HHS Proposed Security Requirements: Key Changes, Timeline, and How to Comply

The Department of Health and Human Services (HHS) has proposed HIPAA Security Rule amendments that raise the baseline for safeguarding electronic protected health information. The proposal moves several “addressable” safeguards toward explicit, testable requirements and emphasizes operational resilience, third‑party assurance, and measurable outcomes. This guide breaks down the key changes, outlines a practical timeline, and shows you how to comply without disrupting care.

Suggested compliance timeline

• 0–30 days: Confirm scope and governance, appoint an executive sponsor, and map systems handling electronic protected health information.
• 30–90 days: Run a gap assessment against the proposed controls, select MFA and encryption patterns, and prioritize high‑risk workflows.
• 90–180 days: Roll out MFA to remote and privileged access, encrypt data in transit, harden backups, and update the incident response plan.
• 180–365 days: Complete encryption at rest, extend network segmentation security, formalize business associate risk management, and enhance training.
• Ongoing: Monitor with metrics, test incident playbooks, validate vendors, and refine patch management protocols.

Mandatory Encryption Requirements

What the proposal changes

The proposed updates elevate encryption from a discretionary choice to an expectation for both data at rest and in transit across environments that create, receive, maintain, or transmit electronic protected health information. Backups, portable media, and clinical endpoints fall explicitly in scope, with stronger emphasis on centralized key management and documented coverage.

How to comply

• Encrypt in transit using modern TLS for all user, application, and API connections; deprecate weak ciphers and legacy protocols.
• Encrypt at rest via full‑disk encryption for laptops and servers, database or volume encryption for EHR and data warehouses, and message‑level encryption for email containing clinical data.
• Centralize key management; rotate and escrow keys, enforce role‑based access, and monitor key use. Where feasible, prefer validated crypto modules.
• Ensure backup and archive encryption, including immutable or write‑once media used for recovery.
• Document compensating controls only where encryption is technically infeasible, with explicit risk acceptance and timelines to close gaps.

Evidence to maintain

• System inventory and data‑flow maps showing where encryption is applied.
• Key management procedures, rotation logs, and access reviews.
• Configuration baselines for TLS and storage encryption, plus exception records.

Common pitfalls

• Encrypting databases but not their backups or replicas.
• Leaving mobile devices and removable media unprotected.
• Using email transport encryption without message‑level protection for sensitive content.

Comprehensive Risk Analysis Processes

What the proposal changes

Risk analysis becomes a living program tied to change management, supply‑chain exposure, and measurable remediation. The emphasis shifts from one‑time scans to scenario‑driven analyses covering people, process, and technology—plus business associate risk management and patch management protocols.

How to comply

• Build and continuously update an asset inventory and data‑flow diagrams for systems that handle electronic protected health information.
• Assess threats and vulnerabilities across on‑premises, cloud, medical devices, and third parties; include misuse and availability scenarios.
• Quantify risk, record decisions in a risk register, and track remediation with owners and due dates.
• Integrate patch management protocols with defined severity tiers, SLAs, maintenance windows, and verification of successful deployment.
• Extend analysis to business associates: review controls, contractual obligations, incident processes, and interdependencies.

Deliverables and artifacts

• Documented methodology, current risk register, treatment plans, and executive summaries.
• Change‑driven reassessments after system upgrades, migrations, or vendor changes.
• Evidence of vulnerability management, configuration hardening, and exception handling.

Metrics to track

• Risk reduction over time by category and criticality.
• Patch and configuration compliance rates and SLA adherence.
• Third‑party remediation closure rates and reassessment cadence.

Multi-Factor Authentication Implementation

What the proposal changes

The proposal strengthens multi-factor authentication compliance by requiring strong authentication for remote access, privileged accounts, and systems that store or process clinical data. Coverage, not just capability, is expected—along with policies for break‑glass access and exceptions.

Scope and prioritization

• Phase 1: Remote access (VPN, VDI), administrators, and cloud consoles.
• Phase 2: EHR, e‑prescribing, email, and clinical portals.
• Phase 3: Remaining high‑value business systems and third‑party access.

Implementation options

• Adopt phishing‑resistant authenticators (for example, security keys or platform biometrics) for admins; use app‑based or time‑based one‑time codes for the broader workforce.
• Federate via SSO, enforce conditional access, and require step‑up MFA for sensitive operations.
• Replace SMS‑only factors; keep limited fallback methods with monitoring and rapid deprovisioning.

User experience and resilience

• Provide offline codes for continuity during outages and a documented break‑glass process with immediate post‑use review.
• Offer clear enrollment, device change, and lost‑token procedures to reduce help‑desk friction.

Network Segmentation Strategies

What the proposal changes

The updates highlight network segmentation security to limit lateral movement and contain incidents. Administrative, clinical, and guest networks should be separated, with high‑risk medical devices isolated and access tightly controlled.

Design patterns

• Create dedicated security zones for EHR, imaging, labs, and payment processing.
• Isolate IoMT/medical devices with strict allowlists; use application‑layer gateways for required protocols.
• Apply microsegmentation or host‑based firewalls to restrict east‑west traffic between workloads.

Control checklist

• Default‑deny ACLs between segments; allow only documented ports and destinations.
• Block risky protocols (for example, RDP from user subnets to servers) and require jump hosts with MFA for administration.
• Enforce DNS and web egress controls; monitor with network detection and EDR.

Validation and monitoring

• Continuously test rules with automated path analysis and red‑team exercises.
• Keep diagrams current and tie change control to firewall/SDN approvals and reviews.

Incident Response and Resilience Planning

What the proposal changes

Organizations are expected to maintain a mature incident response plan that integrates threat detection, containment, recovery, and patient‑safety considerations. Resilience is emphasized through reliable backups, tested restores, and continuity planning for critical services.

Build or refresh your plan

• Define roles, escalation paths, decision thresholds, and legal/privacy coordination.
• Create playbooks for ransomware, lost device, cloud credential compromise, and vendor breach.
• Standardize evidence handling, forensics support, and communication templates.

Resilience measures

• Use a 3‑2‑1 backup strategy with at least one immutable or offline copy; test restores regularly.
• Map recovery objectives for clinical systems and prioritize restoration sequencing.
• Harden endpoints and servers, and embed patch management protocols into post‑incident remediation.

Exercises and metrics

• Run tabletop and technical drills that include leadership, clinical operations, and vendors.
• Track time to detect, contain, and fully recover; convert lessons learned into control improvements.

Supply Chain Security Management

What the proposal changes

The proposals amplify accountability for third parties that create or handle electronic protected health information. Contracts, assurance, and technical controls must work together to manage business associate risk management.

Due diligence and contracting

• Tier vendors by data sensitivity and privilege; require security questionnaires and supporting evidence.
• Update BAAs to reflect minimum security controls, multi‑factor authentication compliance, incident notification, and right‑to‑audit provisions.
• Request software bills of materials for critical applications and documented vulnerability handling.

Ongoing oversight

• Monitor vendor posture via attestations, penetration test summaries, and remediation reports.
• Verify patch management protocols for supported products and track end‑of‑support dates.
• Reassess high‑risk vendors at least annually or after material changes or incidents.

Third‑party access control

• Provide least‑privilege, time‑bound access using PAM or just‑in‑time workflows with MFA.
• Segment vendor connections and log all privileged actions for review.

Security Awareness Training Enhancement

What the proposal changes

Training evolves from once‑a‑year checkboxes to continuous, role‑aware education that reinforces secure behavior in real workflows. Clinical realism and measurable outcomes replace generic modules.

Program design

• Deliver short, recurring content on phishing, safe messaging, mobile device use, and handling of electronic protected health information.
• Add role‑based modules for registration, nursing, pharmacy, IT administrators, and executives.
• Pair education with simulated phishing, just‑in‑time tips, and policy refreshers.

Measurement and improvement

• Track reporting rates, simulation performance, and policy acknowledgment.
• Use incident trends to target content and measure risk reduction over time.

Conclusion

The proposed HIPAA Security Rule amendments push encryption, risk analysis, MFA, segmentation, incident readiness, vendor assurance, and training to a higher, verifiable standard. By phasing work across people, process, and technology—and documenting proof at each step—you can meet the new bar while strengthening day‑to‑day operations.

FAQs.

What are the major changes in the HHS proposed security requirements?

The proposal heightens expectations for encryption at rest and in transit, requires broader multi‑factor authentication, formalizes continuous risk analysis, and reinforces network segmentation security. It also elevates the incident response plan and resilience testing and deepens oversight of business associates through stronger business associate risk management.

How does the timeline affect compliance deadlines?

Expect a staged approach: immediate governance and scoping, rapid hardening of high‑risk access and backups, then full encryption, segmentation, and vendor assurance over subsequent months. Build internal milestones now so you can meet final deadlines once they are confirmed, and keep evidence to demonstrate steady progress.

What steps should covered entities take to comply?

Start with a gap assessment against the proposals, prioritize systems that store or transmit clinical data, and implement encryption and multi‑factor authentication for the highest‑risk workflows. Mature your risk analysis program, tighten network segmentation, update the incident response plan, verify patch management protocols, and formalize business associate risk management in contracts and reviews.

How is multi-factor authentication addressed in the proposal?

MFA is strengthened from a recommended practice to a broad requirement for remote access, privileged users, and systems handling electronic protected health information. Aim for phishing‑resistant options for administrators, apply conditional access for sensitive actions, and document exceptions with compensating controls and timelines to close gaps.