Quick answer
HHS OCR published the first major proposed overhaul of the HIPAA Security Rule since 2013 on January 6, 2025. The proposed rule would require encryption of all ePHI at rest and in transit, mandate multi-factor authentication for all workforce access to ePHI, and introduce specific timelines for vulnerability scanning, penetration testing, and data recovery. A final rule was tentatively scheduled for May 2026 but remains overdue after a presidential executive order froze agency rulemaking. Industry opposition has been significant and well-organized. OCR enforcement under the current rule, however, has continued at a steady pace through mid-2026.
The original HIPAA Security Rule was published on February 20, 2003, with most covered entities required to comply by April 21, 2005. In the more than two decades since, the threat landscape has shifted dramatically. From 2018 to 2023, large breaches affecting 500 or more individuals reported to OCR increased by 102%, while the total number of individuals affected by those breaches rose by 1,002%. In 2024, hacking and IT incidents affected more than 241 million individuals across large breach reports alone. The NPRM is a direct response to that trend.
What would the NPRM actually change?
The January 6, 2025 NPRM (Federal Register document 2024-30983) is the first substantive proposed overhaul of the Security Rule since the Omnibus/HITECH final rule took effect on March 26, 2013. One of its most consequential structural changes is the elimination of the distinction between “required” and “addressable” implementation specifications under 45 CFR Part 164 Subpart C. Under current rules, addressable specifications (including encryption) allow covered entities to implement “reasonable alternatives.” The NPRM would remove that flexibility for most specifications, converting what had been options into firm obligations.
The specific proposed requirements include:
Encryption of all ePHI at rest and in transit, replacing the current addressable specification at 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii).
Multi-factor authentication (MFA) for all workforce member access to ePHI across all technology assets. The February 2024 Change Healthcare breach was attributed in part to the absence of MFA on a Citrix remote access portal; Change Healthcare processes roughly 50% of all U.S. medical claims, and OCR later confirmed approximately 192.7 million individuals were affected, making it the largest healthcare data breach ever reported to HHS.
Technology asset inventory and network map documenting ePHI movement, reviewed and updated at least once every 12 months and after operational changes. This requirement has no direct analog in the current Security Rule.
Vulnerability scanning at least every six months and penetration testing at least once every 12 months. The current rule at 45 CFR Part 164 requires periodic review under § 164.306(e) but sets no specific frequency, making these new time-bound, audit-ready obligations.
Backup and recovery: A recovery point objective (RPO) of no more than 48 hours, a recovery time objective (RTO) of 72 hours to restore critical electronic information systems, and monthly testing of backup and restoration procedures. Current § 164.308(a)(7) requires a data backup plan but contains no RPO, RTO, or testing frequency. For smaller practices in Texas and elsewhere managing ePHI on local systems or through regional EHR vendors, the monthly testing cadence and 72-hour RTO represent a substantial operational commitment.
If finalized, the rule would become effective 60 days after Federal Register publication, with a compliance date 180 days after that, totaling 240 days from publication to required compliance for most provisions.
Why hasn’t the final rule been published yet?
The NPRM’s 60-day public comment period closed March 7, 2025. OCR deputy director Tim Noonan confirmed the agency received 4,745 public comments. Before OCR could work through those submissions, President Trump signed an executive order on January 20, 2025 requiring all executive agencies to pause pending rulemaking, freezing the HIPAA Security Rule NPRM pending HHS Secretary review. The rule has not been formally withdrawn, but as of June 2026 it has missed its tentative May 2026 finalization target from the Unified Agenda.
Industry opposition has added sustained pressure. In December 2025, a coalition of more than 100 hospital systems and provider associations led by CHIME sent a letter to HHS Secretary Robert F. Kennedy Jr. requesting withdrawal of the proposed rule. Signatories included Cleveland Clinic, Yale New Haven Health System, and Advocate Health. A separate February 2025 letter from eight associations including CHIME and AHCA asked President Trump directly for rescission.
The cost figures give context to that opposition. HHS estimated first-year compliance costs at approximately $9.3 billion for all regulated entities, with ongoing annual costs of roughly $6 billion for years two through five, totaling about $34 billion over five years. HHS simultaneously concluded the rule would not have a “significant economic effect on a substantial number of small entities,” a conclusion critics contested given that no federal funding accompanies these mandates.
Is OCR enforcing the current Security Rule while the NPRM sits?
Yes, and consistently. In 2024, OCR closed 797 compliance reviews stemming from breach reports and resolved 12 investigations with settlements totaling $7,813,831. Corrective action was taken in 84% of closed cases.
The pattern of recent enforcement is instructive. OCR imposed a $1,190,000 civil money penalty on Gulf Coast Pain Consultants (finalized December 2024) after a workforce member accessed more than 34,000 patient records without authorization for nearly six months without detection. Heritage Valley Health System paid $950,000 in July 2024 for Security Rule failures traced back to a 2017 ransomware attack, illustrating OCR’s long investigative horizon. In April 2026, OCR announced four simultaneous settlements totaling $1,165,000, its 19th through 22nd completed ransomware investigations.
Business associates face the same exposure as covered entities. BST & Co. CPAs, an accounting firm acting as a business associate, settled for $175,000 in August 2025 after a ransomware infection compromised the PHI of 170,000 individuals. MMG Fusion, a business associate software company, settled in March 2026 for $10,000 (reduced due to financial condition) after a breach affecting approximately 15 million individuals whose PHI was later posted on the dark web. OCR will monitor MMG for three years, longer than the standard two-year corrective action plan term.
OCR also launched a 2024-2025 HIPAA Cybersecurity Audit Program targeting 50 covered entities and business associates for Security Rule provisions most relevant to hacking and ransomware. This followed a November 2024 HHS OIG report (Report No. A-18-21-08014) finding that OCR’s prior audit program had assessed only 8 of 180 HIPAA Rules requirements, with zero of those 8 addressing physical or technical Security Rule safeguards. The OIG called the prior audit scope “too narrowly scoped to effectively assess ePHI protections.”
Civil monetary penalties under 45 CFR § 160.404 range from $100 per violation with no prior knowledge up to a minimum of $50,000 per violation for uncorrected willful neglect, subject to a $1,500,000 annual cap per identical violation category. Criminal HIPAA violations under 42 U.S.C. § 1320d-6 can result in up to $250,000 in fines and ten years imprisonment when PHI is used for commercial advantage or malicious harm. These penalties apply to individuals, not just organizations, making them directly relevant to clinical staff and administrators.
What to do next
The HIPAA Security Rule NPRM may be frozen, but the enforcement record through mid-2026 makes clear that gaps in your security posture carry real financial risk under the rules that exist today. Large healthcare breaches involving ransomware have increased 264% since 2018, OCR’s Risk Analysis Initiative has produced 10 settlements and counting, and the 2024-2025 cybersecurity audits targeting 50 entities are still underway.
The most important step any covered entity or business associate can take right now is completing a current, documented risk analysis under 45 CFR § 164.308(a)(1). That analysis is the foundation for every other Security Rule obligation, the first thing OCR investigators request, and the gap most commonly cited in recent settlements. If your practice, whether in Houston, across Texas, or anywhere else, has not conducted a thorough risk analysis recently, or if your last one predates the Change Healthcare breach, now is the time to address it. Our HIPAA risk analysis service assesses your current posture against the existing rule and identifies the gaps the NPRM’s proposed changes would make mandatory, so you are not caught unprepared whenever a final rule arrives.
Last Updated: June 22, 2026