Brent T. Hoard is a partner at Troutman Pepper Locke. This article was co-authored with his colleague, TPL Associate Emma E. Trivax.
On January 6, 2025, the Biden administration’s Department of Health and Human Services Office for Civil Rights published a proposed rule that, if enacted, would significantly amend the HIPAA Security Rule.
The final rule is expected, at least for now, in May 2026. The proposed rulemaking purportedly responds to the rise in cyberattacks, expanded use of cloud and mobile technologies, and OCR’s repeated findings of inconsistent compliance.
Many of the proposed changes to the Security Rule would be materially time‑consuming and costly for covered entities and business associates to implement, and the proposed rule received criticism from many stakeholders across the healthcare industry.
However, if we look past the proposed rule’s potentially unduly burdensome features and understated costs ($360 for a penetration test? sign me up!), the proposed update identifies a number of foundational security practices that most entities can and should consider adopting now, irrespective of whether the proposed rule is finalized in its present form.
The practices and controls that we identify here will help an organization align its compliance program with existing HIPAA requirements, mitigate risk of a potential cyberattack and, if needed, be positioned to adjust to a final rule in any form within the compliance timeframe of 180 days from the effective date.
HIPAA Security Rule risk analysis
If your organization has not conducted a recent HIPAA Security Rule risk analysis, prioritize this action item. The risk analysis is used to identify and evaluate risks to your organization’s ePHI and to inform the development and implementation of safeguards that address those risks.
In addition to being good practice, a compliant risk analysis is an enforcement focus for OCR.
Encryption and multi‑factor authentication
The proposed rule would move to mandatory encryption of ePHI at rest and in transit and require multi‑factor authentication (MFA), subject to limited exceptions. Because most modern EHRs, cloud services, and email platforms already support these features, this is a practical place to start.
Steps your organization can take now:
- Inventory where ePHI is processed or stored within your IT environment (EHR, cloud platforms, laptops, mobile devices, email, patient portals);
- Confirm encryption is enabled by default (or implement it) for data at rest and data in transit;
- Document encryption settings for laptops, smartphones, tablets, and removable media;
- Verify transport security for email and patient portals; and
- Phase in MFA for:
- Remote access and VPNs;
- Administrator and privileged accounts; and
- Cloud services and applications that process ePHI.
Basic system hardening: anti-malware, software cleanup and ports
The proposed rule would add more prescriptive requirements for systems that store or process ePHI, including anti‑malware, removal of unnecessary software, and disabling unnecessary network ports.
Steps your organization can take now:
- Confirm anti‑malware tools are deployed and kept current on relevant servers, workstations, and mobile devices;
- Remove unused, legacy, or nonessential software from clinical and administrative systems; and
- Disable unnecessary services and ports.
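The port and service check above can be turned into a repeatable audit. The script below is an added example and is not from the article or from OCR; it assumes a Linux host with iproute2's `ss` command, and the allowlist of expected (protocol, port) pairs is a hypothetical one for an application server. It parses `ss -lntu` output (a constructed sample is embedded so it runs offline) and reports any network-reachable listener that is not on the allowlist; loopback-only sockets are skipped by default.

```python
"""Audit listening sockets on a Linux host against an allowlist.

Added example, not part of the article or the proposed rule. Assumes a
Linux host with iproute2's `ss`; the allowlist below is hypothetical.
"""
import subprocess
from typing import Iterable, List, Tuple

# Hypothetical allowlist: (protocol, port) pairs this server is expected to expose.
ALLOWED_LISTENERS = {
    ("tcp", 22),    # SSH for administration
    ("tcp", 443),   # HTTPS for the application
}

# Constructed sample of `ss -lntu` output (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511                *:443              *:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      50         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511             [::]:8080          [::]:*
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
"""


def parse_ss(lines: Iterable[str]):
    """Yield (proto, local_addr, port) from `ss -lntu`-style lines, skipping the header."""
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        addr, _, port = fields[4].rpartition(":")  # local address:port column
        if not port.isdigit():
            continue
        yield fields[0], addr, int(port)


def audit_listeners(lines: Iterable[str], allowlist=ALLOWED_LISTENERS,
                    ignore_loopback: bool = True) -> List[Tuple[str, str, int]]:
    """Return sorted (proto, addr, port) tuples that are listening but not allowlisted.

    Loopback-only sockets are skipped by default because they are not reachable
    from the network; pass ignore_loopback=False to report them as well.
    """
    loopback = {"127.0.0.1", "[::1]", "::1"}
    findings = set()
    for proto, addr, port in parse_ss(lines):
        if ignore_loopback and addr in loopback:
            continue
        if (proto, port) not in allowlist:
            findings.add((proto, addr, port))
    return sorted(findings)


def live_listeners() -> List[str]:
    """Run `ss -lntu` on this host and return its output lines."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    try:
        lines = live_listeners()
    except (FileNotFoundError, subprocess.CalledProcessError):
        lines = SAMPLE_SS_OUTPUT.splitlines()  # fall back to the constructed sample
    for proto, addr, port in audit_listeners(lines):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

Run it from a scheduled job on each server that stores or processes ePHI and treat a non-empty report as a finding to investigate: either the listener is needed and the allowlist is wrong, or the service should be disabled. Keeping the allowlist in version control next to the system's documentation lets the audit double as the written record the rule asks for.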
Backups, business continuity and disaster recovery
The proposed rule would tighten contingency planning, including written procedures to restore certain systems and data within 72 hours of a service disruption, separate technical controls for backup and recovery, and documented restoration priorities.
Steps your organization can take now:
- Identify and document truly critical systems for ePHI (e.g., EHR, billing, imaging, telehealth);
- Set realistic recovery time objectives (RTOs) for those systems;
- Confirm that backups of those systems are actually being taken, are kept separate from production systems, and can be restored within the RTO; and
- Document your organization’s backup procedures and business continuity/disaster recovery plan, including responsible personnel.
Incident response planning and testing
The rule would memorialize the need for written incident response plans, workforce reporting procedures, and periodic testing.
Steps your organization can take now:
- Develop (or update) a written incident response plan that:
- Assigns clear roles and a response lead;
- Defines how incidents are reported, triaged, and escalated;
- Addresses coordination with vendors, law enforcement, insurers, and legal counsel; and
- Covers patient and regulatory notifications in the event of a breach; and
- Develop a schedule to perform periodic incident response tabletop exercises (e.g., a ransomware event or major vendor breach) to test the plan’s effectiveness.
Access management and timely termination
The rule would strengthen access management requirements, including notice within 24 hours when a workforce member’s access to ePHI or relevant systems is changed or terminated – an area where OCR frequently finds deficiencies.
Steps your organization can take now:
- Review current access provisioning and deprovisioning processes;
- Establish a standard workflow requiring HR or managers to notify IT immediately when an employee or contractor:
- Leaves the organization; and
- Changes roles or responsibilities;
- Set an internal expectation to disable access to ePHI systems and remote tools within 24 hours of status change; and
- Develop a plan to extend these expectations to vendors by contract:
- Clarifying responsibilities for access changes and termination; and
- Planning to update business associate agreements if and as the rule is finalized.
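The 24-hour expectation is only useful if someone checks it. The script below is an added example, not from the article; it assumes two feeds whose formats are made up for illustration, an HR feed of status-change events and an identity-system log of responses (account disabled, roles updated). It pairs each HR event with the earliest matching identity action and reports whether access was changed within the SLA, changed late, never changed, or still inside the window. The sample records are constructed.

```python
"""Check that ePHI-system access was changed within 24 hours of an HR status change.

Added example, not from the article. The event formats are assumed for
illustration and the records below are constructed, not real.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SLA = timedelta(hours=24)

# Which identity-system action must follow each kind of HR event (assumed mapping).
REQUIRED_ACTION = {"terminated": "account_disabled", "role_change": "roles_updated"}

# Constructed sample HR feed (UTC timestamps).
HR_EVENTS = [
    {"user": "jdoe",   "event": "terminated",  "at": "2025-03-03T09:00:00Z"},
    {"user": "asmith", "event": "terminated",  "at": "2025-03-03T17:30:00Z"},
    {"user": "bchen",  "event": "role_change", "at": "2025-03-04T08:00:00Z"},
    {"user": "rpatel", "event": "terminated",  "at": "2025-03-04T12:00:00Z"},
]
# Constructed sample identity-system log. Note there is no record for rpatel.
IAM_EVENTS = [
    {"user": "jdoe",   "action": "account_disabled", "at": "2025-03-03T15:10:00Z"},
    {"user": "asmith", "action": "account_disabled", "at": "2025-03-05T09:00:00Z"},
    {"user": "bchen",  "action": "roles_updated",    "at": "2025-03-04T20:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_access_sla(hr_events: List[dict], iam_events: List[dict],
                     now: datetime, sla: timedelta = SLA) -> List[Dict]:
    """Compare each HR status change with the identity system's response.

    Returns one dict per access-affecting HR event with a status of:
      "ok"      - required action seen within the SLA
      "late"    - required action seen, but after the SLA had elapsed
      "missing" - no action seen and the SLA has already elapsed as of `now`
      "pending" - no action seen yet, but the SLA clock is still running
    `hours` is the measured delay for ok/late and None otherwise.
    """
    results = []
    for hr in hr_events:
        needed = REQUIRED_ACTION.get(hr["event"])
        if needed is None:
            continue  # not an event that changes access
        hr_at = parse_ts(hr["at"])
        # Earliest matching identity action at or after the HR event.
        responses = sorted(
            parse_ts(e["at"]) for e in iam_events
            if e["user"] == hr["user"] and e["action"] == needed
            and parse_ts(e["at"]) >= hr_at
        )
        if responses:
            delay = responses[0] - hr_at
            status = "ok" if delay <= sla else "late"
            hours = round(delay.total_seconds() / 3600, 2)
        else:
            status = "missing" if now - hr_at > sla else "pending"
            hours = None
        results.append({"user": hr["user"], "event": hr["event"],
                        "status": status, "hours": hours})
    return results


if __name__ == "__main__":
    for finding in check_access_sla(HR_EVENTS, IAM_EVENTS, now=datetime.now(timezone.utc)):
        if finding["status"] != "ok":
            print(f"{finding['user']}: {finding['event']} -> {finding['status']} "
                  f"({finding['hours']} h)")
```

Feed it the real HR and identity exports on a daily schedule and keep the output: a run that shows every termination closed inside the window is exactly the kind of evidence OCR looks for, and the "late" and "missing" rows point to the workflow gap between HR and IT that the rule is aimed at.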
The importance of documentation
The proposed rule repeatedly emphasizes written documentation of security policies, procedures, plans, and analyses.
Steps your organization can take now:
- Inventory existing HIPAA program documentation;
- Complete a Security Rule risk analysis (if not current); and
- Prioritize addressing any gaps in:
- Encryption and MFA documentation;
- Access provisioning, deprovisioning, and modification;
- Incident response plans; and
- Backup and business continuity/disaster recovery plans.
Transition period and next steps
While the fate of the proposed rulemaking remains somewhat uncertain, the action items above are relevant to protecting ePHI and mitigating cybersecurity risk regardless of that outcome.
Additionally, proactive organizations will be better prepared for the final rule in the event that it is not abandoned or significantly modified.