
What the 2025 HIPAA Security Rule Update Means for Your Medical Practice

Ken Satkunam, CISM

March 20, 2026 · 7 min read


On December 27, 2024, the HHS Office for Civil Rights (OCR) published the first proposed update to the HIPAA Security Rule since 2013. The proposed rule is expected to be finalized by mid-2026, with a 240-day compliance window after that. For medical practices that have been treating certain security requirements as optional, that window is closing fast.

This is not a minor refresh. The update fundamentally changes what HIPAA compliance means for healthcare organizations of every size. Here is what your practice needs to understand.

What Is Changing in the HIPAA Security Rule?

The current HIPAA Security Rule distinguishes between "required" and "addressable" implementation specifications. Addressable does not technically mean optional, but in practice many small and mid-sized practices have treated it that way, documenting why they chose not to implement certain controls rather than actually implementing them.

The proposed update eliminates that distinction entirely. Every specification becomes mandatory. No more documenting why you decided not to encrypt portable devices or why you skipped penetration testing. If the rule says do it, you do it.

Key requirements in the proposed update include:

  • Mandatory multi-factor authentication (MFA) on all systems that access electronic protected health information (ePHI). Not just email. Not just remote access. Every system.
  • 72-hour system restoration after a security incident. Your practice must be able to recover critical systems within three days of an attack or outage. If your current backup and disaster recovery plan cannot meet that timeline, it needs to be rebuilt. For more on building a recovery plan, see our guide to business continuity planning for healthcare organizations.
  • Network segmentation to isolate systems containing ePHI from general office networks. A shared flat network where the front desk PC, the billing system, and the EHR all sit on the same subnet will no longer pass compliance review.
  • Annual penetration testing and vulnerability scanning every six months. This moves from a best practice recommendation to a hard requirement.
  • Written, tested incident response plans with documented tabletop exercises. Having a plan in a binder that no one has practiced does not count. Read our incident response planning guide for medical practices to get started.
  • Encryption of ePHI at rest and in transit with no exceptions. The current rule technically allows alternatives to encryption if you document your rationale. The update removes that flexibility.
  • Asset inventory and network mapping updated annually, documenting every device, application, and data flow that touches ePHI.
  • Business associate notification within 24 hours of contingency plan activation. When your EHR vendor or clearinghouse has an incident, you need to know about it within a day, not weeks.

Why Is HHS Updating the Security Rule Now?

The numbers tell the story. From 2018 to 2023, large breach reports to OCR increased by 102%. The number of individuals affected increased by over 1,000%. In 2023 alone, over 167 million individuals were affected by healthcare data breaches. In 2024, that number climbed to 275 million across 725 reported breaches.

The Change Healthcare ransomware attack in February 2024 was the tipping point. A single stolen credential, used on a system without MFA, led to the largest healthcare data breach in U.S. history: 190 million individuals affected, $2.9 billion in costs to UnitedHealth Group, and weeks of disrupted billing and claims processing that hit 94% of U.S. hospitals.

OCR Director Melanie Fontes Rainer stated directly that the update addresses "current and future cybersecurity threats" and requires "updates to existing cybersecurity safeguards to reflect advances in technology."

What Will This Cost a Medical Practice to Implement?

HHS estimates the first-year compliance cost at approximately $9 billion across the healthcare industry, with $6 billion annually after that. For individual practices, the cost depends on your current security posture.

Practices that already have MFA deployed, encrypted backups tested regularly, network segmentation in place, and a documented incident response plan may need relatively minor adjustments. Practices that have been operating with flat networks, shared passwords, untested backups, and no formal security program face a more significant investment. For a detailed look at what a compliant IT environment includes, see our breakdown of HIPAA-compliant IT stack essentials for outpatient clinics.

Common cost areas include:

  • Deploying and configuring MFA across all clinical and administrative systems
  • Network infrastructure upgrades for proper segmentation
  • Backup and disaster recovery improvements to meet the 72-hour restoration requirement
  • Annual penetration testing and semiannual (every six months) vulnerability scans by qualified assessors
  • Developing or updating written policies, procedures, and incident response plans
  • Staff training on new procedures and security awareness

The cost of non-compliance is significantly higher. OCR has settled or imposed penalties in over 152 enforcement cases totaling more than $144.8 million. The average healthcare data breach costs $7.42 million. And under the HITECH Act, organizations that can demonstrate 12 months of recognized security practices may receive reduced penalties, which creates a direct financial incentive to start now rather than waiting for the final rule.

How Does Cyber Insurance Factor Into HIPAA Compliance?

Many of the controls required by the proposed HIPAA Security Rule update are the same controls your cyber insurance carrier already requires for policy renewal. MFA, endpoint detection and response, tested backups, and documented incident response plans are standard insurer requirements in 2025. If your practice is already meeting insurer expectations, you may be closer to compliance than you think. For a full breakdown, see our article on cyber insurance requirements for medical practices and our guide to the specific cybersecurity controls insurers expect.

What Should Your Practice Do Right Now?

The final rule has not been published yet, but every requirement in the proposed update aligns with what security professionals already consider baseline best practices. Waiting for the final rule to start preparing means you will be scrambling during the 240-day compliance window instead of entering it ready.

Start with these steps:

  1. Run a current-state gap assessment. Compare your existing security controls against the proposed requirements. Identify where MFA is missing, where encryption gaps exist, where your backup recovery time exceeds 72 hours, and where documentation is incomplete.
  2. Deploy MFA everywhere. If your practice has any system accessing ePHI without multi-factor authentication, fix that now. This is the single control most likely to prevent a breach.
  3. Test your backups. Not just that they completed, but that you can actually restore from them. Time the process. If full restoration takes longer than 72 hours, you need a better solution.
  4. Document your incident response plan and run at least one tabletop exercise before the end of the year. Walk your team through a ransomware scenario: who gets called, what systems get isolated, how you notify patients, and how you shift to paper workflows.
  5. Map your network and assets. Create a current inventory of every device, application, and data flow that touches ePHI. This becomes the foundation for your risk analysis and your compliance documentation.
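The gap assessment in step 1, run against the asset inventory from step 5, is easy to turn into a repeatable check. The script below is an added example, not NorthStar's code or a tool from the article: it walks a constructed inventory of a small clinic (illustrative hosts, addresses and dates, not real data) and reports, per system, where MFA, encryption at rest or in transit, a tested 72-hour restore, a six-month vulnerability scan or an annual penetration test from the requirements list above is missing, and, per subnet, where ePHI systems share a flat network with general office devices. The field names on `Asset` and the thresholds are assumptions chosen to match the proposed requirements as the article describes them.

```python
"""Current-state gap assessment against the proposed HIPAA Security Rule requirements.

Added example (not NorthStar's code): walks a constructed ePHI asset inventory and
reports where MFA, encryption, tested backups, scans or segmentation fall short.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import ipaddress

MAX_RESTORE_HOURS = 72          # 72-hour system restoration requirement
SCAN_INTERVAL_DAYS = 182        # vulnerability scan every six months
PENTEST_INTERVAL_DAYS = 365     # annual penetration test


@dataclass
class Asset:
    name: str
    ip: str                      # address with prefix length, e.g. "10.0.1.20/24"
    touches_ephi: bool
    mfa: bool = False
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    restore_hours: Optional[float] = None   # measured restore time; None = never tested
    last_vuln_scan: Optional[date] = None
    last_pentest: Optional[date] = None


Finding = Tuple[str, str]  # (scope: asset name or subnet, description)


def overdue(last: Optional[date], interval_days: int, today: date) -> bool:
    """True when an activity has never happened or its interval has elapsed."""
    return last is None or (today - last).days > interval_days


def asset_findings(a: Asset, today: date) -> List[Finding]:
    """Per-system checks; systems that never touch ePHI are out of scope."""
    if not a.touches_ephi:
        return []
    f: List[Finding] = []
    if not a.mfa:
        f.append((a.name, "no MFA on a system that accesses ePHI"))
    if not a.encrypted_at_rest:
        f.append((a.name, "ePHI not encrypted at rest"))
    if not a.encrypted_in_transit:
        f.append((a.name, "ePHI not encrypted in transit"))
    if a.restore_hours is None:
        f.append((a.name, "backup restore never tested"))
    elif a.restore_hours > MAX_RESTORE_HOURS:
        f.append((a.name, f"measured restore time {a.restore_hours:.0f}h exceeds {MAX_RESTORE_HOURS}h"))
    if overdue(a.last_vuln_scan, SCAN_INTERVAL_DAYS, today):
        f.append((a.name, "vulnerability scan older than six months or never run"))
    if overdue(a.last_pentest, PENTEST_INTERVAL_DAYS, today):
        f.append((a.name, "penetration test older than one year or never run"))
    return f


def segmentation_findings(assets: List[Asset]) -> List[Finding]:
    """Flag subnets where ePHI systems sit beside general office devices (a flat network)."""
    by_subnet: Dict[ipaddress.IPv4Network, List[Asset]] = {}
    for a in assets:
        net = ipaddress.ip_interface(a.ip).network
        by_subnet.setdefault(net, []).append(a)
    f: List[Finding] = []
    for net, hosts in sorted(by_subnet.items(), key=lambda kv: str(kv[0])):
        ephi = [h.name for h in hosts if h.touches_ephi]
        other = [h.name for h in hosts if not h.touches_ephi]
        if ephi and other:
            f.append((str(net), f"ePHI systems {ephi} share a subnet with {other}"))
    return f


def assess(assets: List[Asset], today: date) -> List[Finding]:
    """Full gap list: per-asset findings followed by segmentation findings."""
    findings: List[Finding] = []
    for a in assets:
        findings.extend(asset_findings(a, today))
    findings.extend(segmentation_findings(assets))
    return findings


def sample_inventory() -> List[Asset]:
    """Constructed inventory for a small clinic (illustrative values, not real data)."""
    return [
        Asset("ehr-server", "10.0.1.20/24", True, mfa=True, encrypted_at_rest=True,
              encrypted_in_transit=True, restore_hours=96,
              last_vuln_scan=date(2025, 11, 1), last_pentest=date(2025, 6, 15)),
        Asset("billing-ws", "10.0.1.31/24", True, mfa=False, encrypted_at_rest=False,
              encrypted_in_transit=True, restore_hours=None,
              last_vuln_scan=None, last_pentest=date(2025, 6, 15)),
        Asset("frontdesk-pc", "10.0.1.40/24", False),
        Asset("imaging-server", "10.0.2.10/24", True, mfa=True, encrypted_at_rest=True,
              encrypted_in_transit=True, restore_hours=48,
              last_vuln_scan=date(2025, 8, 1), last_pentest=date(2025, 6, 15)),
    ]


def assess_sample() -> List[Finding]:
    """Run the assessment on the constructed inventory as of 2026-03-20."""
    return assess(sample_inventory(), date(2026, 3, 20))


if __name__ == "__main__":
    for scope, msg in assess_sample():
        print(f"{scope}: {msg}")
```

On the constructed inventory this reports seven gaps: the EHR server's 96-hour restore, four findings on the billing workstation (no MFA, no encryption at rest, an untested backup and a missing scan), an overdue scan on the imaging server, and the 10.0.1.0/24 subnet where the front desk PC sits beside two ePHI systems. The point of writing it this way is that the inventory, not the checklist, drives the assessment: once the inventory from step 5 is maintained, re-running the check after each change is the compliance documentation trail the rule asks for.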

The practices that will be best positioned when the final rule takes effect are the ones that treat the proposed requirements as current requirements and start building now.

How NorthStar Technology Group Can Help

NorthStar works with medical practices across the country to build HIPAA-compliant security programs that meet both current requirements and the proposed updates. Our healthcare IT and cybersecurity team handles gap assessments, MFA deployment, network segmentation, backup architecture, incident response planning, and ongoing compliance monitoring so your practice is audit-ready before the final rule drops.

If you are not sure where your practice stands against the proposed HIPAA Security Rule requirements, start with a free Security and AI Readiness Check. You can also explore all of our healthcare cybersecurity resources for more guides on HIPAA compliance, incident response, and risk management.

Tags: HIPAA, Compliance, Security Rule, OCR

About the author

Ken Satkunam, CISM


President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.
