HIPAA Security Rule Modernization Proposed Rule Mandates Encryption, MFA, and 72-Hour Recovery
The Department of Health and Human Services has published a proposed rule to modernize the HIPAA Security Rule for the first time since 2013, replacing the current "addressable" implementation specification framework with mandatory minimum security standards. The proposed rule requires encryption of electronic protected health information at rest and in transit without exception, mandates multi-factor authentication for all systems containing ePHI, establishes a 72-hour maximum recovery time objective for critical systems, and introduces annual penetration-testing and vulnerability-scanning requirements. Healthcare organizations and their business associates face a fundamental shift from a flexible, risk-based compliance model to prescriptive security baselines that reflect the modern threat landscape targeting the healthcare sector.
Fact-checked and reviewed — Kodi C.
The HIPAA Security Rule has not been substantively updated since 2013, a period during which the healthcare sector has become the most-targeted industry for ransomware attacks, the volume of electronically stored protected health information has grown exponentially, and the technology environment has transformed through cloud adoption, telehealth expansion, and connected medical devices. The proposed modernization rule acknowledges that the original rule's flexibility — its reliance on "addressable" specifications that allowed covered entities to adopt alternative measures or decline implementation based on risk assessment — has been exploited by organizations seeking to minimize security investment. The proposed rule replaces flexibility with mandates, creating enforceable minimum security standards that all covered entities and business associates must meet.
Elimination of the addressable-required distinction
The current HIPAA Security Rule divides implementation specifications into "required" and "addressable" categories. Required specifications must be implemented as written. Addressable specifications allow covered entities to assess whether the specification is a reasonable and appropriate safeguard in their environment and, if not, to implement an alternative measure or document why the specification is not applicable. In practice, the addressable category has been used by some organizations to justify not implementing fundamental security controls like encryption, citing cost, complexity, or operational disruption.
The proposed rule eliminates the addressable category entirely. All implementation specifications become mandatory. The rule's preamble explicitly acknowledges that the addressable framework was abused: HHS cites enforcement investigations where organizations used addressable status to avoid implementing encryption on laptops, portable storage devices, and email systems containing ePHI, resulting in preventable data breaches affecting millions of individuals.
The elimination of addressable specifications represents the most significant structural change in the rule's history. Organizations that have documented risk-based justifications for not implementing specific security controls must now implement those controls or accept noncompliance. The compliance baseline rises substantially, particularly for smaller healthcare providers and business associates that have historically operated with minimal security infrastructure.
A limited exception framework replaces the addressable concept. Organizations may request temporary implementation deferrals for specific requirements through a formal waiver process administered by the HHS Office for Civil Rights. Waivers require documented technical justification, a remediation timeline, and compensating controls during the deferral period. The waiver process is designed to be rigorous enough to prevent the kind of systematic avoidance that the addressable framework enabled while acknowledging that legitimate implementation challenges exist.
Mandatory encryption requirements
The proposed rule mandates encryption of all ePHI at rest and in transit, using cryptographic standards specified by NIST. At-rest encryption must use AES-256 or equivalent, applied to all storage media including databases, file systems, portable devices, backup media, and removable storage. In-transit encryption must use TLS 1.2 or higher for all network communications involving ePHI, including internal network traffic between systems within the same facility.
The internal-network encryption requirement is a significant expansion from current practice. Many healthcare organizations encrypt ePHI in transit over public networks but transmit it in cleartext within their internal networks, relying on perimeter security to protect internal communications. The proposed rule rejects this approach, citing the frequency of insider threats and lateral-movement attacks that exploit unencrypted internal traffic. The requirement effectively mandates a zero-trust approach to network encryption within healthcare environments.
Implementation timelines acknowledge the operational complexity of universal encryption deployment. Covered entities have 24 months from the final rule's effective date to achieve full compliance with encryption requirements. Business associates have the same timeline but face additional obligations to certify encryption compliance to their covered-entity partners. The timeline is aggressive given the scope of the requirement, particularly for organizations with large installed bases of legacy medical devices and clinical systems that may not support modern encryption standards.
Legacy-device exemptions are narrowly defined. Medical devices that cannot support encryption due to hardware or firmware limitations may operate under a compensating-controls framework that requires network segmentation, enhanced monitoring, and documented risk acceptance by organizational leadership. The exemption is time-limited and requires organizations to present remediation plans for replacing non-compliant devices. HHS estimates that this exemption will apply to approximately 15 percent of connected medical devices currently in use.
Multi-factor authentication mandate
The proposed rule requires multi-factor authentication for all user access to systems containing ePHI. This includes clinical applications (electronic health records, clinical decision support, radiology systems), administrative systems (billing, scheduling, claims processing), and infrastructure systems (servers, databases, network equipment) that store or process protected health information.
MFA implementation must use at least two factors from different categories: knowledge (passwords, PINs), possession (hardware tokens, mobile devices), or inherence (biometrics). The rule specifically discourages SMS-based one-time passwords due to documented vulnerabilities in the telecommunications infrastructure and recommends FIDO2-compliant authenticators or hardware security keys for high-privilege accounts.
Clinical-workflow considerations receive specific attention. HHS acknowledges that MFA can introduce friction in clinical environments where rapid system access is critical for patient care. The proposed rule permits risk-based MFA exemptions for specific clinical workflows — such as emergency-department workstations and operating-room systems — provided that compensating controls including session timeouts, proximity-based authentication, and enhanced audit logging are implemented. The exemption is designed for genuine clinical-urgency scenarios rather than general clinical convenience.
The MFA requirement applies to remote access, local access, and privileged access equally. Organizations that have implemented MFA only for VPN connections or remote-access portals must extend coverage to all systems containing ePHI, including workstations, clinical applications, and administrative platforms. The universal scope significantly expands the deployment footprint beyond what many organizations have implemented to date.
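As an added illustration of the factor rules described in this section (not code from the article or from HHS), the following Python script evaluates a constructed set of account enrolments: it checks that two factors come from different categories, flags SMS one-time passwords as discouraged, expects a FIDO2 authenticator or hardware security key on privileged accounts, and accepts a clinical-workflow exemption only when the named compensating controls are all present. The authenticator type names, the category mapping, the control names and the sample accounts are assumptions made for this example.

```python
"""Evaluate MFA enrolments against the factor requirements described above.

Added example; the authenticator type names, category mapping, compensating
control names and sample accounts below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed mapping of authenticator types to the three factor categories
# named in the proposed rule: knowledge, possession, inherence.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp_app": "possession",
    "push_app": "possession",
    "sms_otp": "possession",
    "hardware_otp_token": "possession",
    "hardware_security_key": "possession",
    "fido2_key": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}

# Authenticators the rule recommends for high-privilege accounts.
PRIVILEGED_RECOMMENDED = {"fido2_key", "hardware_security_key"}

# Compensating controls required before a clinical-workflow exemption is valid.
REQUIRED_CLINICAL_CONTROLS = {"session_timeout", "proximity_auth", "enhanced_audit_logging"}


@dataclass
class Account:
    user: str
    authenticators: list
    privileged: bool = False
    clinical_exempt: bool = False            # e.g. emergency-department workstation
    compensating_controls: set = field(default_factory=set)


def evaluate_account(acct: Account) -> list:
    """Return a list of finding strings; an empty list means the account passes."""
    findings = []
    unknown = [a for a in acct.authenticators if a not in FACTOR_CATEGORY]
    if unknown:
        findings.append(f"unrecognised authenticator type(s): {sorted(unknown)}")
    categories = {FACTOR_CATEGORY[a] for a in acct.authenticators if a in FACTOR_CATEGORY}

    if acct.clinical_exempt:
        # The exemption stands only when every compensating control is in place.
        missing = REQUIRED_CLINICAL_CONTROLS - acct.compensating_controls
        if missing:
            findings.append(
                f"clinical exemption claimed but missing compensating controls: {sorted(missing)}")
        return findings

    if len(categories) < 2:
        findings.append(f"fewer than two factor categories enrolled: {sorted(categories)}")

    if "sms_otp" in acct.authenticators:
        # SMS is discouraged; it is a stronger finding when it is the only non-knowledge factor.
        non_knowledge = [a for a in acct.authenticators
                         if FACTOR_CATEGORY.get(a) not in (None, "knowledge")]
        if non_knowledge == ["sms_otp"]:
            findings.append("only second factor is SMS OTP (discouraged by the rule)")
        else:
            findings.append("SMS OTP enrolled; discouraged, consider removing")

    if acct.privileged and not (set(acct.authenticators) & PRIVILEGED_RECOMMENDED):
        findings.append("privileged account without FIDO2 authenticator or hardware security key")
    return findings


def evaluate_all(accounts) -> dict:
    """Map each user name to its list of findings."""
    return {a.user: evaluate_account(a) for a in accounts}


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("nurse01", ["password", "push_app"]),
    Account("dba01", ["password", "totp_app"], privileged=True),
    Account("clerk02", ["password", "sms_otp"]),
    Account("ed_ws_03", ["password"], clinical_exempt=True,
            compensating_controls={"session_timeout", "proximity_auth"}),
    Account("admin04", ["password", "fido2_key", "fingerprint"], privileged=True),
]

if __name__ == "__main__":
    for user, findings in evaluate_all(SAMPLE_ACCOUNTS).items():
        print(user, "PASS" if not findings else findings)
```

Running the script reports nurse01 and admin04 as passing, dba01 as a privileged account lacking a phishing-resistant authenticator, clerk02 as relying on SMS for its only second factor, and ed_ws_03 as claiming an exemption without enhanced audit logging.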
Recovery time objectives and resilience requirements
The proposed rule establishes a 72-hour maximum recovery time objective (RTO) for critical systems containing ePHI. This is the first time HIPAA has specified a quantitative recovery-time standard, replacing the current rule's general requirement for contingency plans with a measurable, enforceable recovery target.
Critical systems are defined as those whose unavailability would directly impair patient care, prevent access to medical records needed for treatment decisions, or interrupt essential administrative functions such as medication dispensing, laboratory reporting, or clinical communications. Each covered entity must identify its critical systems, document recovery procedures, and demonstrate through annual testing that the 72-hour RTO can be met under realistic disaster scenarios including ransomware attacks.
Backup requirements are strengthened. Organizations must maintain immutable backups of all ePHI stored in environments that are logically and physically separated from production systems. Backup integrity must be verified through regular restoration testing, and backup recovery procedures must be documented in sufficient detail for execution by alternate personnel. The immutable-backup requirement directly addresses the ransomware tactic of encrypting both production data and backup systems to maximize leverage over the victim.
Annual contingency-plan testing must include a full-scale recovery exercise simulating the unavailability of the organization's primary data center or cloud infrastructure. Tabletop exercises alone do not satisfy the testing requirement; HHS requires functional recovery demonstrations that validate end-to-end restoration capability including application recovery, data integrity verification, and user-access restoration within the 72-hour window.
Penetration testing and vulnerability management
The proposed rule introduces mandatory annual penetration testing for all covered entities and business associates, conducted by qualified independent assessors. Penetration tests must cover external-facing systems, internal network infrastructure, web applications, and wireless networks. Social-engineering testing — including phishing simulations targeting employees with ePHI access — is recommended but not required in the initial rule.
Vulnerability scanning must be conducted at least quarterly for all systems containing ePHI, with critical vulnerabilities remediated within 30 days and high-severity vulnerabilities remediated within 60 days. The remediation timelines are mandatory and enforceable, replacing the current rule's general requirement for risk management with specific, measurable obligations.
Findings from penetration tests and vulnerability scans must be documented, tracked to remediation, and reported to organizational leadership. HHS expects that penetration-test findings will inform the organization's risk assessment and drive security-investment prioritization. Organizations that identify critical vulnerabilities through penetration testing but fail to remediate them within the specified timelines face enforcement action regardless of whether the vulnerabilities are exploited.
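As an added example of the tracking the two preceding paragraphs call for (not code from the article or from HHS), the following Python script applies the remediation deadlines described here (critical within 30 days, high within 60 days) and the quarterly scan cadence to a constructed set of scan findings, classifying each finding as on time, open within its window, overdue, or remediated late. The record field names, the 92-day reading of "quarterly", and the sample findings and scan dates are assumptions made for this example.

```python
"""Track vulnerability findings against the remediation deadlines described above.

Added example; field names, the quarterly interval, and all sample data are
constructed for illustration.
"""
from datetime import date, timedelta

# Remediation windows in days, keyed by severity, as described in the proposed rule.
SLA_DAYS = {"critical": 30, "high": 60}
# "At least quarterly": assumed here to mean no more than 92 days between scans.
SCAN_INTERVAL_DAYS = 92


def finding_status(finding: dict, today: date) -> dict:
    """Classify one finding against its severity deadline as of `today`."""
    sev = finding["severity"].lower()
    sla = SLA_DAYS.get(sev)
    if sla is None:
        # Medium/low severities carry no mandated deadline in the rule as described.
        return {"id": finding["id"], "status": "no-mandated-sla", "days_over": 0}
    deadline = finding["discovered"] + timedelta(days=sla)
    closed = finding.get("remediated")
    if closed is not None:
        late = (closed - deadline).days
        return {"id": finding["id"],
                "status": "remediated-on-time" if late <= 0 else "remediated-late",
                "days_over": max(late, 0)}
    over = (today - deadline).days
    return {"id": finding["id"],
            "status": "overdue" if over > 0 else "open-within-sla",
            "days_over": max(over, 0)}


def sla_report(findings, today: date) -> dict:
    """Summarise all findings; late remediation still counts as a missed deadline."""
    statuses = [finding_status(f, today) for f in findings]
    missed = [s["id"] for s in statuses if s["status"] in ("overdue", "remediated-late")]
    return {"statuses": statuses, "missed_ids": missed, "compliant": not missed}


def scan_cadence_ok(scan_dates, today: date) -> bool:
    """True if consecutive scans are within the quarterly interval and the last one is recent."""
    dates = sorted(scan_dates)
    if not dates or (today - dates[-1]).days > SCAN_INTERVAL_DAYS:
        return False
    return all((b - a).days <= SCAN_INTERVAL_DAYS for a, b in zip(dates, dates[1:]))


# Constructed sample data.
TODAY = date(2026, 3, 1)
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "discovered": date(2026, 1, 10), "remediated": date(2026, 2, 5)},
    {"id": "F-2", "severity": "critical", "discovered": date(2026, 1, 15), "remediated": None},
    {"id": "F-3", "severity": "high", "discovered": date(2026, 1, 20), "remediated": None},
    {"id": "F-4", "severity": "high", "discovered": date(2025, 11, 1), "remediated": date(2026, 1, 15)},
    {"id": "F-5", "severity": "medium", "discovered": date(2026, 2, 1), "remediated": None},
]
SAMPLE_SCAN_DATES = [date(2025, 4, 1), date(2025, 7, 1), date(2025, 10, 1), date(2026, 1, 1)]

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, TODAY)
    for s in report["statuses"]:
        print(s["id"], s["status"], s["days_over"])
    print("missed deadlines:", report["missed_ids"], "compliant:", report["compliant"])
    print("quarterly cadence met:", scan_cadence_ok(SAMPLE_SCAN_DATES, TODAY))
```

With the sample data, F-1 closed four days early, F-2 is 15 days past its 30-day window, F-3 still has time on its 60-day window, F-4 was closed 15 days late, and F-5 carries no mandated deadline; the report is therefore noncompliant on F-2 and F-4 even though F-4 has been fixed, which matches the enforcement posture described above.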
Compliance timeline and industry impact
The proposed rule is subject to a 60-day public comment period, after which HHS will review comments and publish a final rule. Covered entities and business associates will have 24 months from the final rule's effective date to achieve full compliance, with limited extensions available through the formal waiver process for specific requirements that present documented implementation challenges.
The compliance cost impact is substantial. HHS estimates that the proposed rule will cost the healthcare industry approximately $9 billion over the first five years of implementation, with the largest cost components being encryption deployment, MFA implementation, and backup-infrastructure upgrades. Small healthcare providers — practices with fewer than 50 employees — face proportionally higher compliance burdens and may need to use managed security service providers to meet the new requirements affordably.
Industry reaction has been mixed. Large health systems and hospital networks that have already invested in modern security infrastructure welcome the rule as leveling the playing field and raising the security baseline for the sector. Smaller providers and rural healthcare organizations express concern about the cost and complexity of compliance, particularly the universal encryption and MFA requirements. Business-associate organizations — cloud providers, clearinghouses, and health IT vendors — face cascading compliance obligations that may reshape the healthcare IT vendor environment.
Recommended actions for healthcare organizations
Conduct an immediate gap assessment comparing current security controls against the proposed rule's requirements. Prioritize encryption coverage, MFA deployment scope, and backup-infrastructure resilience as the areas most likely to require significant investment.
Submit comments during the 60-day public comment period, particularly on implementation timelines and legacy-device exemptions. Organizational input can influence the final rule's requirements, especially in areas where the proposed timelines are impractical for specific healthcare settings.
Begin procurement planning for MFA solutions and encryption infrastructure. The 24-month compliance timeline is aggressive given the procurement, deployment, and testing cycles typical of healthcare IT environments. Organizations that begin procurement processes now will be better positioned to meet the deadline.
Review business-associate agreements to assess the cascading compliance obligations created by the proposed rule. Ensure that BAAs include provisions for the new encryption, MFA, and recovery-time requirements, and engage key business associates early to assess their compliance readiness.
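The gap assessment recommended above can be started from an asset inventory. As an added example (not code from the article, from HHS, or from any vendor), the following Python script checks a constructed inventory against the encryption requirements (AES-256 at rest, TLS 1.2 or higher in transit with no exemption for internal links, compensating controls for legacy devices) and the resilience requirements (immutable and separated backups, restoration testing, a 72-hour RTO for critical systems) described in the earlier sections, and summarises which of the three priority areas carry the most gaps. The inventory field names, the approved-cipher list, the control names and the sample assets are assumptions made for this example.

```python
"""Gap assessment of an asset inventory against the encryption and resilience
requirements described in the article.

Added example; inventory fields, cipher names, control names and sample assets
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

APPROVED_AT_REST = {"AES-256", "AES-256-GCM", "AES-256-XTS"}   # assumed acceptable labels
MIN_TLS = (1, 2)
LEGACY_CONTROLS = {"network_segmentation", "enhanced_monitoring",
                   "leadership_risk_acceptance", "remediation_plan"}
MAX_RTO_HOURS = 72
MAX_RESTORE_TEST_AGE_DAYS = 365


@dataclass
class Asset:
    name: str
    holds_ephi: bool = True
    critical: bool = False
    at_rest_cipher: Optional[str] = None
    tls_version: Optional[str] = None          # e.g. "1.3"; None means cleartext
    internal_only: bool = False                # traffic never leaves the facility
    legacy_no_encryption: bool = False         # device cannot support encryption
    compensating_controls: set = field(default_factory=set)
    backup_immutable: bool = False
    backup_separated: bool = False
    last_restore_test_days: Optional[int] = None
    tested_rto_hours: Optional[int] = None     # measured in the annual recovery exercise


def parse_tls(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def assess_asset(a: Asset) -> list:
    """Return gap strings for one asset; assets without ePHI are out of scope."""
    gaps = []
    if not a.holds_ephi:
        return gaps
    if a.legacy_no_encryption:
        missing = LEGACY_CONTROLS - a.compensating_controls
        if missing:
            gaps.append(f"legacy exemption lacks controls: {sorted(missing)}")
    else:
        if a.at_rest_cipher not in APPROVED_AT_REST:
            gaps.append(f"at-rest encryption not AES-256 (found {a.at_rest_cipher})")
        # Internal-only traffic is not exempt: the rule covers intra-facility links too.
        if a.tls_version is None or parse_tls(a.tls_version) < MIN_TLS:
            where = " on internal link" if a.internal_only else ""
            gaps.append(f"in-transit encryption below TLS 1.2 (found {a.tls_version}){where}")
    if not a.backup_immutable:
        gaps.append("backups not immutable")
    if not a.backup_separated:
        gaps.append("backups not separated from production")
    if a.last_restore_test_days is None or a.last_restore_test_days > MAX_RESTORE_TEST_AGE_DAYS:
        gaps.append("no restoration test within the past year")
    if a.critical:
        if a.tested_rto_hours is None:
            gaps.append("critical system with no demonstrated RTO")
        elif a.tested_rto_hours > MAX_RTO_HOURS:
            gaps.append(f"critical system RTO {a.tested_rto_hours}h exceeds 72h")
    return gaps


def assess_inventory(assets) -> dict:
    return {a.name: assess_asset(a) for a in assets}


def priority_summary(assets) -> dict:
    """Count assets with at least one gap in each priority area named in the article."""
    summary = {"encryption": 0, "backup": 0, "recovery": 0}
    for gaps in assess_inventory(assets).values():
        if any("encryption" in g or "legacy exemption" in g for g in gaps):
            summary["encryption"] += 1
        if any("backups" in g or "restoration" in g for g in gaps):
            summary["backup"] += 1
        if any("RTO" in g for g in gaps):
            summary["recovery"] += 1
    return summary


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("ehr-db", critical=True, at_rest_cipher="AES-256", tls_version="1.3",
          backup_immutable=True, backup_separated=True, last_restore_test_days=120, tested_rto_hours=48),
    Asset("lab-interface", at_rest_cipher="AES-128", tls_version=None, internal_only=True,
          backup_immutable=True, backup_separated=False, last_restore_test_days=400),
    Asset("infusion-pump-fleet", legacy_no_encryption=True,
          compensating_controls={"network_segmentation", "enhanced_monitoring"},
          backup_immutable=True, backup_separated=True, last_restore_test_days=30),
    Asset("pacs", critical=True, at_rest_cipher="AES-256-XTS", tls_version="1.1",
          backup_immutable=True, backup_separated=True, last_restore_test_days=200, tested_rto_hours=96),
    Asset("public-website", holds_ephi=False),
]

if __name__ == "__main__":
    for name, gaps in assess_inventory(SAMPLE_ASSETS).items():
        print(name, "OK" if not gaps else gaps)
    print(priority_summary(SAMPLE_ASSETS))
```

The sample run flags the cleartext internal lab link and the AES-128 store, the pump fleet's incomplete legacy exemption (no leadership risk acceptance or remediation plan), and the imaging system's TLS 1.1 and 96-hour demonstrated recovery, while the EHR database and the non-ePHI website produce no gaps.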
Analysis and forecast
The proposed HIPAA Security Rule modernization is the most significant healthcare cybersecurity regulatory development in over a decade. It reflects a regulatory judgment that the healthcare sector's security posture — shaped by years of flexible, risk-based compliance that permitted significant variation in actual security practices — is no longer adequate for the threat environment. The shift from addressable to mandatory requirements sends a clear message: basic security controls are no longer optional.
The rule's effectiveness will depend on enforcement. HHS's Office for Civil Rights has historically been resource-constrained, and the expanded compliance baseline will increase the volume of potential enforcement targets. Whether OCR receives sufficient resources to enforce the new requirements meaningfully will determine whether the rule drives genuine security improvement or becomes another paper-compliance exercise.
For healthcare CISOs, the proposed rule provides long-sought regulatory backing for security investments that organizational leadership has previously deprioritized. The mandatory nature of the requirements transforms security budget requests from discretionary spending proposals into regulatory compliance obligations — a reframing that can unlock resources that were previously unavailable.