Proposed 2025 HIPAA Security Rule Changes & SMB Implications
Comment Period for 2025 HIPAA Security Rule changes ends March 7
The 2024 HIPAA Security Rule amendments represent a significant overhaul, demanding strategic realignment of governance, risk management, and compliance (GRC) programs, particularly for SMBs. The proposed rule changes have an open commentary period, which ends on March 7th, 2025. To leave comments, go here: https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
The elimination of the "addressable" implementation specifications, expanded technical safeguards, and compressed implementation timelines create compliance obligations and opportunities for strengthening organizational resilience. To navigate these changes successfully, SMBs must prioritize a phased approach, leveraging cost-optimization strategies and cultural change initiatives. The key is to transform compliance from a burden into a strategic advantage. Failing to adapt puts SMBs at considerable risk, as demonstrated by the statistic that "60% [of SMBs] fail within six months of a breach."
1. Core Changes to the HIPAA Security Framework:
Elimination of "Addressable" Implementation Specifications: The removal of the distinction between "required" and "addressable" safeguards is a fundamental shift. The revised rule "mandates implementation of all security controls unless specific documented exceptions apply." This directly addresses the previous tendency of SMBs to treat these standards as optional. Specific examples now mandated include:
Multi-Factor Authentication (MFA): "Now required for all system access points handling ePHI, replacing previous conditional implementations."
Encryption: "Mandatory for ePHI both at rest and in transit, closing previous loopholes for internal network communications."
Network Segmentation: "Requires documented segmentation strategies preventing lateral movement during breaches."
Expanded Technical Safeguards: The updated Technical Safeguards (45 CFR §164.312) introduce 14 new implementation specifications aligning with NIST Cybersecurity Framework standards. This expansion creates "technical debt requiring immediate prioritization" for SMBs. Examples of the added or emphasized safeguards include:
Maintaining comprehensive technology inventories updated quarterly.
Developing network topology maps tracking ePHI flow across systems.
Implementing session timeout policies for inactive systems.
Extending workstation security controls to mobile devices.
Automated patch management within 30 days of release.
Removal of unnecessary software from ePHI systems.
2. GRC Program Transformations:
Integrated Risk Management Frameworks: The updates mandate alignment between HIPAA compliance and enterprise risk management programs. Key integration points include:
Unified risk register (mapping HIPAA vulnerabilities to corporate risk appetite).
Annual security validation for all business associates.
Contractual requirements for 24-hour breach notifications.
Executive reporting (monthly dashboards and board-level briefings).
Compliance Lifecycle Acceleration: Implementation timelines are being compressed, requiring more agile compliance processes:
Previous Cycle:
Risk analysis - Biannual
Security training - Annual
Policy updates - Event-driven
2024 Proposed Rule changes:
Risk analysis - Continuous monitoring + annual formal review
Security training - Quarterly + post-incident refreshers
Policy updates - Annual review + change-triggered updates
3. Technical Implementation Roadmap:
Phased Control Deployment: For resource-constrained organizations, a phased approach is recommended:
Phase 1 (0-6 months): Gap analysis, MFA implementation, enterprise encryption.
Phase 2 (6-12 months): Asset inventory, penetration testing, and network segmentation.
Phase 3 (12-18 months): GRC platform integration, automated vendor risk assessments, continuous monitoring.
Cost Optimization Strategies:
Leverage compliance-as-a-service: MSP partnerships, cloud-based encryption.
Automate documentation:Â Tools generating audit-ready reports and AI-assisted policy creation.
Pool resources:Â Join healthcare ISACs and collaborate on training.
4. Operationalizing Cultural Change:
Leadership Engagement Tactics: Map HIPAA requirements to business outcomes (e.g., reduced insurance premiums) and implement cross-functional governance committees.
Staff Enablement Programs: Role-based compliance dashboards, gamified training, and recognition programs for control improvement suggestions.
5. Anticipating Future Regulatory Trends:
Emerging Requirements: Anticipate requirements related to AI governance, Software Bill of Materials (SBOM) adoption, and Zero Trust architecture.
Strategic Preparation Steps: Conduct tabletop exercises, allocate a budget for adaptive controls, and build partnerships with academic cybersecurity programs.
"The 2024 HIPAA changes present SMB cybersecurity leaders with challenges and strategic opportunities." By modernizing GRC programs, SMBs can "reduce breach risks," "improve operational efficiency," and "enhance market position." The immediate next steps include conducting a formal gap assessment, briefing executives, and exploring managed security services. For SMBs that successfully navigate this transition, the HIPAA updates offer a pathway to building cyber resilience that supports compliance and business growth.
Key Statistics & Concerns Highlighted:
747 large breaches exposing 168 million records in 2023
43% of SMBs historically treated "addressable" specifications as optional
60% of healthcare organizations targeted by ransomware
34% of breaches originate through business associates
$1.85M average breach cost threatening SMB viability
49% of healthcare data breaches involving unencrypted devices
58% of breaches stem from human error
82% of healthcare employees targeted by social engineering
73% of surveyed providers expect mandatory zero trust architectures by 2026
SMBs investing in HIPAA modernization achieve 34% faster audit cycles and 27% lower cyber insurance premiums
Recommendations:
Prioritize gap assessments against the updated requirements.
Secure executive-level buy-in and resource allocation.
Explore managed security services and compliance-as-a-service solutions.
Invest in staff training and awareness programs.
Begin planning for future regulatory trends like AI governance and Zero Trust architectures.
Product Shoutout: Omnistruct
Expert Governance Team + GRC Platform = Your Outsourced Risk Management Leadership
ELEVATE YOUR CYBERSECURITY WITH OMNISTRUCT’S PROVEN SERVICES.
Achieve superior data and privacy security at a fraction of the cost of building an in-house team. We can fast-track compliance, reduce risks, and help you focus on what you do best.
Learn more here: https://omnistruct.com/partners/influencers-meet-omnistruct/
References and resources:
https://www.hipaajournal.com/new-hipaa-regulations/
https://www.business-reporter.co.uk/management/the-future-of-grc-how-small-businesses-are-fighting-the-rise-of-cyber-crime
https://www.hipaajournal.com/hipaa-updates-hipaa-changes/
https://www.hipaajournal.com/hhs-strengthened-hipaa-security-rule/
https://www.tenfold-security.com/en/hipaa-security-rule-update/
https://hyperproof.io/resource/proposed-new-hipaa-rules-2025/
https://360advanced.com/hipaa-compliance-tips-for-small-to-mid-sized-business-smb-healthcare-providers/
https://greeneis.com/what-is-grc-in-cyber-security-comprehensive-guide/
https://www.kirkland.com/publications/kirkland-alert/2025/01/proposed-changes-to-the-hipaa-security-rule
https://www.techtarget.com/healthtechsecurity/feature/Things-to-know-about-proposed-HIPAA-Security-Rule-updates
https://www.elisity.com/blog/hipaa-security-rule-changes-2025-new-network-segmentation-requirements-and-implementation-guidelines
https://right-hand.ai/blog/grc-cyber-security/
https://www.morganfranklin.com/insights/hipaas-new-era-navigating-the-regulatory-changes-to-strengthen-cyber-risk-tprm-privacy-and-grc/
https://www.sheppardhealthlaw.com/2025/01/articles/hipaa/hhs-last-minute-holiday-gift-proposed-changes-to-the-hipaa-security-rule/
https://info.docxellent.com/blog/hippa-updates-and-changes
https://www.triagehealthlawblog.com/hipaa/hhs-publishes-notice-of-proposed-rulemaking-to-amend-hipaa-security-rule-requirements-comments-due-march-7-2025/
https://www.hklaw.com/en/insights/publications/2024/12/big-changes-proposed-for-the-hipaa-security-rule
https://www.cov.com/en/news-and-insights/insights/2025/01/hhs-issues-notice-of-proposed-rulemaking-to-update-the-hipaa-security-rule
https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
https://www.hipaaguide.net/new-hipaa-regulations/
https://www.foley.com/insights/publications/2025/01/hhs-proposes-changes-strengthen-hipaa-security-rule/
https://hallboothsmith.com/hipaa-privacy-rule-changes-2024/
https://www.nixonpeabody.com/insights/alerts/2024/12/31/ocr-announces-proposed-updates-to-hipaa-security-rule
https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy
https://www.hipaaguide.net/recent-hipaa-changes/
https://www.paubox.com/blog/upcoming-2024-hipaa-updates-and-changes
https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310\&RIN=0945-AA22
https://deandorton.com/2024-hipaa-regulations-update/
https://www.maynardnexsen.com/publication-hipaa-reproductive-health-care-phi-rules-compliance-date-approaching
https://www.healthcarelawinsights.com/2025/01/ocr-announces-proposed-updates-to-hipaa-security-rule-raises-the-bar-for-healthcare-cybersecurity/
https://www.barradvisory.com/resource/2024-year-in-review/
https://www.onetrust.com/blog/10-grc-trends/
https://www.navex.com/en-us/blog/article/the-state-of-cybersecurity-for-small-and-medium-businesses/
https://blog.procircular.com/how-the-new-hipaa-security-rule-changes-will-affect-healthcare
https://www.brightdefense.com/resources/cybersecurity-compliance-statistics/
https://www.barradvisory.com/resource/hipaa-security-rule-changing/
https://blog.rsisecurity.com/understanding-hipaa-violations-and-their-consequences/
https://www.frazierdeeter.com/insights/article/understanding-the-proposed-changes-to-hipaas-security-rule/
https://www.brightdefense.com/resources/hipaa-compliance-for-startups/
https://hallboothsmith.com/hipaa-2024-and-beyond/
https://www.sai360.com/resources/grc/hipaa-cybersecurity-updates-coming-soon-8-things-to-know-blog
https://www.cybernetman.com/blog/hipaa-compliant-technology-the-ultimate-guide/
https://www.compliancemanagergrc.com/blog/
https://blog.cspire.com/outsourced-it-can-improve-hipaa-compliance.-heres-how
https://clearwatersecurity.com/blog/ocrs-proposed-hipaa-security-rule-notice-of-proposed-rulemaking/
https://thoropass.com/blog/compliance/hipaa-requirements-healthcare-smb/
https://sprinto.com/blog/hipaa-security-rule-update/
https://www.brightdefense.com/resources/what-is-grc-in-cybersecurity-2/
https://www.fepbl.com/index.php/csitrj/article/view/1277/1509
https://www.metricstream.com/insights/utilizing-HIPAA-as-the-starting-point-for-comprehensive-cyber-risk-and-compliance.html
https://www.healthcarecompliancepros.com/blog/top-5-hipaa-challenges-for-small-health-practices