New HIPAA Security Rule 2025: Do You Need a Pen Test? Requirements, Frequency, and Compliance Checklist


Kevin Henry

HIPAA

March 27, 2026


HIPAA Security Rule Update 2025 Overview

The 2025 HIPAA Security Rule update is a major modernization aimed at hardening protections for electronic protected health information (ePHI). It elevates prescriptive security controls alongside existing Administrative Safeguards and Technical Safeguards, shifting compliance from policy-heavy checklists to demonstrable, measurable security outcomes. Covered Entities and Business Associates are both in scope.

Key proposals include mandatory ePHI encryption, multi-factor authentication (MFA), defined testing cadences (vulnerability scanning and penetration testing), annual compliance audits, a living technology asset inventory with a network map, network segmentation, and stronger contingency planning (including the capability to restore certain critical systems and data within 72 hours). Together, these measures require rigorous Risk Assessments and documented Remediation Plans that show you can prevent, detect, and respond to threats.

Status note: As of April 14, 2026, these requirements come from the Notice of Proposed Rulemaking (published January 6, 2025). Final timing and language may shift, but healthcare organizations should begin implementing the core controls now to reduce risk and accelerate readiness.

Compliance Checklist (Quick Start)

  • Confirm your status as a Covered Entity or Business Associate and update your system-of-record for in-scope ePHI.
  • Build and maintain a technology asset inventory and network map showing ePHI data flows; review at least annually and after changes.
  • Complete a written Risk Assessment addressing threats, vulnerabilities, likelihood/impact, and current controls.
  • Implement ePHI encryption at rest and in transit; document exceptions, compensating controls, and timelines.
  • Deploy MFA for workforce access to systems and applications that create, receive, maintain, or transmit ePHI.
  • Schedule vulnerability scanning at least every six months and penetration testing at least annually; define scope and evidence.
  • Create Remediation Plans with owners and deadlines; validate fixes and retain proof of closure.
  • Strengthen incident response and contingency plans; exercise them and verify restoration objectives.
  • Update Business Associate Agreements to reflect testing, encryption, MFA, segmentation, notification, and verification duties.
  • Prepare for an annual compliance audit; centralize documentation to meet HIPAA’s retention requirements.

Penetration Testing Requirements

Under the 2025 update, penetration testing becomes an explicit requirement for regulated entities. If you create, receive, maintain, or transmit ePHI as a Covered Entity or Business Associate, you should plan for recurring penetration tests that validate the effectiveness of your security controls—not just the presence of policies.

Scope and depth

  • External and internal network testing that targets systems and pathways touching electronic protected health information (ePHI).
  • Application-layer testing for web, mobile, and APIs that handle ePHI, including authentication, authorization, and input validation.
  • Cloud services, remote access, and identity planes (SSO, IAM, PAM) that could grant or broker ePHI access.
  • Controls that enforce network segmentation around ePHI repositories and critical clinical systems.

Execution standards

  • Use qualified, independent testers (internal team with separation of duties or a third party) following recognized methodologies.
  • Define clear rules of engagement, data-handling protocols, and safety constraints for clinical environments.
  • Coordinate with change management to avoid patient-care disruption and to prioritize retesting windows.

Required outputs you should expect

  • A written test plan and methodology mapped to in-scope assets and ePHI data flows.
  • Evidence-backed findings with severity, likelihood, affected assets, and exploitability.
  • Actionable Remediation Plans with owners and due dates, plus retest results confirming closure or documented risk acceptance.
  • An executive summary for leadership and an appendix suitable for auditors.

Annual Penetration Testing Frequency

The update sets a minimum cadence of once every 12 months. Build your testing calendar to preserve that interval year over year and align it with your budgeting cycle and audit timeline. To maintain accuracy between annual tests, add targeted testing after significant environmental changes—such as EHR upgrades, cloud migrations, network redesigns, or newly discovered critical vulnerabilities—so your controls stay validated as your architecture evolves.

Integrate testing outcomes into your Risk Assessments and Remediation Plans. Prioritize fixes that reduce attack paths to ePHI and that reinforce MFA, segmentation, and encryption controls already required elsewhere in the rule.

Vulnerability Scanning Mandates

Vulnerability scanning must occur at least every six months. Scanning should cover internal and external networks, applications, cloud services, medical devices where feasible, and configurations that could expose ePHI. Treat scanning as part of a repeatable vulnerability management program—not a one-off task.

Program essentials

  • Authenticated scans where possible, to identify real misconfigurations and missing patches.
  • Documented severity ratings, risk rationale, and fix-by timelines; tie each item to a tracked Remediation Plan.
  • Change-driven rescans (e.g., after new deployments, major patches, or architectural changes) to keep the picture current.
  • Evidence of remediation and verification artifacts retained alongside scan outputs.

Compliance Documentation and Retention

HIPAA’s documentation and retention baseline remains stringent. Maintain written policies, procedures, plans, and analyses—plus objective evidence that your controls work. Retain required documentation for at least six years from the date of creation or the date last in effect, whichever is later. Ensure records are complete, tamper-evident, and readily retrievable for audits.

What to maintain

  • Administrative Safeguards: risk analysis, risk management plan, sanctions policy, workforce training records, and annual compliance audit results.
  • Technical Safeguards: ePHI encryption design and key management records, MFA rollout evidence, segmentation diagrams, access control configurations, and activity review procedures.
  • Asset and architecture: technology asset inventory, network map showing ePHI flows, data classification, and system-of-record for ePHI locations.
  • Security testing: penetration test plans/reports/retests, vulnerability scans, Remediation Plans, and risk acceptance approvals.
  • Continuity and response: incident response plan and exercise reports, contingency plan and restoration tests (including 72-hour recovery objectives where applicable), and backup/recovery validation.
  • Third-party oversight: Business Associate Agreements, annual verification artifacts from Business Associates, and subcontractor flow-down evidence.
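A small date-arithmetic check for the cadences and retention rule described above (vulnerability scans at least every six months, penetration tests at least every 12 months, records kept six years from creation or from the date last in effect, whichever is later). This is an added example, not code from the article or from any HIPAA text; the `EvidenceRecord` layout, the function names and the sample register are assumptions, and month arithmetic is clamped to the last day of the target month so month-end and leap-day dates do not overflow.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum cadences and the retention baseline as stated in the article (proposed rule).
CADENCE_MONTHS = {"vulnerability_scan": 6, "penetration_test": 12}
RETENTION_YEARS = 6

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping to the last day of the target month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    days_in_month = (first_of_next - date(year, month, 1)).days
    return date(year, month, min(d.day, days_in_month))

@dataclass
class EvidenceRecord:
    """One completed scan or test; this record layout is an assumption for the example."""
    kind: str        # "vulnerability_scan" or "penetration_test"
    completed: date  # date the engagement was completed

def next_due(rec: EvidenceRecord) -> date:
    """Latest date by which the next engagement of this kind must be completed."""
    return add_months(rec.completed, CADENCE_MONTHS[rec.kind])

def overdue(records, today: date):
    """Return (kind, due date) for every kind whose most recent record is past due."""
    latest = {}
    for rec in records:
        if rec.kind not in latest or rec.completed > latest[rec.kind].completed:
            latest[rec.kind] = rec
    return sorted((k, next_due(r)) for k, r in latest.items() if next_due(r) < today)

def retain_until(created: date, last_in_effect: Optional[date] = None) -> date:
    """Six years from creation or from the date last in effect, whichever is later."""
    base = max(created, last_in_effect) if last_in_effect else created
    return add_months(base, 12 * RETENTION_YEARS)

# Constructed sample register: one pen test and two scans, the first scan on a month end.
SAMPLE_RECORDS = [
    EvidenceRecord("penetration_test", date(2025, 3, 15)),
    EvidenceRecord("vulnerability_scan", date(2025, 8, 31)),
    EvidenceRecord("vulnerability_scan", date(2026, 2, 28)),
]

if __name__ == "__main__":
    print(overdue(SAMPLE_RECORDS, date(2026, 4, 14)))
    print(retain_until(date(2024, 2, 29)))
```

Run against the sample register on April 14, 2026, the pen test completed March 15, 2025 is flagged overdue while the scan from February 28, 2026 is not due until August 28, 2026.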

Encryption and MFA Standards

ePHI encryption is expected at rest and in transit, with only narrow, documented exceptions supported by Risk Assessments and compensating controls. Apply strong cryptography across databases, file systems, application storage, backups, portable endpoints, and cloud object stores. For data in transit, encrypt clinical interfaces, APIs, remote access, and provider-to-payer exchanges end to end.

MFA is required for workforce access to systems and applications touching ePHI. Prioritize phishing-resistant factors for privileged accounts and remote access. Integrate MFA with identity governance (joiner/mover/leaver processes), enforce step-up authentication for risky actions, and ensure emergency access (“break-glass”) is controlled, logged, and regularly reviewed.

Incident Response and Business Associate Agreements

The update emphasizes operational resilience. Maintain a written incident response plan, exercise it at least annually, and demonstrate the capability to restore certain relevant systems and data within 72 hours. Align playbooks to real clinical risks (e.g., ransomware, EHR outages) and ensure audit logging and activity review can support investigation and breach notification decisions.

Business Associates carry explicit obligations. BAAs should require:

  • annual verification that Technical Safeguards are deployed;
  • timely notification if contingency plans are activated (no later than 24 hours);
  • documented vulnerability management practices;
  • adherence to penetration testing and scanning frequencies;
  • ePHI encryption, MFA, and segmentation;
  • flow-down of these duties to subcontractors.

Reserve audit and evidence rights to validate performance.

Conclusion

The 2025 update makes security control validation—encryption, MFA, scanning, and penetration testing—table stakes for HIPAA programs. Start by tightening your Risk Assessments, inventorying assets and data flows, and proving controls with evidence-backed testing and Remediation Plans. Doing so reduces breach risk now and positions you to meet final compliance deadlines efficiently.

FAQs

What entities are required to perform penetration testing under the new HIPAA rule?

All Covered Entities and Business Associates that create, receive, maintain, or transmit ePHI are expected to conduct penetration testing under the 2025 update. That includes health plans, clearinghouses, most providers, and contractors handling ePHI on their behalf.

How often must penetration tests be conducted?

At least once every 12 months. Many organizations also run targeted tests after significant changes—such as major upgrades, cloud migrations, or segmentation redesigns—to keep their validation current between annual engagements.

What documentation is required to demonstrate compliance?

You should maintain test plans and rules of engagement, tester qualifications, detailed findings with evidence and severity, Remediation Plans with due dates, retest/closure proof, risk acceptance approvals (if any), and an executive summary linked to your Risk Assessments. Retain these records in accordance with HIPAA’s six-year documentation rule.

Are multi-factor authentication measures mandatory under the 2025 update?

Yes. MFA is required for workforce access to systems and applications that handle ePHI, with only limited, well-justified exceptions. Document any exception, apply compensating controls, and set a near-term remediation timeline.
