For the first time in more than twenty years, the HIPAA Security Rule is getting a serious overhaul. On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) that would fundamentally reshape how covered entities and business associates are expected to secure electronic protected health information (ePHI). The public comment period closed in March 2025, and OCR received more than 4,700 comments.
Here's the timeline that matters. OCR's regulatory agenda currently targets May 2026 for publication of the final rule. As proposed, regulated entities would have 180 days from the rule's effective date to comply, which puts the likely compliance date somewhere around late 2026. For a change this substantial, that's a narrow window.
In our work with healthcare organizations, we’ve seen a consistent pattern over the years. Most HIPAA security programs were built to interpret the rule, not to prove it. The current Security Rule allows flexibility, especially in its “addressable” safeguards, and that latitude has shaped nearly two decades of program design. The proposed rule closes that gap. CISOs who wait for the final rule to start preparing will find themselves in a 180-day sprint they can’t win.
What’s Actually Changing
The proposed rule is long and detailed, but the shifts CISOs need to internalize come down to five.
The "addressable" category is going away. Nearly every implementation specification becomes required, with only narrow exceptions. The interpretive latitude that's shaped HIPAA programs for twenty years is gone.
Specific technical controls are being named, not implied. Multi-factor authentication, encryption of ePHI at rest and in transit, network segmentation, anti-malware protections, and written procedures to restore lost systems and data within 72 hours all become explicit requirements. The absence of any one of them becomes an auditable gap.
Testing moves from expected to mandated. This is the biggest operational shift in the rule, and the one most CISOs underestimate. The NPRM would require vulnerability scanning at least every six months and penetration testing at least every twelve months, performed by qualified professionals and scoped to systems that create, receive, maintain, or transmit ePHI. HIPAA has required risk analysis for decades. It has never explicitly named penetration testing as a requirement. If the rule finalizes as proposed, that changes, and pen testing becomes a direct compliance obligation rather than an industry best practice.
Business associates get pulled fully into the frame. Business associates would be required to annually verify, through subject-matter expert analysis and written certification, that the required technical safeguards are in place. Covered entities would no longer be able to rely on vendor attestations or annual questionnaires as sufficient oversight.
Documentation and audit expectations go up across the board. Current asset inventories, network maps showing ePHI flows, policies reviewed on a regular cycle, and annual compliance audits all become baseline expectations.
One caveat worth naming. The January 2025 regulatory freeze created real uncertainty, and the final rule could be trimmed, delayed, or reshaped based on the 4,700+ comments OCR is still processing. But as of late 2025, OCR confirmed the rule remains on its May 2026 agenda, and the core architecture is consistent with where HHS enforcement has been trending for years. Even if the specifics shift, the direction won't.
From Policy to Proof, and Why Boards Are Asking
The single biggest shift CISOs need to internalize isn’t any individual control. It’s the move from documented intent to demonstrated operation.
For most of HIPAA’s history, a strong compliance posture has meant a robust set of documents. Policies defined what the organization would do. Procedures described how. Periodic risk assessments validated the framework. The proposed rule no longer accepts that model. It assumes the policy exists and asks a different question: Can you prove the control operated?
In one engagement with a healthcare provider, we reviewed a set of access control policies that were genuinely well-written and fully aligned with HIPAA. The language was tight, the approvals were current. When audit preparation started, the problem wasn't the policy. No one could produce evidence that quarterly access reviews had actually happened. The control was sound on paper. The operation wasn't traceable. From an auditor's perspective, that's the same as not having the control at all.
If the rule is finalized as proposed, the evidentiary burden climbs sharply. CISOs will need to produce system logs, access review records, configuration baselines, remediation tickets, penetration test reports, and vulnerability scan results on demand, across every system that touches ePHI. Controls that can't be tracked, validated, and reproduced effectively don't exist.
This dynamic is changing the altitude at which HIPAA compliance gets discussed. Boards and CEOs are no longer asking whether the organization is HIPAA compliant. They're asking how the CISO knows, what evidence supports the answer, and what residual risk remains if an auditor shows up tomorrow. Part of what's driving this is financial exposure. IBM's Cost of a Data Breach Report has consistently placed healthcare at the top of the list for breach costs, and the gap has widened rather than narrowed. Board members who may not be fluent in Security Rule implementation specifications are very fluent in nine-figure breach exposure and are asking the questions that follow from it.
The proposed rule amplifies this. Ambiguity that used to be absorbed by the flexibility of the Security Rule will increasingly show up as either documented evidence or documented gaps. CISOs who can present that picture clearly will have a much easier board conversation than those who still frame HIPAA as a compliance exercise delegated downstream.
Accountability Extends Beyond Your Organization
Business associates have always been in scope under HIPAA, but the operational rigor expected of them has often lagged behind that placed on covered entities. The proposed rule closes that gap. Business associates would be held to the same level of control implementation as covered entities and would be required to annually verify, through subject-matter expert analysis and written certification, that the required technical safeguards are in place.
That cuts both ways.
For covered entities, the traditional approach to third-party risk management is no longer defensible on its own. Annual vendor questionnaires and signed BAAs are not evidence that a vendor's controls are operating. OCR has cited vendor oversight failures as a recurring factor in enforcement actions for years, and the proposed rule gives that expectation real teeth. The CISOs who handle this well will treat business associate oversight as a security function, not a procurement function. That means continuous validation, not annual questionnaires. Real evidence, not attestations.
For business associates, the cost and complexity of serving covered entities go up. An annual SME-signed certification isn't a trivial artifact. It requires the same kind of evidence-based program discipline that covered entities are being held to, and it's going to force a maturity conversation at many organizations that have historically treated HIPAA compliance as a contractual obligation rather than an operational one.
The Operational Reality, and What to Do About It
Knowing what's coming and being able to execute on it are two different problems, and the gap between them is where most healthcare security programs are going to struggle.
HIPAA compliance sits at the intersection of security, IT, compliance, and legal, and in most healthcare organizations those functions don't operate from a shared playbook. When the proposed rule raises the evidence bar across all four, misalignment between them stops being an annoyance and becomes an audit finding. Add to that the resourcing required to produce continuous evidence of control operation, the complexity of modern healthcare stacks where ePHI flows between EHRs, portals, telehealth platforms, analytics pipelines, and third-party clinical applications, and a threat landscape that isn't waiting for the rule to finalize, and the scope of what has to be prepared for becomes clear. HHS's own regulatory impact analysis pegged first-year implementation costs across the sector in the billions, and industry groups have pushed back hard on those numbers. Whatever the final figure, this costs real money, and organizations that haven't started planning for it will absorb the cost under time pressure rather than through normal budget cycles.
The most effective first move isn't a project plan. It's an honest audit of the current program against where the proposed rule is heading. A few questions are worth sitting with.
Can you produce evidence today that every required HIPAA control is actually operating? Not that it's documented. It's running right now, and you can prove it.
Can you show a complete, current inventory of every system that creates, receives, maintains, or transmits ePHI, with a map of how that data flows between them?
When was your last penetration test? What was its scope, and did it actually cover the systems where ePHI lives? If the answer is "we scan regularly but haven't done a formal pen test," the proposed rule would close that gap, and catching up takes more lead time than most CISOs assume.
How do you currently verify that your business associates' controls are operating, beyond their annual questionnaire response?
If an auditor asked you today to produce two years of evidence for any specific Security Rule control, how long would it take, and how clean would the evidence be?
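The questions above are easier to answer when the evidence register itself can be queried. The script below is an added example written for this article, not VikingCloud tooling and not anything OCR publishes. It takes a constructed inventory of ePHI systems and a constructed evidence register (scan reports, pen test reports, access review tickets) and answers two of the questions mechanically: did consecutive artifacts for each control fall within the required cadence, and did the most recent artifacts actually cover every system where ePHI lives? The 180-day scan and 365-day pen test intervals follow the proposed rule as described above; the 90-day access review cadence, the system names, and every record in the register are assumptions made for the example.

```python
"""Added example: check an evidence register against required cadences and ePHI scope.

Illustrative code written for this article, not VikingCloud's tooling and not
anything OCR publishes. System names, artifact ids, and the quarterly access
review cadence are constructed assumptions; the scan and pen test intervals
follow the proposed rule as the article describes it.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory of systems that create, receive, maintain or transmit ePHI.
EPHI_SYSTEMS = {"ehr-prod", "patient-portal", "telehealth-gw", "claims-db"}

# Maximum allowed interval between pieces of evidence, in days.
CADENCE_DAYS = {
    "vuln_scan": 180,      # at least every six months (proposed rule)
    "pen_test": 365,       # at least every twelve months (proposed rule)
    "access_review": 90,   # assumed quarterly cadence, as in the engagement above
}


@dataclass(frozen=True)
class Evidence:
    control: str
    performed_on: date
    systems: frozenset   # systems the artifact actually covered
    artifact: str        # report path, ticket id, etc. (constructed)


# Constructed evidence register. It deliberately contains a scan gap in early
# 2025, a missing Q3 2025 access review, and pen tests that never covered claims-db.
REGISTER = [
    Evidence("vuln_scan", date(2024, 3, 1), frozenset(EPHI_SYSTEMS), "scan-2024-03"),
    Evidence("vuln_scan", date(2024, 8, 15), frozenset(EPHI_SYSTEMS), "scan-2024-08"),
    Evidence("vuln_scan", date(2025, 4, 20), frozenset(EPHI_SYSTEMS), "scan-2025-04"),
    Evidence("vuln_scan", date(2025, 10, 1), frozenset(EPHI_SYSTEMS), "scan-2025-10"),
    Evidence("pen_test", date(2024, 6, 10), frozenset({"ehr-prod", "patient-portal"}), "pt-2024"),
    Evidence("pen_test", date(2025, 6, 5), frozenset({"ehr-prod", "patient-portal", "telehealth-gw"}), "pt-2025"),
    Evidence("access_review", date(2025, 1, 15), frozenset(EPHI_SYSTEMS), "AR-101"),
    Evidence("access_review", date(2025, 4, 10), frozenset(EPHI_SYSTEMS), "AR-102"),
    Evidence("access_review", date(2025, 10, 20), frozenset(EPHI_SYSTEMS), "AR-103"),
]


def cadence_gaps(register, control, as_of, window_days=730):
    """Return (interval_gaps, stale) for one control over a two-year evidence window.

    interval_gaps: (earlier_artifact, later_artifact, days) for each pair of
    consecutive artifacts whose spacing exceeded the cadence.
    stale: True when the newest artifact is itself older than the cadence as of
    `as_of`; a control with no evidence in the window is reported as stale.
    """
    limit = CADENCE_DAYS[control]
    start = as_of - timedelta(days=window_days)
    items = sorted(
        (e for e in register if e.control == control and e.performed_on >= start),
        key=lambda e: e.performed_on,
    )
    gaps = []
    for earlier, later in zip(items, items[1:]):
        days = (later.performed_on - earlier.performed_on).days
        if days > limit:
            gaps.append((earlier.artifact, later.artifact, days))
    stale = not items or (as_of - items[-1].performed_on).days > limit
    return gaps, stale


def uncovered_systems(register, control, ephi_systems, as_of):
    """ePHI systems with no artifact for `control` inside the most recent cadence interval."""
    cutoff = as_of - timedelta(days=CADENCE_DAYS[control])
    covered = set()
    for e in register:
        if e.control == control and e.performed_on >= cutoff:
            covered |= e.systems
    return ephi_systems - covered


def audit_report(register, ephi_systems, as_of):
    """Cadence and scope findings for every control in CADENCE_DAYS."""
    report = {}
    for control in CADENCE_DAYS:
        gaps, stale = cadence_gaps(register, control, as_of)
        report[control] = {
            "interval_gaps": gaps,
            "stale": stale,
            "uncovered": sorted(uncovered_systems(register, control, ephi_systems, as_of)),
        }
    return report


if __name__ == "__main__":
    for control, finding in audit_report(REGISTER, EPHI_SYSTEMS, date(2025, 12, 1)).items():
        print(control, finding)
```

Run against the constructed register as of December 1, 2025, the report flags a 248-day gap between the August 2024 and April 2025 scans, a 193-day gap between the Q2 and Q4 access reviews, and claims-db as an ePHI system the most recent pen test never touched. Each finding points at the artifacts involved, which is the form an auditor will ask for. A real register would be fed from the ticketing system and scan platform rather than hard-coded, but the checks stay the same.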
The organizations that handle this transition well will treat it as an operational redesign, not a compliance update. Repeatable, evidence-driven workflows that run continuously. Third-party risk moved from procurement into security operations. Testing requirements handled ahead of the curve, because pen testing and vulnerability scanning at the scope the proposed rule demands require qualified resources. Once the final rule is published and the compliance clock starts, those resources get booked quickly.
Waiting isn't neutral. Every month between now and the final rule is a month that could be used to close gaps under normal operating conditions, rather than under audit pressure.
The End of Flexible HIPAA
The era of interpretive HIPAA compliance is closing. Whether the final rule publishes exactly as proposed, in a trimmed form, or on a slightly extended timeline, the direction is settled. HHS is moving HIPAA toward a program of demonstrable, operational, and continuously validated controls.
For healthcare CISOs, this is also an opportunity. A program built to produce continuous evidence, defend against modern threats, and prove control operation on demand isn't just a HIPAA program. It's the kind of security program that reduces exposure to breaches, improves board conversations, and makes every subsequent audit substantially easier. The CISOs who lead this transition well will emerge with stronger programs, not just compliant ones.
The question worth sitting with now is whether your current program can actually prove what it claims, across every system where ePHI lives, on the timeline the final rule will impose.
How VikingCloud Helps
VikingCloud works directly with healthcare CISOs and security teams on the two areas where the proposed rule requires the most immediate preparation.
HIPAA advisory and compliance services. We assess where your current HIPAA program aligns with the proposed rule, identify the specific gaps between policy and demonstrable operations, and help build repeatable, evidence-driven workflows that will hold up under expanded audit expectations. This includes asset inventory and ePHI data-flow mapping, control operation validation, business associate oversight program design, and audit-readiness preparation.
Penetration testing and vulnerability scanning. If the proposed rule finalizes as written, regulated entities will need penetration testing at least annually and vulnerability scanning at least every six months, scoped to every system that touches ePHI and performed by qualified professionals. VikingCloud's testing teams specialize in exactly this kind of scoped, evidence-producing work. The CISOs who engage early will have established methodologies, scoped environments, and baseline results in place before the 180-day compliance window creates a capacity crunch across the industry.
If you're not sure whether your current program can withstand what's coming, that's the conversation to have now, while there's still time to address gaps under normal operating conditions rather than under enforcement pressure.