The 2025 Proposed HIPAA Security Rule: What Providers Need to Know

The HIPAA Security Rule has remained largely unchanged for over 15 years. In the final days of the Biden Administration, the Office for Civil Rights (OCR) issued a proposed rule to significantly revise and modernize the Security Rule. This update responds to growing cybersecurity threats—such as ransomware, hacking, and other forms of data breaches—and aims to align compliance standards with current technological realities. The proposed changes impose more stringent and specific requirements on covered entities and business associates to safeguard electronic protected health information (ePHI).

Webinar Objectives

This program is designed to help attorneys, compliance professionals, and technology advisors better support healthcare providers and organizations in understanding and meeting the expanded requirements of the proposed HIPAA Security Rule. Attendees will gain insights into key changes, practical compliance strategies, and how to prepare for increased enforcement activity in this evolving regulatory landscape.

Webinar Agenda

I. Introduction & Background

• History and purpose of the HIPAA Security Rule
• Key terminology and foundational principles

II. Overview of the Proposed Revisions

• Summary of significant changes
• Key areas of enhanced compliance obligations
• Updates to risk analysis and risk management expectations

III. Addressing Modern Threats and Technologies

• Cybersecurity risks: ransomware, phishing, unauthorized access
• Incorporating new standards for encryption, authentication, and system monitoring

IV. Operational Impacts and Common Compliance Challenges

• Real-world examples of vulnerabilities and enforcement actions
• Practical tips for policy updates, training, and incident response

V. Next Steps and Resources

• Preparing for the final rule and potential implementation timeline
• Tools, templates, and references for ongoing compliance
• Live Q&A and discussion

Webinar Highlights

• Prepare attendees to meet the new, strengthened risk analysis requirements, including the mandated development of a technology asset inventory and a detailed network map.
• Identify updated requirements for HIPAA compliance audits and what organizations must do to stay audit-ready.
• Discuss new provisions for emergency preparedness and contingency planning, emphasizing enhanced expectations for continuity and recovery.
• Explain the elimination of the “required” vs. “addressable” distinction, and how this change significantly raises the bar for compliance.
• Describe new mandates for encryption and multi-factor authentication (MFA) to secure access and protect electronic protected health information (ePHI).

Who Should Attend

Attorneys, in-house counsel, Privacy officers, Security officers