HHS published a Notice of Proposed Rulemaking on January 6, 2025 (90 Fed. Reg. 898) proposing sweeping changes to the HIPAA Security Rule — mandatory MFA, mandatory encryption, 72-hour breach notification, and more. The final rule is expected in 2026. Is your organization ready?
What the NPRM Proposes
The 2003 HIPAA Security Rule relied heavily on "addressable" specifications — organizations could document equivalent alternatives. The NPRM closes that door on the most critical controls.
Source: 90 Fed. Reg. 898
MFA would be mandatory for all access to ePHI — clinical systems, EHRs, cloud storage, email. Under the current 2003 rule, MFA is an "addressable" specification: organizations can document a reasonable alternative. The NPRM eliminates that flexibility entirely for authentication.
Source: 90 Fed. Reg. 898 (Jan. 6, 2025)
Encryption of ePHI — both at rest and in transit — would move from "addressable" to "required." Organizations that rely on physical security or network perimeter controls as a documented alternative to encryption would need to implement cryptographic encryption.
Source: 90 Fed. Reg. 898 (Jan. 6, 2025)
Covered entities would be required to notify HHS within 72 hours of discovering a breach affecting ePHI. Current requirements allow "without unreasonable delay, no later than 60 days." This is a dramatic tightening that requires pre-built incident response runbooks and clear internal escalation paths.
Source: 90 Fed. Reg. 898 (Jan. 6, 2025)
The NPRM proposes making risk analysis explicitly annual rather than "periodic." Organizations that conduct risk assessments every 2–3 years would need to increase cadence and build repeatable, documented processes. The assessment must be documented and address all potential risks to ePHI.
Source: 90 Fed. Reg. 898 (Jan. 6, 2025)
ePHI systems would need to be segmented from general-purpose networks. This affects organizations that run clinical applications on shared corporate networks without isolation, and may require VLAN restructuring, micro-segmentation, or dedicated ePHI network zones.
[UNVERIFIED] — verify against final rule text
Regular vulnerability scanning and penetration testing would be mandated on a defined schedule, not left to organizational discretion. Organizations without existing vulnerability management programs would need to build or buy scanning capabilities and a remediation tracking process.
[UNVERIFIED] — verify against final rule text
A comprehensive technology asset inventory and network map would be required, explicitly documenting all systems that create, receive, maintain, or transmit ePHI. This is a prerequisite for the required risk analysis and is often absent in smaller covered entities and critical access hospitals.
Source: 90 Fed. Reg. 898 (Jan. 6, 2025)
Covered entities would face enhanced requirements to verify business associates' security controls — not just execute BAAs, but actively confirm implementation. This may require annual attestations, third-party assessment reviews, or evidence collection from BAs handling ePHI.
Source: 90 Fed. Reg. 898 (Jan. 6, 2025)
The NPRM proposed 180 days for most provisions after the final rule's effective date, with a one-year window for certain provisions. For organizations with complex EHR environments, legacy infrastructure, or limited IT staff, 180 days is an aggressive timeline to implement MFA and encryption org-wide.
[UNVERIFIED] — subject to final rule text
Interactive Assessment
Rate your current status against each proposed requirement. Your readiness score updates in real time — use it to prioritize your gap remediation effort.
Regulatory Timeline
From NPRM publication through expected compliance deadlines — where we are and what comes next.
HHS Office for Civil Rights published the Notice of Proposed Rulemaking proposing the most significant update to the HIPAA Security Rule since 2003. Proposed changes include mandatory MFA, encryption, asset inventory, and a tightened breach notification window.
Source: federalregister.gov
The 60-day public comment period closed. HHS received comments from covered entities, business associates, healthcare associations, and technology vendors. HHS is now analyzing comments to finalize the rule.
90-day review period underway
HHS is reviewing comments and drafting the final rule. No official publication date has been announced. Healthcare organizations should treat this window as preparation time — gap assessments, MFA rollouts, and encryption projects take months to execute. [UNVERIFIED — status as of April 2026]
HHS has signaled intent to finalize the rule in 2026, but no official date has been set. The final rule text may differ from the NPRM — particularly on timelines and specific technical requirements.
The NPRM proposed a 180-day compliance window for most provisions after the final rule's effective date. MFA, encryption, asset inventory, and annual risk assessments would likely fall under this window.
Certain provisions may receive a one-year implementation window, potentially including network segmentation and enhanced business associate verification requirements that require more complex organizational change.
Financial Exposure
HIPAA enforcement has teeth. Between OCR penalties, breach remediation costs, and reputational damage, non-compliance is far more expensive than preparation.
Action Plan
The comment period is closed and the rule's direction is clear. Organizations that start today have 6–18 months of preparation runway. Those that wait for the final rule risk a 180-day sprint they can't complete.
Map your current technical and administrative safeguards against each proposed requirement. Document what is in place, what is partial, and what is absent. This baseline drives your remediation budget and timeline. Use the proposed rule text (90 Fed. Reg. 898) as the assessment framework — don't wait for the final rule.
Enterprise MFA rollouts — especially in clinical environments with legacy systems, shared workstations, and 24/7 operations — take months of planning, testing, and change management. Identify systems outside your current MFA scope now: EHR integrations, lab systems, medical devices, and third-party portals.
Inventory all locations where ePHI exists: production databases, backups, archives, data lakes, mobile devices, laptops, and business associate systems. Verify encryption-at-rest and TLS-in-transit for each. Common gaps: legacy database servers without transparent data encryption, unencrypted backup tapes, and unencrypted SFTP endpoints used for HL7 feeds.
Rewrite your breach response runbook with a 72-hour HHS notification clock. This requires: defined discovery criteria, clear escalation paths to legal and compliance, a breach assessment workflow that can run over a weekend, and pre-drafted HHS notification templates. Test your plan with a tabletop exercise before the final rule is published.
A complete, current inventory of systems that create, receive, maintain, or transmit ePHI is both an explicit proposed requirement and a prerequisite for your risk analysis, network segmentation design, and vulnerability scanning scope. If you don't have an accurate inventory today, this is the highest-leverage first step — every other control depends on knowing what you're protecting.
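One way to turn the gap assessment and inventory steps above into a repeatable check, as an added example (not the page's own tool or any product) that scores a constructed ePHI asset inventory against the controls the NPRM would make required; the asset names and control states are assumed for illustration:

```python
"""Gap assessment of a constructed ePHI asset inventory against the
NPRM's proposed required controls. Added example, not the page's tool."""
from dataclasses import dataclass

# Controls the NPRM would move from "addressable" to "required"
# (90 Fed. Reg. 898): MFA, encryption at rest/in transit, segmentation.
REQUIRED_CONTROLS = ("mfa", "encrypted_at_rest", "encrypted_in_transit", "segmented")


@dataclass
class Asset:
    name: str       # hypothetical hostname/label
    role: str       # what the system does with ePHI
    controls: dict  # control name -> True, False, or "partial"


# Constructed sample inventory; names and states are illustrative only.
INVENTORY = [
    Asset("ehr-db-01", "EHR database",
          {"mfa": True, "encrypted_at_rest": False, "encrypted_in_transit": True, "segmented": True}),
    Asset("hl7-sftp", "HL7 interface endpoint",
          {"mfa": False, "encrypted_at_rest": True, "encrypted_in_transit": False, "segmented": False}),
    Asset("backup-tape", "Offline backup set",
          {"mfa": "partial", "encrypted_at_rest": False, "encrypted_in_transit": True, "segmented": True}),
]


def assess(inventory):
    """Map each asset to the controls that are absent or only partial."""
    gaps = {}
    for asset in inventory:
        missing = [c for c in REQUIRED_CONTROLS if asset.controls.get(c) is not True]
        if missing:
            gaps[asset.name] = missing
    return gaps


def readiness_score(inventory):
    """Percent of (asset, control) pairs fully in place; 'partial' counts as a gap."""
    total = len(inventory) * len(REQUIRED_CONTROLS)
    done = sum(1 for a in inventory for c in REQUIRED_CONTROLS if a.controls.get(c) is True)
    return round(100 * done / total) if total else 0


def prioritized_gaps(inventory):
    """Controls ordered by how many assets lack them, so the widest gap is remediated first."""
    counts = {c: sum(1 for a in inventory if a.controls.get(c) is not True) for c in REQUIRED_CONTROLS}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Feed it your real inventory (one Asset per system that creates, receives, maintains, or transmits ePHI) and the output becomes the baseline that drives the remediation budget and timeline described above.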
Your email is stored locally in your browser. Notification delivery is not yet active — we will update this page when the feature launches. grc.engineering is a consulting practice, not a SaaS vendor.