Proposed HIPAA Security Changes
- Ben Card
Recent HIPAA Security Rule Changes and How They Affect U.S. Businesses and Organizations

Overview of the Proposed HIPAA Security Rule Updates
The U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking on December 27, 2024, marking the first major update to the HIPAA Security Rule since 2013. This proposal aims to strengthen cybersecurity requirements in response to escalating cyberattacks on the healthcare sector.
Industry observers anticipate substantial operational impacts if these changes are finalized, with mandatory safeguards replacing flexible standards. Organizations may need major investments in cybersecurity infrastructure.
Key Technical and Administrative Requirements
The proposed rule introduces stricter technical requirements, including mandatory multi-factor authentication and mandatory encryption for electronic protected health information. These updates closely align with HHS efforts to address ransomware threats. Administrative requirements also expand, such as detailed documentation of policies, annual penetration tests, and more rigorous incident response obligations.
Timeline and Expected Compliance Considerations
Regulators project the finalization of the updated HIPAA Security Rule by May 2026, with major compliance deadlines potentially following within 240 days. This shortened compliance window may require organizations to begin preparing now. HHS recommends proactive measures, including early gap analyses and implementation of stronger cybersecurity controls, to ensure readiness.

Regulators advise organizations to begin conducting gap analyses, updating risk assessments, and enhancing cybersecurity controls well before the final rule arrives. Early action is expected to reduce compliance burdens and minimize organizational disruptions, especially for entities with complex IT infrastructures. As cyber threats continue to accelerate, proactive alignment with evolving standards will remain essential for long-term resilience.
Webcheck Security can help your organization prepare now, with gap assessments, audit preparation, audit evidence collection and review leadership, remediation leadership, and embedded virtual Chief Information Security Officer (vCISO)/Fractional Information Security Officer (FISO) continuous support and leadership.

