If you run a small medical practice — family medicine, dental, chiropractic, mental health, physical therapy, urgent care — you need to know about what is coming. The Department of Health and Human Services has proposed the most significant update to the HIPAA Security Rule since it was first written in 2003. The proposed rule (NPRM) was published January 6, 2025 and is still under review. If and when it is finalized, the clock starts on a compliance window that is likely 180 days — possibly less.
This is not a minor tweak. This overhaul changes the fundamental way HIPAA treats cybersecurity for every covered entity and business associate in the country, regardless of size. If your practice has five staff or fifty, the same rules will apply to you.
Most of what has been written about this so far is aimed at hospital CISOs and IT security vendors. This article is not. This article is for the practice owner, the office manager, the person who wears the compliance hat on top of twelve other hats. Here is what is changing, what it means for your day-to-day operations, and exactly what you should start doing right now.
What Is Actually Changing?
HHS published a Notice of Proposed Rulemaking (NPRM) on January 6, 2025, proposing sweeping modifications to the HIPAA Security Rule. The comment period closed in March 2025 and drew significant industry feedback — much of it from small practice advocates concerned about cost and feasibility. Despite that pushback, HHS has signaled it intends to finalize the rule, potentially in a scaled-back form, in 2026.
Here are the changes that matter most to a small practice.
1. "Addressable" Safeguards Are Gone — Everything Becomes Mandatory
This is the single biggest change and the one that will affect the most practices. Under the current Security Rule, safeguards are classified as either "required" or "addressable." If a safeguard was addressable — like encryption — you could assess whether it was reasonable and appropriate for your practice. If you decided it was not, you could document your reasoning and implement an alternative measure. Many small practices used this flexibility to skip encryption entirely, arguing that their small size or limited budget made it impractical.
Under the proposed rule, that distinction disappears. Nearly all implementation specifications become mandatory, with only very narrow exceptions. Encryption, access controls, audit logging, multi-factor authentication — these are no longer things you can reason your way out of. You either implement them or you are out of compliance. Period.
What this means for your practice: If you have been relying on the "addressable" classification to avoid implementing encryption on laptops, email, or your EHR backup, that justification is about to expire. Start planning now.
2. Multi-Factor Authentication Becomes Mandatory
The proposed rule would require multi-factor authentication (MFA) on every system that accesses electronic protected health information (ePHI). That includes your EHR, your practice management system, your email (if it touches patient information), your cloud storage, and your billing software.
MFA means logging in requires more than a password. In addition to something you know (your password), you prove a second factor: something you have (a code from your phone or a hardware token) or something you are (a biometric like a fingerprint). If your staff currently logs into your EHR with just a username and password, that will no longer be sufficient.
What this means for your practice: Check whether your EHR vendor supports MFA today. Most modern cloud-based EHR systems do, but it may not be turned on. If your EHR does not support MFA, that is a conversation you need to have with your vendor now — not after the rule is finalized.
3. Annual Risk Assessments Must Drive Real Action
The HIPAA Security Risk Assessment (SRA) has been a requirement since 2003, and it is the single most-cited deficiency in OCR audits. But under the current rule, many practices treat it as a paperwork exercise — answer some questions, generate a PDF, put it in a drawer.
The proposed rule changes this. Risk assessments must now be conducted at least every 12 months, must be documented in detail, and must produce actionable remediation plans. The assessment has to identify specific risks to ePHI, evaluate the likelihood and impact of each risk, and document what the practice is doing to mitigate each one. Importantly, your remediation plan cannot just sit on paper — the rule requires that you implement the mitigations and document that implementation.
What this means for your practice: If your last SRA was a checkbox exercise, it will not pass muster under the new rule. You need an SRA process that identifies real risks, produces a real remediation plan, and tracks your progress on fixing the gaps. This is exactly what GuardWell's Security Risk Assessment module is built for — a guided, question-by-question walkthrough that generates a risk register and tracks remediation automatically.
4. You Need a Network Map Showing Where ePHI Lives
The proposed rule requires covered entities to create and maintain a technology asset inventory and a network map that shows how ePHI moves through your practice. This means documenting every system, device, and application that creates, receives, stores, or transmits patient data — and showing how they connect to each other.
For a small practice, this might include your EHR system, your practice management software, your billing clearinghouse, your email provider, your fax service (especially cloud fax), any cloud storage you use, your appointment scheduling system, your patient portal, and every workstation and mobile device that accesses any of those systems.
What this means for your practice: Sit down with whoever manages your IT — whether that is an internal person, an MSP, or you — and create a list of every system that touches patient data. Document which ones talk to each other. This does not have to be a complex network diagram. A spreadsheet listing each system, what data it holds, how it connects to other systems, and who has access is a solid start.
5. Written Verification From Every Business Associate
Under the current rule, a signed Business Associate Agreement (BAA) is the primary mechanism for ensuring your vendors protect ePHI. The proposed rule goes further: you must now obtain written verification from each business associate — at least annually — confirming that they have actually implemented the required technical safeguards.
A signed BAA alone is no longer enough. You need to ask your EHR vendor, your billing company, your cloud fax provider, your IT company, and every other vendor who touches patient data to provide written documentation that they have encryption in place, that they use MFA, that they conduct their own risk assessments, and that they can report breaches within 24 hours.
What this means for your practice: Start with your highest-risk vendors — EHR, billing, IT provider, cloud services — and send them a simple request: "Can you provide written verification that you have implemented the technical safeguards required by the HIPAA Security Rule, including encryption, MFA, and audit logging?" If a vendor cannot or will not provide this, that is a red flag you need to address.
6. Business Associates Must Report Incidents Within 24 Hours
Under the current Breach Notification Rule, business associates must notify covered entities of a breach "without unreasonable delay" — which has been interpreted as within 60 days. The proposed rule would tighten this dramatically to 24 hours for security incidents (not just confirmed breaches).
What this means for your practice: Review your BAAs. Do they include a specific timeframe for incident notification? If they say "60 days" or "without unreasonable delay," you should plan to update them to reflect the 24-hour requirement once the final rule is published. You also need an internal incident response process so that when a vendor notifies you at 2 AM on a Saturday, someone knows what to do.
7. Mandatory Vulnerability Scanning and Penetration Testing
The proposed rule would require vulnerability scans every six months and penetration testing annually for all systems handling ePHI. For most small practices, this means engaging an outside cybersecurity firm to run these tests — and documenting the results and any remediation actions taken.
What this means for your practice: If you have never had a vulnerability scan or penetration test performed, you are not alone — most small practices have not. But under the new rule, this will be a hard requirement. Start budgeting for it now. A basic external vulnerability scan and penetration test for a small practice typically costs $2,000–$5,000 depending on scope, and you will need it done annually.
When Does This Take Effect?
A final rule has not yet been published. If and when HHS finalizes the rule, it will set a compliance deadline. Based on precedent and the complexity of the changes, this is likely to be 180 days (about 6 months) from the publication date.
However, some of the requirements — like conducting a thorough risk assessment and implementing encryption — cannot be done overnight. If you wait until the final rule drops to start preparing, you will be scrambling. The practices that start now will be the ones that are ready on time.
Your 8-Step Action Plan — Start This Week
You do not need to do everything at once. But you should start moving. Here is a practical action plan, ordered by priority, that any small practice can begin immediately.
Step 1: Turn on MFA everywhere you can today. Start with your EHR and your email. Most cloud-based systems already support it — you just need to enable it. This is free and takes 30 minutes.
Step 2: Run (or re-run) your Security Risk Assessment. If your last SRA was more than 12 months ago, or if it was a superficial exercise, do it again. Use a guided tool that produces a real risk register with scored risks and remediation tracking.
Step 3: Inventory every system that touches ePHI. Make a list: EHR, practice management, billing, email, fax, cloud storage, appointment scheduling, patient portal, every workstation and mobile device. Note who has access to each one.
Step 4: Check encryption status. Is your EHR data encrypted at rest and in transit? What about your email? Your laptops? Your backups? If you do not know the answer, ask your IT provider. If you do not have an IT provider, that itself is a gap to address.
Step 5: Contact your top 5 vendors. Ask your EHR vendor, billing company, IT provider, cloud fax, and any cloud storage provider for written verification that they have implemented encryption, MFA, and audit logging. Document their responses.
Step 6: Review and update your BAAs. Check whether your existing BAAs include specific incident notification timeframes. Flag any that need to be updated once the final rule is published.
Step 7: Budget for a penetration test. Get quotes from 2–3 cybersecurity firms that specialize in small healthcare practices. You do not need to do the test today, but knowing the cost and having a vendor ready means you can move quickly when the rule is finalized.
Step 8: Document everything. Under the new rule, documentation is not just good practice — it is a specific, auditable requirement. Every policy, every risk assessment, every vendor verification, every remediation action needs to be documented and retrievable. A compliance platform that tracks all of this in one place will save you significant time and stress when audit season arrives.
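The inventory described in section 4 and the checks behind Steps 1 through 6 can live in a small script instead of a spreadsheet. The following is an added example, not GuardWell's code or language from the proposed rule; the Asset schema, system names, vendors and dates are constructed, and the 24-hour notification and 12-month verification thresholds are the ones described above. It also treats a system as in scope when it merely connects to an ePHI system, which is how a workstation that only logs into the EHR still ends up on the network map.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
@dataclass  # one row of the ePHI asset inventory (constructed schema, not GuardWell's)
class Asset:
    name: str
    holds_ephi: bool            # creates, receives, stores or transmits patient data itself
    mfa: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    connects_to: List[str] = field(default_factory=list)  # documented connections (the network map)
    vendor: Optional[str] = None              # None = run in-house, no BAA involved
    baa_notify_hours: Optional[int] = None    # incident-notification window written into the BAA
    verified_on: Optional[date] = None        # last written safeguard verification from the vendor

# Constructed sample inventory; system names, vendors and dates are hypothetical.
INVENTORY = [
    Asset("EHR (cloud)", True, True, True, True, ["Billing clearinghouse"],
          vendor="EHR Co", baa_notify_hours=60 * 24, verified_on=date(2025, 3, 1)),
    Asset("Billing clearinghouse", True, True, True, True,
          vendor="Bill Co", baa_notify_hours=24, verified_on=date(2025, 11, 15)),
    Asset("Front-desk workstation", False, False, False, True, ["EHR (cloud)"]),  # no ePHI stored locally
    Asset("Office printer", False, False, False, False),
]
AS_OF = date(2026, 2, 1)  # constructed assessment date

def ephi_systems(inventory):
    # In scope: holds ePHI, or connects (directly or transitively) to a system that does.
    scope = {a.name for a in inventory if a.holds_ephi}
    while True:
        added = {a.name for a in inventory if a.name not in scope and scope & set(a.connects_to)}
        if not added:
            return sorted(scope)
        scope |= added

def find_gaps(inventory, today):
    # (system, issue) pairs for every in-scope system missing a safeguard the proposed rule mandates.
    in_scope, gaps = set(ephi_systems(inventory)), []
    for a in (x for x in inventory if x.name in in_scope):
        checks = [
            (not a.mfa, "MFA not enabled"),
            (not a.encrypted_at_rest, "not encrypted at rest"),
            (not a.encrypted_in_transit, "not encrypted in transit"),
            (a.vendor and (a.baa_notify_hours is None or a.baa_notify_hours > 24),
             f"BAA with {a.vendor} allows more than 24 hours for incident notification"),
            (a.vendor and (a.verified_on is None or today - a.verified_on > timedelta(days=365)),
             f"no written safeguard verification from {a.vendor} within the last 12 months"),
        ]
        gaps += [(a.name, msg) for failed, msg in checks if failed]
    return gaps
```

Running `find_gaps(INVENTORY, AS_OF)` on the sample inventory flags the EHR's 60-day BAA window and the unencrypted, password-only workstation, while the printer stays out of scope because nothing on the map connects it to patient data.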
The Bottom Line
The proposed HIPAA Security Rule overhaul would be the most significant change to healthcare cybersecurity requirements in over 20 years. The core message from HHS is clear: documenting that you intended to be secure will no longer be enough. You will have to prove that you actually are.
For small practices, this does not have to be overwhelming. Most of the individual steps — enabling MFA, encrypting devices, running a proper risk assessment, verifying vendor safeguards — are manageable. The key is to start now, while you have time to address gaps methodically rather than scrambling under a deadline.
GuardWell Compliance is built for exactly this moment. Our platform walks you through your Security Risk Assessment step by step, tracks your compliance across all 15 regulatory modules, manages your vendor BAAs with expiration alerts, and gives you a real-time compliance score that tells you exactly where you stand — updated daily. If the new Security Rule has you thinking about where your practice's gaps are, take our free 2-minute compliance score quiz to get a snapshot of where you are today.