
The HIPAA Security Rule is getting its first major overhaul since 2003. In December 2024, the HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) that would rewrite the rules for how medical practices protect electronic protected health information (ePHI). The public comment period closed in March 2025 with 4,745 responses. Finalization remains on OCR's regulatory agenda for mid-2026.
If you run a small or mid-size medical practice, these changes will affect you directly. The proposed rule eliminates the concept of "addressable" safeguards, adds strict timelines for patching and incident response, and requires annual penetration testing. Here is what you need to know — and what you should start doing now.
OCR published the NPRM on December 27, 2024, and it appeared in the Federal Register on January 6, 2025. A 60-day comment period followed. During that window, HHS received 4,745 public comments — one of the highest response volumes for any healthcare regulation in recent years.
On January 20, 2025, the incoming administration issued a regulatory freeze memorandum pausing pending rulemaking for review. Industry groups including MGMA and the CHIME coalition petitioned HHS to withdraw the proposal, citing cost concerns for small and rural practices. Despite the pushback, OCR kept the rule on its official regulatory agenda. As of early 2026, finalization is scheduled for mid-2026.
Healthcare cybersecurity has bipartisan support. Both parties recognize that the surge in ransomware attacks and data breaches demands stronger baseline requirements. The final rule may include modifications, but the core direction — tighter, more specific, mandatory controls — is unlikely to change.
The current HIPAA Security Rule was written in 2003 and last revised in 2013. Healthcare cybersecurity has changed dramatically since then. Ransomware attacks on hospitals and clinics have surged. The average cost of a healthcare data breach reached $10.93 million per incident in IBM's 2023 Cost of a Data Breach report, the highest of any industry. OCR settled 21 enforcement actions in 2024 alone, the second-highest annual total on record.
HHS acknowledged that the existing rule has not kept pace. Too many covered entities treated "addressable" safeguards as optional. The result: gaps in encryption, multi-factor authentication, and basic security hygiene that attackers exploit every day.
The biggest structural change is the end of "addressable" safeguards, and it affects everything else in the rule. Under the current rule, some security measures are "required" and others are "addressable." Addressable means you can implement an alternative if you document why the standard approach isn't reasonable for your organization.
The proposed rule removes this distinction entirely. Every implementation specification becomes required, with only narrow, specific exceptions. If you've been relying on documented alternatives to skip encryption or MFA, that approach will no longer work.
Encryption of ePHI is no longer addressable. Every server, laptop, mobile device, and data transmission must use encryption, both at rest and in transit. The exception most likely to matter for a practice is a patient who specifically requests unencrypted ePHI. If your practice still has unencrypted laptops, portable drives, or email systems, you will need to fix that before the compliance deadline.
MFA becomes required on every technology asset that accesses ePHI. That includes your EHR, patient portal, email, billing system, and administrative accounts. The proposed rule provides a limited exception for FDA-authorized medical devices authorized before March 29, 2023, but only if you maintain a written transition plan to move that data to MFA-supported technology.
If your practice hasn't rolled out MFA yet, this is the single most important step you can take right now. Our guide on cybersecurity threats facing medical offices explains why credential theft remains one of the top attack vectors.
The proposed rule introduces hard deadlines for applying security patches: critical-risk patches within 15 calendar days of the patch becoming available, and high-risk patches within 30 calendar days.
For a small practice without dedicated IT staff, the 15-day critical patch requirement is aggressive. It means someone must be monitoring for vulnerabilities and deploying fixes within 15 calendar days, every time, and keeping a record of when each patch was applied. This is one area where managed IT services outperform break-fix support, since your provider handles patch monitoring and deployment as part of the service.
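One way to make the deadlines checkable is to run them against your own patch records. The script below is an added example, not code from the original article or from any vendor tool: it assumes a simple export of patch records (the field names and the sample rows are constructed for illustration) and applies the NPRM's proposed calendar-day windows of 15 days for critical-risk and 30 days for high-risk patches, reporting what is still open, what is overdue, and what was applied late.

```python
"""Patch-deadline check against the proposed HIPAA Security Rule timelines.

Added example, not from the original article. It assumes a simple export of
patch records (field names and the sample rows below are constructed) and
applies the NPRM's proposed calendar-day windows: 15 days for critical-risk
patches, 30 days for high-risk patches.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Proposed calendar-day deadlines, keyed by the vendor's severity rating.
DEADLINE_DAYS = {"critical": 15, "high": 30}


@dataclass
class PatchRecord:
    asset: str
    patch_id: str
    severity: str            # "critical", "high", or a rating with no hard deadline
    available: date          # day the vendor released the patch
    applied: Optional[date]  # day it was installed, or None if still missing


def evaluate(records: List[PatchRecord], today: date) -> List[Tuple[str, str, str, int]]:
    """Return (asset, patch_id, status, days_past_deadline) for every record.

    status: 'ok'        applied within the window
            'late'      applied, but after the deadline
            'open'      not yet applied, deadline still in the future
            'overdue'   not yet applied and the deadline has passed
            'untracked' severity has no proposed deadline
    """
    findings = []
    for r in records:
        window = DEADLINE_DAYS.get(r.severity.lower())
        if window is None:
            findings.append((r.asset, r.patch_id, "untracked", 0))
            continue
        deadline = r.available + timedelta(days=window)
        if r.applied is None:
            slip = (today - deadline).days
            status = "overdue" if slip > 0 else "open"
        else:
            slip = (r.applied - deadline).days
            status = "late" if slip > 0 else "ok"
        findings.append((r.asset, r.patch_id, status, max(slip, 0)))
    return findings


# Constructed sample rows; asset names and patch identifiers are illustrative.
SAMPLE = [
    PatchRecord("ehr-app-01", "vendor-2026-03-a", "critical", date(2026, 3, 1), date(2026, 3, 10)),
    PatchRecord("front-desk-02", "vendor-2026-03-a", "critical", date(2026, 3, 1), None),
    PatchRecord("billing-db", "vendor-2026-03-b", "high", date(2026, 3, 1), date(2026, 4, 5)),
    PatchRecord("imaging-ws", "fw-2.3", "medium", date(2026, 3, 1), None),
]
AS_OF = date(2026, 4, 10)  # fixed "today" so the sample gives repeatable results


def run_sample():
    """Evaluate the constructed sample as of AS_OF."""
    return evaluate(SAMPLE, AS_OF)


if __name__ == "__main__":
    for asset, patch_id, status, slip in run_sample():
        print(f"{asset:15} {patch_id:18} {status:10} {slip:>3} days past deadline")
```

Feeding it a real export means mapping your RMM or vulnerability scanner's columns onto the five fields above; the useful part is that "late" records stay visible after the fact, which is what an auditor asking about the 15-day window will want to see.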
Every practice must maintain a written inventory of all hardware, software, and data systems that handle ePHI. You also need a network map showing how patient data moves through your systems — from the front desk check-in to the EHR to the billing clearinghouse to the cloud backup.
Both documents must be reviewed and updated at least once every 12 months, and whenever significant changes occur (new threats, security incidents, new technology, or changes in regulations).
The proposed rule requires written procedures to restore critical electronic information systems and data within 72 hours of a loss event. You must maintain exact backup copies of ePHI and perform a criticality analysis to set restoration priorities. Our guide on backup and disaster recovery planning for medical offices covers the fundamentals.
Penetration testing must occur at least once every 12 months. Vulnerability scanning must occur at least every 6 months. For most small practices, this means hiring a third-party security firm — the same kind of work a virtual CISO (vCISO) coordinates for you.
Practices must implement network segmentation to limit lateral movement. If an attacker compromises one device, segmentation prevents them from reaching your entire network. At minimum, your guest Wi-Fi, medical devices, and administrative systems should sit on separate network segments.
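The minimum segmentation the paragraph above describes can be checked mechanically against an asset inventory and the firewall's inter-VLAN allow rules. The script below is an added example, not code from the original article or from any firewall vendor: the inventory format, VLAN numbers, rule rows, and the "misfiled" printer are all constructed, and the forbidden-flow table encodes only what the article asks for (guest Wi-Fi, medical devices, and administrative systems on separate segments, with no path from guest into the rest and no path from devices into admin systems).

```python
"""Segmentation sanity check over an asset inventory and inter-VLAN allow rules.

Added example, not from the original article. Assumes the inventory and the
firewall's allow rules are exported as simple rows; all field names, VLAN
numbers, and sample rows are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: asset -> (role, vlan).
# Roles used here: guest, meddev (medical device), admin, clinical (EHR side).
INVENTORY = {
    "guest-ap-lobby": ("guest", 50),
    "infusion-pump-3": ("meddev", 30),
    "ultrasound-cart": ("meddev", 30),
    "ehr-app-01": ("clinical", 20),
    "billing-ws-04": ("admin", 10),
    "printer-frontdesk": ("admin", 30),  # misfiled on purpose: sits on the device VLAN
}

# Constructed inter-VLAN allow rules: (src_vlan, dst_vlan, dst_port). VLAN 0 = WAN.
ALLOW_RULES = [
    (50, 0, 443),   # guest -> internet: fine
    (10, 20, 443),  # admin workstations -> EHR: fine
    (30, 20, 443),  # devices push results to EHR: fine
    (50, 20, 443),  # guest -> EHR: must not exist
    (30, 10, 445),  # devices -> admin file shares: must not exist
]

# Roles that must each have a VLAN of their own, and flows that must never be allowed.
MUST_BE_SEPARATE = {"guest", "meddev", "admin"}
FORBIDDEN_FLOWS = {
    ("guest", "clinical"), ("guest", "admin"), ("guest", "meddev"),
    ("meddev", "admin"),
}


def vlan_roles(inventory):
    """Map each VLAN to the set of roles present on it."""
    roles = defaultdict(set)
    for _, (role, vlan) in inventory.items():
        roles[vlan].add(role)
    return roles


def check_segmentation(inventory, rules):
    """Return a list of findings; an empty list means the minimum checks pass."""
    findings = []
    roles = vlan_roles(inventory)

    # Check 1: a VLAN carrying guest, medical-device, or admin assets may carry
    # nothing else, otherwise those classes are not actually separated.
    for vlan, rs in sorted(roles.items()):
        if rs & MUST_BE_SEPARATE and len(rs) > 1:
            findings.append(("mixed_segment", vlan, tuple(sorted(rs))))

    # Check 2: every allow rule is a path. If any role on the source VLAN may
    # not reach any role on the destination VLAN, the rule defeats segmentation.
    for src, dst, port in rules:
        for s in roles.get(src, ()):
            for d in roles.get(dst, ()):
                if (s, d) in FORBIDDEN_FLOWS:
                    findings.append(("forbidden_flow", (src, dst, port), (s, d)))
    return findings


def run_check():
    """Run the checks over the constructed inventory and rules."""
    return check_segmentation(INVENTORY, ALLOW_RULES)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Against the constructed data the check reports three problems: VLAN 30 mixes a device and an admin asset, a rule lets guest reach the EHR, and a rule lets devices reach admin file shares. The second check is deliberately role-based rather than VLAN-based, so a misfiled asset (the printer) automatically widens what a rule is judged to permit.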
When an employee leaves your practice, their access to all systems must be revoked within one hour. Other regulated entities must be notified of workforce access changes within 24 hours. This requires tight coordination between your HR process and IT systems — something you should document in advance, not scramble to figure out during a termination.
Annual business associate verification is entirely new. Every business associate must provide written verification once per year that they have deployed the required technical safeguards. That verification must include a written analysis by a subject matter expert, and a person of authority at the business associate must certify it in writing.
If you work with an EHR vendor, a billing clearinghouse, a cloud backup provider, or an IT company, you will need this annual certification from each one. Review your business associate agreements now and plan for this new requirement.
Written incident response plans must be reviewed and tested at least once every 12 months. Business associates must notify covered entities within 24 hours of activating their contingency plans. Subcontractors must do the same.
The proposed rule requires compliance audits at least once per year. These can be internal or external, but they must verify adherence to the full Security Rule. Combined with the enhanced risk assessment requirements, this creates a continuous compliance cycle rather than a one-time checkbox.
New employees must complete security training within 30 days of getting system access. All staff must receive refresher training at least once every 12 months.
If HHS finalizes the rule as proposed, the timeline is tight: the rule takes effect 60 days after publication in the Federal Register, and regulated entities must comply 180 days after that effective date.
That gives you roughly 240 days — about 8 months — from publication to compliance. If the final rule publishes in mid-2026, your practice would need full compliance by early-to-mid 2027. That is not a lot of time for practices starting from scratch.
HHS estimates the new rule will cost the healthcare industry approximately $9 billion in the first year and $6 billion per year after that. Over five years, the total reaches roughly $34 billion across all covered entities and business associates. Industry groups including MGMA and the CHIME coalition have pushed back, arguing the burden falls hardest on small and rural practices.
For individual small practices, costs will vary based on your current security posture. If you already encrypt ePHI, use MFA, and have a managed IT provider handling patches and monitoring, you may need only incremental changes — updated documentation, a penetration test, and revised business associate agreements. If you have been deferring security investments, the catch-up costs will be higher: new hardware encryption, MFA deployment, network segmentation, and potentially a full security assessment.
HHS argues that if the changes reduce breach-affected individuals by just 7 to 16 percent, the rule pays for itself. Given that a single ransomware attack can shut down a practice for weeks, proactive investment usually costs less than recovery.
Current HIPAA penalty tiers range from $145 per violation (Tier 1, lack of knowledge) up to $2.19 million per violation (Tier 4, willful neglect). Annual caps range from $25,000 to $1.5 million. OCR does not give small practices a pass — enforcement actions in recent years have targeted organizations of all sizes.
With "addressable" eliminated, enforcement becomes more straightforward. You either meet the requirement or you don't. There is no documented-alternative defense.
You don't need to wait for the final rule. Every requirement in the proposed rule is already a cybersecurity best practice. Here is what to do now:
1. Turn on MFA for every account that touches ePHI, starting with the EHR, email, and remote access.
2. Encrypt every laptop, mobile device, portable drive, and data transmission that carries ePHI.
3. Put a patch process in place that can meet the 15-day critical-patch window, and record when each patch was applied.
4. Build the asset inventory and network map, and put their annual review on the calendar.
5. Confirm that backups are exact copies and that you can actually restore critical systems within 72 hours.
6. Separate guest Wi-Fi, medical devices, and administrative systems onto their own network segments.
7. Schedule a vulnerability scan now and a penetration test within the year.
8. Document the offboarding steps that revoke access within one hour of a departure.
9. Review business associate agreements and ask each vendor how it will provide annual written verification.
10. Review, test, and date your incident response plan, and get new hires trained within 30 days of system access.
Preparing for the updated Security Rule touches every part of your IT infrastructure. Most small practices don't have the in-house expertise to handle it alone. Here is how we help:
Managed IT & Monitoring: We handle patch management within the proposed timelines, maintain your asset inventory and network documentation, and monitor for threats 24/7. When OCR publishes the final rule, your infrastructure will already meet the technical requirements.
Cybersecurity & vCISO Services: Our team runs vulnerability scans, coordinates annual penetration tests, implements network segmentation, and deploys endpoint detection and response (EDR) across your practice. Our vCISO service gives you a dedicated security advisor without the cost of a full-time hire.
HIPAA Compliance Support: We help you build the required documentation — risk assessments, incident response plans, policies, and procedures. We also help you manage business associate verification and annual compliance audits.
AI & Automation: Automated monitoring, alerting, and reporting reduce the manual burden of ongoing compliance. AI-powered tools flag suspicious access patterns, track policy changes, and generate audit-ready reports.
Check our pricing plans to see which level of support fits your practice. Every plan includes HIPAA compliance assistance and 24/7 security monitoring.
The proposed HIPAA Security Rule changes are coming. The specific dates may shift, and some details may change in the final version. But the direction is clear: HHS expects every covered entity to implement real, documented, verifiable security controls. The days of "addressable means optional" are over.
Starting now gives you time to spread the cost, fix gaps methodically, and avoid a last-minute scramble. Every step you take today reduces your risk of a breach, a fine, or both.
Schedule a free consultation to review your current HIPAA security posture and build a compliance roadmap for 2026 and beyond.