HIPAA · critical · Updated 2026-04-17 · 30 min

HIPAA Security Rule 2025 Update: The Complete Covered Entity + Business Associate Guide

HHS dropped a Notice of Proposed Rulemaking in January 2025 that rewrites the HIPAA Security Rule. First substantial update since 2013. The language is specific where it used to be vague. This is the complete guide we wish every covered entity and business associate had. What changed in the 27 distinct updates. The gap analysis framework. The 180-day implementation plan. Budgets. Tool stack. And the OCR audit procedure.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

The HIPAA rule that finally has teeth

Covered entities treated the HIPAA Security Rule as a paper exercise for over a decade. I'm not being cynical. I'm describing the operational reality we walked into on every healthcare engagement from 2015 through 2023. The rule required "appropriate" safeguards. It required "reasonable" protections. The Office for Civil Rights did not staff audit capacity proportional to the scale of the regulated industry. Covered entities read the Security Rule, noted how loose the language was, and built programs that were compliant on paper and trivial to exploit in practice.

That era ended on January 6, 2025. HHS published a Notice of Proposed Rulemaking that rewrites the Security Rule for the first substantial time since the 2013 Omnibus update. Twelve years of drift finally corrected. The rule that used to say "appropriate encryption" now says "AES-256 or equivalent with documented key management." The rule that said "perform risk assessment" now says "conduct assessment against specific threats annually with documented output." The rule that said "train workforce" now says "train workforce with measurable program outcomes."

This post is the complete guide to what changed. What it means in practice. What covered entities and business associates have to build in the 180-day implementation window after the Final Rule publishes. And the gap analysis framework we run on every HIPAA engagement.

Who this is for

You're reading the right post if any of these apply.

  • You work at a hospital, health system, or multi-specialty practice group.
  • You work at a health insurance payer or TPA.
  • You work at an EHR vendor, RCM company, telehealth platform, or any business associate.
  • You are a privacy officer, security officer, or compliance lead at a covered entity.
  • You're a healthcare tech founder whose SaaS touches ePHI.
  • You do IT at any healthcare organization with 50+ employees.

This guide is too detailed if you're a solo medical practice on a cloud-based EHR with no in-house IT. In that case, the core answer is "use a HIPAA-compliant EHR vendor and follow their guidance." This guide is for organizations that own their technology stack.

HIPAA has four rules relevant to security.

  1. Privacy Rule (2003). Governs use and disclosure of PHI.
  2. Security Rule (2005). Governs technical and administrative safeguards for ePHI.
  3. Breach Notification Rule (2009). Governs disclosure obligations when unauthorized PHI exposure occurs.
  4. Omnibus Rule (2013). Extended HIPAA obligations to business associates directly.

The January 2025 NPRM updates the Security Rule. It does not touch the Privacy Rule, Breach Notification, or Omnibus. If you read articles claiming "HIPAA is being rewritten," that's clickbait. Only the Security Rule got updated.

The big changes

Twenty-seven distinct changes, grouped into nine themes.

Change 1. Mandatory annual penetration testing

Previous Security Rule: "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

New: "Conduct a penetration test of all systems containing or transmitting ePHI at least annually."

Translation. Every covered entity now has an explicit mandate for an annual pentest. Not a vulnerability scan. Not a gap assessment. A real penetration test conducted by a qualified tester.

Practical implementation.

  • Scope includes every system that stores or transmits ePHI. Your EHR, your billing system, your telehealth platform, your patient portal, your mobile apps, your patient-facing forms, your clinical integration endpoints.
  • Tester must be qualified. The rule doesn't mandate a specific certification, but OCR audit guidance historically recognizes OSCP, GPEN, CREST, or equivalent.
  • Pentest report retained as part of the Security Rule documentation. Retention 6 years minimum.
  • Findings from the pentest must be remediated or explicitly accepted with compensating controls documented.

Change 2. Semi-annual vulnerability scanning

New requirement. Vulnerability scans of all ePHI-processing systems every six months minimum. This is in addition to the annual pentest.

Vulnerability scans are broader and faster than pentests. Typical tools: Tenable.io, Qualys, Rapid7, Wiz (for cloud), Nessus Professional. The rule doesn't mandate specific tools, but expect OCR to ask which one you use and how findings are tracked.

Documentation requirement. Scan outputs + remediation tickets + evidence of closure. All retained.

Change 3. Formal network segmentation

Previous Security Rule was silent on segmentation. New rule requires:

  • ePHI-processing systems logically separated from general corporate networks
  • Access to ePHI systems restricted by firewall or equivalent technical control
  • Network flows between ePHI and non-ePHI systems documented

For a hospital this means the EHR network is segmented from the nurse workstation network, which in turn is segmented from the guest WiFi. For a SaaS vendor this means ePHI-handling services run in separate VPCs / accounts / subscriptions with explicit peering.

The rule doesn't mandate specific segmentation technology. Cloud-native segmentation via VPC isolation satisfies. Microsegmentation via Illumio or Guardicore satisfies. VLAN segmentation with strict ACLs satisfies. Flat networks explicitly do not.

Change 4. Encryption with specified algorithms

Old rule: encrypt ePHI where appropriate.

New rule: encrypt ePHI at rest and in transit using:

  • AES-256 minimum for data at rest
  • TLS 1.2 minimum (1.3 recommended) for data in transit
  • Documented key management with rotation, custodian assignment, and lifecycle tracking

The specification of AES-256 is notable. It explicitly excludes AES-128 and all older algorithms. If you have legacy systems using DES, 3DES, or RC4, they need to migrate.

Key management. This is where organizations historically cut corners. The new rule requires:

  • Documented key lifecycle (generation, distribution, storage, rotation, destruction)
  • Key custodian assignment for critical keys (two-person integrity for master keys)
  • Separation between key management and data access
  • Audit logs for key access operations

HSM-backed key management or cloud KMS services (AWS KMS, Azure Key Vault, GCP KMS) satisfy naturally. Application-managed encryption with keys stored in config files does not.
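As an added illustration (not the post's own tooling), a check that evaluates inventoried ePHI data flows against the minimums just described: AES-256 at rest, TLS 1.2 or later in transit, and keys held in a KMS or HSM rather than a config file. The record field names and the sample flows are assumptions about what an inventory export might look like.

```python
"""Evaluate ePHI data-flow records against the Change 4 encryption minimums.

Added example, not from the original post. Records are constructed samples;
field names (name, at_rest, transit, key_store) are assumed, not any tool's schema.
"""
import re
from typing import Dict, List, Optional

# Algorithms the post says must migrate, plus AES-128 (excluded by the AES-256 floor).
LEGACY_AT_REST = {"DES", "3DES", "RC4", "AES-128"}
# Key stores the post says satisfy the key-management requirement "naturally".
ACCEPTABLE_KEY_STORES = {"aws-kms", "azure-key-vault", "gcp-kms", "hsm"}


def parse_tls_version(transport: str) -> Optional[float]:
    """Extract a numeric TLS version from strings such as 'TLSv1.2' or 'TLS 1.3'."""
    m = re.search(r"TLS\s*v?(\d\.\d)", transport, re.IGNORECASE)
    return float(m.group(1)) if m else None


def evaluate_flow(flow: Dict[str, str]) -> List[str]:
    """Return the reasons a single data-flow record misses the minimums (empty = passes)."""
    reasons = []
    at_rest_raw = flow.get("at_rest", "none")
    at_rest = at_rest_raw.upper()
    if at_rest == "NONE" or at_rest in LEGACY_AT_REST:
        reasons.append(f"at-rest '{at_rest_raw}' below AES-256 floor")
    elif at_rest != "AES-256":
        # The rule text allows "AES-256 or equivalent"; anything else needs written justification.
        reasons.append(f"at-rest '{at_rest_raw}' needs documented equivalence to AES-256")
    transit = flow.get("transit", "")
    version = parse_tls_version(transit)
    if version is None:
        reasons.append(f"transit '{transit}' is not TLS")
    elif version < 1.2:
        reasons.append(f"transit TLS {version} below 1.2 minimum")
    if flow.get("key_store", "").lower() not in ACCEPTABLE_KEY_STORES:
        reasons.append(f"keys in '{flow.get('key_store')}' rather than KMS/HSM")
    return reasons


def evaluate_inventory(flows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each failing flow name to its reasons; passing flows are omitted."""
    report = {}
    for f in flows:
        reasons = evaluate_flow(f)
        if reasons:
            report[f["name"]] = reasons
    return report


# Constructed sample inventory (not a real organization's data flows).
SAMPLE_FLOWS = [
    {"name": "patient-portal", "at_rest": "AES-256", "transit": "TLSv1.3", "key_store": "aws-kms"},
    {"name": "legacy-billing", "at_rest": "3DES", "transit": "TLS 1.0", "key_store": "config-file"},
    {"name": "telehealth", "at_rest": "AES-128", "transit": "TLSv1.2", "key_store": "azure-key-vault"},
    {"name": "hl7-feed", "at_rest": "AES-256", "transit": "MLLP plaintext", "key_store": "hsm"},
]

if __name__ == "__main__":
    for name, reasons in evaluate_inventory(SAMPLE_FLOWS).items():
        print(name, "->", "; ".join(reasons))
```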

Change 5. Technology asset inventory

New explicit requirement. Maintain a current inventory of:

  • Hardware (servers, workstations, mobile devices, network equipment)
  • Software (operating systems, applications, firmware versions)
  • Data flows (what ePHI moves where, via what protocols)
  • Third-party services processing ePHI (every business associate)

Inventory must be updated regularly (annual minimum, practical reality is continuous). OCR-recognized tools: ServiceNow CMDB, Device42, Lansweeper, Axonius, open-source tools like osquery + a CMDB layer.

This is an operational step that most covered entities have underinvested in. Your CIO might say "we have an inventory." In practice, the inventory is a spreadsheet from 2019 that's 40% accurate. Post-NPRM, that's a finding.

Change 6. Written policies, procedures, and documentation

The old Security Rule allowed substantial flexibility in documentation form. The new rule is more prescriptive.

Required written documentation:

  • Risk analysis methodology and annual output
  • Security incident response plan with specific role assignments
  • Contingency plan (BCP/DR) with annual testing evidence
  • Security awareness training program with measurable outcomes
  • Workforce sanction policy
  • Access management procedures
  • Transmission security standards
  • Device and media controls

Each document must be:

  • Written and reviewed at least annually
  • Approved by a designated security official
  • Distributed to affected workforce
  • Updated when material changes occur

The required retention is 6 years from creation or last effective date, whichever is longer.

Change 7. Specific incident response requirements

New: documented incident response plan tested annually via tabletop exercise at minimum.

Required elements in the IR plan:

  • Specific role assignments (incident commander, communications lead, forensic lead, legal liaison)
  • Classification schema for incident severity
  • Notification decision tree aligned to Breach Notification Rule timelines
  • External resources (forensic firm on retainer, legal counsel, regulator contacts)
  • Post-incident analysis and lesson-learned process

Tabletop documentation required. Who participated, what scenario, what worked, what broke, what changed.

Change 8. Enhanced workforce access reviews

Old rule: "Implement policies and procedures that ensure appropriate access to ePHI."

New: Access to ePHI reviewed at minimum annually for each workforce member. Access by privileged users (admins, developers with ePHI access) reviewed quarterly. Access by terminated users revoked within 24 hours of termination.

This changes day-to-day operations. Quarterly access reviews at scale are not trivial. Tools that help: Lumos, Veza, SailPoint, OneIdentity, BetterCloud.
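One way to operationalize these cadences, as an added example that is not from the original post: a check over a constructed IdP/HR export that flags accounts still active more than 24 hours after termination, and reviews overdue against the quarterly (privileged) or annual (everyone else) windows. The field names are assumptions, not any vendor's schema.

```python
"""Access-review cadence check for the Change 8 requirements.

Added example, not from the original post. Input records are constructed samples;
the Access fields are assumptions about how an IdP/HR export might be shaped.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Cadences as the post describes the NPRM: 24h revocation, quarterly (90 days)
# review for privileged users, annual (365 days) review for everyone else.
REVOKE_WINDOW = timedelta(hours=24)
PRIVILEGED_REVIEW = timedelta(days=90)
STANDARD_REVIEW = timedelta(days=365)


@dataclass
class Access:
    user: str
    privileged: bool
    active: bool
    last_reviewed_at: Optional[datetime]
    terminated_at: Optional[datetime] = None


def check_access(entries: List[Access], now: datetime) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every entry that misses a cadence."""
    findings = []
    for e in entries:
        if e.terminated_at is not None:
            # Terminated users need revocation, not review.
            if e.active and now - e.terminated_at > REVOKE_WINDOW:
                findings.append((e.user, "active >24h after termination"))
            continue
        window = PRIVILEGED_REVIEW if e.privileged else STANDARD_REVIEW
        if e.last_reviewed_at is None:
            findings.append((e.user, "never reviewed"))
        elif now - e.last_reviewed_at > window:
            label = "quarterly" if e.privileged else "annual"
            findings.append((e.user, f"{label} review overdue"))
    return findings


# Constructed sample export (not real accounts); evaluated as of NOW.
NOW = datetime(2025, 6, 1)
SAMPLE = [
    Access("dba-admin", True, True, datetime(2025, 1, 15)),      # 137 days since review: overdue
    Access("nurse-a", False, True, datetime(2024, 9, 1)),        # 273 days: within annual window
    Access("dev-b", True, True, datetime(2025, 4, 1)),           # 61 days: within quarterly window
    Access("contractor-c", False, True, None),                   # never reviewed
    Access("ex-employee-d", False, True, datetime(2025, 3, 1),
           terminated_at=datetime(2025, 5, 29)),                 # still active 3 days after termination
    Access("ex-employee-e", False, False, datetime(2025, 3, 1),
           terminated_at=datetime(2025, 5, 31, 12)),             # revoked: no finding
]

if __name__ == "__main__":
    for user, finding in check_access(SAMPLE, NOW):
        print(f"{user}: {finding}")
```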

Change 9. Expanded business associate obligations

The Omnibus Rule (2013) extended HIPAA to business associates. The 2025 NPRM tightens this further.

Business associates must now:

  • Sign the BAA with specific SLAs for breach notification (within 72 hours of discovery, was previously "without unreasonable delay")
  • Conduct their own annual pentest and vulnerability scanning
  • Maintain their own incident response plan with documented tabletop
  • Provide evidence of compliance to the covered entity upon request
  • Notify the covered entity immediately of any subcontracting of ePHI processing

Covered entities must maintain a current BAA inventory and evidence that each BA is meeting its obligations. "We signed a BAA in 2018" is no longer sufficient.

The enforcement landscape

OCR's enforcement posture is changing alongside the rule.

  • 2023 enforcement. 22 resolved cases, $1.2M aggregate penalties. Most cases < $100K.
  • 2024 enforcement. 34 resolved cases, $4.8M aggregate. Higher average penalty.
  • 2025 enforcement. OCR staff increased. Automatic audit triggers on breach reports above specific thresholds. Expect more cases at higher penalties.

The Right of Access Initiative continues. OCR specifically targets covered entities that fail to provide patients access to their own records. Over 50 enforcement actions in this category since 2019.

Breach-related settlements. When a breach hits a big organization, OCR typically settles for $1M-$20M depending on severity and prior history. Cognizant's $28M settlement (2022), Excellus BCBS $5M (2021), Anthem $16M (2018).

The gap analysis we run

The framework we run on a HIPAA engagement: twelve categories, 107 specific control questions underneath.

  1. Administrative safeguards. Risk analysis, workforce security, information access management, security awareness, incident response, contingency planning, evaluation.
  2. Physical safeguards. Facility access, workstation use, workstation security, device and media controls.
  3. Technical safeguards. Access control, audit controls, integrity, transmission security.
  4. Organizational requirements. Business associate contracts, group health plans.
  5. Policies and procedures. Written documentation, periodic updates, availability.

Under each category, specific control questions. For administrative safeguards > risk analysis:

  • When was the last risk analysis completed?
  • What methodology was used?
  • Who approved it?
  • What specific threats were considered?
  • What specific vulnerabilities were identified?
  • What remediation was planned?
  • What remediation was executed?
  • How is this tracked against the annual cadence?

Each answered with evidence. Gaps flagged with severity and remediation cost estimate.

The 180-day implementation plan

Assuming the Final Rule publishes roughly as the NPRM reads. The 180-day implementation window we use for clients:

Days 1-30. Gap analysis.

Comprehensive audit against the 107-control framework. Each gap documented with current state, required state, and remediation plan.

Days 31-60. Policy + procedure updates.

Every required policy drafted or updated. Incident response plan refreshed with tabletop. Risk analysis methodology finalized.

Days 61-120. Technical control implementation.

The bulk of the work. Segmentation, encryption hardening, access management upgrades, inventory deployment, pentest + vulnerability scan procurement.

Days 121-150. Workforce training + awareness.

Training deployed, attendance tracked, measurable outcomes defined. Access reviews executed (quarterly cadence started).

Days 151-180. Evidence gathering + validation.

Internal audit confirming every gap is closed. Documentation refreshed. Pentest executed, findings tracked.

Timeline compresses if your baseline is strong. Extends significantly if you're starting from minimal compliance.

Budget ranges

For a mid-sized covered entity (500-5000 employees, single-vendor EHR):

  • Year-one compliance investment: $400K-$1.5M
    - Consulting / gap analysis: $75K-$200K
    - Pentest + vulnerability scanning: $40K-$80K
    - Network segmentation upgrades: $50K-$300K (depending on starting point)
    - Encryption upgrades: $30K-$150K
    - Access management platform: $50K-$200K
    - Inventory tooling: $20K-$80K
    - Training program: $10K-$40K
    - Internal staff time: $100K-$500K
  • Ongoing annual cost: $200K-$600K

For a business associate / healthcare SaaS vendor (10-200 employees):

  • Year-one compliance investment: $75K-$400K
  • Ongoing annual cost: $50K-$150K

The tools we deploy

Healthcare-specific security stack that works:

  • EHR audit layer. Imprivata or Fairwarning for user behavior monitoring on the EHR.
  • Access management. Okta or Entra ID for SSO. Lumos or Veza for access reviews.
  • Segmentation. Cloud-native VPC isolation on AWS/Azure/GCP. Illumio or Guardicore for microsegmentation on legacy environments.
  • Encryption key management. AWS KMS / Azure Key Vault / GCP KMS. HSM backing for master keys if risk profile warrants.
  • Inventory. Axonius for cross-source visibility. ServiceNow CMDB if already in the tech stack.
  • Vulnerability management. Tenable.io or Qualys VMDR. Wiz for cloud.
  • Pentest. Annual engagement, we run these.
  • IR + forensic retainer. Mandiant, CrowdStrike Services, Kroll, or specialized healthcare forensic firms.

The OCR audit procedure

If OCR shows up, what happens.

  1. Notice letter with 30-day response window for initial documentation.
  2. OCR reviews submitted documentation. Follow-up questions common.
  3. On-site or virtual audit (post-2021 most are virtual). Typically 2-4 days of interviews + technical verification.
  4. Findings letter with specific violations identified.
  5. Resolution. Either corrective action plan + monitoring (for less severe) or settlement + monetary penalty (for more severe).

The documents OCR wants on day one:

  • Risk analysis (current + prior two years)
  • Written security policies
  • Incident response plan
  • Contingency plan
  • Business associate agreements (all)
  • Workforce training records
  • Access review records (quarterly)
  • Audit log samples
  • Encryption documentation
  • Vulnerability scan results (last 2 years)
  • Pentest results (last 2 years)

The organization that can produce these in 30 days has done the work. The organization that starts writing policies in week 2 is about to have a bad audit.

What changed that the articles miss

Three subtle changes in the NPRM that most analysis overlooks.

The "reasonable and appropriate" floor raised

The old rule used "reasonable and appropriate" as a flexibility valve. Couldn't afford HSM-backed encryption? As long as your risk analysis showed the alternative was reasonable, you passed. New rule constrains this. Specific technical minimums (AES-256, TLS 1.2+) are no longer negotiable via reasonable-and-appropriate. The flexibility valve still exists for operational controls but not for crypto.

The documentation retention period clarified

Previous rule: retain documentation for 6 years from the date of creation or the date when it was last in effect, whichever is later. The NPRM clarifies that "in effect" means the date the policy was actively enforced, not the date it was last modified. That means policies replaced in 2020 should still be retained until 2026 at minimum.

The "workforce member" definition widened

Workforce member used to mean employees + paid contractors on-premises. The NPRM extends to include:

  • Remote contractors accessing ePHI systems
  • Student interns and residents with system access
  • Temporary staff from agencies
  • Volunteer clinicians at charitable events with EHR access

All now subject to training, sanctions, and access review requirements.

The audit-killing mistakes

Top 10 HIPAA audit failures we see:

  1. Risk analysis not updated in the current year.
  2. Workforce access reviews not completed to the documented cadence.
  3. Terminated workforce member access not revoked in time.
  4. Business associate agreements missing or outdated.
  5. Incident response plan not tested.
  6. Contingency plan not tested.
  7. Security awareness training completion rate below 95%.
  8. Vulnerability scans not completed to cadence.
  9. Audit logs not retained to required period.
  10. Encryption key management not documented.

Each is preventable with operational discipline. Most healthcare organizations accumulate 2-3 of these across any given audit cycle.

State-level interactions

HIPAA is a federal floor. States can and do layer on additional requirements.

  • New York SHIELD Act. Broader than HIPAA in some respects. Applies to any entity with a New York resident's data.
  • Texas HB 300. Stricter than HIPAA for patient consent.
  • California CMIA. Overlaps with HIPAA but has additional penalties under state law.
  • Florida FIPA. State-level breach notification stricter than federal.

If you operate across states, your compliance program needs to satisfy the strictest applicable standard.

Working with us

We run HIPAA Security Rule engagements covering the full 107-control framework. Gap analysis, remediation planning, pentest, tabletop exercises, and OCR audit preparation if you're under notice or expecting to be.

For covered entities, typical engagement length is 3-6 months end-to-end. For business associates it's 1-3 months. Budget varies based on complexity but our engagements are priced to be accessible to mid-market healthcare organizations.

We're particularly experienced with healthcare SaaS vendors operating as business associates. The cross-cutting concerns (cloud security, SaaS platform security, API security) plus the healthcare regulatory specificity is the niche we specialize in.

Valtik Studios, valtikstudios.com.
