HHS Proposed HIPAA Security Rule Update: What Healthcare Organizations Need to Know
HHS has proposed sweeping updates to the HIPAA Security Rule, tightening cybersecurity requirements for every entity that handles electronic protected health information. This article breaks down what is changing, why it matters, where the rulemaking stands today, and how Limina's privacy-enhancing technology helps healthcare organizations meet the new standards.

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to substantially strengthen the cybersecurity measures required under the HIPAA Security Rule. This Notice of Proposed Rulemaking (NPRM) is one of the most significant proposed overhauls to healthcare data security requirements in years, and it arrives at a moment when the scale and sophistication of attacks targeting electronic protected health information (ePHI) have reached historic levels.
The proposed amendments move beyond high-level principles, introducing specific, enforceable mandates around risk analysis, encryption, multi-factor authentication, and continuous monitoring. For covered entities and their business associates, the message is clear: existing security frameworks are no longer sufficient, and voluntary best practices must give way to mandatory requirements.
Since publication, the NPRM has moved through a public comment period, generated significant industry debate, and is now on the OCR's official regulatory agenda for finalization. This article examines the motivation behind the proposed amendments, outlines the core changes organizations need to understand, covers the latest developments in the rulemaking process, and explains how Limina's data de-identification technology can support compliance efforts across the healthcare ecosystem.
Why HHS is updating the HIPAA Security Rule now
The healthcare sector has become the most targeted industry for cyberattacks, and the numbers substantiate the urgency. According to OCR breach data published by HHS, from 2018 to 2023, large breach reports increased by 102 percent, while the number of individuals affected by those breaches grew by 1,002 percent. In 2023 alone, more than 167 million individuals were impacted by large breaches. The primary drivers are hacking incidents and ransomware attacks, which have grown both in frequency and in the scope of data they compromise.
The existing Security Rule, which dates largely to 2003 with updates in 2013, was designed for a different threat environment. It established important foundations but left significant room for interpretation, allowing organizations to take a "flexible" approach to requirements that adversaries have learned to exploit. The NPRM is HHS's response to that gap: moving from guidance that permitted flexibility to standards that require specificity.
The proposed rule also reflects an acknowledgment that healthcare organizations are storing and transmitting far more ePHI than ever before, across a far wider array of systems, devices, and third-party integrations. The traditional perimeter-based model of data protection is no longer adequate when ePHI flows across cloud environments, remote access tools, vendor networks, and legacy infrastructure simultaneously.
What the proposed HIPAA cybersecurity amendments would require
The NPRM outlines a series of updates to the Security Rule that would affect virtually every covered entity and business associate. While the final rule has not yet been published, the proposed changes represent the direction of regulatory travel, and organizations that begin aligning now will be better positioned when requirements are finalized.
One of the most consequential structural shifts in the proposed rule is the elimination of the distinction between "required" and "addressable" implementation specifications. Under the current framework, addressable specifications require organizations to assess whether a control is reasonable and appropriate in their specific environment, allowing some to opt out with a documented rationale. The NPRM would make virtually all implementation specifications required, with only specific, limited exceptions. This is a significant change: it signals that HHS views the current flexibility not as an asset but as a compliance gap that bad actors have exploited.
The proposed rule would also mandate encryption of ePHI both at rest and in transit, multi-factor authentication as a baseline control rather than a recommended practice, regular testing of security policies and procedures, network segmentation, documented incident response plans, and formal continuity procedures for ePHI systems.
Perhaps the most operationally demanding element of the NPRM, however, is its approach to risk analysis.
What does the enhanced risk analysis requirement mean in practice?
Central to the NPRM is a substantially upgraded risk analysis standard. The proposed rule moves risk analysis from a general obligation to a detailed, structured process with specific documented outputs. Under the enhanced risk analysis framework, covered entities and business associates would be required to assess risks to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
This is not simply a documentation exercise. The proposed requirements would mandate that organizations maintain a written inventory of all technology assets that touch ePHI, develop network maps showing how ePHI moves across those systems, and document specific findings on threats, vulnerabilities, likelihood of exploitation, and potential impact. Risk analysis would also need to account for risks posed by legacy devices, including both the risks of continuing to operate them and the risks associated with replacing them.
The proposed rule specifically identifies the types of questions that a compliant risk analysis would need to address. Has the organization identified all ePHI it creates, receives, maintains, or transmits? What are the external sources of ePHI, including vendors and consultants? What human, natural, and environmental threats exist to systems containing ePHI? What vulnerabilities do legacy devices introduce into the environment? These are not rhetorical questions; under the proposed rule, organizations would be expected to document substantive, evidence-based answers.
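An added illustration, not code from Limina or from the NPRM: a small Python risk-analysis worksheet that takes a constructed asset inventory and ePHI data-flow map and produces the documented findings the proposed standard asks for (control gaps against the mandated encryption, MFA and segmentation controls, legacy-device risk, flow endpoints missing from the inventory) together with a likelihood-times-impact determination. The scoring scales, rating thresholds and sample assets are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool
    record_count: int        # individuals whose ePHI the asset stores
    encrypted_at_rest: bool
    mfa_enforced: bool
    segmented: bool
    legacy: bool = False     # no vendor security updates available

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    encrypted_in_transit: bool

def control_gaps(asset, flows):
    """Findings against the controls the NPRM would make mandatory."""
    if not asset.holds_ephi:
        return []
    gaps = []
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.mfa_enforced:
        gaps.append("MFA not enforced")
    if not asset.segmented:
        gaps.append("not network-segmented")
    for f in flows:
        if asset.name in (f.src, f.dst) and not f.encrypted_in_transit:
            gaps.append(f"ePHI unencrypted in transit {f.src}->{f.dst}")
    if asset.legacy:
        gaps.append("legacy device: continued operation is unpatched")
    return gaps

def impact(asset):
    # Assumed 1-5 scale from how many individuals' ePHI the asset holds
    # (500 is the HIPAA threshold above which a breach counts as "large").
    if not asset.holds_ephi:
        return 1
    n = asset.record_count
    return 2 if n < 500 else 3 if n < 10_000 else 4 if n < 100_000 else 5

def risk_register(assets, flows):
    """Per-asset findings with an assumed likelihood x impact determination."""
    register = {}
    for a in assets:
        gaps = control_gaps(a, flows)
        likelihood = min(5, 1 + len(gaps))    # each missing control raises it
        score = likelihood * impact(a)
        rating = "high" if score >= 15 else "medium" if score >= 8 else "low"
        register[a.name] = {"gaps": gaps, "score": score, "rating": rating}
    return register

def unmapped_endpoints(assets, flows):
    """Flow endpoints missing from the inventory: ePHI goes somewhere unlisted."""
    known = {a.name for a in assets}
    return sorted({e for f in flows for e in (f.src, f.dst) if e not in known})

ASSETS = [   # constructed sample inventory
    Asset("ehr-db", True, 120_000, True, True, True),
    Asset("scan-share", True, 8_000, False, False, False),
    Asset("infusion-pump-ctrl", True, 300, False, False, True, legacy=True),
]
FLOWS = [    # constructed sample data-flow map
    Flow("ehr-db", "scan-share", True),
    Flow("scan-share", "billing-vendor", False),   # endpoint not inventoried
    Flow("infusion-pump-ctrl", "ehr-db", False),
]
```

Calling `risk_register(ASSETS, FLOWS)` rates the unencrypted, MFA-less file share as high risk, and `unmapped_endpoints` surfaces the billing vendor the flow map references but the inventory never lists.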
For many organizations, the challenge is not willingness to comply but operational capacity. Locating, classifying, and mapping all ePHI across a complex, heterogeneous environment is enormously difficult to do manually. Structured data in purpose-built EHR systems is relatively tractable; the harder problem is the vast volume of ePHI that exists in unstructured form across clinical notes, scanned documents, emails, chat transcripts, call recordings, and third-party integrations.
If your organization is assessing its readiness for these proposed changes, talk to an expert at Limina to understand how automated ePHI detection and de-identification can strengthen your risk analysis process.
Where does the HIPAA Security Rule NPRM stand today?
The rulemaking process has moved forward, though its ultimate form remains subject to political and regulatory forces that have introduced meaningful uncertainty.
The public comment period closed on March 7, 2025. According to the HIPAA Journal, OCR received 4,745 comments on the proposed Security Rule update, and OCR Deputy Director of Health Information Privacy Tim Noonan confirmed that the agency will read every single one. "We organize the comments by category and try to get a sense of what the public response is to all the proposals," Noonan said. OCR will then work within HHS to determine what future actions to take.
The volume of comments alone signals the weight of the proposal. And much of the feedback has been critical. In February 2025, eight industry associations co-signed a letter to President Trump calling for the proposed update to be rescinded. The College of Healthcare Information Management Executives (CHIME) stated that "the combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems." CHIME and other groups have argued that HHS should instead focus on encouraging proactive, flexible, evidence-based security frameworks aligned with industry best practices.
Adding to the uncertainty, President Trump issued an Executive Order requiring a "Regulatory Freeze Pending Review" just two weeks after the NPRM was published in the Federal Register. That freeze directed federal agencies not to propose or issue any rule until a presidentially designated department head had reviewed and approved it, raising questions about whether the proposed amendments would move forward under the new administration.
Despite that backdrop, the most current signal from regulators is that finalization is still on the table. As noted by Alston & Bird, healthcare law attorneys, OCR has kept the rule's finalization on its official regulatory agenda for May 2026. OCR itself has estimated that first-year compliance costs across all covered entities and business associates would reach approximately $9 billion. If finalized as proposed, regulated entities would have just 240 days from the final rule's publication date to come into compliance.
In parallel, OCR has not waited for the final rule to increase enforcement activity. The long-awaited third phase of HIPAA compliance audits commenced in December 2024 and, as HIPAA Journal reported, OCR confirmed in March 2025 that audits of 50 covered entities and business associates are underway. These audits are specifically focused on the risk analysis and risk management provisions of the Security Rule, which are also the centerpiece of the NPRM. This parallel track of enforcement signals that regardless of when or whether the proposed amendments are finalized, OCR is actively scrutinizing how organizations are meeting existing Security Rule obligations.
The bottom line for healthcare organizations: the regulatory direction is clear even if the final language is not. The proposed amendments represent OCR's view of where healthcare cybersecurity needs to go, and the agency is already enforcing the existing standard more rigorously. Waiting for a finalized rule before beginning to act is a strategically risky posture.
How Limina supports HIPAA risk analysis and ePHI compliance
Limina's privacy-enhancing technology is purpose-built for the kind of comprehensive ePHI discovery and protection that the proposed HIPAA amendments would require. Built by linguists, Limina's platform is context-aware in a way that pattern-matching tools are not: it understands language nuances, entity relationships, and the way sensitive information is expressed across different document types and communication formats.
Limina's machine learning models can identify more than 50 types of personal information across both structured and unstructured data. For healthcare organizations facing a risk analysis requirement, this means automated, comprehensive detection of ePHI that goes far beyond what manual review or simple rule-based systems can achieve. Whether ePHI appears in a structured database record, a scanned PDF, a clinical note, or a recorded patient interaction, Limina identifies and classifies it.
This capability directly addresses the most operationally demanding aspect of the proposed risk analysis standard: knowing where ePHI actually lives. Organizations cannot assess risks to ePHI they have not located, and they cannot map data flows they have not traced. Limina automates both the discovery and the classification steps, providing the documented inventory that the proposed rule would require.
Beyond discovery, Limina enables organizations to assess the potential impact of a breach in a way that is both precise and defensible. Understanding which types of ePHI are present in which systems, in what volume, allows organizations to estimate the scope and severity of potential harm to individuals whose data could be exposed. This impact analysis, combined with a threat likelihood assessment, produces the overall risk determination that the enhanced standard demands.
Addressing ePHI in unstructured data: a critical compliance gap
One of the most significant compliance vulnerabilities for healthcare organizations is the volume of ePHI that exists outside of structured, purpose-built systems. Scanned PDFs, clinical correspondence, insurance forms, call center transcripts, and email exchanges all routinely contain protected health information, and this unstructured data is far harder to inventory, monitor, and protect than records stored in an EHR or claims management system.
The proposed HIPAA cybersecurity amendments would require organizations to account for ePHI wherever it resides, including in these unstructured environments. For healthcare organizations, this means that clinical documentation workflows, patient communication systems, and operational records are all within scope for risk analysis and remediation.
Limina addresses this challenge directly. Its tools analyze and redact ePHI from diverse unstructured sources, reducing the exposure surface without requiring organizations to reconstruct their entire document management infrastructure. The platform handles formats ranging from scanned images to email threads to audio transcripts, providing consistent detection and redaction across the full spectrum of unstructured ePHI.
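A minimal pattern-based ePHI detector and redactor over a constructed clinical note, added here as an illustration and not Limina's code: it catches formatted identifiers (MRN, dates, phone, email, SSN) but leaves the patient's name in free text untouched, which is exactly the gap that context-aware detection of unstructured ePHI is meant to close. The rule set, labels and sample note are assumptions.

```python
import re
from collections import Counter

# Constructed rule set for a few identifier formats: a pattern-matching
# baseline, not Limina's context-aware models.
PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "DATE":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "MRN":   re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
}

def detect(text):
    """Return non-overlapping (label, start, end) spans, earliest first."""
    spans = sorted((m.start(), m.end(), label)
                   for label, rx in PATTERNS.items() for m in rx.finditer(text))
    out, last_end = [], 0
    for start, end, label in spans:
        if start >= last_end:          # keep the earliest of any overlap
            out.append((label, start, end))
            last_end = end
    return out

def redact(text):
    """Replace detected spans with [LABEL] tokens; return text and a tally."""
    pieces, cursor, tally = [], 0, Counter()
    for label, start, end in detect(text):
        pieces.append(text[cursor:start])
        pieces.append(f"[{label}]")
        tally[label] += 1
        cursor = end
    pieces.append(text[cursor:])
    return "".join(pieces), dict(tally)

# Constructed clinical note; every identifier in it is fictitious.
NOTE = ("Pt Maria Gonzalez (MRN 00482913, DOB 03/14/1962) seen 11/02/2024 "
        "for follow-up. Callback 617-555-0142 or mgonzalez@example.com. "
        "SSN on file 123-45-6789.")
```

The tally returned by `redact` is the per-type volume count an impact assessment needs, while the surviving name shows why a rules-only inventory of unstructured ePHI undercounts exposure.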
For organizations in pharma and life sciences, where clinical trial data, adverse event reports, and patient narratives often contain highly sensitive ePHI in document form, this capability is particularly valuable. The same applies to insurance organizations managing claims records that span structured and unstructured formats, and to contact centers where patient interactions generate transcripts and recordings that may contain protected health information.
Continuous monitoring and incident response under the proposed rule
The proposed HIPAA amendments would establish ongoing monitoring as a baseline expectation rather than a periodic exercise. Organizations would need to demonstrate that their security controls are continuously effective, not simply that policies exist on paper. For ePHI environments that span multiple systems and vendors, continuous monitoring requires both technical tooling and organizational processes capable of detecting anomalies in real time.
Limina's platform supports continuous compliance monitoring by enabling organizations to apply ePHI detection consistently across data inputs on an ongoing basis. Rather than conducting point-in-time assessments that may quickly become outdated as new data enters the environment, Limina integrates into data workflows to ensure that ePHI is identified and protected as it is created, received, or processed.
The proposed rule's incident response requirements further underscore the value of automated ePHI detection. When a breach occurs, the speed and accuracy of the response depend directly on the organization's ability to identify exactly what ePHI was compromised, in which systems, and affecting which individuals. Manual investigation of large, complex environments is slow and error-prone. Limina enables rapid identification of ePHI in affected systems, supporting both the regulatory reporting obligations that follow a breach and the remediation steps that limit further exposure.
What this means for covered entities and business associates
The combination of the proposed rule's aggressive requirements, the volume of industry pushback, the Trump administration's regulatory freeze, and OCR's decision to keep finalization on its May 2026 agenda creates an environment of genuine uncertainty. It is possible that the final rule will be materially different from what was proposed, with some requirements scaled back or timelines extended in response to industry feedback. It is equally possible that the core structure of the NPRM survives largely intact.
What is not uncertain is OCR's enforcement posture. The agency is actively auditing covered entities and business associates right now, with a specific focus on risk analysis and risk management. These are the same provisions that sit at the heart of the proposed rule. Organizations that cannot demonstrate a documented, proactive compliance program face greater scrutiny in enforcement proceedings, regardless of when or whether the new rule is finalized.
For organizations across financial services and adjacent regulated sectors that handle ePHI or operate as business associates to covered entities, the proposed amendments are equally relevant. Business associates bear direct obligations under the Security Rule, and their covered entity partners will increasingly look to contractual protections and demonstrated security controls as part of the vendor management processes the NPRM would reinforce.
If finalized as proposed, the 240-day compliance window would leave relatively little time for organizations that have not already begun to assess their ePHI inventory, update their risk analysis documentation, and implement technical controls. Organizations that start that work now are not just preparing for a proposed rule; they are building security infrastructure that reduces real risk today.
Organizations looking to understand their current exposure and build a roadmap for compliance should contact Limina today. Our team works with healthcare organizations, business associates, and regulated industries to implement privacy-enhancing technology that meets evolving compliance requirements.
The path forward
The HHS proposed HIPAA cybersecurity amendments represent a meaningful shift in how the federal government expects healthcare organizations to protect ePHI. The move from flexible, interpretable requirements to specific, enforceable mandates is a direct response to a decade of escalating breach data that demonstrates the inadequacy of the previous standard. Whether the final rule looks exactly like the NPRM or reflects changes made in response to the nearly 5,000 public comments OCR received, the trajectory of regulation is clear.
For healthcare organizations, business associates, and their technology partners, the proposed rule is both a compliance challenge and an opportunity to build security infrastructure that genuinely protects patients. The organizations that respond most effectively will be those that combine strong technical controls with documented, auditable processes that can withstand regulatory scrutiny, and that treat the current enforcement environment as reason enough to act without waiting for the final rule.
Limina's context-aware, linguist-built data de-identification platform provides the ePHI detection, classification, and redaction capabilities that underpin a defensible compliance strategy. From initial risk analysis through continuous monitoring and breach response, Limina's technology helps organizations meet these evolving requirements with precision and efficiency.
Frequently Asked Questions
What is the HHS proposed HIPAA Security Rule update?
On December 27, 2024, HHS's Office for Civil Rights issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule. The proposed amendments would strengthen cybersecurity requirements for all covered entities and business associates, introducing mandatory encryption of ePHI, multi-factor authentication, enhanced risk analysis standards, the elimination of addressable implementation specifications, and ongoing monitoring and testing obligations. OCR has placed finalization of the rule on its regulatory agenda for May 2026.
Who does the proposed HIPAA cybersecurity amendment apply to?
The proposed amendments apply to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Any organization that creates, receives, maintains, or transmits ePHI on behalf of a covered entity falls within scope. This includes a wide range of technology vendors, billing companies, consulting firms, and data processors that operate within the healthcare supply chain.
Has the HIPAA Security Rule NPRM been finalized?
No. As of the date of this article, the NPRM remains a proposed rule. The public comment period closed on March 7, 2025, generating nearly 5,000 comments. OCR is reviewing those comments and the rule's finalization remains on its official regulatory agenda for May 2026. The regulatory timeline has been complicated by the Trump administration's January 2025 "Regulatory Freeze Pending Review" executive order, and there is ongoing uncertainty about the final form the rule will take. In the meantime, the existing HIPAA Security Rule continues to apply, and OCR is actively conducting compliance audits focused on risk analysis.
What are the specific requirements of the enhanced risk analysis standard?
Under the proposed rule, covered entities and business associates would be required to maintain a written inventory of all technology assets that create, receive, maintain, or transmit ePHI, develop network maps showing how ePHI flows across those systems, identify specific threats and vulnerabilities including those posed by legacy devices, estimate the likelihood and potential impact of threat exploitation, and document all findings to guide risk mitigation. The analysis must be comprehensive enough to address all external sources of ePHI and all human, natural, and environmental threats to ePHI systems.
How does Limina help with HIPAA Security Rule compliance?
Limina's platform automates the detection, classification, and redaction of ePHI across both structured and unstructured data sources. Built by linguists, the technology is context-aware and capable of identifying more than 50 types of personal information across databases, documents, emails, audio recordings, and other formats. This supports the ePHI inventory and mapping requirements at the core of the proposed risk analysis standard, and enables ongoing monitoring and rapid incident response. Limina serves healthcare organizations, pharma and life sciences companies, insurers, financial services firms, and contact centers.
What happens if an organization is not compliant with the HIPAA Security Rule?
Non-compliance with the HIPAA Security Rule can result in civil monetary penalties imposed by OCR, which can range from hundreds of dollars per violation to more than $2 million per violation category per year, depending on the level of culpability. OCR enforcement activity has increased significantly alongside the rise in reported breaches, and the agency is now conducting its third phase of HIPAA compliance audits, with a specific focus on risk analysis and risk management. Organizations that experience a breach and cannot demonstrate a documented, proactive compliance program face greater scrutiny and potentially higher penalties.