After more than a decade of operating under a Security Rule last substantively updated in 2013, US healthcare organizations now face a new compliance baseline. The Department of Health and Human Services finalized updates to the HIPAA Security Rule in 2025, converting several previously “addressable” implementation specifications into mandatory requirements.

The most operationally significant changes: multi-factor authentication is now required for all workforce members accessing electronic protected health information. Network segmentation between systems that handle ePHI and other systems is required. Encryption of ePHI at rest and in transit is required. Annual penetration testing is required. Vulnerability scanning on defined schedules is required. Technology asset inventories must be maintained and reviewed at defined intervals.

The rule also tightens requirements for business associate oversight. Covered entities must now contractually require — and verify — that business associates meet the updated Security Rule standards. The Change Healthcare breach, in which a business associate’s compromised credential brought down prescription processing nationwide, was explicitly cited in the rulemaking as a driver of this change.

For organizations that have treated security requirements as soft guidance, the new rule removes that ambiguity. These are mandatory controls with audit requirements. The Office for Civil Rights has signaled that enforcement priorities will reflect the updated standards.

The compliance timeline gives covered entities a defined window to implement changes. But for organizations that have not invested in security infrastructure — particularly smaller practices and community health systems — the requirements represent a significant lift. HHS has indicated that technical assistance resources will be made available, but the obligation is mandatory.

Healthcare security is now a legal requirement with a defined technical floor.