HIPAA Security Rule NPRM Explained: What’s Changing and How to Prepare


Kevin Henry

HIPAA

October 31, 2025

The HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) aims to modernize safeguards for electronic protected health information (ePHI) in light of escalating ransomware and supply-chain threats. It emphasizes cybersecurity safeguards for healthcare by tightening expectations around encryption, access controls, risk analysis, and timely incident handling.

While the NPRM is not yet final, its direction is clear: move key “addressable” controls to required, define sharper incident reporting timelines, and strengthen business associate oversight. By acting now, you can reduce risk, demonstrate good-faith compliance, and be ready when enforcement mechanisms take effect.

Mandatory Implementation Specifications

From “addressable” to “required”

The NPRM elevates several controls from flexible to mandatory implementation specifications. You should expect fewer carve‑outs and stronger evidence requirements when exceptions are claimed.

  • Default encryption of ePHI in transit and at rest, aligned to recognized ePHI encryption standards.
  • Multi-factor authentication requirements for remote access, administrative accounts, and systems housing ePHI.
  • Authoritative asset inventory covering endpoints, servers, medical devices, applications, and cloud services.
  • Patch and vulnerability management with defined service-level targets and secure configuration baselines.
  • Comprehensive audit logging, centralized monitoring, and anomaly detection for critical systems.

Operational impact

Expect more rigorous documentation, tighter change control, and stronger board reporting. When a control is not feasible, the NPRM anticipates a documented risk analysis, compensating controls, and a remediation plan with accountable owners and dates.

Encryption Requirements for ePHI

In transit and at rest

The NPRM clarifies that ePHI should be encrypted by default both in transit and at rest. For data in motion, use modern, well-configured transport encryption between users, apps, and APIs. For data at rest, enable strong storage encryption for databases, file systems, backups, and endpoint media.

Key management and lifecycle

Strong encryption is only as good as key management. Implement centralized key management (for example, a KMS or HSM), separation of duties, rotation and revocation procedures, and secure secrets storage. Ensure backup key material and recovery workflows are tested and documented.

Risk-based exceptions

Where encryption is not technically feasible (such as certain legacy medical devices), the NPRM expects a written exception grounded in security risk assessment guidelines and compensating controls like network isolation, strict access control, and continuous monitoring. Reassess exceptions regularly and retire them as technology allows.

Multi-Factor Authentication Mandates

Scope and depth

The NPRM makes MFA a baseline safeguard. Prioritize remote access, privileged and administrative accounts, and applications that create, receive, maintain, or transmit ePHI. Favor phishing‑resistant authenticators where feasible, and apply step‑up authentication for sensitive actions.

Clinical usability

Balance security and care delivery by enabling fast, reliable factors (for example, tokens or platform authenticators), kiosk or shared‑device workflows, break‑glass procedures with enhanced logging, and robust device lifecycle management.

Rollout roadmap

  • Inventory identities, privileged roles, and entry points (VPN, SSO, EHR, admin interfaces).
  • Define MFA policies, recovery procedures, and enrollment at scale.
  • Integrate MFA with SSO and enforce conditional access for high‑risk scenarios.
  • Measure coverage and exceptions; reduce SMS reliance over time.

Annual Security Risk Assessments

Cadence and scope

The NPRM establishes an explicit annual cadence for enterprise risk analysis. Your assessment should map threats and vulnerabilities to ePHI assets, third‑party dependencies, and clinical workflows, and then prioritize remediation based on likelihood and impact.

Method and evidence

Use defensible methods aligned to security risk assessment guidelines. Produce a risk register, treatment plans, owners, target dates, and residual risk justifications. Keep evidence—network diagrams, data flows, control testing results—ready for audits.

Governance integration

Present results to executive leadership and the board, link remediation to budget requests, and track progress with quantitative metrics such as control coverage, patch SLAs, and incident mean time to detect and recover.

Incident Reporting and Response

Timelines and decisioning

The NPRM sharpens incident reporting timelines and clarifies the threshold for notifying HHS, affected individuals, and—when applicable—the media. Establish criteria for when a security incident becomes a reportable breach, and document decision paths.

Detection and response readiness

Implement 24/7 monitoring across endpoints, servers, cloud, and identity systems. Maintain playbooks for ransomware, email compromise, data exfiltration, and third‑party incidents. Preserve forensic artifacts, practice tabletop exercises, and validate recovery with clean, tested backups.

Communication and coordination

Define roles, escalation paths, and contact lists for legal, privacy, clinical operations, cyber insurance, and law enforcement. Ensure incident reporting content meets regulatory expectations and that you can deliver notifications within the defined windows.

Business Associate Oversight Enhancements

Due diligence and monitoring

The NPRM strengthens business associate oversight. Before contracting, evaluate security maturity, certifications, penetration testing history, and breach records. After onboarding, require periodic attestations, vulnerability reporting, and prompt notification of material changes.

Business associate contract compliance

Update BAAs to reflect NPRM requirements: encryption and MFA baselines, incident reporting timelines, subcontractor flow‑downs, audit rights, minimum logging standards, and termination rights for noncompliance. Use a shared responsibility matrix to clarify who does what across hosting, application, and data layers.

Accountability and enforcement

Expect closer scrutiny of BAAs during investigations and audits. Stronger HIPAA NPRM enforcement mechanisms mean covered entities should verify—not just trust—partner controls and be able to produce evidence on demand.

Preparing for Compliance

90‑day quick‑start

  • Enable MFA for all remote access and privileged accounts; close known gaps.
  • Turn on encryption at rest for databases, file shares, and backups; validate transport encryption everywhere.
  • Complete an interim risk assessment focused on high‑impact ePHI systems; open remediation tickets with owners and dates.
  • Harden logging: centralize critical audit logs, increase retention, and tune alerts.
  • Refresh the incident response plan and run a ransomware tabletop with executive participation.
  • Review and update BAAs to align with business associate contract compliance expectations.

Technology and process priorities

  • Identity: SSO, MFA, privileged access management, just‑in‑time elevation.
  • Data protection: disk/database encryption, key management, data loss prevention, immutable backups.
  • Visibility: asset inventory, vulnerability management, configuration baselines, SIEM/SOAR.
  • Network and endpoint: segmentation, EDR, secure remote access, secure medical device onboarding.

Measuring readiness

  • MFA coverage across users, apps, and admin interfaces.
  • Encryption coverage for ePHI at rest and in transit.
  • Patch and vulnerability SLAs met by asset class.
  • Incident reporting timelines met in exercises and real events.
  • BAA attestations received on schedule and exceptions tracked to closure.

By aligning early with the NPRM’s direction—multi‑factor authentication requirements, clearer ePHI encryption standards, rigorous risk analysis, prompt reporting, and stronger partner oversight—you embed durable cybersecurity safeguards for healthcare and reduce regulatory exposure.

FAQs

What are the key changes in the HIPAA Security Rule NPRM?

The NPRM elevates several controls to mandatory implementation specifications, including default encryption of ePHI, broader MFA, explicit annual risk assessments, clearer incident reporting timelines, and tighter business associate oversight. It also signals more assertive enforcement mechanisms and a stronger expectation for measurable, evidence‑based security programs.

How does the NPRM affect encryption requirements?

Encryption moves from largely “addressable” to a default requirement for both data in transit and at rest, supported by disciplined key management and documented exceptions only where truly unavoidable. The NPRM emphasizes alignment with recognized ePHI encryption standards and expects compensating controls when encryption cannot be applied.

What are the new incident reporting requirements?

The NPRM clarifies when to treat a security event as a reportable breach and sets firmer notification windows to HHS and affected individuals. It expects well‑defined playbooks, comprehensive logging, and the ability to demonstrate timely investigation, containment, notification, and post‑incident lessons learned.

How should organizations prepare for the HIPAA NPRM updates?

Run a focused gap assessment, enable MFA where risk is highest, encrypt ePHI at rest and in transit, strengthen monitoring and backups, and update BAAs to reflect business associate contract compliance. Build a yearly risk assessment program, test incident response, and track metrics so you can show progress and readiness when audits occur.
