The proposed HIPAA Security Rule update, published by the Office for Civil Rights (OCR) in January 2025, represents the most significant overhaul of healthcare cybersecurity requirements in over a decade. The changes are sweeping: mandatory encryption, required multi-factor authentication (MFA), elimination of the distinction between “required” and “addressable” safeguards, annual compliance audits, technology asset inventories, network mapping, and new business associate verification obligations. For large hospital systems with dedicated compliance departments and seven-figure security budgets, these changes will require significant effort. For small practices, they could be transformational.
This article focuses specifically on how the proposed rule will affect small and mid-sized healthcare practices: the five-provider orthopedic group, the solo-practitioner behavioral health office, the three-location dental practice. These are the organizations with the fewest resources and the most ground to cover, and they deserve a clear picture of what’s coming and how to prepare.
The Flexibility You Relied On Is Disappearing
Under the current Security Rule, certain implementation specifications are designated as “addressable,” which gives organizations the flexibility to evaluate a safeguard, determine whether it’s reasonable and appropriate for their environment, and either implement it, implement an equivalent alternative, or document why it isn’t applicable. For many small practices, the addressable category became an informal off-ramp for safeguards that felt too expensive or too complex to implement. Encryption at rest? Addressable. MFA? Addressable. Audit controls? Addressable.
The proposed rule eliminates that distinction entirely. Every implementation specification becomes mandatory, with only narrow, specifically defined exceptions. The flexibility that remains is in how you implement the safeguards, not whether you implement them. For practices that have been diligent about evaluating and documenting their addressable decisions, the transition may be manageable. For those who treated “addressable” as “optional” without documentation, the gap between the current posture and the new baseline could be substantial.
Encryption Becomes Non-Negotiable
The proposed rule requires encryption of all electronic protected health information (ePHI) at rest and in transit. Under the current rule, encryption was an addressable specification, and many small practices opted not to implement full encryption, particularly for data at rest on local workstations and servers. That option goes away under the proposed rule.
For practices using cloud-hosted EHR systems, encryption in transit is likely already handled by the vendor, and encryption at rest may also be covered depending on the platform. But ePHI doesn’t live only in the EHR. Think about the billing spreadsheet saved to the office manager’s desktop, the scanned intake forms stored on a shared drive, or the patient communication logs sitting in an email inbox. Every location where ePHI resides, whether it’s a server, a workstation, a laptop, or a USB drive, will need to be encrypted. Small practices will need to audit where their data lives and ensure encryption coverage across all of it.
The proposed rule does include a limited exception: if a technology asset does not support current encryption standards, the organization may establish a written migration plan and implement encryption within a reasonable timeframe. But this is a temporary bridge, not a permanent exemption.
MFA Everywhere
Multi-factor authentication will be required for all access points to systems containing ePHI, whether remote or on-site. This is one of the changes most likely to create workflow friction in small practices, particularly those that rely on shared workstations where multiple staff members need quick access throughout the day.
Under the proposed rule, every user who accesses a system containing ePHI will need to authenticate using at least two factors. The days of a shared login pinned to the break room wall or a single password that everyone on the team knows are over. Each staff member will need their own credentials, and every login will require a second verification step. For practices that have already implemented MFA for remote access but not for on-site systems, the scope of this requirement will expand significantly.
The operational impact is real. Clinicians and staff accustomed to quick-access workflows will need to adjust. Practices should begin evaluating MFA solutions that balance security requirements with clinical workflow needs, such as proximity-based authentication badges or biometric options that minimize friction while meeting the standard.
Annual Audits, Asset Inventories, and Network Maps
The proposed rule introduces three documentation requirements that will hit small practices hard, not because they’re technically complex, but because most small practices have never done them at all.
First, regulated entities will be required to perform and document an audit of their implementation of every administrative, technical, and physical safeguard at least once every 12 months. This goes well beyond the periodic risk assessment that HIPAA already requires. It’s a comprehensive, documented review of whether each safeguard is in place and functioning as intended.
Second, the proposed rule requires a technology asset inventory: a documented list of every device, system, and application that creates, receives, stores, or transmits ePHI. For a five-person dental practice, this might include the EHR system, the imaging workstation, the front desk computer, the office Wi-Fi router, a handful of tablets, the billing software, and the practice’s email platform. Every one of those assets needs to be documented.
Third, the proposed rule requires a network map illustrating how ePHI moves through the organization’s electronic information systems: where data enters, where it exits, and how it flows between systems along the way. Most small practices have never mapped their data flows. Building this documentation from scratch will take time, but it is also one of the most valuable exercises a practice can undertake, because you cannot protect what you cannot see.
Business Associate Obligations Tighten
Small practices are heavily dependent on third-party vendors for services that larger organizations handle internally: cloud-hosted EHRs, managed IT providers, billing services, patient communication platforms, and scheduling software. Each of these vendors is likely a business associate under HIPAA, and the proposed rule introduces new requirements that will affect how practices manage those relationships.
Under the proposed rule, business associates will be required to verify at least once every 12 months, through a written analysis by a subject matter expert, that they have deployed the technical safeguards required by the Security Rule. Covered entities will need to obtain these written certifications annually. Business associates will also be required to notify covered entities within 24 hours of activating a contingency plan and within 24 hours of any change in or termination of a workforce member’s access to the covered entity’s ePHI.
For small practices that signed a BAA three years ago and never revisited it, this is a significant operational shift. Existing BAAs will likely need to be updated to accommodate these new verification and notification obligations. The proposed rule gives organizations one year after the effective date of the final rule to update their BAAs, but starting those conversations with vendors early will ease the transition.
The Cost Question
HHS has estimated that the proposed rule will increase annual HIPAA compliance costs by roughly $4.6 billion across all regulated entities. Industry groups have pushed back hard, arguing that the requirements impose unfunded mandates on organizations that are already resource-constrained. Multiple healthcare associations submitted comments describing the proposed rule’s requirements as “rigid, one-size-fits-all” standards that will divert limited resources away from patient care.
For small practices, the cost concern is not abstract. Implementing full encryption, deploying MFA across all systems, conducting annual audits, building asset inventories, and updating BAAs all require either staff time or outside expertise, and often both. The question is not whether these costs are justified in principle; the question is how to absorb them without compromising the practice’s financial stability. Prioritizing the highest-risk gaps first, leveraging cloud-based solutions that bundle compliance features, and engaging a compliance partner that understands the small-practice environment are strategies that can make the transition more manageable.
In the end, the message is clear: other highly regulated industries have been adhering to requirements like these for years. The healthcare industry is truly the last regulated industry that has skirted the obligation to implement the best practices mandated by the NPRM.
The Rule Isn’t Final Yet, But the Direction Is Clear
The proposed rule is still moving through the regulatory process. Over 2,800 public comments were submitted during the comment period, and the final rule may look different from the proposal in meaningful ways. There is bipartisan support for strengthened healthcare cybersecurity requirements, so some version of these changes is likely to move forward. If finalized as proposed, regulated entities would have 180 to 240 days to comply.
Small practices that begin preparing now will have a significant advantage over those that wait until the final rule is published. Conduct a gap analysis against the proposed requirements. Start building your asset inventory. Evaluate your encryption and MFA posture. Review your BAAs. These steps are valuable regardless of the final rule’s specific provisions because they strengthen both your compliance and security posture.
At Axeleos, we built Sentraeus360 for exactly this moment. Our platform helps small and mid-sized healthcare practices navigate regulatory changes without enterprise-level resources, providing the tools to identify gaps, implement required safeguards, and maintain the documentation that auditors and regulators expect. Contact us today to start preparing on your terms.