The First Major HIPAA Security Rule Update in 20 Years

What Every Healthcare CTO Needs to Know - And Do - Before 2027

By Saida Babu Chanda & Yogananda Karra

Ex-AWS Solutions Leaders | Co-founders, Infinitra Innovations

On January 6, 2025, the Department of Health and Human Services published the most significant proposed change to the HIPAA Security Rule since the Omnibus Rule of 2013. If you are a CTO, technical co-founder, or security lead at a healthcare or health tech company, this is the single most important regulatory development you need to understand this year.

This is not a minor update. The proposed rule would fundamentally change what HIPAA expects from your security posture. Controls that were once considered optional become mandatory. Timelines that were vague become specific. And the cost of non-compliance - both financial and operational - goes up significantly.

In our work with healthcare and health tech companies, Yogananda and I see the same pattern: teams that are building great products but treating compliance as something they will deal with later. That approach worked when the Security Rule was flexible. It will not work under the proposed changes.

Here is what is changing, what it means for you, and what smart CTOs are doing right now to prepare.

The Timeline You Need to Know

The proposed rule attracted over 4,000 public comments and significant industry pushback, including a coalition of 57 hospital systems urging HHS to withdraw it. Despite that, OCR has kept the rule on its official regulatory agenda for finalization in May 2026. Here is what the timeline looks like:

When               What Happens
-----------------  -------------------------------------------------------
Jan 2025           HHS publishes proposed rule (NPRM)
Mar 2025           Public comment period closed (4,000+ comments)
Mar 2025           OCR begins Phase 3 HIPAA compliance audits (50 entities)
May 2026 (est.)    Final rule expected to be published
Jul/Aug 2026       Rule becomes effective (60 days after publication)
Q1 2027            Compliance deadline (180 days after effective date)
Mid 2027           Deadline to update all Business Associate Agreements

The total compliance window is 240 days from publication. That sounds like a lot until you account for budgeting, vendor procurement, implementation, testing, and documentation. If you wait for the final rule to start planning, you will be scrambling.

OCR has already started Phase 3 compliance audits covering 50 entities. The enforcement machine is moving regardless of the rule's timeline.

The 9 Changes That Will Hit You Hardest

The proposed rule runs over 400 pages. You do not need to read all of it. Here are the nine changes that will most directly affect how you build, operate, and secure your product and organization.

1. No More "Addressable" Loopholes

Today, the Security Rule has two types of safeguards: "required" and "addressable." Many organizations, especially startups with limited budgets, have used the "addressable" designation to defer or skip controls they could not afford yet. HHS explicitly stated in the NPRM that they are concerned "some regulated entities proceed as if compliance with an addressable implementation specification is optional."

Under the proposed rule, every safeguard becomes mandatory with very limited exceptions. This is the single biggest mindset shift. If your compliance program has gaps justified by "addressable," those gaps become violations.

2. Mandatory Encryption Everywhere

All ePHI must be encrypted at rest and in transit. No more risk-based exceptions. This applies to servers, laptops, mobile devices, databases, backups, and every transmission path. If you are storing or moving patient data in any form, it must be encrypted.

For health tech companies, this means your product architecture needs encryption baked in from the start, not bolted on later. Review your data stores, API endpoints, internal services, and backup systems.

3. MFA on Every System That Touches ePHI

Multi-factor authentication becomes mandatory for every system that stores, transmits, or accesses patient data. This includes your EHR platform, cloud services, internal tools, admin consoles, and third-party vendor portals. Limited exceptions exist for certain legacy systems and pre-March 2023 FDA-approved medical devices, but only if you have a documented transition plan to migrate to MFA-supported technology.

4. Technology Asset Inventory - Updated Every 12 Months

You must maintain a written, continuously updated inventory of every technology asset that may affect the confidentiality, integrity, or availability of ePHI. This includes workstations, mobile devices, cloud instances, IoT devices, AI tools, and third-party SaaS applications. The inventory must be accompanied by a network map showing how ePHI flows through your systems.

For startups, this is actually an opportunity. If you build this discipline early, it becomes a competitive advantage when enterprise customers do due diligence on your security posture.

5. Network Segmentation Required

The proposed rule requires network segmentation to prevent lateral movement during a breach. Your systems that handle ePHI must be isolated from general-purpose networks. This is a fundamental architecture requirement, not something you can retrofit easily. If your production environment, development environment, and corporate network are all on the same flat network, that needs to change.

6. Vulnerability Scanning and Penetration Testing

Vulnerability scans every 6 months. Penetration testing every 12 months. Both are now mandatory, not best practice. Penetration testing must be conducted by "qualified person(s) with appropriate knowledge of generally accepted cybersecurity principles." You will need to budget for this as a recurring line item, not a one-time exercise.

7. 72-Hour Recovery and 48-Hour Backup

If a cyber incident takes down your systems, you must be able to restore critical electronic information systems and ePHI within 72 hours. Your backups must have a recovery point objective of no more than 48 hours, meaning data must be backed up at least every 48 hours. And you must test your backup and restoration process monthly.

This is not aspirational. This is a specific, measurable requirement. If your disaster recovery plan has never been tested, or if your last backup test was "we think it works," you have a problem.

8. Workforce Access - 1 Hour Termination Cutoff

When an employee is terminated, their access to ePHI systems must end within one hour. Other regulated entities must be notified of changes to workforce access within 24 hours. This requires tight integration between HR processes and IT access management. If your offboarding process takes days, that becomes a compliance gap.

9. Business Associate Accountability Gets Teeth

Business associates are now directly liable for HIPAA compliance, not just contractually obligated through a BAA. Covered entities must verify their partners' security measures annually. Business associates must notify covered entities within 24 hours of activating contingency plans. If you are a health tech startup selling to hospitals or health plans, expect your customers to ask harder questions about your security posture. Your BAA alone will not be enough.

What This Costs

HHS estimates the proposed rule would cost the healthcare industry $9 billion in the first year and $33 billion over five years. For individual organizations, the cost depends on your size and current posture. Here are rough ranges based on industry data:

Category                               Small Org (10-50 people)   Mid-size Org (50-200 people)
-------------------------------------  -------------------------  ----------------------------
Risk Analysis & Gap Assessment         $5K - $20K                 $20K - $50K
Encryption Implementation              $5K - $15K                 $15K - $40K
MFA Deployment                         $2K - $10K                 $10K - $30K
Penetration Testing (annual)           $5K - $15K                 $15K - $40K
Vulnerability Scanning (every 6 months) $2K - $8K                 $5K - $15K
Network Segmentation                   $10K - $30K                $30K - $100K
DR/Backup Testing (monthly)            $2K - $5K                  $5K - $15K
Policy & Documentation                 $3K - $10K                 $10K - $25K

But here is the cost most CTOs do not think about: the cost of not being compliant. For startups, it is not just the fines (up to $1.9 million per violation category per year). It is the lost enterprise deals, failed due diligence, BAA rejections from larger health systems, insurance complications, and the reputation damage that comes with a breach. A startup that cannot demonstrate compliance will lose contracts to one that can.

The Mistakes Healthcare Startups Keep Making

OCR's enforcement data and the 2025 HIPAA Journal Annual Survey paint a clear picture of where organizations fall short. These are the patterns we see most often in the startups and health tech companies we work with:

  • No risk analysis at all. This is the number one finding in OCR investigations. Many startups either skip it entirely or rely on a checklist completed years ago. Under the proposed rule, risk analysis must be tied to your technology asset inventory and network map with documented threat assessments.

  • Treating BAAs as a checkbox. Having a signed BAA is not enough. Under the proposed rule, you must verify your partners' security measures annually. If you are a health tech vendor, your customers will be required to do this, so expect deeper security questionnaires.

  • Using "addressable" to justify gaps. This loophole is closing. Every control you have deferred under "addressable" needs a remediation plan now.

  • No dedicated security or privacy officer. The HIPAA Journal survey found a significant number of organizations still have not appointed a dedicated Privacy Officer with sufficient decision-making authority.

  • Generic compliance training. Annual HIPAA training that covers the basics is not enough. Your team needs role-specific training that covers the systems they actually use, the data they actually handle, and the emerging risks around AI tools and remote work.

  • No incident response plan, or an untested one. The 72-hour recovery requirement means your DR plan needs to be tested monthly. If your plan exists only as a document no one has read, it will not save you when you need it.

What Smart CTOs Are Doing Right Now

You do not need to wait for the final rule to start preparing. The core requirements - encryption, MFA, risk analysis, asset inventory - are almost certain to be in any final version. Here is a practical phased approach:

Phase 1: Assess (Now)

  • Run a gap analysis against the proposed rule. Compare your current controls to what is being proposed. Identify the biggest gaps and estimate remediation cost and effort.

  • Build your technology asset inventory. Document every system, device, and service that touches ePHI. Map the data flows. This is required under the proposed rule and it gives you the foundation for everything else.

  • Assign ownership. Appoint a dedicated security/privacy officer if you do not have one. Build a small readiness team across IT, compliance, and leadership.

Phase 2: Harden (Next 3-6 Months)

  • Deploy MFA on all systems that touch ePHI. Start with the highest-risk systems: admin consoles, cloud infrastructure, EHR access.

  • Enforce encryption at rest and in transit across all data stores, APIs, and transmission paths. Document the encryption standards you are using (AES-256 for at rest, TLS 1.2+ for transit).

  • Implement network segmentation. Isolate ePHI systems from general corporate networks and development environments. This is an architecture change, so start early.

  • Budget for recurring security testing. Penetration testing annually, vulnerability scanning every six months. Find a qualified vendor and get it on the calendar.

Phase 3: Document and Test (Months 6-9)

  • Write it down. Every policy, procedure, risk analysis, and plan must be documented in writing. If it is not written down, it does not exist from a compliance perspective.

  • Build and test your incident response plan. Define roles, escalation paths, communication procedures, and recovery steps. Test it. Then test it again monthly.

  • Set up backup and recovery that meets the 48-hour RPO and 72-hour RTO. Automate your backups and schedule monthly recovery tests.

  • Review every BAA. Update your BAA templates with AI-specific language, annual verification requirements, and 24-hour notification obligations.

Phase 4: Sustain (Ongoing)

  • Annual compliance audit. Conduct a full compliance review every 12 months. Do not wait for OCR to audit you.

  • Continuous workforce training. Role-specific, covering AI tools, remote work, device security, and incident reporting. Update it as your systems and risks evolve.

  • Monitor the final rule. The final version may differ from the proposed rule. Stay informed and adjust your plan accordingly.
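Several of the requirements above are measurable numbers rather than judgement calls: backups at least every 48 hours, restore tests monthly, vulnerability scans every 6 months, penetration tests and inventory reviews every 12 months, MFA and encryption on every ePHI system, ePHI isolated from the corporate network, and access revoked within one hour of termination. The script below is an added example, not code from the article or from Infinitra Innovations, that turns those thresholds into checks over your own records. The record layouts (asset dicts, backup timestamps, an evidence dict, offboarding records) and the sample data are assumptions constructed for illustration; in practice you would feed it exports from your asset inventory, backup system, ticketing and HR tools.

```python
# Added example (not part of the original article): readiness checks for the
# measurable thresholds in the proposed HIPAA Security Rule. Record formats and
# the sample data are constructed assumptions for illustration.
from datetime import datetime, timedelta

# Thresholds as stated in the article.
RPO_MAX = timedelta(hours=48)                  # backups at least every 48 hours
RESTORE_TEST_MAX_AGE = timedelta(days=31)      # restore test "monthly"
VULN_SCAN_MAX_AGE = timedelta(days=182)        # vulnerability scan every 6 months
PENTEST_MAX_AGE = timedelta(days=365)          # penetration test every 12 months
INVENTORY_REVIEW_MAX_AGE = timedelta(days=365) # asset inventory reviewed every 12 months
ACCESS_CUTOFF = timedelta(hours=1)             # terminated staff lose ePHI access in 1 hour


def rpo_gaps(backup_times, now, limit=RPO_MAX):
    """Return (start, end) pairs where consecutive backups, or the last backup
    and now, are further apart than the RPO."""
    times = sorted(backup_times) + [now]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]


def is_stale(last_done, now, max_age):
    """True when an activity has never happened or is older than max_age."""
    return last_done is None or now - last_done > max_age


def late_revocations(offboarding, now, limit=ACCESS_CUTOFF):
    """Users whose ePHI access outlived the termination cutoff."""
    late = []
    for rec in offboarding:
        revoked = rec["access_revoked_at"] or now  # None means still active
        if revoked - rec["terminated_at"] > limit:
            late.append(rec["user"])
    return late


def assess(assets, backups, evidence, offboarding, now):
    """Collect findings as short strings; an empty list means no gaps found."""
    findings = []
    for a in assets:
        if not a["handles_ephi"]:
            continue  # only systems that touch ePHI are in scope here
        if not a["mfa"]:
            findings.append(f"{a['name']}: no MFA on ePHI system")
        if not (a["encrypted_at_rest"] and a["encrypted_in_transit"]):
            findings.append(f"{a['name']}: ePHI not encrypted at rest and in transit")
        if a["segment"] == "corp":
            findings.append(f"{a['name']}: ePHI system on flat corporate network")
    for start, end in rpo_gaps(backups, now):
        findings.append(f"backup gap of {end - start} ({start:%Y-%m-%d %H:%M} to "
                        f"{end:%Y-%m-%d %H:%M}) exceeds 48h RPO")
    cadence_checks = [
        ("restore test", "last_restore_test", RESTORE_TEST_MAX_AGE),
        ("vulnerability scan", "last_vuln_scan", VULN_SCAN_MAX_AGE),
        ("penetration test", "last_pentest", PENTEST_MAX_AGE),
        ("asset inventory review", "last_inventory_review", INVENTORY_REVIEW_MAX_AGE),
    ]
    for label, key, max_age in cadence_checks:
        if is_stale(evidence.get(key), now, max_age):
            findings.append(f"{label} missing or older than {max_age.days} days")
    for user in late_revocations(offboarding, now):
        findings.append(f"{user}: access revoked more than 1 hour after termination")
    return findings


# Constructed sample data (hypothetical organisation, not real systems).
NOW = datetime(2026, 3, 2, 9, 0)
SAMPLE_ASSETS = [
    {"name": "ehr-db", "handles_ephi": True, "mfa": True,
     "encrypted_at_rest": True, "encrypted_in_transit": True, "segment": "ephi"},
    {"name": "analytics-vm", "handles_ephi": True, "mfa": False,
     "encrypted_at_rest": True, "encrypted_in_transit": True, "segment": "corp"},
    {"name": "wiki", "handles_ephi": False, "mfa": False,
     "encrypted_at_rest": False, "encrypted_in_transit": True, "segment": "corp"},
]
# Backups 6h, 30h, 54h, 78h and 150h ago: one 72h hole between the oldest two.
SAMPLE_BACKUPS = [NOW - timedelta(hours=h) for h in (6, 30, 54, 78, 150)]
SAMPLE_EVIDENCE = {
    "last_restore_test": NOW - timedelta(days=45),      # past the monthly cadence
    "last_vuln_scan": NOW - timedelta(days=90),         # within 6 months
    "last_pentest": None,                               # never performed
    "last_inventory_review": NOW - timedelta(days=200), # within 12 months
}
SAMPLE_OFFBOARDING = [
    {"user": "alice", "terminated_at": NOW - timedelta(days=3),
     "access_revoked_at": NOW - timedelta(days=3) + timedelta(minutes=20)},
    {"user": "bob", "terminated_at": NOW - timedelta(days=2),
     "access_revoked_at": None},                         # still has access
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ASSETS, SAMPLE_BACKUPS, SAMPLE_EVIDENCE, SAMPLE_OFFBOARDING, NOW):
        print("FINDING:", f)
```

On the sample data this reports six findings: the analytics VM lacks MFA and sits on the corporate segment, there is a 72-hour backup gap, the restore test is overdue, no penetration test is on record, and one terminated user still has access. Each finding maps to a specific numbered change above, which makes the output usable as the starting list for the Phase 1 gap analysis and as recurring evidence for the Phase 4 annual review.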

A Word of Caution

The proposed rule is not yet final. There is significant industry opposition, and the Trump administration may modify or scale back certain requirements. A coalition led by CHIME has petitioned HHS to withdraw the proposed rule entirely, arguing it imposes unsustainable financial and operational demands, particularly on smaller organizations and rural providers.

That said, there is bipartisan support for stronger healthcare cybersecurity. The core principles - encryption, MFA, risk analysis, incident response - are widely agreed upon. Even if the final rule is scaled back, these controls represent baseline security that any healthcare organization should have in place. Building them now is not wasted effort regardless of what the final rule says.

The question is not whether these requirements are coming. The question is whether you will be ready when they arrive.

About the Authors

Saida Babu Chanda and Yogananda Karra are co-founders of Infinitra Innovations and ex-AWS Solutions Leaders. They built healthtechcompliance.com and the HIPAA Compliance Navigator to help healthcare and health tech companies navigate HIPAA requirements with clarity and confidence.

Not Sure Where You Stand? Take the free HIPAA Compliance Assessment. It covers all the areas discussed in this blog - encryption, MFA, risk analysis, BAAs, incident response, AI, and more. 50 questions, 15 minutes, no email required.
