
HIPAA Security 2025 Proposed Changes are coming, and they will change daily work for everyone. These proposed updates respond to rising cyberattacks and growing pressure from patients and regulators.
Every organization that touches electronic protected health information, or ePHI, should pay attention now. This includes solo practices, large systems, billing vendors, clearinghouses, and cloud service providers.
In this guide, we explain what the HIPAA 2025 proposed changes mean in plain language. We also show how Taino Consultants and EPICompliance can help you prepare without guessing.
You can read the official HHS summary of the proposed Security Rule changes on the HHS HIPAA Security Rule NPRM page.
The HIPAA Security 2025 proposed changes are still in the “proposed rule” stage. HHS released the Notice of Proposed Rulemaking (NPRM) on January 6, 2025, and accepted public comments through March 7, 2025.
Today, HHS's Office for Civil Rights (OCR), which enforces the Security Rule, is reviewing thousands of comments and drafting the final rule. The final publication date and compliance deadline are not set yet.
However, the direction is clear. The NPRM would require stronger cybersecurity practices for all covered entities and business associates.
That means you gain a big advantage if you start now instead of waiting for the last minute. Taino Consultants and EPICompliance both designed their tools and services around these proposed requirements already.
The HIPAA Security 2025 Proposed changes focus on a few big goals.
They want organizations to know exactly which systems can affect ePHI, and how data travels across networks. They want regular, documented risk analyses based on real inventories and network maps.
They also want strong technical controls like encryption and multi-factor authentication in place everywhere ePHI can be reached.
Just as important, they want proof. HHS expects written policies, logs, test results, and reports that show your security program actually works in practice.
Taino Consultants summarizes it simply: security can no longer be “good enough” or “we meant to fix it.” It must be planned, measured, and updated every year.
One of the biggest HIPAA 2025 Security Rule Changes involves the “addressable” safeguards. In the past, some safeguards were “required,” and others were “addressable.” You could sometimes skip “addressable” ones if you documented a reason.
The proposed rule removes that flexibility. If a safeguard appears in the rule, you must implement it, except for very narrow exceptions.
For example, encryption of ePHI, which is "addressable" today, becomes mandatory, and multi-factor authentication (MFA), which the current rule never names, is added as a required control.
You should stop asking, “Can we skip this control if we explain why?” Instead, you should ask, “How will we implement this control in our environment?”
Taino Consultants can help you answer that question through a structured Security Risk Analysis and implementation roadmap. Their recent SRA articles describe how they guide practices through these decisions step by step.
The HIPAA 2025 Security Rule changes require a clear picture of your technology. The NPRM would require a written inventory of all technology assets that create, receive, maintain, transmit, or even affect ePHI.
That inventory must include servers, laptops, tablets, phones, medical devices, network gear, and cloud systems. It must be updated at least every 12 months and after big changes, such as a new EHR, new site, or telehealth platform.
You also need a network map that shows how those systems connect and where ePHI flows. This includes internet connections, firewalls, Wi-Fi, cloud services, and remote access tools.
Using that inventory and map, you must perform a risk analysis at least every 12 months. This analysis must identify threats, vulnerabilities, and the likelihood and impact of each risk.
You also must create a written risk management plan with priorities, owners, and deadlines. Regulators will want to see that plan and the progress you made.
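The three requirements above (an inventory of everything that can affect ePHI, a map of where ePHI flows, and a risk analysis that turns both into prioritized findings) fit together in code. The following is an added example, not material from the article, Taino Consultants or EPICompliance: it walks a constructed inventory and network map, finds every asset with a network path into an ePHI system (which is why the NPRM says "affect," not just "store"), scores likelihood against impact, and returns the findings in the order a risk management plan would list them. All asset names, flows, dates and scores are invented sample data.

```python
# Added example (not from the article, Taino Consultants or EPICompliance):
# a risk analysis run over a technology asset inventory and network map.
# All asset names, flows, dates and scores below are constructed sample data.
from collections import deque
from datetime import date

def asset(ephi, encrypted, mfa, internet_facing, segment, reviewed):
    """One inventory row. 'ephi' means the asset itself creates, receives,
    stores or transmits ePHI; other assets may still reach it over the network."""
    return dict(ephi=ephi, encrypted=encrypted, mfa=mfa,
                internet_facing=internet_facing, segment=segment, reviewed=reviewed)

ASSETS = {  # constructed inventory
    "ehr-db":         asset(True,  True,  True,  False, "clinical", date(2025, 2, 1)),
    "ehr-app":        asset(True,  True,  True,  False, "clinical", date(2025, 2, 1)),
    "portal-web":     asset(True,  True,  False, True,  "dmz",      date(2025, 2, 1)),
    "vpn-gw":         asset(False, True,  False, True,  "dmz",      date(2023, 6, 1)),
    "frontdesk-1":    asset(True,  False, True,  False, "endpoint", date(2025, 2, 1)),
    "billing-pc":     asset(True,  True,  True,  False, "endpoint", date(2025, 2, 1)),
    "guest-wifi":     asset(False, False, False, False, "guest",    date(2024, 1, 1)),
    "marketing-site": asset(False, True,  True,  True,  "dmz",      date(2025, 2, 1)),
}

FLOWS = [  # constructed network map: (source, destination, transport, encrypted in transit)
    ("portal-web",  "ehr-app",     "https",    True),
    ("ehr-app",     "ehr-db",      "tcp/5432", False),
    ("frontdesk-1", "ehr-app",     "https",    True),
    ("vpn-gw",      "frontdesk-1", "rdp",      True),
    ("vpn-gw",      "billing-pc",  "rdp",      True),
    ("guest-wifi",  "ehr-app",     "https",    True),   # guest VLAN is not segmented off
]

def assets_affecting_ephi(assets, flows):
    """Every asset that holds ePHI plus every asset with a network path into one.
    Reverse breadth-first search from the ePHI systems over the flow graph."""
    upstream = {}
    for src, dst, _, _ in flows:
        upstream.setdefault(dst, []).append(src)
    in_scope = {name for name, a in assets.items() if a["ephi"]}
    queue = deque(in_scope)
    while queue:
        node = queue.popleft()
        for src in upstream.get(node, []):
            if src not in in_scope:
                in_scope.add(src)
                queue.append(src)
    return in_scope

LEVEL = {"low": 1, "medium": 2, "high": 3}

def risk_analysis(assets, flows, today):
    """Return findings ordered by likelihood x impact: the raw material for a
    written risk management plan with priorities, owners and deadlines."""
    in_scope = assets_affecting_ephi(assets, flows)
    findings = []
    def finding(where, issue, likelihood, impact):
        findings.append({"where": where, "issue": issue,
                         "score": LEVEL[likelihood] * LEVEL[impact]})
    for name in sorted(in_scope):
        a = assets[name]
        if a["ephi"] and not a["encrypted"]:
            finding(name, "ePHI stored without encryption at rest", "medium", "high")
        if a["internet_facing"] and not a["mfa"]:
            finding(name, "reachable from the internet without MFA", "high", "high")
        if (today - a["reviewed"]).days > 365:
            finding(name, "inventory entry not reviewed in the last 12 months", "medium", "medium")
    for src, dst, transport, encrypted in flows:
        if assets[dst]["ephi"] and not encrypted:
            finding(f"{src} -> {dst}", f"ePHI in transit without encryption ({transport})", "medium", "high")
        if assets[src]["segment"] == "guest" and assets[dst]["ephi"]:
            finding(f"{src} -> {dst}", "guest network can reach an ePHI system; segment it", "medium", "high")
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings

if __name__ == "__main__":
    for f in risk_analysis(ASSETS, FLOWS, date(2025, 10, 1)):
        print(f"{f['score']:>2}  {f['where']:<24} {f['issue']}")
```

Note what the reverse search does with the sample data: the VPN gateway and the guest Wi-Fi hold no ePHI, yet both land in scope because they have a path into a system that does, while the marketing site, with no flow toward ePHI, stays out. That is the distinction an auditor will probe when asking why a device is or is not on the inventory.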
Example:
A clinic did a risk analysis five years ago and never updated it. Since then it added telehealth, remote work, and a cloud document system. None of that appears in the old report, so the analysis no longer describes the environment that actually handles ePHI. After a breach, that gap becomes a major problem with regulators.
Action step:
Schedule an updated Security Risk Analysis based on the 2025 expectations. Taino Consultants has deep experience running SRAs for practices of every size.
Then use EPICompliance to track your risk items, policies, tasks, and evidence over time. The EPICompliance platform was designed to manage HIPAA, OSHA, and ACA/OIG documentation in one place.
The HIPAA 2025 Security Rule changes lean heavily on stronger technical controls. These changes match what cybersecurity experts have recommended for years.
The proposed rule makes MFA a required control for systems that access ePHI, especially those reachable over the internet.
That means you should enable MFA for your EHR, email, remote access tools, and any cloud service that stores or reaches ePHI, starting with anything that can be reached from the internet.
Simple example:
Right now, your front desk staff might log in with only a username and password. Under the HIPAA 2025 Security Rule changes, they would also need a second factor, such as a code from an authenticator app on their phone or a hardware token.
Encryption moves from “addressable” to effectively mandatory. You must encrypt ePHI both at rest and in transit, with very limited exceptions.
That means full-disk encryption on laptops and workstations that store ePHI. It also means current TLS (TLS 1.2 or 1.3, with older versions disabled) for patient portals, telehealth platforms, and any web-based system carrying ePHI.
Example:
If a provider's unencrypted laptop is stolen from a car, you likely have a reportable breach. If the laptop uses full-disk encryption consistent with HHS's encryption guidance (which points to NIST Special Publication 800-111 for data at rest), the ePHI is considered unreadable and the theft may not be a reportable breach. Two caveats matter in practice: the protection only holds if the device was powered off or otherwise required a password before the data could be read, and you need evidence, such as a device management record, that encryption was actually enabled on that specific laptop.
The HIPAA 2025 Security Rule Changes add clearer requirements for continuous testing. You must run vulnerability scans at least every six months. You also must perform penetration tests at least once every 12 months using qualified professionals.
You must also segment your network so an attacker who compromises one system, such as a front desk PC or a device on the guest Wi-Fi, cannot move freely to the EHR server or its database.
Action step:
Work with your IT team or security partner to set a testing schedule. Document every scan, every pen test, and every fix.
If you do not have in-house expertise, Taino Consultants can coordinate security testing vendors for you. EPICompliance can store your reports, logs, and remediation plans.
The HIPAA 2025 Security Rule changes raise the bar for backups and response plans. You must create “exact” backup copies of ePHI and ensure you can restore critical systems within defined timeframes, such as 72 hours after an incident.
You also need a written incident response plan that staff understand and actually practice. The plan must explain how to report suspected incidents, how leaders will respond, and how you will communicate with patients and partners.
You must test your incident response plan and your ability to restore from backup at least once every 12 months. Then you must update your procedures based on what you learned.
Example:
A small practice has backups but never tested a restore. Ransomware hits, and the backups turn out to be unusable. Under HIPAA 2025 Security Rule Changes, that “policy on paper” will not be enough.
Action step:
Pick a quiet day and run a simple “tabletop” incident drill. Ask, “What if someone clicks a phishing link today?” Walk through who calls whom, which systems you shut down, and how you restore data.
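The restore part of that drill can be automated so it produces evidence instead of a verbal "the backups look fine." Here is an added example, not code from the article, Taino Consultants or EPICompliance: it makes a backup with a SHA-256 manifest (so "exact copy" is proven, not assumed), restores into a clean directory, checks every file against the manifest, and records elapsed time against the 72-hour objective. The sample files are constructed, the 72-hour constant is taken from the NPRM summary above, and a `corrupt` switch simulates the practice whose backups turn out to be unusable.

```python
# Added example (not from the article, Taino Consultants or EPICompliance):
# a backup restore drill that proves "exact copy" with hashes and records
# the result as evidence. Sample files below are constructed, not real ePHI.
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

RTO_SECONDS = 72 * 3600  # restore objective discussed in the NPRM summary above

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source: Path, backup: Path) -> dict:
    """Copy the source tree and write a SHA-256 manifest beside the copy so a
    later restore can be verified file by file rather than eyeballed."""
    shutil.copytree(source, backup)
    manifest = {p.relative_to(source).as_posix(): sha256_file(p)
                for p in source.rglob("*") if p.is_file()}
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def restore_and_verify(backup: Path, restore_to: Path) -> dict:
    """Restore into a clean directory, compare every file hash against the
    manifest, and return an evidence record for the compliance file."""
    started = time.monotonic()
    manifest = json.loads((backup / "manifest.json").read_text())
    shutil.copytree(backup, restore_to, ignore=shutil.ignore_patterns("manifest.json"))
    mismatches = [rel for rel, expected in manifest.items()
                  if not (restore_to / rel).is_file() or sha256_file(restore_to / rel) != expected]
    elapsed = time.monotonic() - started
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "mismatches": mismatches,
        "restore_ok": not mismatches,
        "elapsed_seconds": round(elapsed, 3),
        "within_rto": elapsed <= RTO_SECONDS,
    }

def run_restore_drill(corrupt: bool = False) -> dict:
    """End-to-end drill on constructed sample data in a temporary directory.
    corrupt=True overwrites one backed-up file, the silent-damage case."""
    root = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        src = root / "ephi"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient-0001.txt").write_text("constructed sample record\n")
        (src / "billing.csv").write_text("constructed,sample,claims\n")
        make_backup(src, root / "backup")
        if corrupt:
            (root / "backup" / "charts" / "patient-0001.txt").write_bytes(b"\x00" * 8)
        return restore_and_verify(root / "backup", root / "restored")
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
    print(json.dumps(run_restore_drill(corrupt=True), indent=2))
```

The returned record is the artifact to file: it names the files checked, any that failed, and whether the restore met the objective. The corrupted run shows why a restore test that only confirms "the job completed" is not a test; the copy completes fine, and only the hash comparison reveals that a patient record came back unreadable.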
Taino Consultants can help design and lead these tabletop exercises. EPICompliance can host your incident procedures, logs, and follow-up documentation in one secure hub.
The HIPAA 2025 Security Rule changes give Business Associate oversight more teeth. Covered entities must obtain written verification from each Business Associate, at least once every 12 months, that the Business Associate has the required technical safeguards in place.
New language would also require Business Associates to notify covered entities within 24 hours when they activate a contingency plan after a security incident. That means your billing vendor or cloud EHR must tell you quickly if they switch into disaster recovery mode.
Action step:
Review your Business Associate Agreements. Update them to include 24-hour notice for security incidents and contingency plan activation. Then build a simple tracking sheet of vendors, BAAs, and last security reviews.
Taino Consultants can review your BAAs, and EPICompliance can store the signed agreements and annual vendor attestations.
The HIPAA 2025 Security Rule changes do not just ask, “What controls do you have?” They also ask, “Can you prove it?”
You must maintain written policies and procedures that match how your staff actually work. You must review and update them at least every 12 months or after major changes.
You also must keep evidence for at least six years from the date it was created or was last in effect, whichever is later. That evidence includes risk analyses, training rosters, incident logs, backup tests, vulnerability scans, pen tests, and BA reviews.
HHS may look favorably on organizations that align with recognized frameworks like the NIST Cybersecurity Framework. This is more than goodwill: under the 2021 HITECH Act amendment (Public Law 116-321), OCR must consider whether "recognized security practices" were in place for the prior 12 months when it decides penalties and audit outcomes, so documented alignment has concrete value.
Action step:
Use a single system to organize your compliance evidence. EPICompliance was built for exactly this purpose, bundling policies, forms, training, and task tracking in one platform.
Here is a simple roadmap based on the HIPAA 2025 Security Rule Changes and the training guide developed for healthcare teams.
First 90 Days
Start with visibility and quick wins.
Create or refresh your asset inventory and network map with help from IT or vendors. Turn on MFA everywhere you reasonably can, starting with EHR, email, and remote access. Begin encrypting laptops and devices that store ePHI. Check your backups and perform at least one restore test.
At this stage, many organizations ask Taino Consultants to perform a baseline SRA and gap analysis. EPICompliance then becomes the central hub for tracking fixes and follow-up actions.
Next 3–6 Months
Use your updated inventory for a full, documented Security Risk Analysis that meets the NPRM expectations. Build or refresh your written risk management plan with priorities, owners, and timelines.
Update security policies and procedures so they match real workflows, including telehealth and remote work. Develop and test your incident response and contingency plans. Set a schedule for vulnerability scans and penetration tests.
Ongoing, Every Year
Repeat your risk analysis and security compliance audit at least once every 12 months. Review and update policies, BAAs, and vendor security evidence. Test backups and incident response at least yearly.
Keep improving. Treat cybersecurity as a continuous program, not a one-time project.
Think of Taino Consultants as your strategy and analysis team. They help you understand the HIPAA 2025 Security Rule changes, run your Security Risk Analysis, and design a realistic remediation plan. Their blogs explain how SRAs, evaluations, and policies work in the real world.
Think of EPICompliance as your daily control center. It provides online policies, standardized forms, training, BAAs, task lists, and documentation tools in one secure platform.
You can learn more about EPICompliance products, and explore Taino Consultants' insights and SRA support, on their respective websites.
Together, these two partners help you move from “we are worried” to “we have a plan and a system.”
HIPAA 2025 Security Rule changes will not wait for a quiet year. Threats keep growing, and regulators will expect real progress.
Take control now: review, refresh, and actively manage your program. For quick, practical guidance, see the EPICompliance webcasts on YouTube and the EPICompliance Video Overviews resource center.