This article, written by Barry Mathis, Managing Principal of IT Advisory Consulting, was originally published by For The Record magazine.
The proposed HIPAA security rule updates are a mixed bag of challenges and wins.
After 30 years in health care IT, spanning roles as a CIO, chief technology officer (CTO), IT audit director, and now a consultant, I’ve lived through more than a few regulatory cycles, cybersecurity incidents, and well-intended but often loosely defined compliance expectations. The HIPAA Security Rule, originally finalized in 2003, was groundbreaking at the time. But the world has changed. Threats have evolved. Technology has accelerated. And finally, after more than two decades, we’re staring down a long-awaited set of proposed updates to the HIPAA Security Rule.
These updates bring clarity, some specificity, and modern relevance to a rule that has long depended on subjective interpretation. That’s the good news. The not-so-good news? For many health care organizations, particularly small to midsized hospitals, the road ahead could be steep and unforgiving if the rule proceeds without refinement or tiered implementation strategies.
Health Care IT Leaders Benefit
One of the most welcomed aspects of the proposed updates is the attempt to eliminate systemic confusion around “addressable” vs “required” implementation specifications. For years, organizations have wrestled with the interpretive nature of the rule: What exactly does “reasonable and appropriate” mean when every organization’s size, budget, and threat surface are different?
The proposed rule revisions offer greater precision. For example, rather than vaguely instructing covered entities to implement mechanisms to protect against unauthorized access, the updated language moves toward definitive requirements, such as minimum encryption standards, risk analysis documentation, multifactor authentication, and explicit expectations around incident response.
This is a major step forward. Clearer requirements reduce subjective compliance interpretations and arm CIOs, CTOs, chief information security officers, and compliance officers with the language they need to secure funding and organizational buy-in for foundational cybersecurity practices. When ambiguity fades, accountability grows, and that improvement is a net positive for the industry and for patient trust.
Shift Toward Risk-Based Security
Another strong element in the proposed rule is its alignment with a more risk-based approach to security management. Health care entities will now be expected to demonstrate ongoing risk analysis, documented security measures tailored to actual threats, and evidence of consistent program maintenance, not just a check-the-box annual assessment.
The health care industry is finally seeing a shift from static compliance to continuous risk management, and that aligns well with how cybercriminals operate in the real world. They don’t wait until your annual review to attack; they exploit vulnerabilities as they emerge. This rule encourages, if not mandates, that organizations match that pace with continuous vigilance.
Accountability Layer
One area that has long been problematic and now takes center stage is third-party vendor management. Under the current rule, covered entities are responsible for ensuring business associates adhere to proper safeguards, but enforcement and validation mechanisms have been weak at best.
The proposed rule addresses this issue by requiring documented vendor risk assessments, contract language with clear security obligations, and, most importantly, proof of independent assessments or certifications. This is a long-overdue and welcome evolution. As a consultant, I’ve witnessed too many business associates being treated as low risk simply because they signed a business associate agreement. That’s no longer acceptable, and rightly so.
While this shift is both necessary and overdue, it introduces a critical operational challenge: do health care facilities truly have visibility into all the third parties, and potentially their subcontractors, that interact with their systems?
In my opinion, the majority of this burden should fall on the third parties who profit from these arrangements, not on the health systems that are already under immense pressure to remain financially viable and focused on patient care.
Expecting hospitals to shoulder the full weight of oversight, evidence gathering, and continuous monitoring, while simultaneously securing their own infrastructure, is not only unrealistic but also risks diverting critical resources away from their primary mission: treating patients effectively and safely.
Right Idea, Real Challenges Ahead
The new rule also zeroes in on technical specifics such as maintaining a complete inventory of connected devices, including Internet of Things endpoints. On paper, this is a no-brainer. Visibility is foundational to cybersecurity. You can’t secure what you don’t know exists.
Maintaining that inventory, however, is where the rubber meets the road for smaller hospitals and rural providers. Many still lack centralized inventory systems or the technical staffing to support continuous device monitoring. Asking a 50-bed community hospital to maintain the same real-time asset inventory and endpoint visibility as a multibillion-dollar academic medical center sets up an uneven playing field.
Without supplemental funding, scalable tools, and staggered adoption timelines, we risk forcing underresourced hospitals into noncompliance despite their best intentions. While the rule rightly raises the bar, it needs to recognize the diversity of capabilities across the health care landscape.
Mixed Blessing
Perhaps the most complex challenge within the proposed HIPAA rule is the presumption of uniform compliance expectations across all provider types and sizes. On one hand, patient data deserves equal protection regardless of whether it’s stored in a rural clinic or a Level 1 trauma center. On the other hand, the operational realities of these facilities couldn’t be more different.
The proposed rule doesn’t yet adjust for differences in organization size, complexity, or available resources. That lack of detail could lead to compliance fatigue, penalties, or a growing gap between the “security haves and have-nots.”
Timing and Implementation
The proposed rule was published on December 27, 2024, and entered into the Federal Register on January 6, 2025. The proposed HIPAA Security Rule update received approximately 4,745 public comments during the comment period, which closed on March 7, 2025. The final rule is expected later in 2025, with compliance deadlines likely to follow 180 days after publication.
Policymakers should listen carefully to feedback that came from across the health care spectrum during the public comment period.
We all need a regulatory framework that holds the industry accountable, absolutely. But we also need one that supports equitable adoption. Consideration should be given to phased timelines, technical assistance, and perhaps tiered requirements based on risk profile or provider capacity. If we fail to do that, the unintended consequence may be widespread noncompliance vs stronger security.
In Conclusion
Having walked the halls of hospitals, vendor data centers, and boardrooms for 30 years, I believe the changes in the HIPAA Security Rule are timely, necessary, and largely headed in the right direction. They bring specificity where there was ambiguity. They demand accountability from vendors and internal teams alike. They better reflect the complexity of modern cyber threats.
But they also represent a significant operational lift, particularly for smaller providers. If the final rule goes unchanged, we risk pushing organizations beyond their capabilities without offering the necessary tools, support, or reasonable pathways to compliance.
In the end, regulation is only as effective as its adoption. Let’s not confuse aspiration with feasibility. Let’s aim high, yes, but also create a framework that enables all providers, regardless of size, to succeed in protecting the data entrusted to them.
For The Record magazine has been a resource for news and trends for health information management professionals for more than 30 years. Read the article in the autumn 2025 issue.
PYA is dedicated to helping healthcare organizations of all sizes anticipate, understand, prepare for, and successfully manage regulations, so providers can focus on patient care.