In late December 2024, HHS announced a Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule; it was published in the Federal Register on January 6, 2025. It is important to be precise about its status: these are proposed changes. They have not been finalized, and the requirements described here could change, be delayed, or never take effect. Organizations should monitor developments rather than treat the proposals as current law.
Why HHS proposed updates
The Security Rule's substantive safeguards have not been revised since the 2013 Omnibus Rule, and most of its technical content still dates to its original 2003 adoption, while threats have evolved dramatically, especially ransomware and large-scale breaches of ePHI. The proposal aims to raise baseline cybersecurity expectations and reduce ambiguity about what regulated entities must do to protect ePHI.
What the proposal would change
According to the HHS fact sheet and the NPRM text, the proposed updates would, among other things:
- Remove the distinction between "required" and "addressable" implementation specifications, making all specifications required with specific, limited exceptions.
- Require a more rigorous, written risk analysis built on a technology asset inventory and a network map of ePHI flows, each reviewed and updated at least every 12 months and after material changes.
- Make encryption of ePHI at rest and in transit, multi-factor authentication, and network segmentation required safeguards rather than options to be weighed.
- Require vulnerability scanning at least every six months, penetration testing at least every 12 months, and patching of critical vulnerabilities within 15 days and high-severity vulnerabilities within 30 days of identification.
- Strengthen contingency planning, including written procedures to restore the loss of relevant electronic information systems and data within 72 hours, and a compliance audit at least every 12 months.
- Require business associates to verify at least every 12 months, in writing, that they have deployed the required technical safeguards, and to notify covered entities within 24 hours of activating their contingency plan.
The exact contours depend on the final rule, which will follow public comment and HHS review.
How to prepare without overreacting
Even though the proposal is not final, much of it reflects practices that are already widely considered prudent. Organizations can prepare in low-regret ways:
- Keep your risk analysis current and well documented.
- Maintain an accurate inventory of systems and data flows that involve ePHI.
- Deploy MFA on remote and privileged access first, and plan for broader coverage, since the NPRM would require it well beyond those cases.
- Encrypt data at rest and in transit.
- Establish and test backups and recovery procedures.
- Track vendor security and keep business associate agreements current.
These steps strengthen security today regardless of the final rule's wording.
Watching the process
The rulemaking process includes a public comment period (for this NPRM it closed on March 7, 2025), review of those comments, and publication of a final rule with an effective date and a compliance date. The gap between proposal and enforcement can be substantial. Reliable ways to follow the status include the Federal Register, the HHS HIPAA pages, and the Office for Civil Rights.
How rulemaking actually works
Understanding the federal rulemaking process explains why a proposal is not law. An agency like HHS first publishes a Notice of Proposed Rulemaking that describes the changes it is considering and invites public comment for a set period. The agency must then review and respond to those comments, which can lead to revisions, and only afterward publish a final rule. The final rule sets an effective date and, separately, a compliance date by which regulated entities must conform. At each of these stages a proposal can be narrowed, broadened, delayed, or withdrawn, and litigation can further affect the timeline. This is why careful guidance describes the December 2024 proposal as proposed and not yet binding.
The takeaway: treat the NPRM as a strong signal of where requirements may be heading, invest in fundamentals that help regardless, and avoid stating or assuming that any proposed provision is already law until a final rule is published.