This article is for general informational purposes only and does not constitute legal or compliance advice. It is not a complete HIPAA Security solution and should not be relied upon as such.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released a Notice of Proposed Rulemaking (NPRM) that is expected to be finalized in 2026. If finalized as proposed, it will significantly reshape the HIPAA Security Rule. The goal of the update is to reduce cybersecurity risk nationwide by making HIPAA cybersecurity requirements more explicit, technical, and enforceable. The proposed changes aim to reduce ambiguity, set standard expectations, and increase accountability in the face of modern cybersecurity threats.
For solo and small healthcare practices this is not a small update. The rule shifts from "flexible guidance" to defined, auditable expectations. It is important to recognize, however, that the final rule may differ substantially from the proposal.
While these updates may appear to introduce new requirements, they largely formalize and expand existing obligations under the HIPAA Security Rule. Practices have always been expected to conduct a security risk assessment and implement appropriate safeguards. What the proposal changes is that these expectations become more explicit, structured, and enforceable.
Many practices treated "addressable" implementation specifications as optional. OCR has made clear that "addressable" was never meant to be optional, only flexible in how it is implemented across different types of practice. The proposal therefore removes the distinction between "addressable" and "required" specifications and makes all of them required, with specific and limited exceptions. This alone will invalidate many existing template-based compliance approaches that simply marked addressable items as not applicable.
Although already implicitly required, you would specifically need to maintain written documentation of all security policies, procedures, and processes, plus the logs and records that show they are actually followed. Following the philosophy that if it is not written down it does not exist, verbal or informal processes would not be considered sufficient.
You would then maintain:
A technology asset inventory (devices, software, systems)
A network map showing how ePHI moves
And update them at least annually and whenever your environment changes.
The risk assessment requirement would be significantly expanded, moving toward the approach described in NIST SP 800-30, the risk assessment guide widely used as a reference standard in the cybersecurity industry.
You would need to explicitly document:
All reasonably anticipated threats to ePHI
All vulnerabilities and predisposing conditions
How each threat could exploit each vulnerability
The likelihood of that happening
The resulting risk level for each threat and vulnerability pair
For small practices, even if your setup is "simple" you are still expected to formally document all reasonably anticipated risks, including the ones that sit outside your EHR, such as email, personal devices, and backups.
You would be expected to implement:
Multi-Factor Authentication across systems and accounts
Encryption of ePHI at rest and in transit (in practice this includes patient communication channels)
Anti-malware protection
Removal of extraneous software from systems that handle ePHI
Secure system configurations
Controls for backup and recovery of ePHI
You must then have:
Formal incident response and contingency plans
A criticality analysis of systems and data to determine the priority for restoration
Clear reporting procedures for security incidents
Regular testing of those plans and procedures
Written procedures for restoring the loss of certain relevant systems and data within a specified period (the proposal specifies 72 hours)
You would also be expected to:
Conduct a formal compliance audit at least every 12 months
Review and test the effectiveness of your security measures at least every 12 months
Perform vulnerability scans at least every 6 months
Perform penetration testing at least every 12 months
For solo providers and small groups, the impact is disproportionate. You likely have no internal IT or compliance staff, and neither the time nor the technical background to interpret regulatory language.
Many small providers wrongly assume they are exempt from these requirements, or that their EHR vendor handles HIPAA compliance for them. In fact, their biggest risks, such as phishing attacks, weak or reused credentials, and lost or mishandled devices, sit outside the EHR entirely, and ePHI must be safeguarded against those threats as well.
For small providers, the majority of real-world risk reduction typically comes from:
Implementing Multi-Factor Authentication across all critical systems
Reducing phishing risk through training and basic safeguards
Securing mobile devices against loss or theft (encryption, lock, remote wipe)
Establishing and consistently following documented security policies
The rule is currently in the proposed stage. Finalization is expected some time in 2026, possibly in May or June, and enforcement typically begins only after a compliance window.
In practice, HIPAA security is typically handled in one of three ways. Some practices take a fully self-directed approach, using templates and online resources to interpret requirements and build everything themselves. This keeps costs low but requires time and judgment, and it carries a higher risk of gaps or misinterpretation.
Others follow a more structured approach, using a framework to develop documentation and implement safeguards in a more consistent way. This reduces ambiguity and effort, but still requires involvement and comes with some cost.
Some organizations use fully managed services, where implementation and ongoing maintenance are handled externally. This minimizes internal effort, but is significantly more expensive and often exceeds what smaller practices need.
These updates go well beyond adding a few policies, but they are not an overreaction given how quickly modern cybersecurity threats are growing and evolving. For small practices, this can feel burdensome, and it is genuinely difficult to translate the regulation into something practical and effective.
You do not need enterprise-level security. But you do need a structured approach that connects your risks, safeguards, and documentation into a coherent system. If you are a small practice, now is the time to understand your current setup, identify your current compliance gaps, and prepare before the requirements become enforceable.
References
U.S. Department of Health and Human Services, Office for Civil Rights. (2026, March 18). HIPAA Security Rule Notice of Proposed Rulemaking to strengthen cybersecurity for electronic protected health information [Fact sheet]. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
U.S. Department of Health and Human Services, Office of the Secretary. (2025, January 6). HIPAA Security Rule to strengthen the cybersecurity of electronic protected health information (proposed rule; 45 CFR Parts 160 and 164; RIN 0945-AA22; Document No. 2024-30983). Federal Register, 90 FR 898.
National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST Special Publication 800-30, Rev. 1). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-30r1