HIPAA Penetration Testing Requirements in 2025: What’s Required, What’s Recommended, and How to Stay Compliant

Kevin Henry

HIPAA

April 07, 2026

Mandatory Annual Penetration Testing

In January 2025, HHS/OCR proposed HIPAA Security Rule updates that would make penetration testing of environments handling electronic Protected Health Information (ePHI) mandatory at least once every 12 months, with vulnerability scanning at least every six months. While this is an NPRM (proposed rule), it signals regulators’ clear intent to codify annual testing; until finalized, the current Security Rule remains in force. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

Plan for HIPAA-grade tests that: follow recognized penetration testing methodologies, simulate realistic attacker paths to ePHI, document evidence and exploitability, and are performed by independent, qualified testers. Aligning your approach with NIST SP 800-115 provides a defensible, repeatable method and strengthens audit readiness. ([nvlpubs.nist.gov](https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf))

Risk-Based Testing Frequency

Annual testing is the proposed floor—not the ceiling. Increase frequency when risk changes: major system upgrades or cloud migrations, new patient portals or APIs, mergers, material incidents, or emerging threats identified by your risk assessment framework. NIST SP 800-66r2 emphasizes risk analysis and ongoing evaluation, supporting a cadence that adapts to business and technology change. ([nvlpubs.nist.gov](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.pdf))

Comprehensive System Coverage

Scope penetration tests to all systems that create, receive, maintain, or transmit ePHI, including EHRs, patient portals, mobile apps, APIs (e.g., FHIR), cloud and on‑prem infrastructure, identity systems, backups, and third-party/business associate connections. The NPRM also contemplates a current technology asset inventory, a network map showing ePHI flows, and network segmentation—use these artifacts to drive complete test coverage. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

Documentation and Reporting

Produce compliance audit documentation that examiners can follow end‑to‑end: rules of engagement, penetration testing methodologies, data handling protocols, exploitable paths to ePHI, proof of concepts, and a prioritized remediation roadmap. Pair findings with threat vulnerability analysis and measurable corrective action plans, then track closure to due dates. NIST SP 800-115 outlines planning, execution, and reporting practices; the NPRM would also require annual compliance audits, elevating expectations for documented evidence. ([nvlpubs.nist.gov](https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf))

Integration with Risk Management

Treat testing as a feedback loop into your risk assessment framework. Map each validated finding to likelihood and impact on ePHI, decide to remediate, mitigate, transfer, or (rarely) accept risk, and document rationale. NIST SP 800-66r2 provides HIPAA-aligned guidance for risk analysis, risk management, and periodic evaluations—use it to keep security measures commensurate with risk and to demonstrate continuous improvement. ([nvlpubs.nist.gov](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.pdf))

Engaging Qualified Professionals

Select assessors with healthcare experience, proven penetration testing methodologies, and strong reporting discipline. Insist on independence, clear scoping tied to ePHI, safe handling of sensitive data, and transparent retest terms to validate fixes. Referencing NIST SP 800-115’s phases (planning, discovery, attack, reporting) helps set expectations and ensures tests yield actionable, audit‑ready results. ([nvlpubs.nist.gov](https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf))

Ongoing Compliance and Training

Compliance is continuous. Maintain up‑to‑date asset inventories and network maps, rehearse incident response, and train your workforce. The NPRM signals specific controls (e.g., MFA, encryption, segmentation) and requires timely access revocation and periodic effectiveness reviews; HHS sector Cybersecurity Performance Goals provide practical, voluntary checkpoints to mature your program between formal assessments. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

Quick 2025 action checklist

  • Schedule vulnerability scans every six months and an annual penetration test; budget for retesting.
  • Refresh your asset inventory, ePHI data flows, and segmentation boundaries before testing.
  • Embed findings into risk registers; issue corrective action plans with owners and deadlines.
  • Tighten vendor oversight for business associates that touch ePHI; obtain evidence, not attestations.
  • Strengthen access controls (MFA), encryption, logging, and backup/restore testing.

Conclusion

The 2025 HIPAA Security Rule updates point to mandatory annual penetration testing and stronger operational rigor. Even before finalization, adopting risk‑based testing, comprehensive scope, and disciplined documentation positions you to safeguard ePHI, satisfy auditors, and cut breach exposure.

FAQs

What are the new HIPAA penetration testing requirements for 2025?

The HIPAA Security Rule NPRM published January 6, 2025 proposes penetration testing at least annually and vulnerability scanning at least every six months, alongside other controls (e.g., MFA, encryption, segmentation). Until a final rule is issued, the current Security Rule remains in effect, but preparing now reduces risk and eases adoption. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

How often must penetration testing be conducted under HIPAA?

If finalized as proposed, at least once every 12 months—plus additional testing after significant changes or incidents. Independently of the proposal, HIPAA requires risk analysis and periodic evaluation, so your testing cadence should scale with risk (e.g., new portals, cloud moves, or major upgrades). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

What systems must be included in HIPAA penetration tests?

All components that handle or protect ePHI: clinical apps (EHR), patient‑facing portals, APIs and integrations, identity and access systems, cloud/on‑prem infrastructure, backups, and any business associate connections. Use your asset inventory and network map of ePHI flows to define scope, and validate segmentation boundaries to prevent lateral movement. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

How can organizations ensure ongoing HIPAA compliance?

Adopt a HIPAA‑aligned risk assessment framework (NIST SP 800-66r2), apply recognized penetration testing methodologies (e.g., NIST SP 800-115), maintain audit‑ready documentation, and drive corrective action plans to closure. Between formal assessments, use HHS sector Cybersecurity Performance Goals to prioritize high‑impact safeguards and workforce training. ([nvlpubs.nist.gov](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.pdf))
