The HIPAA Security Rule Proposed Update: What It Will Require
On January 6, 2025, HHS OCR published a proposed overhaul of the HIPAA Security Rule — the first major revision since the rule was finalized in 2003. The changes are substantial. If finalized as proposed, the Security Rule will look fundamentally different from the version most organizations have been working under for two decades.
Why the update is happening
The HIPAA Security Rule was written when most healthcare organizations stored records on local servers behind physical firewalls. In the two decades since, the healthcare sector has moved to cloud-hosted EHR systems, telehealth platforms, mobile devices, and interconnected medical devices — while becoming the most-targeted industry for ransomware attacks.
OCR's enforcement experience has revealed a persistent pattern: covered entities treat "addressable" specifications as optional, skip encryption because the rule technically allows alternatives, and conduct risk analyses that exist on paper but do not reflect actual security posture. The proposed update is designed to close these gaps.
Key changes in the proposed rule
Elimination of the addressable/required distinction
Under the current Security Rule, implementation specifications are classified as either "required" or "addressable." Addressable specifications must be assessed and either implemented, replaced with an equivalent alternative, or documented as inapplicable. In practice, many organizations treat "addressable" as "not required."
The proposed rule eliminates this distinction entirely. All implementation specifications would become mandatory. There would be no addressable category. If a specification exists in the rule, you must implement it. Period.
This is the single most structurally significant change in the proposal. It removes the ambiguity that has allowed organizations to justify not encrypting ePHI, not implementing audit controls, and not deploying access management technologies.
Mandatory encryption at rest and in transit
Under the current rule, encryption is addressable — meaning you can choose not to encrypt if you document a reasonable alternative. Under the proposed rule, encryption of ePHI at rest and in transit would be required with no alternative. Every laptop, every database, every email, every backup tape, every portable device.
For organizations that have already implemented encryption across their environment, this changes nothing. For those relying on the addressable loophole, it changes everything. See our detailed analysis of HIPAA encryption requirements for current and proposed obligations.
Mandatory multi-factor authentication
The proposed rule would require MFA for all access to systems containing ePHI. This applies to EHR systems, email platforms with patient data, cloud storage, administrative portals, and any other system where ePHI is accessible.
Limited exceptions would exist for situations where MFA is technically infeasible — legacy systems that cannot support it, for example — but the burden is on the covered entity to document why and to implement compensating controls. The default expectation is MFA everywhere.
Annual written asset inventories and network maps
The proposed rule would require covered entities to create and maintain a written inventory of all technology assets that create, receive, maintain, or transmit ePHI, updated at least annually. This includes hardware, software, and network components.
Additionally, the rule would require a network map showing how ePHI moves through your environment — between systems, to business associates, across network segments. The intent is to ensure organizations actually know where their ePHI lives, which is a prerequisite for protecting it.
Annual compliance audits documented in writing
The current rule requires periodic "evaluation" of security measures. The proposed update would replace this with a requirement for annual compliance audits that must be documented in writing and retained for review. The audit must verify that the organization's security measures, as actually implemented, conform to the Security Rule.
This is more prescriptive than the current evaluation standard and establishes a clear annual cycle of accountability.
72-hour notification to regulated entities for business associate incidents
Business associates would be required to notify covered entities within 72 hours of activating their contingency plan or identifying a security incident that could affect ePHI. This is faster than current breach notification timelines and is designed to ensure covered entities learn about threats to their data quickly.
Current status and timeline
The NPRM was published in the Federal Register on January 6, 2025, with a 60-day public comment period that closed in March 2025. As of April 2026, the proposed rule is on OCR's finalization agenda. Once a final rule is published, HHS has indicated a compliance window of approximately 180 days for most provisions.
Whether the rule is finalized exactly as proposed, modified, or delayed, the direction is clear: OCR is moving toward more prescriptive, less flexible requirements. Organizations that wait for the final rule to begin preparing will be behind.
How to prepare now
Regardless of the final rule's timeline, the proposed changes reflect what OCR already considers best practice — and what it already cites in enforcement actions. Preparing now means:
- Implement encryption everywhere. If you have unencrypted ePHI on any device or in any transmission, fix it now. This will be mandatory under the proposed rule and is already a near-automatic willful neglect finding when breaches involve unencrypted data.
- Deploy MFA. Enable multi-factor authentication on every system that touches ePHI. Start with your EHR, email, and cloud platforms.
- Build your asset inventory. Document every system, device, and application that creates, receives, maintains, or transmits ePHI. Map how data flows between them.
- Conduct a current-state risk analysis. If your last risk analysis is more than 12 months old, do a new one. Use the proposed rule's standards as your benchmark.
- Review business associate agreements. Ensure your BAAs include incident notification timelines that align with the proposed 72-hour requirement.
- Document everything. The proposed rule increases documentation requirements across the board. Start building the habit of written policies, written assessments, and written audit trails.
How BlackSheep helps
BlackSheep's HIPAA compliance platform is already aligned with the proposed rule's requirements. Asset inventory tracking, risk analysis workflows, policy documentation, encryption verification, and compliance audit trails — built into one platform so you are not scrambling when the final rule drops.
The proposed rule is coming. Get ahead of it.
Prepare for the HIPAA update with BlackSheep