This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.
Why Now? The Rising Cyber Threats Driving HIPAA Reform
In December 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) proposed the first significant update to the HIPAA Security Rule since 2013, prompted by a surge in cyberattacks against healthcare organizations that have compromised patient information and disrupted care.
OCR’s goal is to align the Security Rule with current cybersecurity best practices and strengthen the protection of electronic protected health information (ePHI). As of December 2025, the rule is scheduled to be finalized in May 2026, which suggests that major new HIPAA security requirements could take effect by the end of 2026.
What’s Changing? Key HIPAA Security Rule Updates and Their Impact
The proposed revisions introduce several significant changes to HIPAA Security Rule requirements for health plans, healthcare providers, clearinghouses, and business associates. Key elements include:
- Mandatory Safeguards: All security safeguards would be required, eliminating the current distinction between “required” and “addressable” measures.
- Annual Compliance Audits: Covered entities will need to conduct formal compliance audits at least once every 12 months.
- Asset Inventory & Network Mapping: Organizations must maintain an up-to-date inventory of all technology assets (including AI tools) that create, receive, maintain, or transmit ePHI, and maintain a network map detailing the flow of ePHI within their systems.
- Enhanced Risk Management: Risk analyses and gap assessments must be performed annually. Patch management policies should be reviewed and updated each year and whenever new technologies are implemented, and disaster recovery procedures must be developed that can restore lost systems and ePHI within 72 hours of a loss.
- Stricter Technical Controls: All technology assets that access ePHI must use multi-factor authentication (MFA). Encryption will be required for ePHI both at rest and in transit. Additionally, wherever feasible, networks should be segmented to help contain potential cyberattacks.
- Business Associate Requirements: Business associates and their subcontractors must provide annual written confirmation of required technical safeguards. They should notify covered entities within 24 hours when activating a contingency plan for a security incident, or if workforce access to ePHI changes or ends.
- Group Health Plans: Plan sponsors must update plan documents to require compliance with HIPAA security safeguards, mandate incident reporting, and ensure notification to the plan within 24 hours of activating a contingency plan.
Implementation Timeline:
The rule is expected to become effective in July or August 2026 (60 days after publication), with most provisions required within 180 days. This means compliance deadlines will fall before the end of 2026 or in early 2027.
Potential Challenges:
Healthcare organizations may face substantial operational and financial burdens, from technology upgrades to contract updates and workforce training. Accelerated notification timelines and annual audits could further strain internal resources.
Recent Enforcement Actions:
In 2025, OCR levied more than $6.6 million in fines for HIPAA violations. These enforcement actions affected a variety of covered entities and business associates, from small physician practices to health systems. Many fines were attributed to breaches of the HIPAA Security Rule, especially inadequate risk assessments, ransomware incidents, and weak technical safeguards. Fines ranged from $80,000 to $3,000,000, with the highest penalty resulting from a major breach caused by a phishing attack on a business associate.
What Should You Do Now? Practical Steps for Healthcare Leaders
It is still uncertain whether OCR will finalize the proposed amendments and how much industry feedback it will incorporate. Despite sharp criticisms and industry pushback, recent developments strongly suggest that OCR is likely to move forward with finalizing the rule, having kept it on its official regulatory agenda for May 2026. In the meantime, stakeholders should prepare for potentially transformational changes to their HIPAA security programs.
Action Items for Healthcare Organizations:
- Assess Your Current Security Posture: Review existing HIPAA security measures, technology asset inventories, and risk management processes.
- Prepare for Mandatory Safeguards: Identify any “addressable” security measures and develop plans to make them fully compliant and operational.
- Update Policies and Contracts: Review and update internal policies, workforce training, disaster recovery plans, and Business Associate Agreements to align with anticipated requirements.
- Engage Key Stakeholders: Coordinate with IT, compliance, legal, and vendor management teams to ensure readiness for annual audits, new technical controls, and accelerated notification obligations.
- Monitor Regulatory Developments: Stay informed about the rulemaking process and be prepared to adjust compliance strategies as the final rule is published.
How Husch Blackwell Can Help: Your Partner in Navigating HIPAA’s Next Chapter
Husch Blackwell’s Healthcare Privacy & Security team is uniquely positioned to guide healthcare organizations through these significant HIPAA Security Rule changes. Our attorneys have extensive experience advising clients on HIPAA compliance, cybersecurity risk assessments, policy development, and vendor management. We offer:
- Regulatory Guidance: Interpreting new requirements and developing tailored compliance strategies.
- Contract Review & Negotiation: Updating Business Associate Agreements and vendor contracts to reflect new technical and notification obligations.
- Policy & Training Updates: Assisting with the development and revision of internal policies, procedures, and workforce training to reduce non-compliance risks.
- Incident Response: Providing rapid support in the event of a breach, including regulatory notifications and mitigation strategies.
Contact us
For further details or additional information, please contact Noreen Vergara or another member of the Husch Blackwell Healthcare Privacy and Security Work Group.