Proposed HIPAA Security Rule Overhaul Could Mandate All Security Specs, Raising Compliance Costs for Healthcare Providers
What Happened — The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a 125‑page proposal that would eliminate the “required vs. addressable” distinction in the HIPAA Security Rule, making virtually every implementation specification mandatory and requiring written documentation for all security policies and procedures. The proposal is still under review, with the final rule expected in May 2026.
Why It Matters for TPRM —
- Mandatory controls increase the compliance burden on health‑care vendors and their subcontractors, potentially affecting contract negotiations and risk‑based pricing.
- Failure to meet the stricter rule could trigger civil penalties, reputational damage, and heightened scrutiny from regulators and investors.
- Vendors that cannot demonstrate compliance may become high‑risk third‑party partners for covered entities and business associates.
Who Is Affected — Health‑care providers, health‑information technology vendors, EHR/EMR platforms, payroll and billing services, and any third party that processes, stores, or transmits protected health information (PHI).
Recommended Actions —
- Review existing contracts for HIPAA compliance clauses and assess whether current security controls meet the proposed “all‑mandatory” specifications.
- Conduct a gap analysis against the draft rule to identify documentation and technical shortfalls.
- Engage with vendors to obtain updated attestations of compliance and adjust service‑level agreements (SLAs) accordingly.
Technical Notes — The proposal does not introduce a new vulnerability; it changes regulatory expectations. It would require written evidence for all security policies, risk analyses, and mitigation plans, effectively expanding the scope of required controls across network, endpoint, and data‑handling layers.
Source: DataBreachToday