If you run a medical or dental practice, you have probably heard that HIPAA is about to get a lot stricter. That is partly true and partly premature, and the difference matters for how you spend your time and money this year.
Here is the honest status. In January 2025, the HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking that would overhaul the HIPAA Security Rule for the first time since 2013. The public comment period closed in March 2025 after more than 4,700 comments came in. OCR then signaled it wanted a final rule out by the spring of 2026. That target has come and gone with nothing published. On top of that, a coalition of more than 100 hospital and provider organizations formally asked HHS to withdraw the proposal, arguing that the cost, which HHS itself estimated at roughly 9 billion dollars in the first year across the industry, would fall hardest on small and rural providers.
So to be clear, this is a proposed rule, not law. It is not being enforced. It could be finalized largely as written, softened, delayed for years, or shelved entirely. Nobody outside OCR knows yet.
That uncertainty is exactly why this guide is not a reason to panic. It is a plan. Almost everything in the proposal is already considered baseline security practice, and OCR still enforces the current Security Rule, where a weak or missing risk analysis remains the most common finding in its investigations. In other words, most of what the proposed rule would require, you should be doing anyway. Reading it as a preparation checklist rather than a countdown clock is the calm, correct way to approach it.
A quick note on scope. This article explains a proposed regulation for general educational purposes. It is not legal advice, and the final rule, if one is ever issued, may differ from what is described here. Confirm your specific obligations with a qualified healthcare attorney and your compliance advisor.
The one change that drives everything else
Under the current rule, every safeguard is labeled either required or addressable. Required means you must do it. Addressable was meant to give flexibility. You assess whether a safeguard is reasonable for your practice, and if it is not, you can document an alternative or explain why you skipped it.
In practice, addressable quietly became optional. Practices wrote a paragraph explaining that encryption was too expensive or that MFA was too disruptive, and auditors often accepted it. The proposed rule removes that distinction entirely (45 CFR 164.306). Nearly every implementation specification would become required, with only a few narrow exceptions. The era of documenting your way out of a control would be over. What would matter is whether the control is actually in place.
Two more structural shifts run through the whole proposal. First, everything moves to writing. Policies, procedures, plans, and analyses would all have to be documented, and most would need to be reviewed and updated at least once every 12 months (45 CFR 164.316). Second, vague obligations get hard deadlines. Where the current rule says "periodically", the proposal attaches specific clocks: every 6 months, every 12 months, within 72 hours, within 24 hours.
The compliance clock, if it is finalized
If OCR finalizes the rule as proposed, the timeline is short. The final rule would take effect 60 days after publication. Covered entities would then have 180 days to comply, for a total of about 240 days, or roughly eight months. Business associate agreements would generally need to be updated within one year.
Eight months sounds like a while. It is not, for a practice running aging on-premises servers, a mix of cloud apps, and informal device management. Assessing your environment, buying and deploying new controls, writing policies, and training staff takes most of that window even when you start early. That is the practical argument for doing the groundwork now, while it is optional and unhurried, rather than later under a deadline.
The rest of this guide walks through the proposed requirements as a sequence of steps. For each one, we note where it would live in the regulation, what it means in plain terms, and what your practice would actually do about it. The citations refer to the proposed provisions within each part of the Security Rule.
The proposed requirements at a glance
| Proposed requirement | CFR location | Cadence or deadline |
|---|---|---|
| Technology asset inventory and network map | 164.308 | Reviewed at least every 12 months and on change |
| Written, specific risk analysis | 164.308 | At least every 12 months |
| Multi-factor authentication | 164.312 | Continuous; limited exceptions |
| Encryption at rest and in transit | 164.312 | Continuous; limited exceptions |
| Network segmentation | 164.312 | Continuous |
| Secure configuration and anti-malware | 164.312 | Continuous |
| Audit logging and activity review | 164.312 | Ongoing review |
| Vulnerability scanning and penetration testing | 164.312 | Scan every 6 months; test every 12 months |
| 72-hour recovery and backup controls | 164.308, 164.312 | Restore critical systems within 72 hours |
| Written incident response plan | 164.308 | Tested at least every 12 months |
| Workforce access controls and change notice | 164.308 | Notify within 24 hours of a change |
| Business associate verification | 164.314 | Verified at least every 12 months |
| Annual compliance audit and documentation | 164.308, 164.316 | At least every 12 months |
The steps a practice would need to follow
Step 1. Build a technology asset inventory and network map
Proposed location: 45 CFR 164.308 (Administrative Safeguards)
You cannot protect what you have not counted. The proposal would require a written inventory of every technology asset that creates, receives, maintains, or transmits ePHI, along with a network map that shows how that data moves through your systems. Both would need to be reviewed at least once every 12 months and whenever your environment changes in a way that could affect ePHI.
For a practice, that means a living list of every workstation, laptop, server, phone, tablet, network device, and cloud application that touches patient data, plus imaging systems, practice management software, and any connected medical or dental equipment. The network map shows where ePHI lives, where it travels, and where it leaves your walls, whether that is a billing company, a cloud EHR, or a backup provider. This inventory is the foundation for everything after it, because your risk analysis, your segmentation, and your recovery plan all depend on knowing exactly what you have.
Step 2. Conduct a written, specific risk analysis
Proposed location: 45 CFR 164.308 (Administrative Safeguards)
The risk analysis has always been the heart of the Security Rule, and it is the control OCR cites most often when it investigates a breach. The proposal makes it far more specific. Your written assessment would need to review the asset inventory and network map, identify all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, identify vulnerabilities and weak points in your systems, and assign a risk level to each threat based on how likely it is to exploit a given vulnerability.
The key word is written. A vague, verbal sense that the practice is probably fine is not a risk analysis. This is a documented, methodical exercise that produces a prioritized list of real risks. For most practices this is where an outside partner earns their keep, because doing it properly takes both security expertise and an honest, outside look at the environment.
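As an added example that is not part of the original article or Harmony MSP's own tooling, here is a minimal inventory, data-flow map and risk register in the shape Steps 1 and 2 describe: each ePHI asset carries its segment, its encryption and MFA status and its last review date, each flow records whether it is encrypted and whether it leaves the practice, and a likelihood-times-impact score turns the gaps into a prioritized list. Every asset, flow, threshold and score below is a constructed assumption for a hypothetical practice.

```python
"""Added example (not from the original article): ePHI asset inventory,
network map and risk register. All data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)  # proposal: review at least every 12 months

@dataclass
class Asset:
    name: str
    zone: str                # network segment the asset sits in
    handles_ephi: bool
    encrypted_at_rest: bool
    mfa: bool
    last_reviewed: date

@dataclass
class Flow:                  # one edge of the network map
    src: str
    dst: str
    encrypted_in_transit: bool
    leaves_practice: bool    # e.g. to a billing company or cloud backup

def risk_level(likelihood: int, impact: int) -> str:
    """Likelihood and impact each 1-3; assumed cut-offs, not from the rule."""
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def build_risk_register(assets, flows, today):
    """Return (finding, level) tuples, highest risk first."""
    findings = []
    by_name = {a.name: a for a in assets}
    for a in assets:
        if not a.handles_ephi:
            continue
        if not a.mfa:
            findings.append((f"{a.name}: no MFA on an ePHI system", risk_level(3, 3)))
        if not a.encrypted_at_rest:
            findings.append((f"{a.name}: ePHI stored unencrypted", risk_level(2, 3)))
        if today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((f"{a.name}: inventory entry not reviewed in 12 months", risk_level(2, 2)))
    for f in flows:
        src = by_name.get(f.src)
        if src and src.handles_ephi and not f.encrypted_in_transit:
            likelihood = 3 if f.leaves_practice else 2   # crossing the boundary is worse
            findings.append((f"{f.src} -> {f.dst}: ePHI in transit unencrypted", risk_level(likelihood, 3)))
    # Flat-network check: ePHI and non-ePHI assets sharing one segment (Step 5).
    zones = {}
    for a in assets:
        zones.setdefault(a.zone, set()).add(a.handles_ephi)
    for zone, kinds in zones.items():
        if kinds == {True, False}:
            findings.append((f"zone {zone}: ePHI and non-ePHI assets share one segment", risk_level(2, 3)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda item: order[item[1]])

# Constructed sample inventory for a hypothetical four-device practice.
SAMPLE_ASSETS = [
    Asset("ehr-server", "clinical", True, True, True, date(2025, 3, 1)),
    Asset("frontdesk-pc", "clinical", True, False, False, date(2024, 1, 15)),
    Asset("panoramic-xray-pc", "clinical", True, False, False, date(2025, 6, 1)),
    Asset("guest-wifi-ap", "clinical", False, False, False, date(2025, 6, 1)),
]
SAMPLE_FLOWS = [
    Flow("ehr-server", "cloud-backup", True, True),
    Flow("frontdesk-pc", "billing-company", False, True),
]

def sample_register():
    """Risk register for the constructed sample as of an assumed review date."""
    return build_risk_register(SAMPLE_ASSETS, SAMPLE_FLOWS, date(2026, 1, 10))

if __name__ == "__main__":
    for finding, level in sample_register():
        print(f"[{level}] {finding}")
```

The output is the prioritized list Step 2 asks for; in a real practice the inventory would come from a maintained record rather than a literal in a script.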
Step 3. Require multi-factor authentication
Proposed location: 45 CFR 164.312 (Technical Safeguards)
Multi-factor authentication (MFA) would become mandatory for access to systems that contain ePHI, with only limited exceptions. This is the single highest-value control in the entire proposal. The large majority of breaches start with a stolen or guessed password, and MFA stops most of them by requiring a second factor, such as a code from an app or a hardware key, in addition to the password.
For a practice, this means turning on MFA for your email, your EHR or practice management system, your remote access, and your cloud accounts. The added friction is real but small, and modern tools make it manageable. If you do only one thing from this entire list before the rule is ever finalized, make it this one.
Step 4. Encrypt ePHI at rest and in transit
Proposed location: 45 CFR 164.312 (Technical Safeguards)
Encryption was the most famous addressable specification, and the one practices most often skipped. The proposal would make it required, both for data at rest, meaning data sitting on a drive, server, or backup, and data in transit, meaning data moving across a network or the internet, with limited exceptions.
In practice, that means full-disk encryption on every laptop and workstation, encrypted servers and backups, and secure encrypted connections for email that carries ePHI and for any data moving to the cloud. Much of this is already available in tools you own and simply needs to be switched on and verified. Encryption also carries a bonus. Under the current breach notification rules, properly encrypted data that is lost or stolen generally does not trigger a reportable breach.
Step 5. Segment your network
Proposed location: 45 CFR 164.312 (Technical Safeguards)
Network segmentation would move from unwritten best practice to explicit requirement. Segmentation means dividing your network into zones so that a problem in one area cannot spread freely to the rest. The stated goal in the proposal is to limit access and prevent an intruder from moving laterally through your systems.
For a practice, a simple and powerful example is keeping your guest and waiting-room Wi-Fi completely separate from the network that carries patient data. More broadly, your clinical systems, your administrative systems, and any smart devices or connected equipment should sit in separate zones with controlled paths between them. If ransomware lands on a front-desk PC, segmentation is what keeps it from reaching your servers.
Step 6. Standardize configuration and deploy anti-malware
Proposed location: 45 CFR 164.312 (Technical Safeguards)
The proposal would require consistent, secure configuration of your systems, including workstations. It calls out three specific actions: deploy anti-malware protection, remove extraneous software from systems that touch ePHI, and disable network ports you do not need, based on your risk analysis.
In plain terms, every device is set up to a known, secure baseline rather than however it arrived out of the box. Anti-malware runs everywhere. The random free programs and unused applications that accumulate on office computers get removed, because every extra piece of software is another way in. Unused ports and services get switched off. This is basic digital hygiene, formalized and made mandatory.
Step 7. Turn on audit logging and review activity
Proposed location: 45 CFR 164.312 (Technical Safeguards)
The proposal strengthens the requirement to record and examine activity in systems that contain ePHI. That means audit logs that capture who accessed what and when, and a real process for reviewing them, rather than logs that exist only to be ignored until after an incident.
For a practice, the value is twofold. Logs help you catch a problem early, such as an account behaving strangely in the middle of the night. And when something does go wrong, logs are how you reconstruct what happened, which is essential for both your response and any breach determination. Many EHR and cloud platforms already generate these logs. The usual gap is that no one is set up to watch them.
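To show what "a real process for reviewing them" can look like, here is an added example that is not part of the original article or any EHR product: a small review pass over constructed audit-log lines that flags after-hours activity, activity by an account that should have been disabled (the Step 11 gap), bulk exports, and bursts of chart views. The log format, account names, business hours and thresholds are all assumptions for a hypothetical practice.

```python
"""Added example (not from the original article): review of constructed
EHR audit-log lines. Format, names and thresholds are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp,user,action,patient_id,source_ip
SAMPLE_LOG = """\
2026-01-12T09:14:02,dr.patel,view_chart,P1001,10.0.1.21
2026-01-12T09:15:40,dr.patel,view_chart,P1002,10.0.1.21
2026-01-12T02:47:13,frontdesk2,login,-,10.0.1.40
2026-01-12T02:48:01,frontdesk2,view_chart,P1003,10.0.1.40
2026-01-12T02:48:05,frontdesk2,view_chart,P1004,10.0.1.40
2026-01-12T02:48:09,frontdesk2,view_chart,P1005,10.0.1.40
2026-01-12T02:48:12,frontdesk2,export_records,P1005,10.0.1.40
2026-01-12T11:02:55,j.smith,login,-,10.0.1.33
2026-01-12T11:03:10,j.smith,view_chart,P1006,10.0.1.33
"""

# Assumptions for the hypothetical practice; tune these to your office.
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
TERMINATED_ACCOUNTS = {"j.smith"}      # should have been disabled on departure
VIEW_BURST_THRESHOLD = 3               # chart views in one minute worth a look

def parse_log(text):
    """Turn the comma-separated lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "ip": ip})
    return events

def review(events):
    """Return (user, reason) alerts that deserve a human's attention."""
    alerts = []
    views_per_minute = Counter()
    for e in events:
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["user"], f"after-hours {e['action']} at {e['ts'].isoformat()}"))
        if e["user"] in TERMINATED_ACCOUNTS:
            alerts.append((e["user"], f"terminated account still active: {e['action']}"))
        if e["action"] == "view_chart":
            views_per_minute[(e["user"], e["ts"].replace(second=0))] += 1
        if e["action"] == "export_records":
            alerts.append((e["user"], f"bulk export of {e['patient']}"))
    for (user, minute), count in views_per_minute.items():
        if count >= VIEW_BURST_THRESHOLD:
            alerts.append((user, f"{count} chart views within one minute at {minute.isoformat()}"))
    return alerts

def review_sample():
    """Alerts for the constructed sample log."""
    return review(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for user, reason in review_sample():
        print(f"{user}: {reason}")
```

Each alert is a prompt for a person to look, not a verdict; the value is that someone is set up to look at all.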
Step 8. Scan for vulnerabilities and test your defenses
Proposed location: 45 CFR 164.312 (Technical Safeguards)
This is one of the most concrete new demands in the proposal. It would require vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.
The two are different. A vulnerability scan is an automated check that looks for known weaknesses, such as missing patches or misconfigurations, across your systems. A penetration test is a controlled, hands-on attempt by a security professional to actually break in, which reveals how those weaknesses could be chained together in the real world. For a small practice, both are almost always outsourced. The important shift is cadence. This becomes a scheduled, recurring commitment rather than a one-time project.
Step 9. Plan for 72-hour recovery and protect your backups
Proposed location: 45 CFR 164.308 and 164.312
The proposal puts hard numbers on resilience. You would need written procedures to restore certain critical systems and data within 72 hours of their loss, and you would need to analyze which of your systems and assets are most critical so you know what to bring back first. Separately, the technical safeguards would require dedicated controls for backing up and recovering ePHI.
For a practice, this is the ransomware and disaster question stated plainly. If your systems went down today, could you restore them within three days, and do you know for certain that your backups are complete, protected, and tested? Many practices have backups they have never actually tried to restore. The proposal, sensibly, would push you to prove that recovery works before you need it.
Step 10. Formalize your incident response
Proposed location: 45 CFR 164.308 (Administrative Safeguards)
Alongside recovery, the proposal would require written security incident response plans: documented procedures for how your team reports a suspected or known incident, and how the practice responds when one happens. You would also need to test and revise those procedures on a schedule.
The practical version is a short, written playbook that every staff member understands. Who do you call when a workstation is acting strange or an email looks like a phishing attempt? What are the first steps, and who makes the decisions? A plan written in advance and rehearsed at least once a year turns a chaotic emergency into a managed process.
Step 11. Tighten workforce access and notify on changes within 24 hours
Proposed location: 45 CFR 164.308 (Administrative Safeguards)
The proposal sharpens control over who can reach ePHI. Access should follow the principle of least privilege, meaning each person can reach only the data their job actually requires. And when a workforce member’s access is changed or terminated, certain other entities would need to be notified within 24 hours.
For a practice, the everyday reality here is the departing employee. When someone leaves or changes roles, their access to your EHR, email, and systems needs to be adjusted or shut off promptly, not weeks later. This closes one of the most common and dangerous gaps in small offices: former staff whose logins still work long after they are gone.
Step 12. Verify your business associates and vendors
Proposed location: 45 CFR 164.314 (Organizational Requirements)
This is a significant new burden, and it cuts in two directions. Your business associates, the outside vendors who handle ePHI on your behalf, such as your billing company, your cloud EHR, and your IT provider, would be required to verify at least once every 12 months that they have actually deployed the technical safeguards the rule requires. That verification would take the form of a written analysis by a subject matter expert plus a written certification that the analysis was performed and is accurate. Business associates would also have to notify you when they activate their own contingency plans, no later than 24 hours after activation.
For a practice, this means your vendor relationships become more formal. You would collect these annual certifications and keep them on file, and you would need to choose partners who can actually produce that evidence. A vendor who cannot certify their own safeguards quietly becomes your liability.
Step 13. Run an annual compliance audit and document everything
Proposed location: 45 CFR 164.308 and 164.316
Finally, the proposal would require a compliance audit at least once every 12 months to confirm that you are meeting the Security Rule’s requirements, and it would require that all of the policies, procedures, plans, and analyses above be written down, reviewed, and updated at least annually.
This is the connective tissue for everything else. Every step in this guide produces a document or a record, and this requirement keeps them current and provable. If OCR ever comes knocking, the phrase "we do that" is worth very little. The phrase "here is the written policy, here is the analysis, and here is the date we last reviewed it" is worth a great deal.
What this means specifically for smaller medical and dental practices
One point deserves emphasis, because it is easy to miss and expensive to get wrong. The proposed rule has no small-practice exemption. A solo dental office and a regional hospital system would face the same requirements. The difference is that the hospital has a chief information security officer, a security team, and a large compliance budget, while an independent practice usually has none of those things.
That is not a reason for despair. It is a reason to be deliberate about how you meet the requirements. Right-sized does not mean exempt. A five-person practice does not need an enterprise security operations center, but it does need MFA, encryption, a real risk analysis, tested backups, and a documented plan. For most small practices, the most efficient path is to lean on a managed security partner who can deliver these controls as a package rather than assembling and running them in-house.
For dental practices specifically, a few areas tend to need the most attention: imaging systems and the older workstations often attached to them, practice management software that can lag on updates, and connected operatory equipment that quietly sits on the same flat network as everything else. For medical practices, the common gaps are EHR access controls, the sprawl of cloud apps and patient portals, and business associate sprawl, meaning the long list of outside vendors who touch patient data.
A note for Central Florida practices
Location does not exempt anyone from HIPAA, but it does shape the risk. Central Florida’s dense cluster of independent medical and dental practices, from Lake Mary and Sanford through the greater Orlando metro, is exactly the kind of target attackers favor: valuable patient data held by offices large enough to be worth hitting but usually too small to staff a security team. The patterns we see locally match what the national data shows, namely phishing, stolen credentials, and ransomware aimed at practices that assumed they were too small to notice. The proposed rule, whatever its final fate, is a reasonable description of the defenses a practice in this market should already have.
What to do in the next 90 days
You do not have to wait for a final rule to make your practice materially safer, and none of the following depends on the proposal ever passing. If you do only a handful of things this quarter, do these:
- Turn on multi-factor authentication everywhere it is available: email, EHR, remote access, and cloud accounts. This is the highest-value, lowest-cost move on the list.
- Confirm that encryption is actually on for your laptops, workstations, servers, and backups, and for email that carries patient data.
- Build or update a simple inventory of every device and application that touches ePHI, and sketch how that data flows.
- Get a real, written risk analysis done, ideally by an outside professional who will tell you the truth.
- Test a backup restore. Do not assume your backups work. Prove it.
- Separate your guest Wi-Fi from your clinical network if you have not already.
That is a short, achievable list, and it covers the requirements most likely to matter and most likely to survive into any final rule.
How Harmony MSP helps
Harmony MSP is a managed IT and security provider based in Lake Mary, Florida, serving medical, dental, and legal practices across the Orlando metro. We were founded in 2011, and security is built into our base engagement rather than sold as an upgrade, which is exactly the posture the proposed rule points toward.
For practices working through the requirements above, that means we handle the inventory and network mapping, run and document the risk analysis, deploy MFA and encryption, segment your network, manage patching and configuration, watch your logs, schedule the vulnerability scans and penetration tests, harden and test your backups, and keep the written policies and annual reviews current. When the business associate verification requirement lands, we can produce the evidence for our own safeguards rather than becoming one more vendor you have to chase.
If you want a clear picture of where your practice stands against the proposed rule today, give us a call at (407) 720-6540 and we can start with a straightforward assessment and a prioritized plan.
What could change before this becomes final
It would be a mistake to prepare for this rule as if every clause is settled. It is not. Several parts of the proposal drew heavy criticism during the comment period, and a final rule, if one comes, may look different in specific places.
The cost objection is the loudest. HHS estimated first-year industry costs at roughly 9 billion dollars, and the provider coalition that asked for withdrawal argued that small and rural practices simply cannot absorb that. If OCR keeps the rule alive, the most likely concessions are longer compliance windows, scaled expectations for very small entities, or softened language on the most expensive items, such as the frequency of penetration testing or the strict business associate certification.
The specific timeframes are also candidates for adjustment. The 72-hour restoration target and the 24-hour notification windows are aggressive for a small office, and OCR received detailed comments arguing they are impractical without more flexibility. The mandatory penetration test every 12 months, in particular, is a real recurring cost that smaller practices pushed back on hard.
Here is the useful way to think about it. The controls least likely to change are the ones that are already cheap, standard, and effective: MFA, encryption, asset inventory, risk analysis, and tested backups. Those are safe to act on today with almost no regret, because you would want them regardless of any rule. The items most likely to be softened are the ones with the highest recurring cost and the tightest clocks. You can prepare for those in principle, budget for them, and hold off on locking in expensive long-term commitments until the final text is known. That approach lets you get materially safer now without overspending on requirements that may yet move.
The bottom line
The proposed HIPAA Security Rule may become law in something close to its current form, or it may not. Either way, the direction is unmistakable, and it matches where healthcare security was always heading: fewer optional safeguards, more written proof, and firm deadlines in place of good intentions. The practices that treat this moment as a calm opportunity to get their house in order, rather than a fire drill to be dreaded, will be the ones that barely notice when and if the rule finally arrives.
Sources
Primary source is the HHS Office for Civil Rights Notice of Proposed Rulemaking, HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, published in the Federal Register on January 6, 2025, together with the accompanying HHS OCR fact sheet. Regulatory status details reflect publicly reported developments as of mid-2026.