What HIPAA compliance actually requires of a covered entity

HIPAA compliance is not a checklist; it is a documented program. The 2024 proposed Security Rule update raises the bar substantially.

HIPAA compliance is a term that gets used as if it were a binary status, a thing a healthcare organization either has or does not have. In practice, it is a program, not a status, and the bar for what counts as a program has been moving steadily upward. The proposed Security Rule update HHS issued in December 2024 (the first major revision since 2013) raises the bar substantially. Covered entities that have been treating HIPAA as a paperwork exercise are about to find out how big the gap is.

The starting point is who is regulated. HIPAA applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions. It also applies to business associates, which are vendors that create, receive, maintain, or transmit protected health information on behalf of a covered entity. The distinction matters because the substantive obligations differ in detail, but both categories owe the same core duties: to safeguard PHI, to notify on breach, and to contract appropriately with their own downstream vendors.

The substantive program has three pillars, and the proposed Security Rule update sharpens each of them.

The Privacy Rule controls the permitted uses and disclosures of protected health information. The covered entity must have a Notice of Privacy Practices, must honor patient rights (access, amendment, accounting of disclosures, request for restrictions, request for confidential communications), and must train its workforce on the rules. The 2024 proposed amendments do not change much on the Privacy Rule side beyond clarifying timelines and patient request mechanics, but the Privacy Rule remains the part of HIPAA where the largest enforcement actions still happen.

The Security Rule controls the safeguards for electronic protected health information, and this is where the December 2024 proposed update is most aggressive. The historical Security Rule allowed covered entities to choose between “required” and “addressable” implementation specifications, with “addressable” meaning the entity could decide whether and how to implement the safeguard based on a risk analysis. The proposal eliminates that flexibility for most safeguards, making them required across the board. The proposal also imposes specific technical requirements that the original rule left general: mandatory multi-factor authentication, encryption of ePHI in transit and at rest with limited exceptions, annual penetration testing, a written and rehearsed incident response plan, and detailed asset inventory and network mapping. None of this is novel in commercial cybersecurity; it has been baseline for years. What is new is that HHS is proposing to make it the legal floor under HIPAA.

The Breach Notification Rule controls what happens after a breach. A covered entity must notify affected individuals within sixty days of discovery of a breach of unsecured PHI, must notify HHS at the same time for breaches affecting 500 or more individuals, and must notify prominent media outlets when the breach reaches 500 individuals in a single state or jurisdiction. The penalty tiers under HIPAA scale with the level of culpability, from civil penalties for reasonable-cause failures to significantly higher penalties for willful neglect that is not corrected.

The compliance posture I see most often is a binder of policies adopted at one point in time, a workforce training video everyone clicks through once a year, and a risk analysis last updated three CIOs ago. That posture was thin under the existing rules and is going to be untenable under the rules that are now in proposed form. The Office for Civil Rights has been clear in its recent resolution agreements that paper compliance does not satisfy HIPAA. Investigators ask for the risk analysis, the corrective action plan responding to the risk analysis, the incident response plan, the most recent tabletop exercise documenting that the incident response plan works, and the contemporaneous evidence that workforce training actually occurred. Organizations that cannot produce those documents on request are in the worst position to negotiate the resolution.

The practical takeaway in 2026 is to read the proposed Security Rule update with your IT and compliance teams, identify the specific safeguards your organization does not currently meet, and start the work now rather than waiting for the final rule. The transition periods will be measured in months, not years, and the controls in question take real time to implement and document. HIPAA compliance has always been a program. It is about to become a more demanding one.