HIPAA is no longer just a privacy issue. It is now very clearly a cybersecurity issue. Because of this, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), has issued proposed changes to the HIPAA rules.
In late December 2024, HHS issued a proposed update to the HIPAA Security Rule. The goal is to strengthen protection for electronic protected health information (ePHI) in response to the increase in cyberattacks, ransomware, and large-scale health care breaches. The final rule is due in May 2026. As of this writing, it is still a proposed rule, not the rule currently in force, but it is the clearest signal yet about where HIPAA expectations are heading.
For small practices, that distinction matters. You do not need to treat every proposed requirement as if it were already binding law today. But you should treat it as a roadmap for what regulators increasingly expect a modern medical office to have in place. OCR has said the proposal is meant to address changes in how health care is delivered, the increase in breaches and ransomware, and common compliance failures seen during investigations. When they say this, think of the disastrous Change Healthcare breach in 2024.
The biggest practical change is that the rule would become much more specific. In the past, many parts of the Security Rule have been flexible, and some implementation specifications were labeled “addressable.” Unfortunately, many organizations mistakenly interpreted this to mean optional. They were not optional; it only meant that the practice decided how to implement them. HHS is proposing to remove that distinction and make implementation specifications required, with only limited exceptions. In plain English, that means less room for a practice to say, “We decided not to do that control.” Instead, the expectation would be that key safeguards are in place and documented.
The proposal also places much more weight on documentation. HHS would require written documentation for policies, procedures, plans, and analyses. For a small practice, that means it is not enough to have a good IT vendor or a verbally understood process. If your password reset process, access termination process, backup plan, or incident response steps are not written down, reviewed, and maintained, you would not be compliant.
Another major change is the requirement for a current technology asset inventory and a network map. A technology asset inventory is simply a complete list of the systems that touch patient data: laptops, desktops, servers, cloud applications, EHR platforms, email systems, scanners, tablets, firewalls, Wi-Fi equipment, and backup systems. A network map shows how those systems connect and how ePHI moves between them. For a physician owner, the simple question is: can your practice clearly show where patient data lives, where it travels, and who can reach it? Under the proposal, that inventory and map would need to be maintained on an ongoing basis, reviewed at least annually, and updated after significant operational changes.
Risk analysis would also become more detailed and explicit. HIPAA already requires risk analysis, but the proposal spells out what that analysis should contain, including review of the asset inventory and network map, identification of reasonably anticipated threats, identification of vulnerabilities, and a risk rating for each threat-vulnerability combination. For a small practice, this means the annual “HIPAA checklist” approach will likely no longer be enough. Regulators are pointing toward a more structured cybersecurity assessment.
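The two paragraphs above describe the shape the proposal gives a risk analysis: an asset inventory and network map, reasonably anticipated threats, vulnerabilities, and a rating for each threat-vulnerability pair. The following is an added example (not from the article or from HHS) that puts those pieces in code for a constructed four-asset practice; every asset, flow, likelihood and impact value below is made up for illustration, and the 1-5 likelihood-times-impact scale is an assumption, not something the proposal prescribes.

```python
# Constructed technology asset inventory: whether the asset holds ePHI and its segment.
INVENTORY = {
    "frontdesk-pc": {"ephi": True, "segment": "office"},
    "ehr-server": {"ephi": True, "segment": "office"},
    "backup-nas": {"ephi": True, "segment": "backup"},
    "guest-wifi-ap": {"ephi": False, "segment": "guest"},
}

# Constructed network map: edges along which ePHI travels (source, destination).
FLOWS = [("frontdesk-pc", "ehr-server"), ("ehr-server", "backup-nas")]

# Constructed threat/vulnerability combinations: (threat, vulnerability, asset, likelihood, impact).
PAIRS = [
    ("ransomware via phishing", "no anti-malware on workstation", "frontdesk-pc", 4, 5),
    ("lost or stolen device", "disk not encrypted", "frontdesk-pc", 3, 4),
    ("credential theft", "MFA not enabled on EHR login", "ehr-server", 4, 5),
    ("ransomware spreads to backups", "backups writable from EHR server", "backup-nas", 2, 5),
]


def rate(likelihood, impact):
    """Assumed 5x5 scale: score = likelihood * impact, bucketed into a rating."""
    score = likelihood * impact
    if score >= 15:
        return score, "high"
    if score >= 8:
        return score, "medium"
    return score, "low"


def risk_register(pairs=PAIRS, inventory=INVENTORY):
    """Rate every threat/vulnerability pair, highest risk first.
    A pair naming an asset that is not in the inventory is rejected: the
    analysis is supposed to be built on the inventory, so that is itself a gap."""
    register = []
    for threat, vuln, asset, likelihood, impact in pairs:
        if asset not in inventory:
            raise ValueError(f"{asset} is not in the asset inventory")
        score, rating = rate(likelihood, impact)
        register.append({"asset": asset, "threat": threat, "vulnerability": vuln,
                         "score": score, "rating": rating})
    return sorted(register, key=lambda r: r["score"], reverse=True)


def unmapped_ephi_assets(flows=FLOWS, inventory=INVENTORY):
    """ePHI-holding assets that appear on no flow: the network map is incomplete."""
    mapped = {a for edge in flows for a in edge}
    return sorted(a for a, info in inventory.items() if info["ephi"] and a not in mapped)


def flows_sharing_segment(flows=FLOWS, inventory=INVENTORY):
    """ePHI flows whose endpoints share a segment: candidates for segmentation."""
    return [(s, d) for s, d in flows if inventory[s]["segment"] == inventory[d]["segment"]]
```

Running `risk_register()` on the constructed data puts the unprotected workstation and the EHR login without MFA at the top, and `flows_sharing_segment()` shows the front desk and EHR server sitting on one flat network.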
Proposed changes to HIPAA rules
Several of the proposed technical controls will be very familiar to hospitals and larger organizations, but they matter just as much for smaller offices. HHS proposes to require encryption of ePHI at rest and in transit, multi-factor authentication, anti-malware protection, vulnerability scanning at least every six months, penetration testing at least annually, network segmentation, and separate controls for backup and recovery.
These terms can sound intimidating, but the concepts are straightforward.
Multi-factor authentication means users need more than just a password to access a system, usually a second factor like a phone prompt, code, or security key. For doctors, this is the digital equivalent of needing both a keycard and a PIN to enter a medication room. It makes stolen passwords much less useful to an attacker.
Encryption means patient data is turned into unreadable information unless someone has the proper key to unlock it. If a laptop is stolen or data is intercepted in transit, encryption helps prevent that information from being exposed in usable form. HHS proposes encryption both when data is stored and when it is sent.
Network segmentation means separating systems so that one compromised device does not automatically give an attacker access to everything else. Think of it like fire doors in a building. If the front desk PC is infected, segmentation helps stop that infection from spreading directly to the EHR server, imaging system, or backup environment.
Vulnerability scanning is a routine check for known weaknesses in systems and software. Penetration testing is a deeper exercise where qualified testers try to exploit weaknesses the way a real attacker might. The point is not technical perfection. The point is finding weak spots before a criminal does.
The proposal also takes incident response and recovery much more seriously. HHS would require written incident response plans. These include written testing and revision procedures, and written restoration procedures aimed at restoring certain systems and data within 72 hours. For a small practice, that changes the question from “Do we have backups?” to “Can we actually restore critical systems fast enough to keep seeing patients safely?” Those are not the same thing.
There is also a workforce management element. The proposal would require notification within 24 hours when certain workforce access changes or terminations occur. This reflects a basic security reality: former staff should not retain lingering access to EHRs, email, shared drives, VPNs, or remote support tools. A surprising number of breaches begin with simple access control failures.
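One way to catch the lingering-access problem the paragraph above describes is to reconcile an HR termination list against the enabled accounts exported from each system and flag anything still open past the 24-hour window. This is an added example, not code from the article; the users, systems and timestamps are constructed, and the "overdue" versus "pending" split is an assumption about how a practice might report it.

```python
from datetime import datetime, timedelta

# Constructed HR feed: user -> termination time (UTC).
TERMINATIONS = {
    "jdoe": datetime(2025, 3, 3, 17, 0),
    "msmith": datetime(2025, 3, 4, 9, 0),
}

# Constructed exports of enabled accounts per system the practice uses.
ACTIVE_ACCOUNTS = {
    "ehr": {"jdoe", "msmith", "dr_lee"},
    "email": {"msmith", "dr_lee"},
    "vpn": {"jdoe", "dr_lee"},
    "remote-support": {"jdoe"},
}


def lingering_access(terminations, accounts, now, window=timedelta(hours=24)):
    """Return one finding per (user, system) where a terminated user is still enabled.
    status is 'overdue' once the window has passed, otherwise 'pending'."""
    findings = []
    for user, ended in terminations.items():
        open_for = now - ended
        status = "overdue" if open_for > window else "pending"
        for system, users in sorted(accounts.items()):
            if user in users:
                findings.append({"user": user, "system": system, "status": status,
                                 "hours_open": round(open_for.total_seconds() / 3600, 1)})
    # Overdue first, then the longest-open accounts.
    return sorted(findings, key=lambda f: (f["status"] != "overdue", -f["hours_open"]))


def overdue_systems(terminations, accounts, now):
    """Map each terminated user to the systems where access is overdue for removal."""
    out = {}
    for f in lingering_access(terminations, accounts, now):
        if f["status"] == "overdue":
            out.setdefault(f["user"], []).append(f["system"])
    return out
```

For the constructed data at 20:00 on 2025-03-04, jdoe's EHR, VPN and remote-support accounts are 27 hours past termination and reported as overdue, while msmith's accounts are still inside the window.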
Small practices should pay close attention to business associates as well. HHS proposes stronger obligations around business associate safeguards, annual verification, and contingency notifications. In practical terms, your compliance posture will depend not only on what happens inside your office, but also on whether your IT provider, cloud vendor, billing company, hosted phone vendor, and other partners are doing what they should.
Why does all of this matter so much? Because OCR has directly tied the proposal to the increase in large breaches and ransomware in health care. HHS says that from 2018 to 2023, reports of large breaches increased 102 percent. The number of affected individuals increased 1002 percent. In 2023 alone, more than 167 million people were affected by large breaches. HHS has also said cyberattacks in health care create direct patient safety risks by disrupting care and delaying medical procedures.
For a small practice, the message is simple: cybersecurity is now part of clinical continuity. If your systems go down, the problem is not merely regulatory. It affects scheduling, refill requests, chart access, lab review, claims, patient trust, and in some cases patient safety itself.
The good news is that the proposal still goes through a formal rulemaking process. HHS said a final rule would take effect 60 days after publication, and compliance would be required 180 days after that. HHS also indicated there would be some transition relief for certain existing business associate agreements. That means practices would likely have some time, but not much.
The smart move for a small practice is not to panic. It is to prepare. Build an accurate device and software inventory. Confirm where ePHI lives. Turn on multi-factor authentication wherever possible. Review backups and restoration time. Document policies. Revisit vendor oversight. And have your risk analysis done in a way that would stand up to scrutiny.
HIPAA is moving toward a more concrete cybersecurity standard.