Nov 17, 2025
HIPAA Security: Waiting For the Final Rule Is Not an Option

By Erik Eisen, CEO, CTI Technical Services.
Few in the healthcare industry question the need to modernize the HIPAA Security Rule, the proposed overhaul of which is expected to be finalized in 2026. But even if the final rule is modified to scale back requirements or lengthen timeframes, compliance will be a heavy lift for many physician practices, hospitals, and health systems.
That reality, coupled with the common-sense need for robust security around protected health information (PHI) and other patient data, makes procrastination a compliance strategy that is doomed to fail.
Cyberattacks have reached unprecedented levels in the two decades since the HIPAA Security Rule was adopted. The first, and so far only, major update to the rule took place in 2013, a year in which healthcare organizations reported just 269 large data breaches. By 2024, that number had skyrocketed to 734 incidents involving more than 500 records each. Based on current trends, 2025 could see 750–800 large breaches, and analysts warn that more than 300 million records could be compromised if mega breaches continue.
A Proposed Overhaul
In the HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, the Office for Civil Rights (OCR) noted that the overhaul was prompted by the reality that cybersecurity concerns now touch nearly every facet of healthcare due to the industry’s reliance on stable and secure computer networks and technologies.
Also at play are the covered entities (CEs) and business associates (BAs) that create, receive, maintain, or transmit electronic PHI (ePHI). Both unintentional events and malicious activity at these organizations can endanger ePHI and other sensitive data, and their sheer number raises healthcare’s overall risk profile.
Thus, OCR determined that it was time to update the rule to address technological advancements and evolving breaches and cyberattacks. The proposed rule also acknowledges OCR’s greater enforcement experience, improved guidelines, best practices, methodologies, procedures, and processes for protecting ePHI, and various legal decisions that have impacted enforcement.
The proposed rule also revisits one of OCR’s most significant challenges when it comes to regulating security: the rapid advancement of both health IT and the methods employed by malicious actors.
Too-prescriptive mandates would necessitate updating the rule more frequently than is realistic. Previous iterations of the HIPAA Security Rule attempted to address this by being flexible with compliance and classifying many security measures as “addressable” implementation specifications. Addressable has never meant optional: a regulated entity must assess whether the specification is reasonable and appropriate in its environment and implement it if so; if not, it must document why and implement an equivalent alternative measure where reasonable and appropriate. In practice, however, many organizations have treated addressable specifications as merely recommended.
For example, the current rule requires any organization handling ePHI to conduct a risk analysis to identify potential risks and vulnerabilities to ePHI, to manage the identified risks down to a reasonable and appropriate level, and to document the steps taken. OCR even provides a Security Risk Assessment (SRA) tool for use in conducting the evaluation. But beyond that, there is little prescriptive guidance on how thorough the analysis must be. As a result, many healthcare organizations that lacked the resources or technical knowledge to conduct a comprehensive risk analysis wound up taking shortcuts, such as filling in a checklist once and never revisiting it as systems changed.
While industry support for the HIPAA Security Rule overhaul is broad, so are concerns that the compliance burden will be too high for many of the organizations it affects. A consistent theme throughout the nearly 4,750 letters submitted during the proposed rule’s public comment period was that many requirements would be almost impossible for some organizations to meet without assistance.
Additionally, the proposed rule converts many addressable implementation specifications to required, eliminating a core flexibility aspect of the rule. Finally, for many, compliance with the updated HIPAA Security Rule will not be feasible with their existing technical infrastructure. It would necessitate significant investments in new technologies capable of protecting ePHI as mandated by the rule.
Lessening the Burden
The good news is that compliance does not have to come at the cost of financial ruin. Small steps toward anticipated mandates can be taken now to lessen the compliance burden—many of which are common-sense protective measures that should be implemented with or without regulatory dictates. For example:
- Multifactor authentication (MFA) is a highly effective yet reasonably priced protection against phishing and other credential-based intrusions. Not all MFA is equal, though: one-time codes sent by SMS or generated by an app can still be phished or captured in real time, and push-notification prompts can be worn down by repeated requests. Phishing-resistant methods such as FIDO2 security keys or passkeys close those gaps and should be the target for administrative, remote, and privileged access.
- Regularly backing up data ensures continued access to information in the event of a system outage. Backups only help against ransomware if the attacker cannot reach them, so keep at least one copy offline or in immutable storage with separate credentials, and test restores on a schedule; an untested backup is an assumption, not a control.
- Ransomware and exfiltration protection that goes beyond encrypting data at rest can limit what bad actors are able to do once they are inside a system. Encryption does nothing against an attacker holding valid credentials, so the controls that matter here are network segmentation, least-privilege access to ePHI repositories, and monitoring for unusual outbound data transfers and mass file changes.
Other actions that should be taken now include conducting a security risk assessment and drafting a mitigation and remediation plan from its findings. Doing so allows limited resources to be prioritized toward the gaps that expose the most ePHI.
It is also likely that even well-resourced healthcare organizations will require third-party support to take these early actions or achieve compliance within the timeframes outlined in the final security rule. As such, now is the time to identify the right trusted IT management firm to assist with enhanced security and, eventually, regulatory compliance.
Look for firms with a deep understanding of healthcare-specific compliance requirements. Prospective partners should also offer a broad enough portfolio of services to cover the full range of needs related to compliance with the HIPAA Security Rule and other issues that may arise, including the ability to future-proof security as requirements evolve. They should also possess advanced expertise and the willingness and ability to leverage current tools and processes that outperform older or less adaptive technologies.
Look for a partner that emphasizes long-term relationships and offers personalized customer support. Other must-haves include flexibility and scale in their approach to services, transparent price structures, and simple contracts with clear and fair service terms. Finally, during the evaluation process, be sure to ask prospects about response times and disaster recovery capabilities and obtain—and check—references.
Ending Procrastination
While the final requirements may differ from what has been proposed, there is little likelihood that OCR will retract its decision to overhaul the HIPAA Security Rule. It is an action that is long overdue and should serve as a reminder that strengthening data protection is the right thing to do, whether mandated by OCR or not.
Taking steps now will significantly ease compliance burdens and protect one of healthcare’s most valuable assets: patient data. For provider organizations with limited resources in particular, small steps taken today will go a long way toward meeting the final rule when it arrives.