HIPAA NPRM: New Vulnerability Scanning Requirements Explained
HIPAA NPRM Overview
The HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) proposes prescriptive cybersecurity controls to counter escalating cyber threats against the U.S. health care system. It would apply to health plans, health care clearinghouses, most health care providers, and their business associates, and it emphasizes written, tested, and regularly updated safeguards. While rulemaking proceeds, the current Security Rule remains in effect. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
Who is in scope
The NPRM’s requirements explicitly extend to Covered Entities and Business Associates, including expectations for enterprise-wide policies, ongoing testing, and verification activities tied to systems that create, receive, maintain, or transmit ePHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
Vulnerability Scanning Requirements
Core obligation
The proposal adds a new “Vulnerability management” standard at 45 CFR 164.312(h), requiring deployment of technical controls to identify and address technical vulnerabilities across relevant electronic information systems. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Frequency and cadence
- Automated vulnerability scans: at least once every six months, or more frequently if your risk analysis indicates. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Penetration testing: at least once every 12 months, or more frequently if your risk analysis indicates; testing must be performed by a qualified person. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Tool validation: review and test the effectiveness of the technology asset performing automated scans at least once every 12 months, modifying as appropriate. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Ongoing monitoring: monitor authoritative sources for known vulnerabilities and remediate per your patch management program. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Security remediation linkages
The NPRM ties scanning to timely Security Remediation via a documented Risk Management Framework—prioritizing and mitigating vulnerabilities, installing patches and critical updates, and, where necessary, applying compensating controls until secure patches are available. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Compliance Impact on Covered Entities
From flexibility to prescriptive Cybersecurity Controls
The NPRM proposes eliminating the “addressable” versus “required” distinction, effectively making all implementation specifications required (with limited exceptions). This shifts organizations toward prescriptive baseline safeguards and clearer evidence expectations. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Business Associates: verification and accountability
Covered Entities must obtain written verification at least annually that each Business Associate has deployed the required technical safeguards, supported by a written analysis from a qualified person and a signed certification by an authorized individual. The NPRM would also require BAs to report activation of their contingency plan to the Covered Entity within 24 hours. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Risk Management Framework and program operations
Risk analysis and a formal risk management plan are elevated and operationalized through recurring scanning, testing, patch management, and documented change-driven reviews, bringing day-to-day security engineering activities squarely into HIPAA compliance scope. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Compliance Audits and evidence readiness
The NPRM would introduce an annual, documented compliance audit covering every standard and implementation specification—separate from the risk analysis—to verify that required safeguards are deployed and effective. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Security Improvement Goals
The proposal’s goals are to standardize a defensible baseline across the sector, accelerate vulnerability discovery and fix cycles, strengthen supply-chain assurance, and improve resilience and Data Breach Prevention via tested backups, logging, and incident/contingency processes—aligned with HHS Cybersecurity Performance Goals. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
Implementation Timeline
Where things stand
- Issued by OCR on December 27, 2024; published in the Federal Register on January 6, 2025 (90 FR 898). Comment period closed March 7, 2025. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- As of April 14, 2026, HHS has not yet issued a final rule; the NPRM remains pending. ([hipaajournal.com](https://www.hipaajournal.com/final-rule-implementing-hipaa-security-rule-updates-edges-closer/?utm_source=openai))
Compliance clocks after finalization
- Effective date: 60 days after the final rule is published.
- General compliance date: 180 days after the effective date (i.e., 240 days after publication), unless otherwise specified. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Business Associate Agreement transition: permitted until the earlier of (a) the first contract renewal after the compliance date or (b) one year after the effective date. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Documentation and Reporting Procedures
Policies and procedures
Maintain enterprise-wide, written policies and procedures across administrative, physical, and technical safeguards. Review and test them at least annually and update as reasonable and appropriate. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Vulnerability management and testing records
- Keep scheduled evidence of automated vulnerability scans, documented findings, and Security Remediation steps; test and document the effectiveness of scanning technology annually. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Maintain penetration testing reports showing timing, scope, methodology, qualified tester credentials, and remediation tracking. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Log review and retention
Retain and review records of activity (for example, audit trails, event, firewall, system and backup logs, access reports, anti-malware logs, and security incident tracking) with documented review frequency appropriate to each log type. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Compliance Audits
Perform and document an annual Compliance Audit against each standard and implementation specification; keep auditable records of scope, tests performed, results, and corrective actions. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Business Associate verification and notifications
- Obtain and retain annual written verification from each BA, including a qualified person’s analysis and executive certification, that required technical safeguards are deployed. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Ensure contracts require BAs to report any security incident and to notify you within 24 hours when a contingency plan is activated. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Summary
The HIPAA NPRM formalizes a cadence for automated vulnerability scans and annual penetration testing, links findings to prioritized remediation, and adds auditable proof points (from policy documentation to BA verification). When finalized, organizations will have defined clocks for compliance and clear evidence paths to demonstrate mature, outcome-oriented cybersecurity. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
FAQs
What entities are affected by the HIPAA NPRM vulnerability scanning requirement?
The requirement applies to all HIPAA Covered Entities and their Business Associates. It targets each organization’s “relevant electronic information systems” that create, receive, maintain, or transmit ePHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
How often must vulnerability scans be performed?
At least every six months, or more frequently if your risk analysis warrants it. The NPRM also requires penetration testing at least annually (or more often, per risk), ongoing monitoring of authoritative vulnerability sources, and annual validation of the scanning technology’s effectiveness. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
What documentation is required for compliance?
Maintain written policies and procedures, records of automated scans and remediation, penetration testing reports by a qualified person, documented log reviews and retention, an annual Compliance Audit, and annual written verification from Business Associates (analysis plus certification). ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
When will the new HIPAA vulnerability scanning rules be enforced?
They will not be enforceable until a final rule is published. Under the NPRM, a final rule would take effect 60 days after publication, and most provisions would have a 180-day compliance period after that; certain Business Associate Agreement updates could extend up to one year after the effective date. As of April 14, 2026, no final rule has been issued. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))