The Biggest HIPAA Change in Twenty Years Is Coming

On January 6, 2025, the Office for Civil Rights published a Notice of Proposed Rulemaking that would rewrite the HIPAA Security Rule for the first time in a meaningful way since 2013. If you run a small medical or dental practice, this is the most consequential compliance development you will face this decade, and most practice owners I speak with in San Diego County have not heard about it.

The Security Rule is the part of HIPAA that governs how you protect electronic protected health information. For more than twenty years it has been deliberately flexible, which is a polite way of saying it let small practices defer almost every meaningful safeguard. The proposed rule removes that flexibility. It does not add a few new boxes to check. It changes the entire philosophy of what compliance means.

I want to walk you through exactly what is being proposed, in plain language, and what each change would require from a practice with five to twenty-five people. The rule is not final yet, but the direction is clear, and the practices that prepare now will not be scrambling when it lands.

Where this stands: The NPRM (Notice of Proposed Rulemaking) was published in January 2025 and the public comment period has closed. A final rule has not been issued as of mid-2026. Nothing below is legally binding yet. Treat this as a preview of where the requirements are heading, not as current law.

Change 1: "Addressable" Safeguards Go Away

This is the single most important change, and it is the one that will catch small practices off guard. Under the current Security Rule, safeguards are split into two categories: "required" and "addressable." Most practices treat "addressable" as "optional." That was never the legal meaning: an addressable safeguard had to be implemented if it was reasonable and appropriate, and if it was not, the practice had to document why and put an equivalent alternative in place. In the real world, though, the category was used as permission to skip. Encryption, for example, has been addressable since 2003, which is why so many practices still store patient records unencrypted.

The proposed rule eliminates the addressable category entirely. Every safeguard becomes required, with only narrow, documented exceptions. The era of writing "not reasonable for a practice our size" in a risk analysis and moving on is ending.

Action step: Pull your current HIPAA risk analysis and find every safeguard you marked as addressable or "not implemented." That list is your gap list. Each item on it is likely to become mandatory.

Change 2: Encryption Becomes Mandatory

Electronic protected health information would have to be encrypted both at rest and in transit, with very limited exceptions. At rest means the data sitting on your server, your workstations, your backup drives, and the laptop a hygienist takes home. In transit means email, file transfers, and any data moving across a network.

For a small practice this is less expensive than it sounds. Full-disk encryption is built into both Windows (BitLocker) and macOS (FileVault) at no additional cost. The harder part is process: confirming it is turned on everywhere, documenting that it is on, and closing the gap on email, which is where most practices leak protected information without realizing it.

Action step: Verify that disk encryption is enabled on every computer, laptop, and server that touches patient data. Then audit how your practice sends patient information by email, because unencrypted email of protected health information is one of the most common violations I find.
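The "confirm it is on and document it" step in practice, as an added example that is not part of the original post: a PowerShell script that records the BitLocker state of every volume on a Windows machine as one evidence row per volume, ready to attach to the risk analysis. It assumes a Windows 10 or 11 Pro or Enterprise workstation with the BitLocker PowerShell module (Get-BitLockerVolume) and Get-Tpm available, a local administrator session, and an evidence folder (C:\Compliance, a hypothetical location) that you would replace with your own.

```powershell
# Added example (not code from the original post). Collect BitLocker status for every
# volume on this Windows machine and write one evidence row per volume to a CSV.
# Assumptions: Windows 10/11 Pro or Enterprise, run as a local administrator, the
# BitLocker and TrustedPlatformModule cmdlets available. $OutputCsv is a hypothetical
# path; point it at wherever you keep compliance evidence.
#Requires -RunAsAdministrator

$OutputCsv = 'C:\Compliance\bitlocker-evidence.csv'   # hypothetical evidence location
New-Item -ItemType Directory -Force -Path (Split-Path $OutputCsv) | Out-Null

# TPM state is recorded once per machine; a missing or unready TPM usually explains
# why a volume is protected only by a password or not protected at all.
$tpm = Get-Tpm

$rows = foreach ($vol in Get-BitLockerVolume) {
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasRecoveryPassword = $protectorTypes -contains 'RecoveryPassword'

    # "Compliant" here means: fully encrypted, protection switched on, and a recovery
    # password protector present so a TPM failure or forgotten PIN does not turn an
    # encrypted drive into lost patient data. Adjust to your own written standard.
    $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'On') -and
                 $hasRecoveryPassword

    [PSCustomObject]@{
        Timestamp         = (Get-Date).ToString('s')
        Computer          = $env:COMPUTERNAME
        Volume            = $vol.MountPoint
        VolumeType        = $vol.VolumeType          # OperatingSystem or Data
        VolumeStatus      = $vol.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
        ProtectionStatus  = $vol.ProtectionStatus    # On or Off
        EncryptionPercent = $vol.EncryptionPercentage
        EncryptionMethod  = $vol.EncryptionMethod    # e.g. XtsAes128
        KeyProtectors     = ($protectorTypes -join ';')
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        Compliant         = $compliant
    }
}

# Append so repeated runs build a dated history instead of overwriting last month's evidence.
$rows | Export-Csv -Path $OutputCsv -NoTypeInformation -Append
$rows | Format-Table Volume, VolumeStatus, ProtectionStatus, KeyProtectors, Compliant -AutoSize

# Any volume that fails the standard is a gap item for the risk analysis.
$gaps = @($rows | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) volume(s) on $env:COMPUTERNAME are not fully protected."
    exit 1
}
```

Run it on every Windows machine in the inventory and keep the CSV with the risk analysis; a drive that shows FullyDecrypted or ProtectionStatus Off is the documented gap the proposed rule would no longer let you wave away. Removable drives plugged in at run time will also appear as Data volumes, which is useful, since a USB stick with patient exports is exactly the kind of asset practices forget. On a Mac the equivalent one-line check is fdesetup status, which reports whether FileVault is on.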

Change 3: Multi-Factor Authentication on Everything

The proposed rule would require multi-factor authentication for access to systems that contain electronic protected health information, again with narrow exceptions. This means your electronic health record system, your practice management software, and remote access into your network.

Stolen and reused passwords remain the most common way attackers get into a practice. Multi-factor authentication means a stolen password is no longer enough on its own, which is precisely why it is moving from a recommendation to a requirement. If your EHR vendor offers multi-factor authentication and you have not turned it on, you are already behind where the rule is heading.

Action step: Enable multi-factor authentication on your EHR, your practice management system, and any remote access tool today. It does not require the final rule to be worth doing, and it is the highest-value control you can implement this week.

Change 4: A Written Technology Asset Inventory and Network Map

You would be required to maintain a written inventory of every piece of technology that creates, receives, maintains, or transmits protected health information, along with a network map showing how that information moves through your practice. Both would need to be reviewed and updated at least once a year and whenever the environment changes.

This sounds bureaucratic, and most practices do not have it, but the logic is sound. You cannot protect what you have not catalogued. The inventory is also where the encryption and authentication requirements get checked, because every asset on the list has to show what protects it.

Action step: Build a simple spreadsheet listing every server, workstation, laptop, mobile device, and cloud service that touches patient data. Note where each one sits and what protects it. That single document is the foundation for almost every other requirement in the proposed rule.

Change 5: Annual Penetration Testing and Vulnerability Scanning

The proposed rule would require vulnerability scanning at least every six months and penetration testing at least once a year. For a practice that has never done either, this is a genuinely new operating expense, and it is the change most likely to require outside help.

A vulnerability scan is automated and looks for known weaknesses in your systems. A penetration test is a controlled, authorized attempt by a professional to break in the way a real attacker would. The two are not interchangeable, and the rule would require both on a schedule. Budget for this now, because it is a recurring cost that did not exist in your compliance plan before.

Action step: Get a quote for annual penetration testing and semiannual vulnerability scanning so the number is in your budget for the coming year. Knowing the cost ahead of time turns a future emergency into a planned line item.

Change 6: A Hard Deadline to Restore After an Incident

The proposed rule would require practices to be able to restore critical systems and data within 72 hours of a loss. This raises the stakes on backups considerably. It is no longer enough to have backups somewhere. You have to prove you can bring the practice back online inside a defined window.

That means tested backups, a written recovery plan, and a clear understanding of which systems are critical. A backup you have never restored is not a backup. It is a hope. Ransomware does not care how small your practice is, and the 72-hour clock is exactly the scenario this requirement is built around.

Action step: Run a real restore test. Pick a recent backup, restore it to a separate location, and time how long it takes to get a working system back. If you cannot do it inside 72 hours, that is your most urgent gap.

Change 7: Annual Compliance Verification of Your Vendors

A business associate is any vendor that handles protected health information on your behalf: your EHR provider, your billing company, your IT support firm, your cloud backup service. The proposed rule would require business associates to verify at least once every twelve months that they have deployed the required technical safeguards, through a written analysis by a subject matter expert plus a written certification that the analysis was done, and to provide that verification to you. It would also require them to notify you within 24 hours of activating their contingency plan, so an outage or ransomware event on a vendor's side cannot stay quiet.

For your practice, this means a Business Associate Agreement on file is no longer the finish line. You would need annual evidence that each vendor is doing what they promised. Many practices have signed agreements they have never revisited, with vendors they cannot fully account for.

Action step: List every vendor that touches patient data, confirm you have a signed Business Associate Agreement with each one, and start asking for their security documentation now. The vendors that cannot produce it are the ones that will become your problem when the rule is final.

What This Means for a Small Practice

Read together, these changes move HIPAA from a flexible framework to a defined security baseline that looks a great deal like the standards already required of defense contractors and large health systems. The proposed rule explicitly removes the cost-and-size arguments that small practices have leaned on for two decades. The Office for Civil Rights has signaled that "we are too small for that" will no longer be an acceptable answer.

The good news is that the most important controls do not require the final rule to justify them. Multi-factor authentication, encryption, a real backup you have tested, and an honest inventory of your systems protect your patients and your practice regardless of when the rule takes effect. Every practice that implements those four things now will be most of the way to compliance before the deadline is even set.

The practices that will struggle are the ones that wait for the final rule, then try to close a decade of deferred safeguards in a single quarter. A current, honest risk analysis is the document that tells you exactly where you stand and what order to fix things in. That is the work I do for medical and dental practices across San Diego County, and the first conversation is always free.

Not Sure How Your Practice Measures Up?

A HIPAA security assessment gives you a clear picture of where your practice stands against both today's rule and the changes coming next, and the order to fix what matters most. Book a free consultation at https://adamscloudcyber.com
