In December 2023, HHS published a Notice of Proposed Rulemaking (NPRM) that represents the most significant update to the HIPAA Security Rule since its original adoption in 2003. Healthcare organizations have been buzzing about the proposed HIPAA technology rule changes ever since — and for good reason. If finalized, these modifications would eliminate the distinction between "required" and "addressable" implementation specifications, mandate encryption of all electronic protected health information (ePHI) at rest and in transit, and impose aggressive timelines for compliance that will strain unprepared covered entities and business associates alike.

Why the HIPAA Technology Rule Is Being Proposed Now

OCR's enforcement data tells the story. Between 2018 and 2023, healthcare data breaches affecting 500 or more individuals increased by over 100%. The Change Healthcare breach in early 2024 — affecting an estimated 100 million individuals — laid bare the systemic vulnerabilities that existing Security Rule standards have failed to prevent.

HHS has been signaling these changes for years. The 2022 Health IT cybersecurity strategy, combined with escalating ransomware attacks on hospitals, made a comprehensive technology update inevitable. The proposed HIPAA technology rule directly responds to these threats by modernizing technical safeguards that were written in an era before cloud computing, mobile health apps, and interconnected health information exchanges.

Key Requirements in the Proposed HIPAA Technology Rule

The NPRM introduces several changes that will fundamentally reshape how your organization manages ePHI security. Here are the provisions that demand immediate attention.

Mandatory Encryption — No Exceptions

Under the current Security Rule (45 CFR § 164.312), encryption is an "addressable" specification. Organizations can document why an alternative measure is reasonable and appropriate. The proposed rule eliminates that flexibility entirely. All ePHI must be encrypted at rest and in transit using standards consistent with NIST guidelines.

For organizations that have historically relied on alternative safeguards instead of full encryption, this change alone could require significant infrastructure investment.

72-Hour System Restoration Requirement

The proposed rule requires covered entities and business associates to establish the capability to restore critical systems and data within 72 hours of a disruption. This goes far beyond the current contingency planning requirements and forces organizations to maintain tested, documented disaster recovery processes with specific recovery time objectives.

Annual Technical Inventory and Network Mapping

Your organization would need to conduct and maintain a comprehensive technology asset inventory and network map, updated at least annually. This includes all systems that create, receive, maintain, or transmit ePHI — including cloud environments, mobile devices, and IoT medical devices.

Multi-Factor Authentication Across the Board

MFA would become mandatory for all systems accessing ePHI, with very limited exceptions. In my work with covered entities, I've found that MFA implementation remains inconsistent, especially in smaller practices and long-term care facilities. This requirement would close one of the most exploited attack vectors in healthcare breaches: credential theft against accounts protected by a password alone.

The Risk Analysis Requirement Gets Teeth

OCR has cited inadequate risk analysis as a factor in the majority of its enforcement actions and settlements. The proposed HIPAA technology rule makes the risk analysis requirement far more prescriptive. Organizations would need to conduct a written risk analysis that includes specific asset-level threat identification, a review of the technology asset inventory, and an assessment of the effectiveness of existing safeguards.

This isn't the high-level checkbox exercise many organizations have been performing. OCR is making clear that a compliant risk analysis must be detailed, documented, and reviewed at least annually — or whenever significant changes occur in your environment.

Business Associate Obligations Expand Significantly

Business associates already face Security Rule obligations under the Omnibus Rule of 2013. The proposed changes go further. Business associates would need to certify their compliance to covered entities in writing, and covered entities would need to obtain these written certifications at least annually.

This creates a new administrative burden but addresses a real gap. Too many covered entities sign Business Associate Agreements and never verify actual compliance. If your organization relies on vendors who handle PHI, you'll need a structured process for collecting and reviewing these certifications.

The Workforce Training Requirement Most Organizations Underestimate

The proposed rule strengthens workforce training requirements under the Security Rule's administrative safeguards. Training must be provided upon hire and at least annually thereafter, with content specifically addressing current threats and your organization's specific policies and procedures.

Healthcare organizations consistently struggle with training that goes beyond generic slide decks. Effective HIPAA training and certification programs must cover the Security Rule's technical safeguards, workforce responsibilities for protecting ePHI, and the specific threats — like phishing and social engineering — that drive the majority of healthcare breaches today.

If you're building or updating your workforce compliance program, investing in comprehensive HIPAA workforce compliance training now positions your organization to meet these heightened requirements before they're finalized.

Penalties and Enforcement: What's at Stake

The proposed rule doesn't change the penalty structure established under the HITECH Act's penalty tiers, which range from $137 per violation for unknowing violations up to $2,067,813 per violation for willful neglect (2024 adjusted amounts). But by making more specifications mandatory rather than addressable, OCR expands the universe of findings that can trigger penalties.

When every specification is "required," there's no room to argue that your organization reasonably chose an alternative. Non-compliance becomes a straightforward HIPAA violation — and OCR's enforcement record shows it will act on that authority.

How to Prepare Your Organization Right Now

Even though the HIPAA technology rule is still in proposed form, waiting for finalization is a mistake. Here's where to focus immediately:

  • Conduct a gap analysis comparing your current Security Rule compliance against the NPRM's proposed requirements. Identify where encryption, MFA, and asset inventory practices fall short.
  • Update your risk analysis to meet the more prescriptive, asset-level standard the proposed rule demands.
  • Review business associate agreements and establish a process for obtaining annual compliance certifications from all vendors handling ePHI.
  • Test your disaster recovery capability against a 72-hour restoration target. Document the results and remediate gaps.
  • Strengthen workforce training to address current technical threats and align with your organization's specific security policies and procedures.

The proposed HIPAA technology rule represents HHS's most ambitious effort to bring healthcare cybersecurity standards into the modern era. Covered entities and business associates that begin preparing now — rather than scrambling after a final rule is published — will be in a far stronger position to protect their patients' protected health information and avoid costly enforcement actions.