In December 2023, the HHS Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) that would represent the most significant overhaul of the HIPAA Security Rule since its original adoption. Then in January 2025, HHS followed up with a proposed rule to strengthen cybersecurity protections for electronic protected health information. If your organization hasn't started preparing for the new HIPAA rules, you're already behind the curve, and the compliance burden is about to increase substantially.

The Most Significant HIPAA New Rules in Over a Decade

The proposed changes aren't cosmetic. HHS has signaled a fundamental shift in how covered entities and business associates must approach cybersecurity. The 2025 NPRM proposes to eliminate the distinction between "required" and "addressable" implementation specifications in the Security Rule — a change that would make every safeguard mandatory.

That single change has enormous implications. For years, organizations have used "addressable" as shorthand for "optional." OCR has always maintained that addressable doesn't mean optional, but enforcement has been inconsistent. Under the proposed rules, there's no ambiguity left: every specification must be implemented, or your organization is out of compliance.

The proposed rule also mandates encryption of all electronic PHI at rest and in transit, with no exceptions. Organizations that have deferred encryption for cost or operational reasons will need to act fast.

Mandatory Risk Analysis Requirements Get Teeth

Risk analysis has been the number one area of noncompliance in OCR enforcement actions for over a decade. In nearly every resolution agreement and civil money penalty since 2016, OCR has cited failures in risk analysis under 45 CFR § 164.308(a)(1). The proposed rules aim to close this gap permanently.

Under the NPRM, covered entities would be required to maintain a written technology asset inventory and a network map. Risk analyses would need to be conducted at least every 12 months, and the methodology must be documented in a format that OCR can review during an investigation or compliance audit.

If your organization currently treats risk analysis as a checkbox exercise conducted once every few years, these changes will force a complete rethinking of your approach. The era of vague, narrative-style risk assessments is over.

Workforce Training Obligations Under the Proposed Changes

The proposed rules also elevate workforce training requirements. Currently, the Security Rule requires training under 45 CFR § 164.308(a)(5), but it provides minimal specifics about frequency, content, or documentation. The NPRM proposes that covered entities and business associates provide cybersecurity training at least every 12 months, with content tailored to the organization's specific threat environment.

This is an area where healthcare organizations consistently struggle. Annual training tends to be generic, outdated, or delivered without verification of comprehension. Under the proposed changes, organizations must be able to demonstrate that training is relevant, current, and completed by every workforce member who handles protected health information.

Now is the time to evaluate whether your current program meets this higher bar. A comprehensive HIPAA training and certification program can help your workforce stay current on regulatory requirements before the rules are finalized.

Business Associate Agreements Need Immediate Review

The proposed rules strengthen obligations for business associates in ways that affect every covered entity's vendor management strategy. Business associates would be required to verify compliance with Security Rule requirements through written certifications, and covered entities would need to obtain these certifications at least annually.

If you haven't reviewed your business associate agreements since the Omnibus Rule took effect in 2013, you're working with outdated contracts. The new proposals would require BAAs to include specific provisions around incident notification timelines — business associates would need to notify covered entities within 24 hours of activating a contingency plan, a dramatic reduction from the current 60-day breach notification window.

Audit your BAA inventory now. Identify vendors who handle electronic PHI and determine whether your agreements reflect current requirements, let alone the proposed ones.

OCR's enforcement actions in 2023 and 2024 provide a roadmap for where the agency is headed. The HIPAA Right of Access Initiative has generated dozens of enforcement actions with penalties ranging from $3,500 to $875,000. Simultaneously, OCR has pursued cases involving failures in risk analysis, lack of encryption, and inadequate access controls.

In 2024, OCR settled with Montefiore Medical Center for $4.75 million over insider threats and access control failures — a case that underscores exactly the types of vulnerabilities the proposed rules aim to address. The pattern is clear: OCR is building an enforcement framework that aligns with the stricter requirements in the proposed regulations.

Organizations that treat these proposed rules as distant possibilities rather than imminent realities are making a strategic error. OCR is already enforcing the spirit of these changes through its current authority.

Five Steps to Prepare Your Organization Today

  • Conduct a current-state gap assessment. Compare your existing Security Rule compliance against the proposed requirements. Identify gaps in encryption, access controls, and documentation.
  • Update your risk analysis process. Move to an annual cycle with a documented methodology, technology asset inventory, and network mapping.
  • Audit all business associate agreements. Ensure every BAA addresses current Omnibus Rule requirements and begin planning for the proposed certification and notification changes.
  • Strengthen workforce training. Implement annual, role-based training that addresses your organization's specific risk environment. HIPAA Certify's workforce compliance platform offers a structured approach that aligns with both current and proposed training standards.
  • Document everything. The proposed rules emphasize verifiable, written compliance. If it isn't documented, it didn't happen — and OCR will hold you to that standard.

The Compliance Window Is Narrowing

Final rules typically take effect 60 to 180 days after publication, though HHS has indicated it may provide extended implementation timelines for certain provisions. Even so, the volume of changes proposed means that organizations need 12 to 18 months of preparation — minimum — to achieve full compliance.

Healthcare organizations that begin adapting now will have a significant advantage. Those that wait for the final rule to be published will face compressed timelines, higher costs, and greater exposure to HIPAA violations during the transition period.

The regulatory landscape is shifting. The minimum necessary standard, Notice of Privacy Practices requirements, and Security Rule safeguards are all under active review. Whether you're a small covered entity or a large health system, the new HIPAA rules demand proactive preparation, not reactive scrambling after a compliance deadline or, worse, after an OCR investigation.