Major HIPAA Security Rule Update Has Been Proposed. Here’s What Healthcare Organizations and Their Partners Should Know

May 01, 2026

Recent News, Security

Author: Beau Dickie, Chief Information Security Officer


The proposed HIPAA Security Rule update is more than another healthcare compliance update. It could reshape how electronic protected health information, or ePHI, must be secured, monitored, documented, and defended. If you are a healthcare organization, business associate, vendor, IT partner, billing provider, consultant, or any business that works with healthcare clients, this is worth paying attention to now.


Healthcare is a high-value target for cybercriminals because it holds the kind of information attackers want most: patient records, insurance details, financial information, login credentials, and critical systems people depend on every day.


When healthcare technology goes down, it is not just an IT issue. It can affect care, trust, revenue, and compliance all at once. And when a third-party partner is connected to that environment, their security matters too.


HHS has issued a proposed HIPAA Security Rule update (a Notice of Proposed Rulemaking). While the final rule may change, and is not enforceable until finalized, organizations should not wait until a future compliance deadline is right in front of them to prepare.


In plain English, HIPAA compliance may soon become less about "we considered this control" and more about "we can prove this control is in place."


This HIPAA Rule Update Is Not Just a Healthcare Issue


It is easy to think HIPAA only applies to hospitals, clinics, and medical practices. But many businesses touch healthcare data or support healthcare operations without realizing how closely connected they are.


That can include billing companies, software providers, law firms, accounting firms, consultants, managed IT providers, cloud vendors, call centers, document storage providers, and other third-party service providers.


If your organization creates, receives, maintains, or transmits protected health information on behalf of a covered entity, you may be considered a business associate. Even if HIPAA does not directly apply to your organization, healthcare clients may begin asking tougher questions about your cybersecurity controls, documentation, access management, encryption, vendor oversight, and incident response plans.


The message is clear: healthcare cybersecurity extends across every organization connected to patient data.


What Organizations Should Watch in the HIPAA Rule Updates


The proposed rule would move HIPAA cybersecurity expectations in a more prescriptive direction, shifting away from flexible implementation options. In plain terms, controls that were previously treated as "addressable" could become required across the board.


Here are the areas I would be watching closely.


1. Multi-Factor Authentication May Become Mandatory


Multi-factor authentication, or MFA, is one of the most important protections any organization can put in place.


Passwords get stolen, reused, phished, saved in browsers, and exposed on the dark web. MFA adds another layer of protection by requiring a second form of verification before someone can access sensitive systems.


Under the proposed rule, MFA would be required across access points to ePHI, including remote access, administrator accounts, workstation access, and vendor access.


If MFA is only turned on for some users, some systems, or some locations, that gap needs to be identified now.


2. Encryption Could Become a Clear Requirement


Encryption helps reduce the damage of a lost device, stolen file, compromised backup, or intercepted transmission.


The proposed rule would require encryption for ePHI at rest and in transit, with limited exceptions. That could include databases, file storage, backups, email containing ePHI, portable devices, removable media, cloud storage, and data transmission.


This is not something you want to rush. You need to know where sensitive data lives, how it moves, who has access to it, and whether your systems can support encryption without disrupting operations.


3. Risk Assessments May Need to Become More Continuous


One of the most common HIPAA issues I see is a risk assessment that exists but has not been updated in a meaningful way.


A risk assessment should not be treated like a binder on a shelf. It should be a living process that helps leadership understand where risk exists, what has changed, and what needs attention.


The proposed rule points toward more frequent and documented security activity, including vulnerability scans, penetration testing, and maintaining written technology asset inventories and current network maps. It also reflects a broader shift toward clearer documentation requirements: being able to show evidence of what you did, when you did it, and who approved it.


That kind of visibility helps beyond compliance. You cannot protect what you cannot see.


4. Patch Management Timelines May Tighten


Patching sounds simple until you have to manage it across servers, workstations, applications, firewalls, vendors, and remote users.


The proposed rule would create more prescriptive timelines for addressing vulnerabilities, including shorter deadlines for critical and high-risk issues.


That means organizations will need more than a general patching policy. They will need a process that can identify vulnerabilities, classify severity, assign ownership, track remediation, and prove that action was taken.


If your patching process depends on memory, spreadsheets, or "we will get to it soon," now is the time to tighten it.
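The remediation process described above (classify severity, assign ownership, track against a deadline, and keep evidence that action was taken) as a small added Python example; this is illustrative code, not part of the article or any Vector Choice tooling. The SLA day counts and the sample findings are constructed placeholders, since the proposed rule's actual timelines are not stated here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Placeholder remediation deadlines (days) per severity. These are assumed
# values for the example, not figures from the proposed HIPAA rule.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 90}


@dataclass
class Finding:
    finding_id: str
    severity: str
    owner: str            # named person or team accountable for remediation
    found: date           # date the scan or pentest reported it
    remediated: Optional[date] = None
    evidence: str = ""    # ticket or change record that proves action was taken

    def due(self) -> date:
        return self.found + timedelta(days=SLA_DAYS[self.severity])


def review(findings: List[Finding], today: date) -> Dict[str, str]:
    """Map each finding id to one of: closed, closed-late, unproven, open, overdue.
    A remediated finding with no evidence record is reported as 'unproven',
    because an auditor cannot verify it was actually fixed."""
    report = {}
    for f in findings:
        if f.remediated is not None:
            if not f.evidence:
                status = "unproven"
            elif f.remediated <= f.due():
                status = "closed"
            else:
                status = "closed-late"
        elif today > f.due():
            status = "overdue"
        else:
            status = "open"
        report[f.finding_id] = status
    return report


def owners_with_overdue(findings: List[Finding], today: date) -> List[str]:
    """Owners who currently hold at least one overdue finding (for escalation)."""
    statuses = review(findings, today)
    return sorted({f.owner for f in findings if statuses[f.finding_id] == "overdue"})


# Constructed sample findings for demonstration only.
SAMPLE = [
    Finding("VULN-001", "critical", "ops", date(2026, 4, 1), date(2026, 4, 10), "CHG-1001"),
    Finding("VULN-002", "high", "ops", date(2026, 3, 1)),
    Finding("VULN-003", "medium", "app", date(2026, 4, 15)),
    Finding("VULN-004", "critical", "net", date(2026, 4, 1), date(2026, 4, 25), "CHG-1002"),
    Finding("VULN-005", "high", "app", date(2026, 4, 1), date(2026, 4, 5)),
]
```

Running `review(SAMPLE, date(2026, 5, 1))` shows the states a compliance reviewer cares about: one finding fixed in time, one fixed late, one fixed with no proof, one still open, and one overdue.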


5. Access Termination Could Become More Time-Sensitive


Access control is one of the areas I would pay close attention to.


The proposed rule includes more prescriptive timelines around workforce access to ePHI, including faster access termination after employment ends.


That is not just an HR issue. It is an IT, compliance, and operations issue.


Organizations need a clear offboarding process so HR, management, IT, and compliance all know who is responsible, when action must happen, and how access removal is documented.


Former employee access is one of the easiest risks to overlook, and one of the most important to fix.


6. Network Segmentation May Become a Bigger Priority


Network segmentation is one of the most practical ways to limit damage during a cyberattack.


Think of it like fire doors in a building. If a fire starts in one area, the goal is to slow it down and prevent it from spreading everywhere.


The same idea applies to your network. If an attacker gets into one workstation, they should not automatically be able to move freely into servers, backups, clinical systems, billing systems, or databases containing ePHI.


Even if HIPAA does not apply to your organization, segmentation is a smart security control for protecting financial data, client files, intellectual property, backups, and business-critical systems.


7. Business Associate Oversight May Become More Formal


Healthcare organizations rely heavily on vendors, software providers, billing partners, IT providers, cloud platforms, consultants, and other business associates. But outsourcing a function does not mean outsourcing responsibility.


The proposed changes could require more formal verification that business associates have required safeguards in place. That means vendor management may need to become more structured.


For vendors and service providers, this is a sign to prepare for more detailed security questions from healthcare clients. You may be asked to show proof of MFA, encryption, risk assessments, access controls, incident response planning, backup protections, and employee training.


What Non-Healthcare Organizations Can Learn from the HIPAA Rule Update


Even if HIPAA does not directly apply to your business, the proposed HIPAA rule update gives every organization a useful cybersecurity roadmap.


The core lessons are simple:


  • Use MFA
  • Encrypt sensitive data
  • Know where your data lives
  • Scan for vulnerabilities
  • Patch quickly
  • Limit access
  • Segment your network
  • Train your team
  • Document what you are doing
  • Review your vendors



Those are not just compliance tasks. They are good business habits.


Cybersecurity expectations are rising across industries. Healthcare may be one of the clearest examples because the data is so sensitive, but every business has information worth protecting.


Make Sure You Are Prepared


To help organizations understand what is being proposed and how to prepare, Vector Choice is hosting a webinar on the proposed HIPAA Security Rule updates on June 1st.


I will walk through what the proposed changes could mean, where organizations should focus first, and how to begin preparing without feeling overwhelmed.

This webinar is designed for healthcare organizations, business associates, vendors, and anyone who works with or supports healthcare clients.


And as an added bonus, everyone who attends live will be entered into a drawing for a free HIPAA/Compliance Readiness Assessment.


This assessment can help identify gaps, clarify priorities, and give your organization a stronger starting point before the final rule takes effect.


Final Thought on the HIPAA Rule Update


HIPAA compliance is not just a checklist. It is a commitment to protecting sensitive information, reducing risk, and keeping healthcare operations resilient in a threat landscape that keeps changing.


The proposed HIPAA rule update may feel like a lot, but it is also an opportunity. Organizations that prepare early will be in a much better position to adapt, document, and defend their cybersecurity program when the rule is finalized.


And for organizations outside of healthcare, this is a reminder that strong cybersecurity practices are becoming the standard, not the exception.


At Vector Choice, we help organizations turn compliance pressure into a practical plan. When it comes to cybersecurity, practical preparation beats last-minute panic every time.