The surge in cyberattacks across the U.S. healthcare system has been matched by tightening enforcement of data privacy rules. The compliance bar is about to rise and requires operational and investment planning.
The Department of Health and Human Services (HHS) is preparing a sweeping refresh that will fundamentally transform how covered entities and business associates must safeguard electronic protected health information (ePHI).
As the figure below shows, the number of violations pursued by the agency's Office for Civil Rights (OCR), published on the 'Wall of Shame' breach portal on its website, is already climbing, fueled in part by the expansion of agentic AI services that require additional safeguards from providers.

This is not a compliance refresh. It is a structural recalibration of accountability.
The rise in significant healthcare data breaches triggered a Notice of Proposed Rulemaking in December 2024 that proposed sweeping changes following more than a decade of incremental guidance and voluntary frameworks.
While there has been significant pushback on some elements by industry, the administration has continued consultations that indicate the effort will continue.
OCR's message is unambiguous. The proposed rule seeks to eliminate the long-standing ambiguity of "addressable" implementation specifications — a term that led many organizations to treat critical controls as optional. Compliance will be verified through demonstrated technical enforcement, not documentation of intent.
Organizations should begin building the business case internally now. OCR estimates compliance with the proposed Security Rule updates will cost the industry approximately $9 billion in the first year, with ongoing annual costs of around $6 billion.
For large health systems, payers, and business associates, this means capital investment decisions are no longer optional — they are strategic imperatives. Smaller and rural providers face the steepest challenge, as legacy systems, workforce gaps, and constrained budgets create structural barriers to implementation.
The key changes explained
The proposed rule introduces a host of prescriptive requirements that span IT, compliance, governance, and executive leadership and require operational shifts.
All Security Rule specifications become effectively mandatory with the removal of the "required vs. addressable" distinction. Only limited exceptions remain, so full compliance is the default assumption, with no room for selective interpretation.
The foundational step is that organizations must develop and maintain a comprehensive inventory of all hardware and software that creates, receives, maintains, or transmits ePHI. The rule also requires an annually updated network map illustrating how ePHI moves through the environment.
Risk analysis standards are elevated to include specific review of asset inventories, identification of all reasonably anticipated threats, vulnerability assessments, and risk-level ratings for each identified threat-vulnerability pairing. Annual reassessment is required.
Mandatory technical controls
The proposed rule elevates several previously voluntary Cybersecurity Performance Goals (CPGs) to required status, including:
Multi-Factor Authentication (MFA) across all relevant systems
Encryption of all ePHI at rest and in transit
Network segmentation
Anti-malware protection
Patch management
Disabling unused network ports
Organizations must establish written procedures capable of restoring critical systems and data within 72 hours of a disruption. Incident response plans must be tested and revised regularly, with system criticality factored into restoration prioritization.
Security measure reviews, penetration testing, and vulnerability scans must occur on defined cycles — with penetration tests required at least annually and vulnerability scans at least every six months.
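The inventory, risk analysis and control requirements above can be turned into a working risk register. The following is an added example, not code from the article or from AlixPartners; the asset inventory, the threat-vulnerability pairings and the 1-5 likelihood/impact scales are constructed assumptions, while the control list and the pentest/vulnerability-scan cycles follow the proposed rule as described here.

```python
from dataclasses import dataclass
from datetime import date

# Controls the proposed rule makes mandatory for systems handling ePHI.
MANDATORY_CONTROLS = {"mfa", "encrypt_at_rest", "encrypt_in_transit",
                      "anti_malware", "patched", "segmented"}
# Review cycles: penetration test at least annually, vulnerability scan at least every six months.
MAX_DAYS = {"pentest": 365, "vuln_scan": 182}

# Constructed threat-vulnerability pairings: (threat, control whose absence is the vulnerability,
# likelihood 1-5, impact 1-5). Scales and values are assumptions for illustration.
PAIRINGS = [
    ("credential theft", "mfa", 4, 5),
    ("storage media exfiltration", "encrypt_at_rest", 3, 5),
    ("traffic interception", "encrypt_in_transit", 3, 4),
    ("ransomware", "anti_malware", 4, 5),
    ("exploit of a known, unpatched flaw", "patched", 4, 4),
    ("lateral movement after a foothold", "segmented", 3, 4),
]

@dataclass
class Asset:
    name: str
    handles_ephi: bool
    controls: set            # subset of MANDATORY_CONTROLS that is actually enforced
    last_review: dict        # {"pentest": date, "vuln_scan": date}, missing key = never done

def rate(score):
    """Map a likelihood x impact score (1-25) to the risk-level rating the analysis must record."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def risk_register(inventory):
    """One row per threat-vulnerability pair on an ePHI asset whose control is missing, highest risk first."""
    rows = []
    for asset in inventory:
        if not asset.handles_ephi:
            continue                         # out of scope: no ePHI created, received, maintained or transmitted
        for threat, control, likelihood, impact in PAIRINGS:
            if control not in asset.controls:
                score = likelihood * impact
                rows.append({"asset": asset.name, "threat": threat, "missing_control": control,
                             "score": score, "rating": rate(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def overdue_reviews(asset, today):
    """Return {review_kind: days_since_or_None} for every cycle the asset has exceeded or never had."""
    overdue = {}
    for kind, max_days in MAX_DAYS.items():
        last = asset.last_review.get(kind)
        if last is None or (today - last).days > max_days:
            overdue[kind] = None if last is None else (today - last).days
    return overdue
```

Running `risk_register` over the full inventory gives the threat-vulnerability rows the annual risk analysis must document, and `overdue_reviews` flags each asset whose penetration test or vulnerability scan has slipped past its cycle.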
Annual verification of business associates' and subcontractors' security measures is now explicitly required. That closes a gap that has historically been a vector for third-party breaches.
What Organizations Should Do Right Now
No final rule has been issued or date set for enforcement, but the consultation process continues and waiting isn’t a defensible posture. OCR is actively incorporating the spirit of the proposed rule into its audit and enforcement priorities. Organizations that begin aligning now will be far better positioned when the final rule drops.
Here is where to start:
Conduct a HIPAA Security Gap Assessment — Benchmark current administrative, physical, and technical safeguards against the proposed requirements. Identify control gaps, legacy system limitations, and documentation deficiencies.
Build a Technology Asset Inventory — If you don't have a current, accurate map of where ePHI lives, flows, and is processed across your enterprise, this is your highest-priority action. Everything else depends on it.
Stand Up or Validate MFA and Encryption — These controls are no longer nice-to-have. Organizations that have deferred encryption due to legacy infrastructure complexity must now assess whether system modernization is a compliance necessity, not just a technology decision.
Formalize Your Incident Response Program — Tabletop exercises are among the most effective mechanisms for stress-testing your incident response and contingency plans against the proposed 72-hour recovery requirement. They surface gaps in roles, escalation paths, and system restoration sequencing before a real incident does.
Revisit Your Business Associate Agreements and Oversight Program — Third-party risk is no longer a background concern. Annual verification of BA security measures will be a formal requirement. Your vendor management program must be up to the task.
Update Your Notice of Privacy Practices — Independent of the Security Rule NPRM, the February 16, 2026 compliance deadline for updated Notices of Privacy Practices under 42 CFR Part 2 is already in effect for organizations that handle substance use disorder records. This is a near-term obligation that should not be overlooked amid the larger Security Rule conversation.
How AlixPartners can help
HIPAA compliance is no longer a legal checkbox — it is an enterprise risk issue that requires the intersection of legal, technical, operational, and executive perspectives. At AlixPartners, our team of privacy, cybersecurity, and data governance professionals brings deep regulatory fluency and hands-on implementation experience to help organizations navigate this landscape.
We offer a full spectrum of capabilities aligned to the new HIPAA demands:
Program & Policy Assessments — We conduct risk and maturity assessments of your current security program, deliver actionable findings, and help you build a prioritized remediation roadmap.
Information Asset Mapping — We help you understand the full lifecycle of ePHI across your organization, build defensible asset inventories, and create the network maps the proposed rule will require.
Privacy Incident Response — When a breach happens, we lead technically complex fact investigations and control testing exercises to help you respond with speed and precision.
Serving as Interim CISOs and DPOs — For organizations without the internal bench strength to navigate this transition, we provide executive-level leadership as interim CISOs and Data Privacy Officers — providing stability and direction precisely when it matters most.
Independent Monitoring and Regulatory Response — If OCR comes knocking, we can serve as independent monitors or assessors, helping you remediate findings and respond to formal inquiries.
The Bottom Line
The proposed HIPAA Security Rule update represents a long-overdue reckoning for an industry that has historically underinvested in cybersecurity relative to the sensitivity of the data it holds. Organizations that treat this moment as just another compliance cycle will find themselves underprepared. Those that treat it as a strategic inflection point, and as an opportunity to rebuild their security architecture on a modern, defensible foundation, will emerge stronger.
