HIPAA Security Rule Updates: Your Q4 2025 Readiness Plan
By Alicia Vidals, HIPAA Blog, Resources, Security

It’s October 2025, and the HIPAA Security Rule is on the verge of its biggest update in decades. The Department of Health and Human Services (HHS) issued proposed changes earlier this year, and while they are not yet final, healthcare organizations can’t afford to wait.

The proposed updates—requiring asset inventories, encryption, multi-factor authentication (MFA), regular testing, and formal incident response plans—signal where compliance is heading. As the year winds down, Q4 2025 is the perfect time to prepare.

Download our free HIPAA Checklist


Where We Stand in October 2025

  • January 2025: HHS published the Notice of Proposed Rulemaking (NPRM) for the HIPAA Security Rule.
  • March 2025: The public comment period closed, with nearly 5,000 comments submitted.
  • Now: OCR is reviewing comments and drafting the final rule, expected late 2025 or 2026. (HIPAA Journal)

Until then, the current HIPAA Security Rule still applies, but organizations that act early will reduce compliance risk and strengthen their security posture.

As Adam Zeineddine put it on the HIPAA Insider Show:

“These regulations shouldn’t be scary. They’re just catching up with modern security practices.”


Current Rule vs. Proposed 2025 Updates

Here’s a quick comparison of what’s in place now versus what HHS has proposed.

| Category | Current HIPAA Security Rule | Proposed 2025 Updates (NPRM) |
|---|---|---|
| Safeguards | Mix of “required” and “addressable” controls (flexible). | Removes the distinction; nearly all safeguards become mandatory. |
| Asset Management | Risk analysis required, but no explicit asset inventory. | Requires a written technology asset inventory and data flow maps updated annually. |
| Access Controls | Passwords, IDs, logoff controls required; MFA optional. | Mandatory MFA, session timeouts, role-based access, access revoked within 1 hour of termination. |
| Encryption | Encryption “addressable” (optional with justification). | Mandatory encryption of ePHI at rest and in transit. |
| Testing | Requires “regular” review, no set frequency. | Vulnerability scans every 6 months + annual penetration testing. |
| Incident Response | Contingency planning required, details flexible. | Requires a written incident response plan, annual testing, and recovery of critical systems within 72 hours. |
| Business Associates | Must sign BAAs, obligations less specific. | Must notify covered entities within 24 hours of contingency activation; aligned obligations. |
| Documentation | Flexible, varies by entity. | Requires detailed documentation of risk analyses, policies, test results, and version histories. |

⚠️ Note: These changes are still proposed and subject to modification before the final rule. See the HHS fact sheet for official details.


Q4 2025 HIPAA Readiness Roadmap

Here’s a practical sprint plan you can follow from now through December.


October 2025: Kickoff & Discovery

  • Form a readiness task force with IT, compliance, and leadership.
  • Conduct a gap assessment against proposed updates using our checklist.
  • Start asset inventory & data flow mapping for all systems handling PHI.

👉 Deliverables: Task force established, leadership briefed, gap analysis report, draft inventory.


November 2025: Implement Core Safeguards

  • Enforce MFA on EHRs, portals, and administrator accounts.
  • Encrypt PHI at rest and in transit.
  • Draft or update incident response plan with clear roles and timelines.
  • Train staff on security basics and incident response procedures.

👉 Deliverables: MFA live, encryption verified, IR plan drafted, training complete.


December 2025: Test, Document & Plan Ahead

  • Run a vulnerability scan; schedule pen test for early 2026.
  • Conduct a tabletop IR exercise to test your plan.
  • Update compliance documentation (risk analysis, logs, policies).
  • Review business associate agreements for alignment.
  • Create a 2026 roadmap for advanced projects like segmentation and continuous monitoring.

👉 Deliverables: Vulnerability scan complete, IR test done, documentation updated, BA oversight improved, 2026 plan in place.


Quick Wins by Year-End

By December 2025, your organization should have:

  • MFA and encryption enforced on PHI systems.
  • A working draft asset inventory and data flow map.
  • A written, tested incident response plan.
  • A completed vulnerability scan.
  • Reviewed BA contracts for alignment.

Final Takeaways

The HIPAA Security Rule updates of 2025 represent the biggest compliance shift in years. But as Gil Vidals advised on the HIPAA Insider Show:

“Instead of looking at the entire mountain, chip away at it one step at a time.”

🎧 Prefer to listen on the go? Stream the full episode on Spotify

By acting in Q4 2025, you’ll enter 2026 with the foundation already in place. That means fewer surprises, lower compliance risk, and a stronger security posture.

👉 Stay ahead of compliance: Request a discovery call


FAQ