Datapath industry news analysis for healthcare IT cybersecurity requirements
HEALTHCARE Published May 28, 2026 5 min read Source: HHS Office for Civil Rights

HIPAA Security Rule Cybersecurity Requirements Are Moving Toward a More Prescriptive Baseline

HHS OCR's proposed HIPAA Security Rule update signals a more documented, testable, and technical cybersecurity baseline for healthcare IT teams and business associates.

Dan J Sturdivant, Vice President at Datapath


Tags: healthcare, HIPAA, cybersecurity, compliance

Key takeaways

  • HHS OCR's proposed HIPAA Security Rule update would make healthcare cybersecurity expectations more specific, documented, and testable.
  • Healthcare IT teams should not wait for a final rule to inventory ePHI systems, tighten access, validate recovery, and document risk decisions.
  • Business associate oversight is becoming a practical security requirement, not just a contracting exercise.


Healthcare IT leaders should treat the proposed HIPAA Security Rule overhaul as a planning signal even before a final rule lands. HHS OCR issued the Notice of Proposed Rulemaking on December 27, 2024, and described it as an effort to strengthen protections for electronic protected health information after years of rising hacking and ransomware incidents.[1]

The important change is not just that OCR wants stronger security. It is that the proposed rule points toward a more explicit operating model: written documentation, regular review, testing, technical controls, and less room for vague “addressable” decisions that never become measurable safeguards.

What changed in the signal

OCR’s fact sheet says the proposal would remove the distinction between required and addressable implementation specifications, with limited exceptions, and require written documentation of Security Rule policies, procedures, plans, and analyses.[1] OCR also says the current Security Rule remains in effect while rulemaking continues.[2]

For healthcare providers, clinics, FQHCs, and business associates, that means the near-term work is not speculation. The current rule already requires administrative, physical, and technical safeguards for ePHI.[3] The proposed direction simply makes the expected evidence more concrete.

Why this matters for healthcare IT teams

Many healthcare organizations already have security tools but lack a complete evidence chain. They may have MFA on some systems, backups that have not been recently restored, partial endpoint coverage, or vendor access that depends on legacy accounts. Those gaps become harder to defend when regulators ask for current inventories, tested plans, documented risk decisions, and clear ownership.

The right response is a readiness sprint, not a panic purchase. Start with the systems that create, receive, maintain, or transmit ePHI. Map identities, privileged accounts, remote access, backup coverage, logging, endpoint protection, and vendor connectivity. Then record the control status in plain language that compliance, operations, and leadership can understand.

Datapath perspective

Healthcare cybersecurity is shifting from policy possession to operational proof. A binder of policies will not help if the EHR, imaging archive, Microsoft 365 tenant, billing platform, and third-party integrations cannot be recovered or audited.

For organizations with lean IT teams, the practical move is to convert HIPAA risk analysis into a living roadmap. That roadmap should define what is already controlled, what must be remediated, what compensating controls exist, and when leadership accepted residual risk.

What to do next

Prioritize four workstreams:

  1. Build a current ePHI system and vendor inventory.
  2. Validate identity controls, especially MFA, privileged access, and terminated-user removal.
  3. Test backup recovery for clinical and billing workflows, not just file restoration.
  4. Update incident response, downtime, and breach escalation procedures with named owners.

The final rule may change, but the direction is clear: healthcare IT programs need to be documented, tested, and ready to prove how ePHI is protected.

Footnotes

  1. HHS OCR, “HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information”

  2. HHS OCR, “HIPAA Security Rule NPRM”

  3. HHS OCR, “Summary of the HIPAA Security Rule”

Disclaimer: This industry news analysis is intended for informational and marketing purposes only, and nothing presented here is contractually binding or necessarily the final opinion of the authors.
