If your organization operates in the US healthcare sector or works with entities that do, the cybersecurity regulatory landscape is shifting in a meaningful way. On January 6, 2025, the US Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule, the standard that has governed the protection of electronic protected health information (ePHI) since 2003 and was last substantively revised by the 2013 Omnibus Rule.
This is not a minor adjustment. It’s a structural rethink of what compliance looks like, and how organizations are expected to prove it.
Where things stand: The NPRM drew nearly 5,000 public comments. OCR’s Spring 2025 Unified Agenda targets finalization for mid-2026. The final rule would take effect 60 days after publication, and compliance would be required 180 days after the effective date, 240 days in all from publication to mandatory compliance.
From proposal to mandate
Timeline
- Dec 2024: OCR issues the NPRM
HHS releases the proposed modernization of the Security Rule, the first substantive update since the 2013 Omnibus Rule.
- Jan to Mar 2025: Public comment period
The NPRM is published in the Federal Register (90 FR 898) on January 6. Comments close on March 7 with close to 5,000 industry responses.
- 2025 to today: OCR reviews and drafts the final rule
OCR continues to work through the comments. Despite industry pushback, the rule remains on the agenda for finalization in May 2026.
- Mid 2026: Final rule publication
The rule takes effect 60 days after publication. From that point, the 180-day compliance clock begins.
- Late 2026 to early 2027: Mandatory compliance
240 days after publication, the rule is fully enforceable. Organizations that haven’t prepared will face material regulatory risk.
From “reasonable and appropriate” to explicit requirements
Key changes
The most fundamental shift is conceptual. The current Security Rule lets each organization judge which controls are “reasonable and appropriate” for its size and risk profile, and lets it document its way around “addressable” specifications. The NPRM sharply narrows that flexibility and replaces it with controls that are mandatory, specific, and auditable. The highlights:
- No more “addressable” specs. Every implementation specification becomes required, with narrow, explicitly enumerated exceptions. Documenting why a control is not reasonable for your organization is no longer a path to deferring it.
- Encryption is mandatory. ePHI must be encrypted at rest and in transit, with limited and documented exceptions.
- MFA required. Multi-factor authentication becomes mandatory for access to systems handling ePHI, with limited exceptions.
- Network segmentation. Explicitly required to limit access to ePHI and to contain lateral movement by an attacker who has compromised one part of the environment.
- Asset inventory and network map. A technology asset inventory and a network map showing how ePHI moves through the environment must be maintained, and updated at least once every 12 months and whenever the environment or operations change materially.
- Defined time windows. Other regulated entities must be notified within 24 hours when a workforce member’s access to ePHI is changed or terminated; critical systems and data must be restored within 72 hours; vulnerability scans must run at least every 6 months; penetration testing must be performed at least annually.
On top of that, regulated entities must perform a compliance audit at least once every 12 months, and business associates must verify to their covered entities at least once every 12 months that they have deployed the required technical safeguards, through a written analysis of the business associate’s relevant systems by a subject-matter expert and a written certification that the analysis is accurate.
Qubika supports every step of the journey
How we help
- Gap assessment against the NPRM. We map your current controls against the new explicit requirements — encryption, MFA, segmentation, asset inventory — so you know precisely what you have and what’s missing.
- Architecture and implementation of technical controls. We design and roll out the controls the rule requires: network segmentation, ePHI encryption, identity management, and MFA at scale.
- Vulnerability management and penetration testing. We stand up scanning programs and pen-testing engagements aligned to the new cadences (6-month scans, annual pen tests), with the documentation auditors will expect.
- Incident response and contingency planning. We build the written plans the rule demands: incident response procedures, 72-hour restoration playbooks, and documented testing exercises.
- Ongoing support for covered entities and business associates. Whether you’re a covered entity or a business associate, the NPRM places obligations on you. We support end-to-end compliance across the chain.
Qubika’s expertise in healthcare
Qubika has spent two decades building secure, compliant software for healthcare leaders and innovators, from FDA-cleared medical devices and HIPAA-compliant data platforms to EPIC integrations, FHIR/HL7 interoperability, and AI-powered clinical solutions. Over a third of our revenue comes from healthcare; we are SOC 2 Type 2 and ISO 27001 certified, and we are compliant with the NIST AI Risk Management Framework. We understand the operational realities and what it takes to translate regulatory change into working controls without disrupting care delivery. See more about the work of our Health & Wellbeing Studio.
Want to know where your organization stands?
Not sure where your organization stands against the new requirements? The Qubika Cybersecurity Studio runs gap assessments mapped to the NPRM controls.