The VRC Newsletter (July 8)

Encryption, SRAs, Vendor Oversight: HIPAA Just Got Tougher

Deep Dive: What’s New in HIPAA’s 2025 Security Rule

The Office for Civil Rights (OCR) has proposed its most significant update to the HIPAA Security Rule in over 20 years. While the rule is still in the Notice of Proposed Rulemaking (NPRM) phase, many of the updates are already influencing enforcement behavior, audits, and how Covered Entities and Business Associates are expected to protect electronic protected health information (ePHI).

If you haven’t reviewed your HIPAA compliance posture in the last year, now is the time, especially if you’re a smaller practice or vendor partner without a dedicated compliance team.

Here’s a breakdown of what’s coming and what you should be preparing for today.

🧾 1. Mandatory Annual System Inventories

OCR is proposing that organizations be required to maintain an up-to-date inventory of all systems that store, process, or transmit ePHI. This includes servers, laptops, mobile devices, cloud tools, and third-party platforms.

✅ What to do now:
Start documenting all assets connected to PHI, including apps like email, EHRs, CRMs, transcription services, and shared drives.

📊 2. Strengthened Security Risk Assessments (SRAs)

Risk assessments have always been required, but under the proposed rule, they must be:

  • Annual

  • Documented

  • Comprehensive (covering technical, administrative, and physical safeguards)

OCR is likely to focus more audits on how the SRA was conducted, not just whether one exists.

✅ What to do now:
Make sure your SRA covers vendor access, mobile use, remote work risks, and backup procedures.

🔐 3. Mandatory Multifactor Authentication (MFA)

The NPRM would move MFA from an “addressable” safeguard to a required one for systems accessing ePHI, especially administrative portals, cloud systems, and remote access points.

✅ What to do now:
Enable MFA on email, EHRs, cloud storage, and any system used by staff with elevated access.

🔑 4. Encryption Requirements for PHI at Rest and in Transit

Encryption would become a default expectation. OCR may no longer accept vague “addressable” excuses. If PHI is not encrypted, you’ll need formal documentation and a compensating control strategy.

✅ What to do now:
Ensure encryption is enabled for:

  • Laptops and mobile devices

  • Cloud storage and backups

  • Emails and file transfers

  • USB drives (if used)

🛠️ 5. Incident Response Drills & Planning

The proposed rule adds emphasis on practical preparedness, including the need to:

  • Have a tested Incident Response Plan (IRP)

  • Conduct periodic drills or tabletop exercises

  • Retain documentation of testing and lessons learned

✅ What to do now:
Review your IRP and conduct a mock drill, especially one involving ransomware or data loss.

🤝 6. Vendor Management & BA Oversight

OCR is cracking down on poorly managed Business Associate Agreements (BAAs) and unchecked vendor access. You’ll need to:

  • Maintain active BAAs

  • Vet vendors for compliance and incident history

  • Ensure BA vendors can report incidents within required timeframes

✅ What to do now:
Audit your vendor list. Are all BAAs current? Have vendors signed off on security requirements?

🧱 7. Network Segmentation & Access Controls

Organizations must demonstrate role-based access, strong login management, and—where possible—network segmentation between PHI systems and general-use systems.

✅ What to do now:
Evaluate whether staff have only the access they need and whether unnecessary connections can be cut off.

⚠️ Why Smaller Practices Should Take This Seriously

Many smaller providers and vendors rely on templates, outdated risk assessments, or inherited practices from years ago. OCR’s proposed rule is a wake-up call: size is no longer a buffer from enforcement. If you’re handling PHI, your controls will be judged with the same expectations as larger entities.

📬 Already a VRC client? We can bundle our services, saving you money and time!

🎯 Don’t Wait for HIPAA 2.0 to Become a Problem

While the 2025 Security Rule isn’t final yet, the direction is clear: HIPAA compliance must be intentional, documented, and resilient. This isn’t about checking boxes; it’s about protecting trust.

📋 In our next article, we’ll dive deeper into two areas where most organizations are falling short: encryption and vendor control.

Be Proactive: HIPAA 2.0’s Encryption & Vendor Control

As the proposed 2025 HIPAA Security Rule takes shape, two areas are standing out as top compliance gaps for many organizations: Encryption and Business Associate (BA) management.

These are no longer just IT concerns. They’re strategic compliance imperatives. And if you’re a covered entity or BA handling PHI, now is the time to ask: are you ready?

🔐 Encryption: More Than a Setting

The updated HIPAA proposal shifts encryption from an “addressable” safeguard to an expected default for both data at rest and data in transit.

This includes:

  • PHI stored in cloud services, EHRs, laptops, or mobile devices

  • PHI shared via email, portals, chat tools, or file transfers

  • Backups and disaster recovery copies

  • External storage (e.g., USB drives)

Under the new rule, if you’re not encrypting PHI, you’ll need documented compensating controls and formal justification.

✅ Quick Check:

  • Are all company laptops encrypted?

  • Do you use encrypted email or secure portals to share PHI?

  • Are mobile devices used for work secured and enrolled in MDM?

  • Are your backups encrypted and testable?

🤝 Vendor Controls: Your Risk Is Their Risk

HIPAA has long held Covered Entities responsible for vetting and overseeing their Business Associates, but the proposed rule raises the stakes.

OCR is now pushing for:

  • Active BA Agreement (BAA) maintenance

  • Vendor due diligence and incident notification timeframes

  • Formal vetting of security practices and compliance posture

If your transcription vendor suffers a breach and notifies you late, you’re still responsible for delayed patient notifications or breach reporting.

✅ Quick Check:

  • Do you have BAAs on file for all vendors handling PHI?

  • Can your vendors report a security incident within 24–48 hours?

  • Are you reviewing vendor risk annually—or at all?

  • Have you documented who handles vendor compliance inside your organization?

🛠️ VanRein Compliance Supports You

At VRC, we don’t just hand you a policy template. We help you build a program that holds up under audit and real-world risk.

Here’s how we help:

✅ Encryption Posture Reviews – We walk you through where encryption should be applied and help close the gaps.
✅ Vendor Compliance Audits – We review your current vendor list, ensure BAAs are up to date, and identify missing documentation.
✅ Policy Development & Controls Mapping – We build policies that reflect what you actually do, then map them to HIPAA requirements.
✅ Risk Assessment & Documentation Support – All findings are organized and tracked inside VRC1, your live compliance workspace.

📬 Already a VRC client? We can bundle our services, saving you money and time!

🎯 Let’s Strengthen Your Program Before the Rule Is Final

The 2025 Security Rule isn’t in effect yet, but enforcement priorities are already shifting.

Don’t wait until you're asked for documentation you don’t have.