HIPAA compliance has always required ongoing attention. But with proposed changes to the HIPAA Security Rule now on the table, healthcare organizations may need to prepare for a higher standard of cybersecurity, documentation, and ePHI protection.
In January 2025, the U.S. Department of Health and Human Services Office for Civil Rights proposed major updates to the HIPAA Security Rule. If finalized as proposed, the updates could raise expectations around cybersecurity, documentation, workforce training, and how electronic protected health information, or ePHI, is protected.
For small and mid-sized healthcare organizations, that can feel like a lot to take on. You may already be balancing patient care, staffing, billing, vendor relationships, insurance requirements, and daily operations. Adding new compliance expectations to the list can feel like one more thing you don’t have time to manage.
That is exactly why preparation matters.
What Could Change?
The proposed updates focus on safeguards healthcare organizations should already be evaluating, including:
- Technology asset inventories
- Risk analysis
- Multifactor authentication
- Encryption
- Vulnerability management
- Contingency planning
- Documented policies and procedures
- Stronger incident response planning
- Business associate oversight
- Workforce training
Some of these areas may already be part of your compliance program. Others may need more documentation, stronger processes, or closer review if the rule is finalized as proposed.
The proposed updates point to a clear theme: healthcare organizations may need to show that safeguards are not only in place, but also documented, reviewed, and maintained over time.
Why This Matters Now
The response across the healthcare industry has been mixed. Many healthcare organizations have raised concerns about cost, timing, operational burden, and the potential impact on smaller or rural providers. At the same time, federal lawmakers continue to discuss stronger cybersecurity expectations across healthcare, including legislation aimed at improving cybersecurity resilience throughout the industry.
Those developments may seem to pull in different directions, but they point to the same reality: healthcare organizations should be paying close attention to cybersecurity and HIPAA compliance.
The timeline is what makes this especially important. If the proposed rule is finalized as written, covered entities and business associates may have as little as 180 days to demonstrate compliance.
That is a short runway for organizations that may need to:
- Identify compliance and security gaps
- Update policies and procedures
- Implement or strengthen security controls
- Train employees
- Review vendor and business associate relationships
- Document compliance efforts
For organizations without a dedicated compliance officer or internal HIPAA expert, waiting could make the process more stressful than it needs to be.
Preparation Doesn’t Have to Happen All at Once
The good news is that preparing for what may be coming doesn’t mean everything overnight.
It starts with understanding what has been proposed, reviewing where your compliance program stands today, and taking practical steps to strengthen the safeguards that protect patient data.
That may include reviewing your Security Risk Assessment, confirming policies and procedures are current, checking how your organization manages employee training, and looking more closely at areas like MFA, encryption, vendor oversight, and incident response.
It also means helping employees understand their role in protecting patient data, especially as cyber threats, AI tools, and Microsoft 365 usage continue to shape daily healthcare operations.
HIPAA Secure Now Can Help
Since 2010, HIPAA Secure Now has helped more than 5,000 healthcare organizations strengthen HIPAA compliance, protect patient data, and reduce cyber risk.
We provide HIPAA training, Security Risk Assessments, policies and procedures, phishing awareness, vulnerability tools, AI training, Microsoft 365 productivity training, and compliance support designed specifically for healthcare organizations.
Our connected compliance and training platform helps make HIPAA easier to understand, document, and maintain over time, so your organization can take practical steps before the deadline is set.
Protecting patient data is about more than meeting a requirement. It’s about knowing you can answer with confidence when someone asks, “Can you show me your HIPAA compliance program?”
The proposed rule is not final yet. The time to prepare is before the deadline is set.
Learn what may be changing, why it matters, and how HIPAA Secure Now can help your organization prepare.
Leave a Reply