Background: Why HIPAA is being updated
The HIPAA Security Rule was last substantially updated in 2013. Since then, healthcare has moved from paper records to cloud systems, from desktop PCs to mobile devices, and from isolated networks to internet-connected everything. The threat landscape has changed entirely. The 2025 NPRM (Notice of Proposed Rulemaking) is HHS's response.
The biggest change: addressable vs. required
Under the current HIPAA Security Rule, security controls are divided into "required" and "addressable" standards. Addressable doesn't mean optional — it means you must either implement the control or document why you chose an equivalent alternative.
The proposed update eliminates this distinction for most security controls. The safeguards that were previously "addressable" — including encryption, multi-factor authentication, network segmentation, and vulnerability scanning — would become explicitly mandatory for all covered entities, regardless of size.
What this means for small practices: Controls you may have been deferring or substituting with alternatives would become mandatory. Practices that are not currently encrypting all ePHI or using multi-factor authentication would need to implement these regardless of arguments about cost or complexity.
Key requirements in the proposed update
Mandatory encryption everywhere
All ePHI must be encrypted at rest and in transit — no exceptions based on risk assessment conclusions. This applies to all systems, including legacy systems and on-premises servers that many practices still run.
Multi-factor authentication (MFA)
MFA would be required for all access to systems containing ePHI. This means your practice management software, EHR, email, and any remote access must use multi-factor authentication.
Network segmentation
Practice networks must separate clinical systems from administrative and guest networks. Patients using your waiting room Wi-Fi cannot be on the same network as your patient management system.
Annual technical assessments
In addition to the annual Security Risk Assessment, practices would be required to conduct annual technical vulnerability assessments — network scanning to identify and document security vulnerabilities.
Incident response and recovery plans
Written, tested incident response plans would be required — not just a policy on paper, but documented evidence that the plan has been reviewed and updated.
What "proposed" means — and why you should act now
As of mid-2026, the rule is still in the finalization process. However, two things are clear: the direction of enforcement is settled, and OCR has been citing the proposed rule's standards in its current investigations. Practices that implement these controls now are better protected today and will face no transition burden when the rule is finalized.
Our position: We advise every client to treat the proposed 2025 NPRM requirements as current requirements. The safeguards being proposed — encryption, MFA, vulnerability scanning — are baseline security hygiene regardless of what HIPAA requires. Implementing them now is good security practice and regulatory positioning simultaneously.
How to prepare your practice
The practices best positioned for the new requirements are those that have already completed a current Security Risk Assessment, implemented technical controls including encryption and MFA, and established documented security policies and training programs. If you haven't started, the annual risk assessment is the right first step — it identifies exactly where you stand against both current and proposed requirements.
Get ahead of the 2026 requirements now.
Our HIPAA assessments evaluate your practice against both current requirements and the proposed 2025 NPRM — so you're covered either way.