
September 26, 2025

HIPAA’s Security Shake-Up: Mandatory Controls and Enhanced Enforcement for 2025

For decades, the Health Insurance Portability and Accountability Act (HIPAA) has served as the bedrock of patient privacy and data security in the U.S. healthcare sector. While its core principles remain steadfast, today’s cyber threats demand stronger defenses than ever before. In response, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), has proposed significant updates to the HIPAA Security Rule.

These changes, proposed for 2025 and beyond, are far from minor tweaks. They represent a fundamental shift, moving critical “addressable” safeguards to “required” mandates and signaling a new phase of stricter enforcement. For healthcare organizations (Covered Entities) and their partners (Business Associates), the message is clear: the time for good-faith efforts is evolving into a demand for demonstrable, robust security. As a CPA and consulting firm, Johnson Lambert understands that preparing for these changes is not just a compliance exercise; it’s a strategic imperative to protect patient data, financial stability, and organizational reputation.

What Are the Updates? A New Era of Mandatory Safeguards

The proposed updates to the HIPAA Security Rule aim to strengthen the cybersecurity protections for Electronic Protected Health Information (ePHI) in response to the escalating volume and sophistication of cyberattacks targeting the healthcare sector. Key proposed changes include:

Elimination of “Addressable” Standards (All Are Now Mandatory): This is perhaps the most significant shift. Previously, certain implementation specifications were “addressable,” allowing entities the flexibility to implement them as appropriate or to document why doing so was not reasonable and practicable. Under the proposed rule, this distinction is eliminated, making all applicable safeguards mandatory. The aim is a more uniform and stringent baseline for ePHI protection.

Impact: Organizations can no longer justify opting out of certain safeguards; all must be implemented, documented, and auditable.

Mandatory Multi-Factor Authentication (MFA): MFA is no longer an option. It is proposed to become a required safeguard for all access points to systems containing ePHI. This includes cloud services, on-premise systems, and third-party applications.

Impact: Organizations must implement MFA across all user accounts accessing ePHI, regardless of whether the system is internal or managed by a Business Associate.

Mandatory Encryption for ePHI at Rest and In Transit: While often considered a best practice, encryption of ePHI, both when stored on devices and servers (at rest) and when transmitted across networks (in transit), is set to become a required implementation specification.

Impact: Covered Entities and Business Associates must ensure robust encryption methods are applied to all ePHI across their entire infrastructure, including databases, endpoints, cloud storage, and network communications.

Enhanced Risk Analysis and Asset Inventories: The updates emphasize a more comprehensive and detailed approach to risk analysis. This includes:

  • Mandatory Technology Asset Inventories and Network Maps: Organizations will be required to develop and maintain detailed inventories of all technological assets that process, store, or transmit ePHI, along with network maps tracing ePHI flow. These must be reviewed at least annually or following significant operational changes.
  • Data Flow Mapping: Risk assessments will need to be more granular, focusing on where ePHI resides, how it moves through systems, and its vulnerabilities at each stage.

Impact: Expect a higher bar for documenting your ePHI environment and associated risks.

Strengthened Incident Response and Contingency Planning: The proposed rule reinforces requirements for preparing for and responding to security incidents:

  • Disaster Recovery Testing: Mandated regular testing of disaster recovery plans to ensure systems and data can be restored within a reasonable timeframe (e.g., 72 hours).
  • Incident Response Plans: Covered Entities must establish written incident response procedures, review them regularly, and test their effectiveness through exercises. The rule does not explicitly require tabletop drills, but conducting them is a best practice for validating readiness.

Impact: Organizations must move beyond theoretical plans to demonstrably test and refine their resilience.

Regular Security Assessments, Vulnerability Scanning, and Penetration Testing:

  • Vulnerability Scans: Required at least every six months.
  • Penetration Testing: Required annually to simulate attacks and identify exploitable weaknesses.
  • Annual Compliance Audits: Regulated entities must conduct compliance audits of their safeguards at least once every 12 months.
  • Business Associate Verification: Business Associates must annually verify, via subject matter expert (SME) analysis and written certification, that required technical safeguards are in place.

Impact: Continuous vigilance and proactive testing will be non-negotiable.

Timelines: What to Expect in 2025

The initial Notice of Proposed Rulemaking (NPRM) for these updates was issued in late December 2024, and the public comment period ended in March 2025. Finalization is uncertain: the president’s January 31, 2025 executive order placed a regulatory freeze on new rules pending review, leaving the rule’s future in question. Typically, a compliance window (e.g., 180 to 365 days) follows publication of a final rule before enforcement begins. Organizations should therefore prepare now for these technical and administrative safeguards to become legally binding and actively enforced.

Comparison to Other Key Regulations

The HIPAA Security Rule updates reflect a broader trend in cybersecurity regulation, emphasizing a more proactive and auditable approach.

  • NYDFS Part 500 (New York Department of Financial Services Cybersecurity Regulation):
    • Similarities: NYDFS Part 500, especially its updates impacting “Class A” companies, already requires mandatory MFA, encryption of sensitive non-public information (similar to ePHI), robust risk assessments, and comprehensive incident response plans. Both aim for a high standard of data protection and accountability.
    • Differences: NYDFS is sector-specific (financial services in New York), while HIPAA is healthcare-specific. NYDFS has explicit requirements for CISO reporting to the Board and annual certifications, which HIPAA has not historically required (though the new updates move in that direction).
  • NAIC Insurance Data Security Model Law:
    • Similarities: The NAIC Model Law, adopted by many states for the insurance industry, mandates information security programs, risk assessments, incident response plans, and third-party oversight.
    • Differences: The NAIC Model Law offers more flexibility than the prescriptive HIPAA Security Rule. However, some states allow HIPAA compliance to stand in for NAIC compliance, making HIPAA’s updates a new benchmark.
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act):
    • Similarities: CPRA introduced annual cybersecurity audits and risk assessments for certain businesses, echoing HIPAA’s proposed annual compliance audit requirements. The CPRA audit requirements are in the final stages of the regulatory process.
    • Differences: CCPA/CPRA covers all personal information for California residents, with strong data subject rights (access, deletion, opt-out). HIPAA is narrowly focused on health data. Organizations serving Californians’ health data must reconcile both.

How to Prepare: Key Focus Areas for Covered Entities and Business Associates

Navigating these proposed updates requires a proactive and comprehensive strategy. Here are key focus areas for healthcare organizations and their partners in 2025:

Conduct a Thorough Gap Analysis and Updated Risk Assessment

  • Action: Begin with a comprehensive assessment of your current security posture against the new, mandatory HIPAA Security Rule requirements. Identify all systems, applications, and processes that create, receive, maintain, or transmit ePHI. Document data flows.
  • Why: This will highlight specific areas of non-compliance and pinpoint vulnerabilities. A detailed, up-to-date risk assessment is the foundational element for all subsequent preparation.

Prioritize and Implement Mandatory Technical Safeguards

  • Action: Review and implement MFA across all systems accessing ePHI. Ensure ePHI is encrypted at rest and in transit across all environments (on-premise, cloud, mobile devices, backups).
  • Why: These are no longer “addressable” choices; they are non-negotiable requirements that will be a prime focus for OCR enforcement.

Strengthen Incident Response and Contingency Planning

  • Action: Review and update your incident response plan to align with the new requirements for recovery timelines (e.g., 72 hours). Conduct disaster recovery testing and consider tabletop exercises as a best practice to validate readiness.
  • Why: A tested plan ensures rapid recovery and minimizes the impact of a breach, directly influencing compliance and financial fallout.

Enhance Third-Party Risk Management (TPRM)

  • Action: Review and update all Business Associate Agreements (BAAs) to reflect the strengthened security mandates. Conduct more rigorous due diligence and ongoing monitoring of your business associates’ and downstream vendors’ security practices.
  • Why: You are increasingly accountable for your partners’ security; their weaknesses become your regulatory liabilities.

Invest in Continuous Monitoring and Proactive Testing

  • Action: Implement regular (biannual) vulnerability scanning and annual penetration testing to identify and remediate weaknesses before they can be exploited. Establish continuous monitoring systems for ePHI access and activity.
  • Why: Proactive testing and monitoring are essential for maintaining an agile defense against evolving threats and demonstrating ongoing compliance.

Update Policies, Procedures, and Training

  • Action: Revise internal security policies and procedures to reflect the new mandatory safeguards and enhanced requirements. Conduct mandatory and ongoing cybersecurity awareness training for all workforce members, emphasizing their role in protecting ePHI.
  • Why: Policies provide the framework, procedures guide action, and training ensures human vigilance, all of which are subject to audit.

Seek Expert Guidance

  • Action: Consider engaging cybersecurity and compliance experts, especially if your internal resources are stretched or lack specialized knowledge in the updated requirements. They can support the requirement to complete a compliance audit at least once every 12 months.
  • Why: External expertise can provide objective assessments, identify blind spots, and efficiently guide your organization through complex implementation processes.

Safeguarding Health Data, Securing the Future

The proposed HIPAA Security Rule updates are a clear signal from regulators: the protection of ePHI is paramount, and complacency will not be tolerated. For healthcare organizations and their vital partners, this means a pivotal shift towards a demonstrably secure and compliant posture. It’s an opportunity not just to meet anticipated legal obligations but to significantly enhance patient trust, mitigate financial risks, and strengthen the very foundation of the healthcare ecosystem.

Johnson Lambert bridges the gap between regulatory requirements and practical implementation. Our expertise in risk advisory, internal controls, and compliance audits uniquely positions us to help your organization prepare for these critical HIPAA changes, ensuring your security investments translate into effective protection for sensitive health information and sustained compliance confidence.

Connect with our team to discuss how these proposed HIPAA changes could impact your organization and the steps you can take now to prepare.

Kim Mobley, Partner

Greg Daniel, Managing Director

Matt Flynn, Senior Manager

Carly Kanwisher, Senior Manager
