The U.S. Department of Health and Human Services (HHS) is proposing major changes to the HIPAA Security Rule that will reshape how healthcare organizations approach cybersecurity. If your practice has relied on flexibility in interpreting “addressable” safeguards, that’s about to end.
For years, the HIPAA Security Rule has distinguished between "required" and "addressable" implementation specifications. For an addressable safeguard, a practice or other small healthcare provider could implement the control, apply a reasonable alternative, or document why neither was reasonable and appropriate. The proposal would remove that distinction, and the flexibility that came with it, when HHS finalizes the updated Security Rule, likely in 2026.
The proposed updates create a more prescriptive framework requiring healthcare providers to implement specific cybersecurity measures and document compliance on strict timelines. Highlights include:
1. Addressable Safeguards Become Required
No more optionality. Every safeguard that was once addressable — 52% of current rules and controls — moves to the "required" column. Your practice must implement each control (the proposal allows only limited, specifically enumerated exceptions) or be out of compliance.
2. Annual Third-Party Risk Assessments
An informal internal review will no longer be enough. The proposal requires covered entities and business associates to perform a risk analysis and a compliance audit at least once every 12 months, and it requires business associates to provide their covered entities with annual written verification that the required technical safeguards are in place. Many practices will need outside help to produce assessments that identify vulnerabilities and stand up to that level of documentation.
3. New Technical Requirements
The update introduces concrete technical mandates, including:
- Multi-factor authentication (MFA) for all users accessing electronic protected health information (ePHI)
- Encryption of ePHI in transit and at rest
- Routine vulnerability scanning and penetration testing: the proposal calls for vulnerability scans at least every six months and a penetration test at least every 12 months
4. Faster User Termination Protocols
When an employee leaves or changes roles, the proposal requires practices to terminate that person's access to ePHI as soon as possible, and no later than one hour after employment ends, and to adjust privileges promptly on a role change. Other regulated entities that relied on the same person's access (for example, a business associate) must be notified within 24 hours of the termination or change. Delayed deprovisioning — one of the most common security gaps — will no longer be tolerated.
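Verifying the deprovisioning timeline is a job for a script, not a spreadsheet. The following Python example is added here and is not from the original article; it reconciles a constructed HR termination feed against a constructed directory export and flags every departed user whose account was disabled late, is still enabled, or cannot be found at all. The field names (`user`, `terminated_at`, `enabled`, `disabled_at`) and the fixed check time are assumptions for the example; a real run would pull the HR feed and the directory (Active Directory, Entra ID, an EHR's user table) live and use the current time.

```python
"""Check that departed workforce members lost access within the allowed window.

Added example, not code from the original article. All data below is
constructed; field names and the fixed CHECK_TIME are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed HR feed: when each person's employment ended (UTC, ISO 8601).
HR_TERMINATIONS = [
    {"user": "jdoe",   "terminated_at": "2025-03-03T17:00:00+00:00"},
    {"user": "asmith", "terminated_at": "2025-03-03T17:00:00+00:00"},
    {"user": "bkhan",  "terminated_at": "2025-03-04T09:30:00+00:00"},
    {"user": "clee",   "terminated_at": "2025-03-04T12:00:00+00:00"},
]

# Constructed directory export: account state at the moment the check runs.
DIRECTORY_EXPORT = [
    {"user": "jdoe",       "enabled": False, "disabled_at": "2025-03-03T17:20:00+00:00"},  # 20 min: on time
    {"user": "asmith",     "enabled": False, "disabled_at": "2025-03-05T08:00:00+00:00"},  # 39 h: late
    {"user": "bkhan",      "enabled": True,  "disabled_at": None},                         # never disabled
    # "clee" is absent from the export entirely: the control cannot be verified.
    {"user": "still_here", "enabled": True,  "disabled_at": None},                         # current staff, ignored
]

# Assumed fixed "now" so the example is reproducible offline.
CHECK_TIME = datetime(2025, 3, 5, 12, 0, tzinfo=timezone.utc)

# Window from the proposed rule as described in the text above: no later than one hour.
MAX_DELAY = timedelta(hours=1)


@dataclass
class Finding:
    user: str
    status: str                  # "late", "still_enabled" or "missing"
    delay_hours: Optional[float] # hours of access beyond termination; None if unknown


def check_deprovisioning(hr, directory, now, max_delay=MAX_DELAY) -> List[Finding]:
    """Return one Finding per departed user whose access outlived the window."""
    accounts = {row["user"]: row for row in directory}
    findings = []
    for rec in hr:
        user = rec["user"]
        terminated = datetime.fromisoformat(rec["terminated_at"])
        acct = accounts.get(user)
        if acct is None:
            # No account record means no evidence the control ran: flag, don't assume.
            findings.append(Finding(user, "missing", None))
            continue
        if acct["enabled"] or acct["disabled_at"] is None:
            # Still enabled (or re-enabled): access has lasted from termination until now.
            hours = (now - terminated).total_seconds() / 3600
            findings.append(Finding(user, "still_enabled", hours))
            continue
        delay = datetime.fromisoformat(acct["disabled_at"]) - terminated
        if delay > max_delay:
            findings.append(Finding(user, "late", delay.total_seconds() / 3600))
        # Disabled within the window (or before termination): compliant, no finding.
    return findings


def run_check() -> List[Finding]:
    """Run the reconciliation over the constructed data at the assumed CHECK_TIME."""
    return check_deprovisioning(HR_TERMINATIONS, DIRECTORY_EXPORT, CHECK_TIME)


if __name__ == "__main__":
    for f in run_check():
        hours = "n/a" if f.delay_hours is None else f"{f.delay_hours:.1f} h"
        print(f"{f.user:12} {f.status:14} {hours}")
```

Two design points matter for an audit. A user missing from the directory export is reported rather than silently treated as compliant, because the absence of evidence is itself a gap the assessor will ask about. And an account that was disabled but later re-enabled is caught by checking the `enabled` flag before the `disabled_at` timestamp, so a reactivated account cannot pass on the strength of an old disable event.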
5. Building a Compliance Roadmap
The proposed changes will require new investment in technology, vendor support and staff training. Forward-looking organizations should start now by:
- Mapping current safeguards to the upcoming requirements and recording every gap
- Budgeting for security tools, annual assessments and testing
- Establishing processes for documenting compliance on the required timelines, including the written policies, asset inventory and network map the proposal expects
Why You Need to Act Now
These changes are designed to close persistent gaps that leave healthcare organizations vulnerable to cyberattacks and data breaches. With enforcement and penalties likely to increase, waiting until the rule is finalized could leave your practice scrambling.
By investing in a compliance roadmap today, you’ll not only meet regulatory expectations but also strengthen patient trust and reduce the risk of costly data breaches.
Need Help?
Need help preparing for HIPAA’s new security landscape? Talk to Revascent™ about risk assessments and implementation support. Download our guide here.