This article was written by Brandon Agostinelli and James Farr.
The proposed changes to the HIPAA Security Rule, introduced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), represent the most significant update to the rule since its inception in 2003. Here’s the current status and key details.
Current Status and Timeline
- The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025, following its announcement on December 27, 2024.
- The public comment period closed on March 7, 2025, with over 4,700 comments.
- OCR is currently reviewing the comments, categorizing them, and determining the next steps. A final rule is expected in late 2025 or early 2026.
- These timelines are still unknown, but if the rule is finalized, covered entities and business associates will likely have around an eight-month implementation window from when the changes are published.
Key Proposed Changes
1. Cybersecurity Enhancements
- Mandatory multi-factor authentication (MFA).
- Encryption of ePHI at rest and in transit.
- Vulnerability scanning every 6 months and penetration testing annually.
- Network segmentation and stricter technical safeguards.
2. Risk Management & Documentation
- Annual or event-triggered risk analyses with documented treatment plans.
- Technology asset inventories and network maps updated at least annually.
- Written policies, procedures, and incident response plans.
3. Compliance & Oversight
- Annual compliance audits for covered entities and business associates.
- Audit logging and data integrity verification.
- Stronger business associate agreements (BAAs) with verification and notification requirements.
4. Workforce & Governance
- Enhanced role-based training tailored to risk exposure.
- Executive-level accountability and potential board oversight for cybersecurity.
Large changes are coming regarding information security compliance requirements in HIPAA. We can provide assistance in reviewing your current compliance status in preparation for the changes, as well as help in planning your path forward when the proposed changes are finalized and enacted. Contact us for more information or to go over any questions you may have on this evolving topic.