Decoding HIPAA: Are All Safeguards Mandatory for Compliance?


Kevin Henry

HIPAA

January 11, 2024

6 minutes read

You want a clear answer to whether every HIPAA safeguard is mandatory. Under today’s HIPAA Security Rule, some implementation specifications are “required” and others are “addressable,” which means they must be formally evaluated and either implemented, implemented with an equivalent alternative, or rejected with documented rationale—not ignored. In 2025, HHS/OCR proposed sweeping updates that, if finalized, would make many formerly addressable controls effectively mandatory with limited exceptions. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/appendix-A_to_subpart_C_of_part_164?utm_source=openai))

Practically, you should treat key cybersecurity controls—such as multi-factor authentication and encryption—as table stakes for robust ePHI protection now, and plan for prescriptive requirements once the 2025 rulemaking is finalized. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

Understanding HIPAA Security Rule Safeguard Categories

The Security Rule organizes protections for electronic protected health information (ePHI) across three categories: administrative, physical, and technical safeguards. Administrative safeguards include risk analysis, risk management, workforce security, incident response, contingency planning, and ongoing evaluations. Physical safeguards govern facility access, workstation security, and device/media controls. Technical safeguards cover access control, audit controls, integrity, person/entity authentication, and transmission security. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))

Each safeguard category consists of standards and specific “implementation specifications.” A helpful matrix in the rule identifies which specifications are required and which are addressable under the current framework. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/appendix-A_to_subpart_C_of_part_164?utm_source=openai))

Differentiating Required and Addressable Specifications

Required specifications must be implemented as written. Addressable specifications must still be considered: you assess reasonableness, implement the control if appropriate, or deploy an equivalent alternative—and in all cases, document your decision. Addressable does not mean optional. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/appendix-A_to_subpart_C_of_part_164?utm_source=openai))

Your documentation must be retained for six years from creation or last effective date, remain available to those responsible for implementation, and be updated in response to environmental or operational changes. This record-keeping is itself a required safeguard. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.316?utm_source=openai))

Impact of 2025 HIPAA Security Rule Updates

On January 6, 2025, HHS/OCR published a Notice of Proposed Rulemaking (NPRM) to modernize the Security Rule. Among the most consequential proposals: eliminating the distinction between “required” and “addressable” implementation specifications so that, with limited exceptions, all specifications must be met. The NPRM also proposes more prescriptive cybersecurity controls. Public comments closed March 7, 2025; a final rule had not been issued as of November 6, 2025. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

Key proposed technical requirements include: mandatory multi-factor authentication (with defined exceptions), reclassification of encryption as its own standard with encryption of all ePHI at rest and in transit (with limited, documented exceptions), vulnerability scanning at least every six months, and penetration testing at least annually (or more often based on risk). The NPRM would also require a technology asset inventory and a current network map. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))

If finalized, HHS indicates an effective date 60 days after publication and a general compliance date 180 days after the effective date (i.e., typically 240 days from publication), with additional transition time for certain Business Associate Agreement updates. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm?utm_source=openai))

Implementing Mandatory Safeguards for ePHI Protection

Start with risk analysis and an authoritative asset view

  • Perform a current, enterprise-wide risk analysis that maps where ePHI is created, received, maintained, or transmitted—including cloud services and connected devices.
  • Build and maintain a written technology asset inventory and network map to anchor your controls, monitoring, and incident response. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))

Meet core technical safeguards decisively

  • Deploy multi-factor authentication across relevant systems and for any change in user privileges; use the NPRM’s narrow exceptions only with documented compensating controls and migration plans. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))
  • Implement encryption that meets prevailing cryptographic standards and encrypt all ePHI at rest and in transit unless a specific NPRM exception applies and is documented. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))
  • Establish vulnerability management: automated scans at least every six months, continuous monitoring of authoritative sources for new CVEs, annual penetration testing by qualified personnel, and timely patching. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))

Strengthen administrative safeguards that drive outcomes

  • Update policies, procedures, and training to reflect actual technical controls in use and test them on a set cadence.
  • Refresh contingency plans (backup, disaster recovery, emergency operations) and validate that backups are recent and restorable. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))

Strategies for Compliance with Enhanced HIPAA Controls

Build a pragmatic roadmap

  • Gap-assess current safeguards against the NPRM’s proposed requirements (MFA, encryption requirements, asset inventory, network segmentation, vulnerability and patch programs) and prioritize high-impact, high-risk gaps first. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))
  • Sequence quick wins (e.g., enforcing MFA for remote/admin access, disabling unused ports, removing unsupported software) while you tackle longer-lead efforts (network mapping, segmentation, enterprise encryption). ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OCR-2024-0020-0001/content.htm))

Operationalize and evidence compliance

  • Define measurable control objectives, log sources, and review cadences so you can show your work during audits or investigations.
  • Align third parties: refresh Business Associate oversight, including prompt incident/contingency notifications contemplated in the NPRM. ([reuters.com](https://www.reuters.com/legal/litigation/top-10-takeaways-new-hipaa-security-rule-nprm-2025-03-14/?utm_source=openai))

OCR enforces the HIPAA Rules through investigations, resolution agreements with corrective action plans, and civil money penalties (CMPs) when warranted. Recent enforcement emphasizes rigorous security risk analysis and remediation. ([hhs.gov](https://www.hhs.gov/press-room/ocr-settles-hipaa-security-rule-investigation-health-fitness-corporation.html?utm_source=openai))

Maintain a living documentary record: your risk analyses, risk treatment plans, policies and procedures, system activity reviews, training, incident response, contingency tests, and governance approvals. Retain documentation for six years and keep it accessible to implementers; update it whenever your environment or operations change. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.316?utm_source=openai))

Civil penalties are tiered by culpability and adjusted annually for inflation. For penalties assessed on or after August 8, 2024, amounts range from a minimum of $141 per violation up to $2,134,831 per year for identical provisions, with higher caps for willful neglect; these figures remain in effect until HHS issues its next adjustment. ([tax.thomsonreuters.com](https://tax.thomsonreuters.com/news/hhs-announces-civil-monetary-penalties-for-hipaa-msp-and-sbc-violations-effective-august-8-2024/?utm_source=openai))

Conclusion

Today, not every HIPAA implementation specification is “required,” but none are optional in practice—you must implement, reasonably substitute, or document why not. The 2025 NPRM signals a shift toward consistently mandatory cybersecurity controls, especially MFA, encryption, and vulnerability management. If you prepare now—technically and on paper—you’ll protect ePHI and be ready for the final rule’s compliance clock. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

FAQs

Are addressable safeguards optional under HIPAA?

No. “Addressable” means you must assess the specification and either implement it, implement an equivalent alternative, or document a reasoned decision not to implement—then maintain that documentation for six years. Addressable safeguards are not a free pass to do nothing. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/appendix-A_to_subpart_C_of_part_164?utm_source=openai))

Will all HIPAA safeguards become mandatory in 2025?

Not automatically. HHS/OCR proposed in January 2025 to eliminate the “addressable” category and require all implementation specifications (with limited exceptions). A final rule had not been issued as of November 6, 2025. If finalized, the effective date would be 60 days after publication, with a general compliance date 180 days later. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

How should organizations document decisions on safeguards?

Keep a clear, dated trail: risk analysis findings, your risk treatment plan, the decision and rationale for each safeguard (including any equivalent measures), procedures, test results, and approvals. Update records after environmental or operational changes, and retain them for six years. For any NPRM exceptions (e.g., to encryption or MFA), you would also need to document why the exception applies and what compensating controls you used. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.316?utm_source=openai))

What are the penalties for non-compliance with new HIPAA rules?

The same HIPAA enforcement framework applies: investigations, corrective action plans, and tiered civil money penalties. Current inflation-adjusted CMPs for violations assessed on or after August 8, 2024, range from $141 per violation at the low end up to $2,134,831 in annual caps for identical provisions, with higher exposure for willful neglect. HHS updates these amounts periodically. ([tax.thomsonreuters.com](https://tax.thomsonreuters.com/news/hhs-announces-civil-monetary-penalties-for-hipaa-msp-and-sbc-violations-effective-august-8-2024/?utm_source=openai))
