such as hacking, theft, or IT issues) and score how bad each risk is to your practice’s ePHI.
Other requirements of the proposal include: perform vulnerability scanning a minimum of twice a year and penetration testing (ethical hacking attempts on your systems) at least once a year.
This is a big ask for small organizations – many have never performed a pen-test. These requirements are best practice in cybersecurity, but may require hiring IT security services to accomplish.
The message is that security is not something you do one time and forget about. Periodic testing and checking of your defenses will be required, ensuring practices identify and repair weaknesses before they become issues.
5. Technology Asset List and Network Map
In order to better know and better protect their environment, health care professionals will be required to have an accurate inventory of all technology devices and a network diagram of ePHI.
This entails recording all hardware and software storing or processing ePHI – from EHR servers, laptops, and cell phones to cloud services – and charting the flow of data through your systems. For instance, you’d chart the flow of patient data from intake iPad to EHR to billing system to backup, etc.
Under the rule, this list of assets and map of data flow must be done at least annually (and as often as changes are significant).
The intention is to allow organizations to be able to see where electronic protected health information (ePHI) resides and how it travels, so that they can address security vulnerabilities at each point.
Even a single doctor’s office can be surprised at how many locations ePHI is forwarded (like email, billing company, x-ray machine computer, etc.). You will need to keep a list and a diagram – which auditors may request as proof.
The network map is connected to risk assessment:
You can’t protect what you don’t know you’ve got. By taking a look over the inventory and map, you guarantee that no device or connection is left behind (like that lab machine in the corner running lab software).
It might seem tedious, but OCR is encouraging it because hidden assets are low-hanging fruit for attackers.
Be prepared to spend some time counting out your IT assets and drawing a basic network diagram showing how patient data moves.
Templates and tools are available to help with this, and it will actually inform your security decisions (like where to put encryption or access controls).
6. Improved Incident Response and Contingency Planning
The rule as drafted significantly enhances standards for incident response and disaster recovery.
Businesses are obligated to maintain formal, written Security Incident Response Plans that describe how employees alert management to security incidents and how the business will address and control them.
Saying “we’ll call IT if something occurs” does not qualify – you have to have written-down, specific steps. Second, you need to test and refresh your incident response plan annually to ensure that it works effectively and is current.
Periodic drills or dry runs for your personnel to prepare for a breach are suggested under this policy.
New requirements are being put in place for advance planning for IT downtime or cyber-attacks.
You must have a method of recovering lost data or systems within 72 hours after the incident.
This 72-hour time frame is challenging – it means you must have good data backups and a disaster recovery plan that can bring your practice back to normal in about 3 days after a significant problem.
You must also conduct a “criticality analysis” of your systems – that is, figuring out which systems are most important to patient care and operations, so you can prioritize recovery of those promptly.
For example, an EHR might be highly critical (restore ASAP), but a scheduling system might be less so.
The rule states to have independent backup systems and not share the same infrastructure for backup as for primary data.
If you ever need to initiate your backup plan, i.e., use backups during a ransomware attack, your business partners need to alert you within 24 hours.
These are all steps to minimize downtime and data loss when issues arise. For a small provider, this is having ePHI backups daily, a process to restore data in a rush (such as cloud backups or having an employee on call IT), and written downtime procedures (even as basic as “use paper charts and call patients if EHR is not functioning”).
7. Enhanced Access Controls and Monitoring
The NPRM also strengthens daily access control requirements. Covered entities must have rigorous procedures to control who has access to ePHI systems.
Access needs to be granted on a need-to-know basis by what an individual needs to know and their position, and must be modified or revoked rapidly when one changes jobs or leaves employment.
One of the requirements is that when an employee or contractor who had access to ePHI leaves employment or changes jobs, you must revoke their access as soon as possible, hopefully immediately, and notify other key parties within 24 hours.
For example, if a billing service employee who has logins to your systems is terminated, the business associate must notify you within 24 hours so you can revoke their access. Revoking access in a timely manner is very critical to prevent disgruntled former employees from abusing data.
Also, you must maintain audit controls. That is, you must monitor who is accessing ePHI. While HIPAA has always recommended that, you can anticipate more insistence on reviewing logs and ensuring there is no unauthorized access or unusual activity.
The necessity to “review and test” security controls on a yearly basis also implies that you must be reviewing from time to time that your access controls and other safeguards are functioning as they ought.
Small practices must ensure that their EHR or systems have audit logging enabled and consider conducting periodic checks on who is looking at patient records.
Briefly, the principle promotes a zero-trust and vigilant approach: give least privilege necessary and remove it as soon as possible when not in use.
Multi-factor authentication (as outlined above) and distinct user IDs are included, as is ongoing monitoring.
Office managers or compliance personnel within clinics must be more vigilant with user accounts and permissions, especially with staff turnover.
8. Network Security: Anti-Malware, Patching, and Segmentation
To address technical protections, HHS is prescribing particular cyber safety practices that should be applied everywhere in the same manner.
Under the 2025 plan, organizations should establish basic setup standards for all devices and systems. In practical terms, this means such as:
- Install anti-malware software on all systems. (All computers or servers must have up-to-date antivirus/anti-malware software.)
- Removing or disabling unwanted software and services that could create vulnerabilities. For example, don’t keep trial software or outdated apps on a device if not needed.
- Deactivating unused network ports based on your risk assessment – keeping hackers from plugging in an exposed port or remotely exploiting it.
- Regular patching: This is not exactly what the HHS fact sheet mentions, but the rule highlights the importance of applying security patches and updates timely. Rules will likely specify how to quickly patch systems (within a specific time window after being made available). Keeping software up to date is very critical since unpatched systems become attack targets most of the time.
Segmentation of the network is obviously necessary. This would involve segmenting your network into distinct zones such that a breach in one zone will not provide access to all the others.
For instance, your guest Wi-Fi would be isolated from your internal EHR network, and medical device networks would be isolated from office admin networks.
Big hospitals do this a lot already. For a small practice, segmentation might be as simple as using a business-class router to create isolated VLANs or networks for different purposes.
HHS would require even the smaller groups to implement reasonable segmentation “as appropriate” depending on risk. It is difficult to do, but it severely restricts how far an intruder can roam around if they make it past.
Taken together, these demands formalize what the overwhelming majority of cybersecurity guidance advises:
Utilize anti-virus, reduce bloat and idle services, patch regularly, and segment networks.
Solo providers must make sure that they have IT support in order to continue doing these things.
If you are using an IT service or an EHR cloud vendor, ask how they deal with malware protection and updates. In the end, it’s up to the covered entity to make sure that these protections are in place.
9. Improved Vendor Monitoring and Business Associate Requirements
Perhaps most notable is how the rule treats business associates (BAs) and other vendors.
Under previous rules, covered entities only needed a contract (BAA) to ensure the vendor would protect PHI, but they did not need to audit the vendor’s security on a continuous basis.
Now HHS is suggesting covered entities need to keep monitoring their BAs’ security practices on a continuous basis.
Under the proposal, a covered entity would be required to obtain written attestations of security compliance from its BAs at least once in every 12 months.
The BA would be required to provide a written report on its own ePHI systems, attested by a security professional, and ensure that it has all the necessary safeguards in place.
Your practice might be required to send an annual questionnaire or request to each BA (EHR vendor, billing company, cloud provider, etc.) asking them to attest that they meet the HIPAA Security Rule standards.
This essentially forces vendors to perform their own internal audit and report the results.
Also, business associates are required to inform covered entities within 24 hours if they activate their contingency plans because of an incident.
That is, if your cloud IT vendor experienced a system failure or cyber-incident and they had to fail over to backups, they are required to inform you promptly (no longer having to hear about a vendor breach months later).
There is also a new requirement that if a BA’s workforce member’s access to your data is revoked or modified, the BA is required to inform you within 24 hours, as described above.
These prompt notices are intended to enhance transparency when something potentially ugly has occurred on the vendor side.
For small practices, this is a reminder that it is not enough to just sign a BAA.
You must discuss with your vendors how they protect data. It may be worth it to select vendors who are certified or follow guidelines (such as HITRUST, SOC 2, or NIST) because it will be easier for them to demonstrate to you that they are in compliance.
Be ready to update all of your BA agreements to include the new requirements (the OCR will provide you with time to do so).
The proposed rule also clarifies that a business associate can be your Security Officer if you formally assign them that duty – this is a benefit for small providers who may have someone else do their IT security.
In brief, HIPAA 2025 vendor management is much more hands-on. You’ll need to:
Ensure that your BAs employ the same level of security as you, get annual evidence that they do, and adjust contracts for it.
While this is more administrative, it also means more confidence that your partners won’t be the weak link in your privacy chain.
HIPAA Rules for Private Practices: What the 2025 Security Rule Holds
So what are the implications for solo practitioners and small to mid-size firms? Bottom line: more onerous responsibilities and maybe more expense – but more protection too against abuses.
Compliance Burden & Costs: Some of these new requirements (e.g., MFA, encryption, annual audits, pen-testing) will require small offices to pay for IT upgrades or services.
Practices that have been doing minimal security only now will have to pay for things such as encryption software, MFA apps, network upgrades, and risk assessment consultants.
Industry associations worry the rules will be a financial burden on smaller providers.
For instance, the College of Healthcare Information Management Executives (CHIME) said the size and timing of the rule could “place an undue financial burden” on healthcare organizations.
The AMA also requested flexibility for small- and medium-sized practices, saying a one-size-fits-all approach may not be realistic.
But it is not worth it to ignore these regulations. Data breaches can ruin a small clinic, costing hundreds of thousands in fines, repairs, and lost trust – enough to take a business out of commission.
The median cost of a breach ($10M) we talked about above is inflated by large hospitals, but even a small practice breach generally costs tens of thousands or more (not to mention reputation harm).
Regulators are also making it clear that they will be tougher in enforcing the rules: if these regulations pass, OCR will probably hit non-compliers harder with bigger fines, especially if a breach happens because of sloppy security.
That is, the price of noncompliance could be even higher, through fines or problems because of a breach.
Operational Impact: Small practices will need to institute a stronger security program. This could mean having a security officer (even part-time), training staff on new policies regularly, and planning regular security exercises (like monthly updates and quarterly drills).
Workflows will be slightly different – for example, staff may take an extra 30 seconds to do MFA login, or there may be extra steps when an employee leaves.
At first, this can be difficult. But most changes, once started, become routine work. For example, after a few weeks, clinicians will get used to using an authenticator app to log in, and it feels normal.
Positive Side: There is a good part: these changes, although challenging, will make your practice’s security much better.
Small providers are often targeted by hackers because they usually have weaker security.
Putting strong protections in place can stop serious problems. For instance, if an encrypted device is stolen, it won’t lead to a reportable breach (avoiding fines) because encryption makes the PHI unreadable.
Multi-Factor Authentication (MFA) can stop a cybercriminal who somehow gets a user’s password.
Regular risk checks can find weaknesses (like an old firewall) before hackers do. So, consider these actions as a way to protect your patients and help your business last longer.
Scalability: HIPAA has always been scalable to the size of the organization (“addressable” was one form of scaling, but now with that eliminated, scalability is inherent in how you perform required procedures).
Small offices can perform requirements in a lightweight way relative to a hospital, as long as the underlying principle is met.
For instance, you might use an internal employee to perform your yearly security assessment with a checklist, and a large hospital contracts an outside vendor – both meet the requirement.
HHS is going to expect guidance that recognizes a 5-person clinic’s network segmentation will differ from a 500-bed hospital’s. Utilize low- or free-cost resources whenever possible (i.e., use free MFA software, use built-in encryption, leverage HHS’s security guidance tools).
In short, private practices need to get ready to change. Keeping within the law will take extra effort and could mean collaborating with IT experts. It’s best to begin budgeting and planning now (see next section) so you don’t get blindsided. It’s difficult, but becoming compliant will lower your chances of ending up in a front-page article about a breach – and that warm feeling is worth it.
1. HIPAA Compliance for Private Practices: Impacts of the 2025 Security Rule
So what does this do to solo practitioners and small- to mid-size firms? Essentially, more onus and maybe more expense – but greater protection against wrongdoing.
Compliance Burden & Expenses: Several of the new regulations (e.g., MFA, encryption, yearly audits, pen-testing) can compel small offices to invest in IT upgrades or services.
Practices that have been managing on minimal security now must invest in encryption software, MFA applications, network upgrades, risk assessment consultants, etc. Industry groups have complained that these requirements will squeeze smaller providers financially.
For example, the College of Healthcare Information Management Executives (CHIME) warned that the scope and timelines for the rule could “place an undue financial burden” on healthcare organizations.
The AMA also urged HHS to leave some room for small and medium practices, noting that one-size-fits-all may be unrealistic.
Disregarding these rules is not an option. Breaches can be extremely devastating for a small clinic, potentially resulting in hundreds of thousands in costs of fines, repairing issues, and lost trust – sufficient to shut a business.
The $10M average cost of a breach referenced above is impacted by large hospitals, but even a small practice breach tends to cost tens of thousands or more (along with reputational damage).
Regulators are also threatening that enforcement will be more severe: if these rules are implemented, OCR will likely levy larger fines on those who fail to comply, particularly if a breach occurs due to poor security.
That is, the price of not complying with the rules may be even higher, through fines or the fallout of a breach.
Operational Effect: Solo and small practices will require a stronger security program.
This could entail hiring a security officer (even a part-time one), regularly training staff on new regulations, and regularly carrying out security activities (such as monthly updates and quarterly drills).
Workflows could be adjusted a little – e.g., staff spend an extra 30 seconds logging in using MFA or perform new actions when an employee is leaving.
At first, it can feel like a huge effort. But most of these steps, once implemented, become second nature.
For instance, after a couple of weeks, clinicians become accustomed to using an authenticator app to log in, and it becomes second nature to do so.
Positive Side: There is something positive here: these changes, though challenging, will greatly make your practice more secure.
Small providers are most often targeted by hackers because their defenses are typically weaker. Adding robust protections can prevent serious issues.
For example, if a stolen device is encrypted, it will not trigger a reportable breach (preventing fines), as encryption renders the personal health information unreadable.
Multi-factor authentication (MFA) can prevent a cybercriminal who obtains a user’s password.
Periodic risk checks can identify vulnerabilities (such as an outdated firewall) before hackers do. So, consider these steps a means of guarding your patients and your business and keeping it safe for longer.
Scalability: HIPAA has always scaled based on the size of the organization.
Previously, “addressable” was a method of scaling, but now it is scaled based on how you implement required steps.
Small practices can implement these requirements in a less complex manner than a hospital, as long as the overall objective is met.
For instance, you can conduct your annual security audit yourself using a checklist, but a large hospital can contract with an outside company – both meet the requirement.
HHS will probably release guidance stating that a 5-doctor clinic’s network configuration will be different from the network configuration for a 500-bed hospital.
Utilize free or low-cost tools wherever possible (e.g., use free MFA software, enable built-in encryption, and read HHS’s security guidance documents).
In summary, private practices need to be ready to change. Adherence to the regulations will involve more effort and perhaps working with IT experts. It is sensible to begin planning and budgeting in advance (see following section) so you will not be surprised.
As hard as it is, compliance will help minimize your chances of being in the headlines for a data breach – and that alone is worth it.
2. Industry Responses to the Proposed 2025 HIPAA Rule (and What's Coming Next)
The healthcare sector is discussing a lot about these HIPAA updates. During the public comment period, numerous individuals who were involved – ranging from solo physicians to large health systems and professional associations – expressed their endorsement and concerns.
In general, most individuals think that we should make ePHI cybersecurity more robust due to the existing threats.
Meanwhile, numerous commenters raised genuine concerns: the challenge of complying with the rules, ambiguous language in certain sections, and whether all the concepts are feasible for organizations of varying sizes.
Some interesting responses and figures:
2.1 Record-Breaking Response:
The NPRM received close to 4,750 comments during the deadline time – an incredibly large number, which indicates how much these changes impact individuals.
Input came from a range of constituencies: independent physicians, small clinics, hospital chains, medical groups, computer firms, security firms, and patients.
Complaints of cost and complexity were the most frequent from the small providers, with security companies and patient advocacy groups usually requesting even stronger requirements.
A response as big as this indicates that HHS has much to consider while drafting the final rule.
2.2 Assistance to Security Objectives:
Most individuals were in favor of it being a good idea to protect patient information. Even the doubters generally concurred that it is a good idea to enhance cybersecurity.
For example, a coalition of healthcare IT organizations endorsed enhanced safety measures but requested that HHS promote good security habits rather than simply penalizing noncompliance (referencing a new law that shields practitioners of known best cybersecurity practices).
Most individuals feel that the rule must supplement current security systems and not duplicate or contradict other guidelines.
2.3 Concerns for Small Businesses:
As we said, physician groups such as the AMA reported that small practices and rural practices may be hit harder than others.
In their formal comments, the AMA recommended maintaining some flexibility (such as the idea of addressable implementation) in small and medium-sized practices so that they could implement measures to their risk and capacity.
Likewise, the National Rural Health Association (NRHA) and others asked for longer implementation periods or exemptions for the smallest organizations, worried that strict rules would cause some practices to shut down.
Whether or not HHS will make special accommodations, they will need to address these concerns about fairness in the final rule preamble.
2.4 Hospital & CIO Concerns:
Large hospital systems and CIO groups (such as CHIME and HIMSS) were also concerned, not necessarily with the concept but with how long it would take to implement it and how complex it would be.
CHIME, speaking on behalf of healthcare CIOs, even requested that HHS take a step back and reconsider the rule as proposed, deeming the timeline “unreasonable” and the requirements “unfunded” mandates that would “jeopardize the financial health” of healthcare providers.
They stated that many hospitals are still reeling from the pandemic’s challenges and are short-staffed, so diverting resources to quickly adjust to new cybersecurity regulations might be challenging.
CHIME and eight other groups signed a joint letter requesting the new administration (in 2025) to reconsider these requirements.
2.5 Major Issues Contested:
Some specific proposals got a great deal of feedback. For example, on the definition of “security incident” – HHS wanted to include attempted incidents, but many people complained that it would be too burdensome to report every try to send out a phishing email.
The 72-hour system recovery requirement was also contentious – some thought it was a good goal, others said that it might not always be possible depending on the situation.
These criticisms suggest that HHS might modify some of the details of the final rule to make them more practical (e.g., stating that only successful incidents need to be reported, or that the 72-hour recovery is merely a guideline and not a strict requirement).
What’s next? Now that comments are in, OCR will write the final rule and quite possibly revise some of it as a result of the feedback.
We expect the final rule to appear sometime late 2025, but it may get bumped to 2026 if there are complex issues.
When the final rule appears, it will clearly indicate what requirements are adopted and when they become effective.
Industry folks think most of the big proposals (like MFA and encryption) will hold, but HHS might make some parts easier (like providing more time for compliance or explaining exceptions more clearly).
Healthcare providers take notice. After the final rule is published, the official clock begins ticking on compliance.
Organizations like HHS OCR, healthcare law firms, and professional associations will publish summaries of the final rule at that point.
Those summaries will enable a person to quickly understand what is new from the proposal.
Experts are all in agreement (even the typically conservative ones) that you don’t have to wait: tighten your security now, as if these recommendations are going to be enforced.
These threats are very real and on the rise, and some of these measures (MFA, encryption, backups) are considered minimum security today.
An early start will not only prepare you for future regulations, but reduce your likelihood of a breach today. The second half provides you with actionable advice to get started.
3. Steps to get Ready for the New HIPAA 2025 Security Rule Compliance
Preparation for these sweeping changes may seem overwhelming, but acting now will avoid trouble (and fines) later. Here is a HIPAA compliance checklist for private practices and clinics navigating the 2025 Security Rule changes:
3.1 Educate Yourself and Your Team:
Start by making sure you get the recommended requirements and why they’re necessary.
Relate the top points to your office staff and leaders. Once individuals know the reasons why MFA or encryption is necessary (to prevent breaches, safeguard patients, prevent fines), they’ll be more supportive of the initiative.
Think of hosting a training session on basic cybersecurity habits which align with these new rules.
3.2 Do a Gap Analysis:
Compare your existing security practices to what is being proposed in the requirements.
See where you are lacking. Do you have MFA in place on all systems? Is all of your PHI encrypted? Do you have an asset inventory? Make a list of the gaps and rank them in order of risk.
This gap analysis is really your risk analysis update – write it down! If you never actually did do a risk assessment in the near past, do one now using the new standards (inventory assets, list threats and vulnerabilities, etc.).
This will inform you what you need to address with highest priority.
3.3 Create/Revise Policies and Documentation:
Start drafting any necessary policies or plans. At least, each practice should have the following documented: an information security policy, incident response plan, contingency (disaster recovery) plan, access management procedure, and risk management plan.
If you already have these, update them to include specifics (e.g., put an MFA requirement into policy, specify the times that backups must be restored, etc.).
Make sure you also have a paper tech inventory and a network drawing (even a simple spreadsheet and flowchart are okay).
The new rule will mandate written documentation on all of the above, so organize your documents now.
3.4 Implement Quick Wins First:
Tackle the low-hanging fruit compliance issues first. For instance, turning on MFA for an Office 365 email address or a cloud EHR typically can be done in a day – just have your vendor or IT support do it for all accounts.
Turning on full-disk encryption on new Windows or Mac computers typically is a straightforward option (BitLocker or FileVault).
These steps give you a lot of security value for little effort or cost. Begin with these “easy wins” to quickly mitigate risk.
3.5 Plan for Complex Upgrades:
If you need more sophisticated features such as separating networks or performing annual security scans, start planning now.
You might need to speak with an IT network professional to split your Wi-Fi or install a VLAN on medical devices.
You might also consider hiring outside companies like Human Medical Billing to perform vulnerability scans and penetration testing for small healthcare clinics – receive quotes and budget for these (every six months or annually as necessary).
Having your choices ahead of time will enable you to move quickly when the moment arrives.
3.6 Improve Access Controls:
Audit who has access to what within your organization. Rein in any excessive access straight away (principle of least privilege).
Remove unnecessary obsolete user accounts. Check for role-based access on your software if this is not already implemented. And create a process to immediately remove access when someone leaves.
If you use a cloud service, ensure you understand how to immediately remove user access.
Begin utilizing an onboarding and off-boarding employee checklist that includes access management – this will probably be an auditable item under the new rule.
3.7 Improve Backup and Recovery
Make sure you back up ePHI data each day, and secure the backups off-site or in the cloud (and encrypted!).
Test a restore to verify that you can recover critical systems in 72 hours. If taking a week currently to recover your EHR in the event of a failure, talk with IT to get that faster (possibly using cloud backup images or backup systems).
Document the steps of your contingency plan, and even practice it (e.g., “what do we do in case our system gets hacked?”).
This will help you stay in compliance and might save your practice in an actual crisis.
3.8 Check and Activate Your Suppliers:
Develop a list of all your business partners and IT services vendors. Contact them regarding the impending changes – ask if they have heard of the HIPAA Security NPRM and how they plan to meet the regulations.
Specifically, ask if they already use encryption, MFA, etc., and if they can make available the yearly security evidence that HHS will demand.
For the major vendors who seem unprepared or uncooperative, consider shopping around for new options in the future.
Revise your Business Associate Agreements as needed to reflect new requirements (such as 24-hour incident reporting).
Proactiveness with vendors will keep them from becoming your weakest link.
3.9 Stay Up-to-Date with Rule Changes
Monitor for release of the final rule (presumably through email or industry news).
Subscribe to OCR’s listserv or ask reliable sources so you know when the rule comes out and what’s new in the final rule.
Monitor for guidance documents as well – HHS frequently releases FAQs or guidance with new rules to provide some advance information about what to expect.
Having final details (e.g., specific compliance dates or what’s changed) will improve your prep plan.
4.0 Get Expert Help if Needed:
If unsure, don’t be afraid to speak with a HIPAA compliance expert or a cybersecurity advisor.
Some smaller practices outsource IT or security firms that offer HIPAA compliance packages.
Some of these packages offer virtual Security Officer services, policy templates, risk assessment information, and regular monitoring. Although it is an added expense, it may be worth it to know it’s all taken care of, and it will give you time to concentrate on patient care.
A one-time consultation will also provide you with a plan tailored to your practice.
4.1 Promote a Security-First Culture:
Start integrating cybersecurity into office culture before these rules start.
Let your staff know that patient data protection is central to quality care. Ask them to report unusual activity or email, and have your new incident response plan detail how to do it.
Reward good security behavior, like when an employee suggests a useful security tweak.
Human behavior is a major source of security breaches (like phishing or weak passwords), so training and culture are as vital as any technology solution.
By raising awareness now, your staff will be well prepared to adopt new processes like MFA logins or stricter rules when they go into effect.
By doing this, your practice will be that much closer to compliance with the 2025 HIPAA Security Rule changes, and you will also reduce your chances of a data breach in the process.
This is good for compliance and for actual security. Security is a process that continues – the notion is to keep improving, not to just do it once.
Take this as an opportunity to make your practice’s security to match the value of the information that you have.
Conclusion: Build Your Practice for 2025 and Beyond
The 2025 HIPAA Security Rule updates represent a new frontier in healthcare cybersecurity.
To solo practitioners and small clinics, it might sound scary, but it’s actually about safeguarding your patients trust and your own reputation.
Cyber attacks aren’t disappearing, and regulators want to tighten up protections.
Although there will probably be some tweaking before the rule is released, it’s certain that all will need to have more robust security in place.
By acting now – understanding the changes, building your team, and hardening your defenses – you can turn this compliance headache into an opportunity for improvement.
Not only will you sidestep last-minute scrambling and potential fines, but you’ll sleep better knowing your practice is far less likely to be struck by an attack.
As HHS officials have indicated, enforcement will likely become more stringent for non-compliers, but conversely, those who do invest in security may well find regulators more forgiving if something goes wrong (particularly under laws that reward good security habits).
Following the new HIPAA regulations in 2025 will not be a matter of doing the bare minimum – it will be a matter of weaving security into your daily work.
This may mean implementing new technology, developing new policies, and breaking habits for your staff.
Change is rarely a simple task, but in this case, it is necessary. The bright side is that there is support and guidance.
With support from HHS and healthcare IT solutions, you don’t have to be alone. Most practices encounter the same problems, and consulting others or having professional help can make it simpler.
Ultimately, good security is required for good healthcare. Protecting patient information is protecting the patient, period.
By making these changes to the HIPAA Security Rule, you demonstrate to your patients that you care about their privacy and security.
This can provide you with a competitive advantage when patients are more informed about data breaches.
Have your practice’s security in place and invest in it today. Whether the final rule comes in 6 months or 18 months, you will be ahead of the game.
If some rules do change, you will be thankful that you invested in excellent security. Following the rules is time-consuming, but with the proper attitude, it can make your practice better and more secure.
To a safer and more secure 2025 and beyond, and to you and your patients!
