May 26, 2026
Recent breach trends and proposed updates to the HIPAA Security Rule indicate a meaningful shift in regulatory expectations, particularly around policy discipline, governance, and the operationalization of security controls.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed the first substantive revision to the Security Rule since 2013. The proposal introduces new mandatory requirements and elevates several safeguards that were previously considered addressable to required baseline expectations. These changes, expected to take effect soon, expand technical and administrative obligations, including documentation, risk analysis cadence, asset visibility, and contingency planning.
Large-scale breach events in the healthcare industry continue to demonstrate how gaps in policies, procedures, and oversight allow localized control failures, such as inconsistent access controls, incomplete encryption, or weak vendor governance, to scale into enterprise-wide incidents. In parallel, OCR enforcement activity has increasingly emphasized not just the presence of policies, but whether they are sufficiently detailed, kept current, and supported by repeatable processes that align with how systems are actually operated.
In this context, organizations may benefit from proactively reviewing and updating key policy and procedure domains, particularly those related to risk management, access controls, asset inventory, incident response, and third-party oversight, to align with the proposed HIPAA Security Rule requirements. Addressing these areas ahead of the final rule may help reduce implementation risk, avoid compressed remediation timelines, and support a more sustainable compliance posture once enforcement begins.
Why this matters now
The proposed HIPAA Security Rule signals a clear move away from flexibility in how safeguards are implemented. Several controls that were historically treated as addressable or implemented inconsistently are proposed to become mandatory expectations across covered entities and business associates.
Examples include:
Although many organizations have implemented some of these controls in practice, they have not always been consistently documented, governed, or enforced through formal policy. As a result, organizations that delay updates to policies, procedures, and governance structures until the final rule is issued may face compressed timelines and increased compliance risk. Proactively aligning documentation, ownership models, and oversight mechanisms with the proposed requirements allows organizations to address underlying readiness gaps before regulatory expectations become enforceable.
What regulators are signaling through the proposed rule
Through the proposed updates to the HIPAA Security Rule, OCR has indicated that long-standing compliance gaps, particularly related to risk analysis, access management, third-party oversight, and documentation, are likely to face increased regulatory scrutiny. OCR has cited common deficiencies observed during investigations as a primary driver of the proposed changes, suggesting that future enforcement expectations may be shaped directly by prior compliance failures.
Much of the discussion surrounding the proposed rule focuses on technical safeguards. These requirements, however, cannot operate effectively without a supporting policy and governance framework. As enforcement expectations evolve, regulators are increasingly expected to assess not only whether controls exist, but whether written policies clearly define ownership, execution, escalation, and oversight, and whether those policies are reflected in how security activities are performed on an ongoing basis.
The table below highlights representative key policy domains that are likely to receive increased scrutiny. This sample list is based on OCR enforcement trends, published guidance, and the proposed HIPAA Security Rule updates, and outlines examples of what regulators are increasingly expecting to see documented by healthcare provider organizations.
How Kodiak supports policy readiness
Market and Business Development Leader, Risk and Compliance
Kodiak Solutions