HIPAA Annual Penetration Testing: Is There a New Rule and What’s Required?



Kevin Henry

HIPAA

March 27, 2026


Overview of Proposed HIPAA Security Rule Updates

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking to update the HIPAA Security Rule on January 6, 2025. The proposal aims to strengthen safeguards for electronic protected health information (ePHI) with clearer, more prescriptive requirements. As of April 14, 2026, this is still a proposed rule, not a final regulation. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))

Key proposals include: removing the “required” vs. “addressable” distinction; mandating written policies, procedures, and analyses; requiring a technology asset inventory and network map at least annually; adding explicit requirements for encryption of ePHI at rest and in transit; multi-factor authentication; network segmentation; an annual Security Rule compliance audit; and greater business associate oversight. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

Critically for security testing, the NPRM would require automated vulnerability scanning at least every six months and penetration testing at least once every 12 months (or more often if your risk analysis indicates). These activities must be performed by qualified personnel and documented. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

Current HIPAA Penetration Testing Requirements

Under the current HIPAA Security Rule, there is no explicit penetration testing requirement or fixed annual cadence. Instead, covered entities and business associates must perform risk analysis and risk management to identify and address reasonably anticipated threats and vulnerabilities to ePHI; technical and non-technical evaluations are required, but methods and frequency are risk-based. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html?utm_source=openai))

As of April 14, 2026, the NPRM has not been finalized, so the existing HIPAA Security Rule remains in effect. Organizations should continue to meet today’s risk analysis and management obligations while planning for potential new, explicit testing standards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))

Industry Best Practices for Penetration Testing

Independent of regulation, healthcare organizations commonly align penetration testing with NIST Special Publication 800-115, which outlines planning, execution, reporting, and remediation verification for security testing. It helps you scope to systems that store or process ePHI and distinguish vulnerability assessments (automated scans) from penetration tests (attempted exploitation to validate risk). ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/115/final?utm_source=openai))

  • Run an external and internal penetration test at least annually; increase frequency after major changes (new EHR modules, cloud migrations, mergers) or significant incidents.
  • Scan for vulnerabilities on a recurring schedule rather than as a one-off; quarterly scanning is a common floor in higher-risk environments (the NPRM would set a ceiling of six months), with validated remediation and retesting of what the scans find. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/115/final?utm_source=openai))
  • Cover applications, networks, endpoints, identity systems, and cloud services that touch ePHI; include segmentation testing to ensure ePHI is isolated as intended. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/115/final?utm_source=openai))
  • Use qualified testers, defined by appropriate knowledge and experience; establish clear rules of engagement and require evidence-based reporting with exploit proof-of-concept where safe. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
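Of the practices listed above, segmentation testing is the one that benefits from being shown concretely. The block below is an added example, not code from the original page or from Accountable: it compares the TCP reachability observed from each network segment against the flows that an ePHI data-flow map says are permitted, and reports anything open that the map does not allow (a segmentation finding) as well as anything allowed that was not reachable (usually a probe run from the wrong place, or a control that broke a legitimate path). The segment names, host names, addresses, ports and "allowed" flows are constructed for illustration; in a real engagement `collect()` is run from a host inside each segment and the results are merged before `evaluate()` is called.

```python
"""Segmentation check for an ePHI enclave.

Observed reachability per source segment is compared against the flows the
ePHI data-flow map says should exist. Everything below the "constructed"
marker is hypothetical example data, not a real environment.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True, order=True)
class Flow:
    src_segment: str  # segment the probe was launched from, e.g. "guest-wifi"
    dst_host: str     # ePHI system name as recorded in the asset inventory
    dst_port: int


# --- Constructed example data (hypothetical names and addresses) -------------
EPHI_HOSTS = {"ehr-app-01": "10.20.0.20", "ehr-db-01": "10.20.0.10"}
PROBE_PORTS = (22, 443, 3389, 5432)

# Flows the data-flow map says are legitimate; anything else should be blocked.
ALLOWED = frozenset({
    Flow("clinical-workstations", "ehr-app-01", 443),  # users -> EHR web tier
    Flow("app-tier", "ehr-db-01", 5432),               # app servers -> EHR database
})

# What a probe run from three different segments might have observed.
CONSTRUCTED_OBSERVED = {
    Flow("clinical-workstations", "ehr-app-01", 443),  # allowed by the map
    Flow("clinical-workstations", "ehr-db-01", 5432),  # workstations reach the DB directly
    Flow("guest-wifi", "ehr-app-01", 443),             # guest Wi-Fi reaches the ePHI app
    Flow("app-tier", "ehr-db-01", 22),                 # SSH exposed from the app tier
    # Note: the allowed app-tier -> DB 5432 flow is absent, so it shows as "missing".
}


def tcp_open(ip: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect probe: True if the three-way handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def collect(src_segment: str,
            hosts: dict[str, str] = EPHI_HOSTS,
            ports: Iterable[int] = PROBE_PORTS,
            probe: Callable[[str, int], bool] = tcp_open) -> set[Flow]:
    """Run from a host inside `src_segment`; returns the flows found reachable.

    `probe` is injectable so the evaluation logic can be exercised offline
    (see the usage block) and so a scanner's output can be substituted.
    """
    return {Flow(src_segment, name, port)
            for name, ip in hosts.items()
            for port in ports
            if probe(ip, port)}


def evaluate(observed: Iterable[Flow],
             allowed: frozenset[Flow] = ALLOWED) -> dict[str, list[Flow]]:
    """Split observed reachability into map violations and missing expected paths."""
    seen = set(observed)
    return {
        "violations": sorted(seen - allowed),   # open but not on the data-flow map
        "missing": sorted(allowed - seen),      # on the map but not reachable
    }


def render(result: dict[str, list[Flow]]) -> str:
    """Human-readable summary suitable for pasting into a test report."""
    lines = []
    for f in result["violations"]:
        lines.append(f"VIOLATION  {f.src_segment} -> {f.dst_host}:{f.dst_port} "
                     f"reachable but not permitted by the ePHI data-flow map")
    for f in result["missing"]:
        lines.append(f"MISSING    {f.src_segment} -> {f.dst_host}:{f.dst_port} "
                     f"permitted by the map but not reachable; verify probe location")
    return "\n".join(lines) if lines else "segmentation matches the data-flow map"


if __name__ == "__main__":
    # Offline run over the constructed observations; in the field, replace with
    # the union of collect(segment) results gathered from a host in each segment.
    print(render(evaluate(CONSTRUCTED_OBSERVED)))
```

The two lists matter for different reasons: violations go into the penetration test report as findings against the segmentation control, while missing flows are a signal to stop and check the test setup before concluding that isolation is working, since a probe that could not reach anything proves nothing.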

Compliance Recommendations for Covered Entities

To meet today’s HIPAA Security Rule—and position for a possible future penetration testing requirement—anchor your program in risk analysis and management, then add structured testing and documentation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))


Practical steps

  • Refresh your risk analysis to current threat conditions; prioritize risks that could compromise ePHI confidentiality, integrity, or availability. Tie testing decisions to those risks. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
  • Build and maintain a technology asset inventory and ePHI data-flow network map; use them to scope vulnerability assessments and penetration tests. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))
  • Stand up a vulnerability management process: automated scanning, triage, patch/compensating controls, and verification within defined SLAs. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
  • Plan annual penetration tests performed by qualified personnel and require remediation validation (retest) for high-risk findings. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
  • Strengthen business associate oversight: obtain written verification from each BA that the technical safeguards protecting your ePHI are in place, scoped to your risk analysis. The NPRM would formalize this as an annual written analysis by a subject matter expert plus a written certification, so start collecting it in that form now. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))
  • Document everything—testing scopes, reports, remediation decisions, and approvals—to support compliance enforcement reviews. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html?utm_source=openai))

Rulemaking and Public Comment Process

The NPRM was published in the Federal Register on January 6, 2025, with comments due by March 7, 2025. After reviewing comments, HHS may issue a final rule. The NPRM proposes a standard timeline: a final rule effective 60 days after publication, with a compliance date 180 days after the effective date (unless otherwise stated). ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))

Until a final rule is issued, the current HIPAA Security Rule remains in force; OCR continues oversight and enforcement under existing standards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))

Potential Impact of New Rule

If finalized as proposed, the HIPAA Security Rule would introduce an explicit penetration testing requirement and semiannual vulnerability scanning. Organizations would need to budget for testing, address skills gaps, and increase documentation and verification across covered entities and business associates. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

HHS’s economic analysis anticipates significant nationwide costs tied to activities such as penetration testing, MFA deployment, segmentation, and policy updates; small and rural providers were considered for exceptions, but the Department emphasized sector-wide needs for testing. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))

Preparing for Future Compliance

Start now: align with the HIPAA Security Rule’s risk analysis and management baseline, adopt the HHS Healthcare and Public Health Cybersecurity Performance Goals (CPGs) for prioritized controls, and formalize a testing program that includes vulnerability assessments and penetration tests scoped to ePHI systems. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))

Build a 12–18 month roadmap that sequences asset inventory and mapping, vulnerability management SLAs, BA verification workflows, encryption and MFA upgrades, and a qualified penetration-testing vendor strategy. Doing this also positions you to demonstrate “recognized security practices,” which the 2021 HITECH Act amendment directs OCR to consider, where they have been in place for the previous 12 months, when determining fines and audit scope. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html?utm_source=openai))

Bottom line: as of April 14, 2026, annual penetration testing is not yet mandatory under HIPAA; however, the proposed HIPAA Security Rule would make it explicit. Treat the NPRM as a strong signal—mature your testing, documentation, and third‑party oversight now to reduce risk and accelerate compliance once final timelines are set. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

FAQs

Is annual penetration testing currently mandatory under HIPAA?

No. Today’s HIPAA Security Rule does not include an explicit, annual penetration testing requirement; it requires risk analysis, risk management, and evaluations determined by your risks. The NPRM proposes annual penetration testing and semiannual vulnerability scanning, but that has not been finalized as of April 14, 2026. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html?utm_source=openai))

What are the proposed changes to the HIPAA Security Rule?

Highlights include: eliminating “addressable” specifications; requiring asset inventories and network maps; mandating encryption at rest and in transit, MFA, and network segmentation; adding an annual Security Rule compliance audit and BA verification; and requiring vulnerability scanning every six months and penetration testing every 12 months (or more frequently based on risk). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

How often should vulnerability assessments be conducted?

Under the NPRM, automated vulnerability scans would be required at least every six months or more frequently if your risk analysis indicates. Until a final rule is issued, frequency should be determined by risk analysis and industry practice. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))

How can organizations prepare for potential new HIPAA penetration testing requirements?

Refresh your risk analysis; map ePHI systems and data flows; implement scanning and patching SLAs; schedule annual penetration tests by qualified testers; strengthen BA verification; align methods with NIST SP 800‑115; and leverage HHS CPGs to prioritize controls likely to be required. Document scopes, results, and remediation for compliance enforcement readiness. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
