
HIPAA updates: what to know about verification, risk analysis, and encryption

The HHS is placing renewed emphasis on three familiar safeguards in the HIPAA Security Rule: multi-factor authentication, risk analysis, and encryption. Understanding what's happening in each area can help you make small, practical adjustments that support client privacy and boost your practice's security.


HIPAA security expectations are evolving. The Office for Civil Rights (OCR) is paying closer attention to how practitioners protect electronic health information, and the Department of Health and Human Services (HHS) has proposed updates that focus on three familiar safeguards that matter to small practices: multi-factor authentication, risk analysis, and encryption.

These updates are part of a broader effort to strengthen healthcare cybersecurity and make expectations clearer for everyone, including solo and small-group practices.

👉 If you're new to the HIPAA Security Rule or want a quick refresher, our HIPAA Questions and Answers guide offers a simple overview of the basics and how they apply in everyday practice.

Understanding what's being proposed now helps you plan for any adjustments you may need to make. And even if the rules don't officially change, these shifts line up with today's online security risks, so they're still worth considering for the health of your practice.

Let's take a quick look at each update. We'll go through what they are, why they're important, and the steps you can take now to make sure your practice is as secure as possible.

TL;DR: HIPAA may strengthen requirements in three areas that matter to small practices: multi-factor authentication, risk analyses, and encryption. These proposals reflect the HHS's ongoing focus on improving healthcare cybersecurity and strengthening common safeguards. Even if the rules haven't officially changed yet, it's helpful to understand what's being proposed and how to stay a step ahead.

What to do next: Turn on two-step verification, complete a yearly risk analysis, and check whether encryption is enabled on the tools you use most often.

Proposed HIPAA Updates Facts

  • The HHS Office for Civil Rights announced increased risk analysis enforcement in October 2024.
  • In December of the same year, the HHS proposed several updates to the HIPAA Security Rule.
  • They were written in response to a rise in cyberattacks on healthcare organizations.
  • The proposed changes were open for comment until March 7, 2025, and have not been finalized. The final rule is on HHS' regulatory agenda for May 2026.

Multi-factor authentication and HIPAA: what's being proposed

Multi-factor authentication

Multi-factor authentication (aka MFA or two-step verification) keeps your accounts safe by adding an extra step to your sign-in process.

You've probably already used it. Whenever you sign in to an account with an email address and password, and then receive a code by text message, that's MFA.

Why multi-factor authentication matters under HIPAA

MFA adds an extra layer of security: a stolen or guessed password alone is no longer enough to sign in, so it reduces breaches caused by stolen passwords.

How HIPAA could change its requirements

Right now, the HIPAA Security Rule doesn't require MFA. Potential updates could include it for the first time.

👉 Next steps: Most computer services, like Hushmail, already have two-step verification ready to go. The next time you sign in to your computer or any work account, check your settings for two-step verification and turn it on.

Risk analysis and HIPAA: what's being proposed

Risk analysis

In a risk analysis (aka risk assessment), you take a close look at how you protect client data and identify gaps that could expose protected health information (PHI).

You should already be conducting regular risk analyses, especially since the OCR has stepped up enforcement in this area.

Why risk analysis matters under HIPAA

A risk analysis helps you identify potential blind spots and account for them in your security practices. A good risk assessment can go a long way towards preventing a security breach. It also shows the HHS that you take compliance seriously.

How HIPAA could change its requirements

Right now, the Security Rule doesn't specify how covered entities should conduct a risk analysis, what information it should include, or how often to conduct one.

The proposed updates would add more specificity. If they were to come into effect, you would be required to create a written inventory of all technologies used to hold and/or transmit PHI. You would also be required to list all the places/systems the information touches (e.g., a desktop computer, laptop, email, etc.). And a risk assessment would be required at least once every 12 months.

👉 Next steps: If you have never done a risk analysis, or aren't sure if you're doing it correctly, check out our article: How to do your HIPAA risk assessment (with template).

You should also conduct at least one every year. If you haven't done one in the last 12 months, either schedule it on your calendar or chat with your team (if you have one) about getting the ball rolling.


Encryption and HIPAA: what's being proposed

Encryption

Encryption is a critical technology that helps safeguard client information. Now, more than ever, it's a must-have for a secure healthcare practice.

Encryption digitally scrambles messages to keep them safe from prying eyes.

Why encryption matters under HIPAA

Encryption makes it difficult, if not impossible, for a third party to snoop on sensitive information. When you use encryption, even if someone breaks into your system, they won't be able to understand the information they access.

How HIPAA could change its requirements

Right now, encryption is an "addressable" requirement, meaning it's highly recommended but not strictly required. The proposed updates to the Security Rule could make encryption mandatory.

👉 Next steps: Most computer systems have encryption ready to go. Start with your operating system (Windows or iOS), then go to your settings and turn on encryption. Next, work through your other computer services (like your email and EHR), then enable encryption in them too. Here's how to use encryption in Hushmail.
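The three "next steps" above (turn on two-step verification, keep a written inventory of every technology that holds or transmits PHI and reassess it at least every 12 months, and confirm encryption is enabled) can be tracked as one simple checklist. The following Python script is an added example written for this page; it is not Hushmail's code and not part of any HIPAA template. The `PhiSystem` record, the safeguard flags, the 365-day cadence and the sample inventory are all assumptions constructed for illustration, and the script reports gaps rather than fixing anything.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical record for one line of the written inventory the proposed rule
# describes: a technology that holds and/or transmits PHI (e.g. a laptop, email,
# an EHR). The safeguard flags mirror the article's three focus areas.
@dataclass
class PhiSystem:
    name: str
    holds_phi: bool            # stores PHI at rest
    transmits_phi: bool        # sends PHI over a network
    mfa_enabled: bool          # two-step verification turned on
    encrypted_at_rest: bool    # disk / storage encryption turned on
    encrypted_in_transit: bool # connection encryption turned on


def assessment_overdue(last_completed: Optional[date], today: date,
                       max_age_days: int = 365) -> bool:
    """True when no risk analysis was ever done, or the last one is older than
    the 12-month cadence in the proposed updates (365 days assumed here)."""
    if last_completed is None:
        return True
    return today - last_completed > timedelta(days=max_age_days)


def find_gaps(inventory: List[PhiSystem], last_completed: Optional[date],
              today: date) -> List[str]:
    """Return a plain-language gap list: one line per missing safeguard."""
    gaps = []
    if assessment_overdue(last_completed, today):
        gaps.append("risk analysis: none completed in the last 12 months")
    for s in inventory:
        if not s.mfa_enabled:
            gaps.append(f"{s.name}: MFA / two-step verification not enabled")
        if s.holds_phi and not s.encrypted_at_rest:
            gaps.append(f"{s.name}: holds PHI but storage is not encrypted")
        if s.transmits_phi and not s.encrypted_in_transit:
            gaps.append(f"{s.name}: transmits PHI but the connection is not encrypted")
    return gaps


# Constructed sample inventory for a small practice (not real data).
SAMPLE_INVENTORY = [
    PhiSystem("office desktop", True, False, True, False, False),
    PhiSystem("email", False, True, False, False, True),
    PhiSystem("EHR", True, True, True, True, True),
]
SAMPLE_LAST_ANALYSIS = date(2024, 1, 15)   # constructed date of the last analysis


def sample_report(today: date = date(2025, 6, 1)) -> List[str]:
    """Run the check over the constructed inventory as of a fixed date."""
    return find_gaps(SAMPLE_INVENTORY, SAMPLE_LAST_ANALYSIS, today)


if __name__ == "__main__":
    for line in sample_report():
        print("-", line)
```

Run as-is, the sample inventory produces three gap lines: the risk analysis is older than 12 months, the desktop holds PHI without storage encryption, and the email account has no two-step verification. The EHR entry, with every safeguard enabled, produces nothing. Replace the sample entries with your own inventory and re-run after each change to see the list shrink.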

HIPAA security updates: where to learn more

HIPAA updates can feel intimidating, but understanding what's being proposed now can help you make informed decisions ahead of time.

To take a deeper dive into each of these potential updates, consider checking out these articles:

👉 Looking for a full overview of HIPAA basics? Our HIPAA Questions and Answers guide explains the Security Rule, PHI, technical safeguards, and more in simple, everyday language.

Running a secure practice is possible, one safeguard at a time (and small steps add up quickly).

Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.
