March 17

The End of Addressable Safeguards: How to Prepare Before the Rule Is Final

For over two decades, the HIPAA Security Rule has drawn a distinction between required and addressable implementation specifications. That distinction is about to disappear. The proposed update to the HIPAA Security Rule, published by the HHS Office for Civil Rights (OCR) in January 2025, eliminates the addressable category entirely. If finalized, every implementation specification under the Security Rule will be mandatory, with only narrow, specifically defined exceptions.

This is the single largest structural change in the proposed rule, and it will have a significant impact on how covered entities and business associates approach compliance. The rule was proposed in 2024, and there is bipartisan support for strengthened healthcare cybersecurity requirements, given the surge in healthcare data breaches over the past several years. Once the changes are implemented, regulated entities would have 240 days to comply. For organizations that have been treating “addressable” as a synonym for “optional,” the shift will be especially jarring.

In this article, we’ll break down what addressable safeguards were, why they’re going away, what replaces them, and how your organization should prepare.

What “Addressable” Was Supposed to Mean

Under the current Security Rule, implementation specifications fall into two categories: required and addressable. Required specifications must be implemented as written. Addressable specifications offer more flexibility. When a specification is designated as addressable, a covered entity must assess whether the safeguard is reasonable and appropriate for its environment. If the entity determines that it is, the safeguard must be implemented. If the entity determines that it is not, the entity must document why, and either implement an equivalent alternative measure or accept the risk.

The intent was practical. HIPAA applies to organizations of wildly different sizes and technical complexity, from multi-hospital systems to solo practitioners. Addressable specifications were designed to give smaller or less complex organizations room to tailor their security controls to their specific risk profile and resources. A five-person dental practice, for example, might not need the same encryption infrastructure as a regional health plan. The addressable framework allowed that practice to evaluate the safeguard, consider alternatives, and document its reasoning.

How Addressable Became Optional

The problem is that a significant number of regulated entities interpreted “addressable” to mean “optional.” OCR has stated this explicitly in the preamble to the proposed rule: despite years of guidance clarifying that addressable does not mean optional, compliance gaps have persisted. Organizations skipped safeguards like encryption at rest, multi-factor authentication (MFA), and audit controls, not because they conducted a formal risk analysis and documented a valid alternative, but because the addressable label gave them a perceived off-ramp. In many cases, there was no documentation at all. The safeguard was simply never implemented, and no one questioned it until a breach investigation brought it to light.

The result has been a patchwork of security postures across the healthcare industry. Some organizations implemented addressable safeguards rigorously. Others treated them as suggestions. OCR’s enforcement experience, particularly in breach investigations, has repeatedly revealed that organizations lacked basic protections that were technically required under the addressable framework but had never been implemented or documented. This inconsistency is one of the primary drivers behind the proposed change.

What the Proposed Rule Changes

The proposed update to the Security Rule removes the distinction between required and addressable entirely. Under the new framework, all implementation specifications are mandatory. Covered entities (CEs) and business associates (BAs) will be expected to implement every safeguard prescribed by the rule, with flexibility only in how they implement them, not whether they do.

Several safeguards that were previously addressable will become explicitly required. The most notable examples include encryption of electronic protected health information (ePHI) at rest and in transit, multi-factor authentication for all access points to systems containing ePHI, and audit controls that track and monitor access to ePHI. Beyond these specific safeguards, the proposed rule also requires organizations to perform and document an audit of their implementation of every administrative, technical, and physical safeguard at least once every 12 months. Each of these requirements was already expected under the addressable framework for most organizations, but the proposed rule eliminates any ambiguity.

The proposed rule does include limited exceptions. For encryption, if an organization is using a technology asset that does not support current encryption standards, the entity may establish a written migration plan and implement encryption within a reasonable timeframe. Another exception applies when a patient explicitly requests that their information be transmitted in an unencrypted format under the Right of Access provisions. But these are narrow carve-outs, not the broad flexibility that the addressable category previously provided.

The Impact on Small and Mid-Sized Practices

For organizations that have been diligent about evaluating and implementing addressable safeguards, the operational impact may be modest. The proposed rule largely formalizes what these organizations were already doing. The heavier burden falls on practices that relied on the addressable label to defer or avoid safeguards they found costly or complex to implement.

Small and mid-sized practices will feel this most acutely. Mandatory encryption across all ePHI, at rest and in transit, will require investment in technology and, in some cases, infrastructure upgrades. MFA implementation across every system that touches ePHI will add complexity to daily workflows, particularly in practices where shared workstations or quick-access environments are the norm. Annual compliance audits, technology asset inventories, and network mapping requirements will demand time and expertise that many smaller organizations simply do not have in-house.

HHS has estimated that the proposed rule will increase annual HIPAA compliance costs by roughly $4.6 billion across all regulated entities. Industry groups have pushed back, arguing that the requirements impose unfunded mandates on organizations that are already resource-constrained. The tension between stronger security standards and the financial realities of small healthcare operations is real, and it remains to be seen how much the final rule will adjust in response to the more than 2,800 public comments submitted during the comment period.

Getting From Addressable to Mandatory

Regardless of whether the final rule mirrors the proposed version or arrives with modifications, the direction is clear: the era of treating addressable safeguards as optional is over. Organizations that begin preparing now will be in a significantly stronger position when the compliance clock starts.

Start by conducting a gap analysis against the proposed requirements. Identify which addressable specifications your organization has not fully implemented and assess what it will take to close those gaps. Pay particular attention to encryption, MFA, and audit controls, as these are the areas where the largest compliance deficits tend to exist in small practices. For each gap, document the current state, the required state under the proposed rule, and the resources needed to bridge the difference.

Review your technology asset inventory. The proposed rule requires a documented inventory of all technology assets that may impact the confidentiality, integrity, or availability of ePHI, along with a network map showing how ePHI moves through your systems. If you don’t have this documentation today, building it will take time, and it will also inform every other compliance decision you make going forward.

Update your business associate agreements. The proposed rule introduces new verification requirements, including annual written certifications from BAs confirming that required technical safeguards are in place. Your existing BAAs may not contain the language necessary to support these obligations.

Finally, budget for the transition. Whether the compliance timeline ends up being 180 days, 240 days, or longer, the financial and operational investment required to meet mandatory safeguard requirements will be substantial for organizations that have deferred these measures. Starting early gives you the runway to implement changes incrementally rather than scrambling to comply under deadline pressure.

The Flexibility Is in the “How,” Not the “Whether”

The elimination of addressable safeguards represents a philosophical shift in how HIPAA approaches security. The message from OCR is unambiguous: the baseline is going up, and the flexibility that allowed organizations to opt out of critical protections is going away. What remains is the flexibility to implement safeguards in a manner appropriate to your organization’s size and complexity. That’s an important distinction, and it’s one that well-structured compliance programs can use to their advantage.

At Axeleos, we help healthcare organizations navigate regulatory changes like these without guesswork. Sentraeus360 is built to help covered entities and business associates identify compliance gaps, implement required safeguards, and maintain the documentation that regulators expect. If the proposed Security Rule has you rethinking your compliance posture, that’s the right instinct. Contact us today to get ahead of the change.
