HIPAA Security Rule Update 2025: Key Changes, Deadlines, and Compliance Checklist
Proposed Update Overview
HHS’s Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule, with publication in the Federal Register on January 6, 2025 and a public comment period that closed March 7, 2025. The proposal targets stronger safeguards for electronic protected health information (ePHI) and clearer, more testable expectations for covered entities and business associates. While rulemaking proceeds, the current Security Rule remains in effect. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
The NPRM emphasizes alignment with widely accepted cybersecurity practices and seeks to clarify obligations that OCR frequently finds deficient in investigations (for example, encryption and access control). It is not final until HHS issues a final rule; organizations should prepare now and plan to adjust once final dates are announced. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
Removal of Addressable Specifications
The proposal eliminates the longstanding distinction between “required” and “addressable” implementation specifications. Under the update, you would be expected to meet both the standards and the implementation specifications; flexibility remains in how you implement controls that are reasonable and appropriate for your environment, not whether you implement them. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Enhanced Documentation Practices
What to write, test, and retain
- Document how you considered the Security Rule’s risk factors (164.306(b)) when developing written policies and procedures; document every required action, activity, and assessment. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Retain documentation for at least six years from creation or last effective date, and make it available to those responsible for implementation. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Adopt explicit record-retention procedures for system activity (for example, audit logs), with retention periods that are reasonable and appropriate for each log type. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Maintain a written incident response plan and test, review, and update it at least annually; keep test results. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Annual Compliance Audits
The NPRM adds a new standard: perform and document a Security Rule compliance audit at least once every 12 months, covering each standard and implementation specification. This audit is distinct from, and complementary to, your risk analysis and risk management activities. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Strengthened Technical Controls
Encryption elevated to a standard
Encrypt all ePHI at rest and in transit (with limited, clearly defined exceptions) and review/test encryption controls at least annually. The NPRM elevates encryption from an “addressable” item to a core standard aligned to prevailing cryptographic practices. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Access controls and Multi-Factor Authentication
Deploy Multi-Factor Authentication across relevant electronic information systems and for privilege changes, with narrow exceptions (for example, legacy devices that cannot support MFA, provided a documented migration plan is in place, or emergencies handled with compensating controls). ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Vulnerability management and testing
- Vulnerability scanning: automated scans at least every six months or more often based on risk; verify scanner effectiveness annually. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Penetration testing: at least annually (or more frequently per your risk analysis) by a qualified person. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
- Ongoing monitoring: track authoritative sources for new vulnerabilities and remediate under your patch program. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Audit trail and system log controls
Deploy technical controls to record and identify activity across relevant systems (centralized logging, audit trails) and align reviews with documented procedures. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Configuration and segmentation
Segment networks that host ePHI to limit lateral movement; disable unused ports and remove extraneous software as part of configuration management. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Data backup and recovery
Create and maintain exact, retrievable copies of ePHI, plus backups of relevant information systems; review and test backup/recovery controls at least every six months. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Business Associate Requirements
Verify controls annually
Obtain written verification from each business associate at least annually confirming deployment of required technical safeguards, supported by a written analysis from a knowledgeable professional and a certification by an authorized representative. Keep the verification on file. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
24-hour notifications
Require business associates to notify covered entities of contingency plan activation without unreasonable delay and no later than 24 hours. Separately, establish procedures to notify other regulated entities within 24 hours when a workforce member’s access to ePHI or relevant systems is changed or terminated. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Business Associate Agreement updates and transition
Update Business Associate Agreements (BAAs) to incorporate new obligations (for example, contingency plan activation reporting and verification duties). The NPRM provides a transition period: existing BAAs may continue until the earlier of renewal after the compliance date or one year after the effective date. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Compliance Timeline and Actions
Where the rule stands as of March 13, 2026
The NPRM is not yet a final rule. Until a final rule is issued, the current Security Rule remains in effect; plan now so you can move quickly once final dates are published. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
Expected deadlines once finalized
- Effective date: 60 days after Federal Register publication of the final rule.
- Compliance date: 180 days after the effective date (i.e., generally 240 days after publication).
- BAA transition: Earlier of BAA renewal after the compliance date or one year after the effective date (limited deemed-compliance window). ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Your compliance checklist
- Map where ePHI lives; update your technology asset inventory and network diagrams.
- Assess gaps against the proposed implementation specifications; prioritize encryption, access control, and network segmentation.
- Stand up MFA where feasible; document exceptions and compensating controls with a migration plan.
- Schedule vulnerability scanning (≥ every 6 months) and annual penetration testing; integrate findings into patch management.
- Write or refine your incident response plan; run and document at least one tabletop/test annually.
- Define audit log retention and review cadence; centralize log collection where possible.
- Plan and budget for the annual Security Rule compliance audit, distinct from your risk analysis.
- Update BAAs for verification and 24-hour contingency plan notifications; prepare to collect annual attestations.
- Train your workforce on updated policies; refresh training at least annually and within 30 days for new users.
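As an added example (not code from the article, HHS, or Accountable), the following Python tracker encodes the cadences and deadline arithmetic quoted on this page: it flags controls whose latest evidence is older than the NPRM interval, derives the effective, compliance, and BAA transition dates from a final-rule publication date, and computes the six-year documentation retention end. Control names and sample dates are constructed, and the day counts assumed for "six months" and "annually" are assumptions you should align to your own policy.

```python
from __future__ import annotations
from datetime import date, timedelta

# Added example, not from the article or HHS. Cadences are the intervals the
# NPRM text quotes above, expressed in days (your policy may define months differently).
SEMIANNUAL, ANNUAL = 182, 365
CADENCE_DAYS = {
    "vulnerability_scan": SEMIANNUAL,      # automated scans at least every six months
    "backup_recovery_test": SEMIANNUAL,    # backup/recovery test at least every six months
    "penetration_test": ANNUAL,            # at least annually, by a qualified person
    "incident_response_test": ANNUAL,      # IR plan tested/reviewed at least annually
    "encryption_review": ANNUAL,           # encryption controls reviewed/tested annually
    "security_rule_audit": ANNUAL,         # new annual Security Rule compliance audit
    "ba_verification": ANNUAL,             # written business associate verification annually
    "workforce_training": ANNUAL,          # training refreshed at least annually
}

def overdue_controls(last_done: dict[str, date], today: date) -> dict[str, int]:
    """Map each control whose latest evidence is older than its cadence to the
    number of days past due. A control with no evidence at all is reported as
    overdue by the full cadence, so a missing record never reads as compliant."""
    overdue = {}
    for control, cadence in CADENCE_DAYS.items():
        last = last_done.get(control)
        late = cadence if last is None else (today - last).days - cadence
        if late > 0:
            overdue[control] = late
    return overdue

def final_rule_deadlines(publication: date, renewal_after_compliance: date | None = None) -> dict[str, date]:
    """Effective date = publication + 60 days; compliance date = effective + 180 days.
    The BAA transition ends at the earlier of the first renewal falling after the
    compliance date (if known) or one year after the effective date."""
    effective = publication + timedelta(days=60)
    compliance = effective + timedelta(days=180)
    one_year = effective + timedelta(days=365)
    baa_end = min(renewal_after_compliance, one_year) if renewal_after_compliance else one_year
    return {"effective": effective, "compliance": compliance, "baa_transition_end": baa_end}

def retention_expires(created: date, last_effective: date | None = None) -> date:
    """Documentation is kept six years from creation or from the date it was last
    in effect, whichever is later; a 29 February start is clamped to 28 February."""
    start = max(created, last_effective or created)
    try:
        return start.replace(year=start.year + 6)
    except ValueError:
        return start.replace(year=start.year + 6, day=28)
```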
Conclusion
The 2025 HIPAA Security Rule proposal raises the floor on cybersecurity by making implementation specifications truly actionable and verifiable. If you document decisions, tighten technical controls, verify business associate practices, and operationalize annual reviews, you will be well positioned for final deadlines and better protected against today’s threats. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
FAQs
What are the main changes in the HIPAA Security Rule update 2025?
Highlights include removing the “addressable” category, elevating encryption to a standard (encrypt ePHI at rest and in transit), requiring Multi-Factor Authentication, instituting semiannual vulnerability scanning and annual penetration testing, formalizing incident response planning and testing, adding an annual compliance audit, and strengthening Business Associate obligations (annual verification and 24-hour contingency notifications). ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
How does the removal of addressable specifications affect compliance?
You still have flexibility in how you meet the Security Rule, but not in whether you meet it. The proposal makes all implementation specifications binding; your task is to select reasonable and appropriate measures for your environment and document those choices—rather than treating items as optional. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
When must covered entities complete the new compliance requirements?
Under the NPRM’s framework, the final rule would become effective 60 days after publication, and most requirements would be enforceable 180 days after that (about 240 days post-publication). Certain BAA updates would have a limited transition window through renewal after the compliance date or one year after the effective date. Monitor HHS for the final publication date to calculate your specific deadlines. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
What documentation is required under the updated Security Rule?
You would need written policies and procedures that reflect how you considered the 164.306(b) factors; written records of all required actions, activities, and assessments; documented incident response testing; defined log retention and review processes; and retention of documentation for at least six years from creation or last effective date. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.