As technology rapidly advances, the ways healthcare practices manage patient information have evolved significantly, reshaping how that data is created, stored, and protected. With patient information stored across multiple systems and platforms, the number of potential security gaps has grown.
Cyberattacks on healthcare organizations have become more frequent and more sophisticated. With threats growing more advanced and widespread, it is no surprise that the regulations overseeing patient information are preparing for significant updates. The U.S. Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), is set to introduce major revisions to the HIPAA Security Rule aimed at strengthening how patient data is protected and secured.
Debi Carr.
HIPAA was enacted in 1996, when most healthcare practices were still using paper charts. Technology did not become a routine part of practices until around 2009, with the introduction of the Health Information Technology for Economic and Clinical Health Act, also known as HITECH. By 2013, the two laws were combined into the HIPAA/HITECH Omnibus Rule. But even since then, technology has changed dramatically.
In 2024, OCR opened the proposed rule changes for public comment. While some portions of the proposal received pushback, many of the updates reflect fundamental security practices needed to address today’s threat landscape. One of the most significant changes would remove the distinction between “required” and “addressable” safeguards, making all previously addressable measures fully required.
Other changes include:
• Mandatory multifactor authentication (MFA). This is already common in practice, as many insurance companies require MFA for providers to log into their portals to verify insurance or review payments.
• Stronger encryption requirements. Windows 11 or later will now be required, enabling endpoints and workstations to be encrypted with the flip of a toggle. Servers should also be encrypted. HIPAA already mandates that patient information be transmitted through encrypted platforms, including email.
• Asset tracking and data mapping. Practices will be required to know where their patient information is created, transmitted, and stored.
• Stronger third-party management. As technology has evolved, so has our reliance on partners and third-party vendors that create, transmit, or store patient information. This includes cloud-based practice management systems and outsourced services, such as virtual front-desk support. Many breaches affecting healthcare practices originate from third-party vulnerabilities. Under the proposed changes, practices will not only need business associate agreements but will also be required to document how they evaluated each vendor’s security posture. Vendors, in turn, will have to demonstrate that they can meet the compliance requirements.
• Annual compliance review. Risk analysis has always been required under HIPAA, but there was no time requirement. Under the proposed changes, practices will be required to conduct an annual review of all documentation and perform technical testing through vulnerability scans and penetration testing.
The final changes are expected to be announced around May 2026, and practices will have 180 days to achieve compliance. These updates are considered best practices in the cybersecurity community and align with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is used across many industries, including healthcare. In 2024, the U.S. Department of Health and Human Services released a preview of coming changes in its cybersecurity performance goals, which aligned with the NIST framework.
Enforcement under HIPAA remains significant. In 2025, OCR issued more than $6.6 million in fines for violations, many of which involved organizations that failed to meet basic compliance requirements.
The upcoming changes to the HIPAA Security Rule mark a shift away from checkbox compliance and toward a continuous security program that meets or exceeds best security practices. Practices and business associates will be expected to demonstrate, through clear documentation, that they have stronger security measures in place. Security is not a one-time task; it is an ongoing process.
Debi Carr is a speaker, consultant, and recognized leader in cybersecurity and compliance, known for her expertise in protecting sensitive healthcare information and ensuring organizations comply with regulatory frameworks including the NIST Cybersecurity Framework and HIPAA. She is the founder and CEO of DK Carr and Associates, a consulting firm that provides customized solutions for small to medium-sized healthcare practices to safeguard patient data and maintain operational security while meeting regulatory compliance.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization. Some content may be AI-generated.