Healthcare organizations across the country are closely watching the proposed changes to the HIPAA Security Rule.
The question is simple, but the answer is not: what should we be doing now?
Some headlines refer to these updates as “HIPAA 2.0.” That phrase may be useful shorthand in industry conversations, but it is not the official term used by the U.S. Department of Health and Human Services. The official language is the HIPAA Security Rule Notice of Proposed Rulemaking, often shortened to HIPAA Security Rule NPRM.
That distinction matters.
The current HIPAA Security Rule remains the enforceable standard today. Healthcare organizations are not yet required to comply with every proposed change as though it were final. Still, the NPRM provides healthcare leaders with a clear view of where federal cybersecurity expectations may be headed. The proposal emphasizes stronger safeguards for electronic protected health information, including multi-factor authentication, encryption, asset inventories, network maps, vulnerability management, penetration testing, recovery planning, annual audits, and business associate verification.[1]
For executives, compliance officers, practice administrators, CIOs, and IT leaders, the practical question is not whether every proposed requirement will become final exactly as written.
The better question is this:
Would your organization be ready if these expectations became reality?
That is where readiness work becomes valuable. Many proposed safeguards already align with sound healthcare cybersecurity practices. Organizations that begin assessing gaps now will likely be better positioned no matter how the final rule evolves.
HIPAA 2.0 At a Glance
- “HIPAA 2.0” is not an official HHS term. The official reference is the HIPAA Security Rule NPRM.
- The current HIPAA Security Rule remains in effect today.
- The proposed rule places more emphasis on MFA, encryption, asset inventories, network maps, risk analysis, vulnerability management, penetration testing, recovery planning, annual audits, and business associate verification.
- Healthcare organizations should treat the NPRM as a readiness roadmap, not a reason to panic.
- Many proposed safeguards already reflect cybersecurity practices that healthcare organizations should be evaluating.
- Readiness depends on more than policies. Organizations need evidence, tested recovery procedures, vendor oversight, and executive visibility.
- A structured assessment can help leaders prioritize the next 90 days instead of trying to fix everything at once.
What Is the HIPAA Security Rule NPRM?
The HIPAA Security Rule NPRM is a proposed update from HHS intended to strengthen cybersecurity protections for electronic protected health information (ePHI).
The proposal reflects a healthcare environment that looks very different from the one many current HIPAA requirements were built around. Healthcare organizations now depend on cloud applications, electronic health records, remote access, mobile devices, connected medical equipment, third-party vendors, telecommunications platforms, and distributed workforces.
That creates an opportunity.
It also creates more points of exposure.
The proposed rule would modify the existing HIPAA Security Rule to provide more specific instructions around how covered entities and business associates protect ePHI against internal and external threats.[2]
Simple Definition
The HIPAA Security Rule NPRM is a proposed federal rulemaking effort that would update how healthcare organizations and business associates protect electronic protected health information. It is proposed, not final.
Healthcare leaders should understand three things right away:
- The proposed rule is not the current enforceable standard.
- The existing HIPAA Security Rule remains in effect.
- Many proposed safeguards are already useful readiness priorities.
The right response is not to wait passively. It is to understand your current state, identify gaps, and build a practical roadmap.
If your team is unsure where to begin, DataTel’s free HIPAA Readiness Assessment can help identify gaps across access controls, resilience and recovery, compliance and audit readiness, and governance and risk.
Current HIPAA Security Rule vs. Proposed HIPAA Security Rule Updates
The current HIPAA Security Rule establishes administrative, physical, and technical safeguard requirements for ePHI. HHS describes the Security Rule as a national set of standards for protecting certain health information maintained or transmitted electronically.[3]
The proposed updates do not replace the current rule today. They point toward a more specific and evidence-driven future.
| Current HIPAA Security Rule | Proposed HIPAA Security Rule Updates |
| --- | --- |
| Flexible, scalable implementation approach | More prescriptive cybersecurity expectations |
| Encryption is often treated as addressable | Stronger expectations for encryption at rest and in transit |
| General risk analysis requirements | Greater specificity around risk analysis documentation |
| Limited explicit MFA language | Significant emphasis on MFA |
| Recovery planning is required | More detailed restoration expectations, including written procedures tied to a 72-hour objective |
| Vendor oversight expectations exist | Stronger business associate verification expectations |
| Policies and procedures are important | Operational evidence and validation receive greater emphasis |
| Security testing may vary by organization | More attention on vulnerability scanning, penetration testing, and segmentation |
The direction is clear. Regulators want healthcare organizations to demonstrate that safeguards are not only documented but also working.
Why Healthcare Organizations Are Paying Attention
For many healthcare organizations, the proposed changes to the HIPAA Security Rule are not just a compliance issue.
They are an operational issue.
When a cyber incident affects a healthcare environment, the disruption rarely stays inside the IT department. Staff may lose access to the EHR. Scheduling may slow down. Phones may stop routing correctly. Referrals may stall. Billing may be delayed. Patients may struggle to reach the practice.
That is why healthcare cybersecurity readiness must include continuity of patient care.
Data protection matters. So does availability.
This is also where DataTel Cybersecurity and managed IT support enter the broader resilience conversation. The goal is not simply to install safeguards. The goal is to help healthcare organizations identify issues faster, respond with less confusion, and maintain operations under high pressure.
Is HIPAA 2.0 an Official Regulation?
No.
“HIPAA 2.0” is an industry nickname. It is not the official name of a federal regulation.
Healthcare organizations should use more precise language when discussing compliance planning, board reporting, and vendor conversations. The better terms are:
- Proposed HIPAA Security Rule updates
- HIPAA Security Rule NPRM
- Proposed rule
- Proposed modifications to the HIPAA Security Rule
This language keeps the distinction clear. It also helps avoid a common mistake: treating every proposed safeguard as if it were already final and enforceable.
Are the Proposed HIPAA Security Rule Changes Already in Effect?
No.
The current HIPAA Security Rule remains in effect. The proposed rule is still part of the federal rulemaking process.
That does not mean healthcare organizations should ignore it.
The NPRM is useful because it shows where expectations may be going. It also highlights areas where many organizations already have known gaps: authentication, encryption, asset visibility, recovery testing, vendor oversight, and documentation.
For many leaders, the proposed rule is a prompt to ask better questions.
- Do we know where ePHI lives?
- Can we prove MFA is enabled where it matters most?
- Have we tested recovery, or do we simply have backups?
- Can we show evidence of vendor oversight?
Those are readiness questions. They are also leadership questions.
What Is Changing in the Proposed HIPAA Security Rule?
The proposed changes to the HIPAA Security Rule focus on specificity, accountability, and validation.
Historically, HIPAA has allowed flexibility, enabling organizations to implement safeguards based on their size, complexity, capabilities, and risks. That flexibility remains important. A large health system and a small specialty practice do not operate the same way.
Still, flexibility can create inconsistency.
The NPRM responds to that concern by proposing more detailed requirements across several cybersecurity areas.
HIPAA MFA Requirement Expectations
Multi-factor authentication, or MFA, receives significant attention in the proposed rule.
Current HIPAA regulations do not explicitly require MFA in every circumstance. However, MFA has become one of the most important safeguards against credential theft and unauthorized access.
That matters because stolen credentials can open the door to email, patient portals, cloud systems, remote access platforms, billing systems, administrative applications, and EHR environments.
MFA does not solve every access problem. It does reduce one of the most common ways attackers gain entry.
For healthcare organizations, the practical starting point is to review MFA coverage across:
- Remote access
- Cloud applications
- Administrative accounts
- EHR access
- Vendor access
- Privileged accounts
- Backup and recovery systems
For a deeper technical breakdown, see Does HIPAA Require MFA, Encryption, Vulnerability Scanning, and Network Segmentation?
Encryption Expectations
Encryption is another major area of focus.
Under the current HIPAA Security Rule, encryption has historically been treated as an addressable implementation specification. That does not mean optional in the casual sense. It means organizations must assess whether encryption is reasonable and appropriate, and if not, document why an alternative safeguard is used.
The proposed updates would strengthen expectations around encryption of ePHI at rest and in transit.
Healthcare organizations should review where ePHI is stored, transmitted, backed up, and accessed. That may include:
- EHR systems
- Cloud storage
- Patient portals
- Mobile devices
- Laptops
- File shares
- Backup repositories
- Vendor platforms
- Telehealth systems
Encryption is not only a technical control. It is part of risk reduction, breach impact management, and patient trust.
Asset Inventories and Network Maps
Organizations cannot protect what they cannot identify.
That is why asset inventories and network maps receive more attention in the proposed rule.
During real incidents, one of the first challenges is often basic visibility. What systems exist? Which ones store or transmit ePHI? What vendors connect to them? Which devices are unsupported? Which applications are cloud-hosted? Which systems are essential to clinical operations?
A reliable asset inventory should include more than a spreadsheet of computers.
It should help leaders understand:
- Hardware
- Software
- Cloud services
- Network devices
- Endpoints
- Medical devices
- Vendor connections
- Data flows involving ePHI
- Critical business and clinical dependencies
This is where DataTel’s Network and Server Management support can connect infrastructure visibility with practical cybersecurity planning.
Risk Analysis Requirements
Risk analysis has always been foundational to HIPAA compliance. The proposed rule would add greater specificity around how organizations identify risks, evaluate threats, document findings, and prioritize remediation.
A HIPAA risk analysis is not the same as a vulnerability scan.
A scan identifies technical weaknesses. A risk analysis looks more broadly at ePHI, threats, vulnerabilities, safeguards, likelihood, impact, vendors, workflows, and organizational context.
That distinction matters because two organizations can have the same technical vulnerability but very different risk levels.
A vulnerability on a lightly used internal system is different from a vulnerability affecting a system tied to patient scheduling, remote access, or EHR availability.
For a deeper explanation, see HIPAA Risk Analysis vs. Vulnerability Scan: What Healthcare Practices Often Miss
Vulnerability Scanning and Continuous Visibility
The proposed rule places more emphasis on identifying and managing technical weaknesses.
Vulnerability scans can help uncover:
- Missing patches
- Outdated software
- Unsupported operating systems
- Misconfigured systems
- Weak network services
- Known software vulnerabilities
- Exposed internet-facing assets
But scanning is only the beginning.
The real work is prioritization. Healthcare organizations need a repeatable process for reviewing findings, assigning ownership, remediating high-risk issues, documenting progress, and connecting technical findings to broader risk management.
A vulnerability report sitting in a folder does not reduce risk by itself.
A managed process does.
Healthcare organizations that need support turning findings into action may benefit from DataTel Cybersecurity services, especially when internal IT teams are stretched thin.
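The distinction drawn above between a scan finding and a risk, and the call for a repeatable prioritization process, can be made concrete in code. The following is an added example written for this article, not DataTel's tooling: a constructed asset inventory (ePHI handling, clinical criticality, exposure, support status) is joined to constructed scan findings so that the same scanner severity yields a different risk and remediation window depending on the system it lands on. Weights, bands, asset names and findings are all assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of an asset inventory (constructed for this example)."""
    name: str
    owner: str
    stores_ephi: bool
    clinical_critical: bool   # needed to keep patient care moving (EHR, scheduling, remote access)
    internet_facing: bool
    supported: bool = True    # vendor still provides security patches


@dataclass(frozen=True)
class Finding:
    """One scanner finding, as a scan report would list it (constructed)."""
    asset: str
    title: str
    severity: float           # 0-10, CVSS-style base score from the scanner
    exploit_known: bool = False


# The weights and bands below are assumptions of this example. They exist to make
# the article's point: impact comes from what the system does for ePHI and patient
# care, not from the scanner score alone.
def business_impact(asset: Asset) -> int:
    """1 (no ePHI, not clinical) up to 7 (holds ePHI and is clinically critical)."""
    impact = 1
    if asset.stores_ephi:
        impact += 3
    if asset.clinical_critical:
        impact += 3
    return impact


def likelihood(asset: Asset, finding: Finding) -> float:
    """0.0-1.0: scanner severity adjusted for exposure, known exploitation, support."""
    value = finding.severity / 10.0
    if asset.internet_facing:
        value *= 1.5
    if finding.exploit_known:
        value *= 1.5
    if not asset.supported:
        value *= 1.25         # no patch is coming, so the weakness will persist
    return min(value, 1.0)


def risk_score(asset: Asset, finding: Finding) -> float:
    """Risk on a 0-70 scale: impact x likelihood x 10, rounded to one decimal."""
    return round(business_impact(asset) * likelihood(asset, finding) * 10, 1)


def remediation_window_days(score: float) -> int:
    """Target remediation window by risk band (assumed policy values)."""
    if score >= 50:
        return 7
    if score >= 25:
        return 30
    return 90


def prioritize(assets: list, findings: list) -> list:
    """Return a remediation queue, highest risk first, each item with an owner.

    A finding whose asset is missing from the inventory is kept at the end of the
    queue and flagged: the inventory gap is itself a finding to close."""
    inventory = {a.name: a for a in assets}
    queue = []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            queue.append({"asset": f.asset, "title": f.title, "owner": "UNASSIGNED",
                          "risk": 0.0, "due_days": None, "note": "asset not in inventory"})
            continue
        score = risk_score(asset, f)
        queue.append({"asset": asset.name, "title": f.title, "owner": asset.owner,
                      "risk": score, "due_days": remediation_window_days(score), "note": ""})
    queue.sort(key=lambda row: (row["note"] != "", -row["risk"]))
    return queue


# Constructed sample data: the same critical web-framework finding appears on an
# EHR application server and on an internal wiki.
INVENTORY = [
    Asset("ehr-app-server", "Clinical IT", stores_ephi=True, clinical_critical=True, internet_facing=False),
    Asset("intranet-wiki", "Infrastructure", stores_ephi=False, clinical_critical=False, internet_facing=False),
    Asset("vpn-gateway", "Network Team", stores_ephi=False, clinical_critical=True, internet_facing=True),
    Asset("lab-analyzer-pc", "Biomed", stores_ephi=True, clinical_critical=False, internet_facing=False, supported=False),
]

SCAN_FINDINGS = [
    Finding("ehr-app-server", "Remote code execution in web framework", 9.8),
    Finding("intranet-wiki", "Remote code execution in web framework", 9.8),
    Finding("vpn-gateway", "Authentication bypass in VPN appliance", 7.5, exploit_known=True),
    Finding("lab-analyzer-pc", "Unsupported operating system", 5.0),
    Finding("old-fax-server", "Outdated TLS configuration", 6.0),   # not in the inventory
]


def demo() -> list:
    """Prioritized queue for the constructed inventory and scan results."""
    return prioritize(INVENTORY, SCAN_FINDINGS)


if __name__ == "__main__":
    for row in demo():
        print(f'{row["risk"]:5.1f}  {row["asset"]:16} {row["owner"]:15} '
              f'due in {row["due_days"]} days  {row["title"]} {row["note"]}')
```

The identical finding scores 68.6 on the EHR server (seven-day window) and 9.8 on the wiki (ninety-day window), which is the difference between a scan result and a risk analysis entry.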
Vulnerability Scan vs. Penetration Test
These terms are often used together, but they are not the same.
| Vulnerability Scan | Penetration Test |
| --- | --- |
| Identifies known technical weaknesses | Tests whether weaknesses can be exploited |
| Often automated | Usually includes hands-on security testing |
| Produces a list of findings | Shows practical attack paths and impact |
| Helps with continuous visibility | Helps validate whether safeguards work |
| Useful for routine risk management | Useful for deeper security validation |
| Answers “What might be weak?” | Answers “What could an attacker actually do?” |
Both can support cybersecurity readiness. Neither replaces a HIPAA risk analysis.
Network Segmentation and Containing Risk
Many healthcare networks grew gradually.
A new application was added. A vendor needed access. A medical device was connected. A phone system was upgraded. A cloud service became essential. Over time, the network became more connected than anyone intended.
That creates risk.
If an attacker compromises one device, weak segmentation may make it easier to move into other systems. In a healthcare setting, that movement can affect patient records, communications, billing, imaging, scheduling, and administrative operations.
Network segmentation helps limit that spread.
Good segmentation can help organizations:
- Isolate sensitive systems
- Limit attacker movement
- Protect critical applications
- Reduce ransomware impact
- Support incident containment
- Improve resilience during outages
- Strengthen compliance visibility
Not every system needs the same level of access. EHR systems, finance platforms, administrative workstations, medical devices, guest networks, and vendor connections should not all be treated the same.
Backup and Recovery Are Not the Same Thing
Backups are important.
They are not a recovery strategy by themselves.
Healthcare organizations often discover this the hard way. A backup may exist, but restoration may take longer than expected. The backup may be incomplete. Critical applications may be missing. Dependencies may not be documented. The staff member who knows the process may be unavailable.
Recovery is broader than data preservation.
| Backup | Recovery |
| --- | --- |
| Creates copies of data | Restores systems and operations |
| Focuses on preservation | Focuses on continuity |
| May run automatically | Requires planning, roles, and testing |
| Answers “Do we have the data?” | Answers “Can we operate again?” |
| Supports resilience | Delivers resilience when validated |
| Can exist without operational testing | Requires exercises and proof |
For healthcare organizations, the recovery question is not just “Can we restore files?”
It is “Can we keep serving patients?”
That includes EHR access, phones, scheduling, prescriptions, referrals, billing, network access, identity systems, and staff communications.
For a deeper dive, see The 72-Hour Recovery Objective: How Healthcare Practices Can Prepare for EHR, Phone, and Network Downtime
Understanding the Proposed 72-Hour Restoration Objective
One of the most discussed portions of the proposed rule concerns written procedures for restoring certain relevant systems and data within 72 hours.
Healthcare leaders are paying attention because three days of downtime can create serious operational strain.
A prolonged outage may affect:
- Patient care
- Scheduling
- Referrals
- Prescription workflows
- Revenue cycle operations
- Patient communications
- Staff productivity
- Vendor coordination
- Compliance response
The proposed 72-hour objective should prompt a practical question:
If a ransomware attack or a major outage occurred tomorrow, could we restore the systems needed to support patient care within 3 days?
Many organizations are not sure.
That uncertainty is useful. It shows where readiness work should begin.
Organizations already thinking about cyber incident timing may also find DataTel’s healthcare CIRCIA resource useful, especially where incident reporting expectations, operational coordination, and downtime planning intersect. See CIRCIA for Healthcare: Are You 72-Hour Ready? and 72 Hours vs. Existing Notification Clocks
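The question of whether patient-care systems could be back within 72 hours depends on restore times, documented dependencies, and how many restores the team can run at once. The following added example (written for this article, not DataTel's or any vendor's tooling) schedules a constructed restoration plan under those constraints and reports which critical systems would miss the objective; it also refuses to produce a timeline when a dependency has no documented restore procedure or when dependencies form a loop. System names, hours, and team capacity are assumptions.

```python
from typing import Dict, List, Tuple

# plan: system -> (restore_hours, [systems that must be restored first])
Plan = Dict[str, Tuple[float, List[str]]]


def restoration_schedule(plan: Plan, parallel: int) -> Dict[str, float]:
    """Greedy list schedule: returns the hour at which each system is back.

    A system starts only once all of its dependencies are restored and one of
    the `parallel` restore teams is free. Undocumented or circular dependencies
    raise an error rather than silently producing an optimistic timeline."""
    undocumented = {d for _, deps in plan.values() for d in deps if d not in plan}
    if undocumented:
        raise ValueError(f"dependencies with no restore procedure: {sorted(undocumented)}")
    finish: Dict[str, float] = {}
    team_free = [0.0] * parallel
    remaining = dict(plan)
    while remaining:
        ready = [n for n, (_, deps) in remaining.items() if all(d in finish for d in deps)]
        if not ready:
            raise ValueError(f"circular dependencies among: {sorted(remaining)}")

        def earliest(name: str) -> float:
            return max((finish[d] for d in remaining[name][1]), default=0.0)

        team = min(range(parallel), key=lambda i: team_free[i])
        # Take the ready system that can start soonest; on ties, the longest
        # restore first so that long jobs are not pushed to the end.
        name = min(ready, key=lambda n: (max(earliest(n), team_free[team]), -remaining[n][0], n))
        start = max(earliest(name), team_free[team])
        finish[name] = start + remaining[name][0]
        team_free[team] = finish[name]
        del remaining[name]
    return finish


def missed_objective(finish: Dict[str, float], critical: List[str],
                     objective_hours: float = 72.0) -> List[str]:
    """Critical systems whose restoration completes after the objective."""
    return sorted(n for n in critical if finish[n] > objective_hours)


# Constructed plan: hours to restore each system and what it depends on.
PLAN: Plan = {
    "identity":       (6.0,  []),
    "network-core":   (4.0,  []),
    "storage":        (8.0,  ["network-core"]),
    "ehr-db":         (20.0, ["storage", "identity"]),
    "ehr-app":        (6.0,  ["ehr-db"]),
    "phone-system":   (10.0, ["network-core", "identity"]),
    "scheduling":     (8.0,  ["ehr-app"]),
    "billing":        (12.0, ["ehr-db"]),
    "imaging-pacs":   (30.0, ["storage", "identity"]),
    "patient-portal": (6.0,  ["ehr-app", "identity"]),
}

# Systems that must be back for patient care to continue (assumed).
CRITICAL = ["identity", "phone-system", "ehr-app", "scheduling"]


def demo() -> Dict[str, object]:
    """Compare two restore teams against a single person holding the process."""
    two_teams = restoration_schedule(PLAN, parallel=2)
    one_person = restoration_schedule(PLAN, parallel=1)
    return {
        "two_teams_last_hour": max(two_teams.values()),
        "two_teams_missed": missed_objective(two_teams, CRITICAL),
        "one_person_last_hour": max(one_person.values()),
        "one_person_missed": missed_objective(one_person, CRITICAL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With two teams every critical system is back by hour 56; with one person the same plan runs 110 hours and the EHR application and scheduling miss the 72-hour objective, which is why the article treats an undocumented process held by one staff member as a recovery risk.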
Business Associate Verification and Vendor Accountability
Healthcare organizations depend on vendors.
That includes EHR providers, billing platforms, cloud services, managed IT providers, telecommunications vendors, cybersecurity providers, consultants, data storage platforms, and software integrations.
Each relationship creates value.
Each also creates risk.
Historically, many organizations treated a signed Business Associate Agreement (BAA) as the primary evidence of vendor readiness. BAAs remain important. They define obligations and responsibilities related to protected health information.
But a signed contract does not prove security controls are working.
A BAA does not verify:
- MFA usage
- Encryption practices
- Recovery readiness
- Security monitoring
- Incident response processes
- Vulnerability management
- Subcontractor oversight
- Backup testing
- Privileged access controls
The proposed rule places more emphasis on business associate accountability and verification.
For healthcare leaders, the practical takeaway is clear: vendor risk is organizational risk.
For more guidance, see Are BAAs Enough for HIPAA? What Healthcare Organizations Should Ask Vendors and Business Associates
Annual Audits and Compliance Validation
Many organizations prepare for compliance reviews only when something forces the issue.
An audit notice arrives. A cyber insurance questionnaire is due. A contract requires evidence. A regulator asks questions after an incident.
That reactive model creates stress.
The proposed rule points toward a more continuous approach to validation. Annual reviews can help organizations confirm that safeguards are still effective, documentation is up to date, and remediation efforts are progressing.
Annual validation may include:
- Access reviews
- Risk analysis updates
- Vulnerability management reports
- Security testing results
- Backup and recovery test records
- Vendor reviews
- Incident response exercises
- Policy reviews
- Audit log reviews
- Executive reporting
This is where many organizations discover the gap between documentation and evidence.
A policy says what should happen.
Evidence shows what did happen.
What Healthcare Organizations Often Get Wrong About HIPAA Cybersecurity
The proposed HIPAA Security Rule updates have sparked important conversations. They have also exposed several common misunderstandings.
Mistake 1: Assuming Compliance Equals Security
Compliance and security are connected, but they are not identical.
An organization may have policies in place and still have serious operational risk. Security depends on whether safeguards work in real environments, under real pressure, with real users and vendors involved.
Mistake 2: Treating a Vulnerability Scan as a HIPAA Risk Analysis
A vulnerability scan identifies technical weaknesses.
A HIPAA risk analysis evaluates the risk to ePHI across systems, people, processes, vendors, and safeguards, as well as the likelihood and impact.
Both matter. They are not interchangeable.
Mistake 3: Assuming a Signed BAA Solves Vendor Risk
A BAA is a legal agreement. It is not a security assessment.
Healthcare organizations increasingly need evidence that vendors can protect ePHI, maintain resilience, communicate during incidents, and support recovery.
Mistake 4: Believing Backups Guarantee Recovery
Backups matter, but recovery depends on tested restoration procedures, documented dependencies, clear roles, and operational continuity planning.
A backup that cannot be restored fast enough may not support patient care when it matters most.
Mistake 5: Thinking HIPAA Is Only an IT Responsibility
Cybersecurity affects clinical operations, compliance, finance, leadership, vendors, communications, and patient trust.
The strongest programs treat HIPAA readiness as an organization-wide responsibility.
Mistake 6: Waiting for the Final Rule Before Acting
The proposed rule may change before it becomes final.
That is not a reason to delay practical improvements. MFA, encryption, recovery testing, asset visibility, vendor oversight, and evidence collection are already meaningful risk reduction priorities.
What These Proposed HIPAA Security Rule Changes Could Mean for Healthcare Organizations
The most important takeaway is not one specific safeguard.
It is the overall direction.
The proposed HIPAA Security Rule changes point toward stronger cybersecurity maturity, more specific documentation, better recovery planning, and clearer accountability.
Healthcare organizations may need to answer questions like:
- Can we demonstrate MFA coverage?
- Can we verify encryption practices?
- Do we know where ePHI exists?
- Do we maintain accurate asset inventories?
- Have we tested restoration procedures?
- Can we show vendor oversight evidence?
- Do we document vulnerability remediation?
- Can leadership see cybersecurity risk in plain language?
- Do we have a practical 90-day roadmap?
For many organizations, the challenge is not knowing that cybersecurity matters.
The challenge is knowing what to do first.
That is why a structured readiness assessment can be so useful. It helps leaders move from general concern to practical prioritization.
A Practical HIPAA Readiness Roadmap
Preparing for potential HIPAA Security Rule changes does not require rebuilding your entire environment overnight.
It does require structure.
Step 1: Understand Your Current State
Start with visibility.
Evaluate:
- Identity and access management
- MFA deployment
- Encryption coverage
- Asset inventories
- Network maps
- Recovery procedures
- Backup testing
- Vendor oversight
- Logging and monitoring
- Risk analysis documentation
- Cybersecurity governance
Without a clear baseline, improvement efforts can become scattered.
Step 2: Prioritize High-Risk Areas
Not every gap carries the same risk.
Start with areas that affect ePHI protection, patient care continuity, and incident containment. Common priorities include:
- MFA expansion
- Privileged access controls
- Endpoint protection
- Vulnerability remediation
- Backup validation
- Recovery testing
- Network segmentation
- Vendor reviews
- Executive reporting
This is where DataTel Co-Managed IT can help internal IT teams that need extra cybersecurity depth, escalation support, or project execution capacity.
For organizations without a full internal IT function, DataTel Fully Managed IT can provide broader support across help desk, cybersecurity, cloud, devices, networks, servers, vendors, and strategic planning.
Step 3: Build Evidence, Not Just Policies
Healthcare organizations should be able to produce evidence that security activities are happening.
Examples include:
- MFA reports
- User access reviews
- Risk analysis records
- Vulnerability scan results
- Remediation logs
- Backup testing records
- Recovery exercise notes
- Incident response documentation
- Vendor assessment records
- Security monitoring reports
- Audit logs
This evidence supports audits, insurance reviews, executive oversight, and incident response.
It also helps leaders understand whether the program is working.
Step 4: Strengthen Recovery and Resilience
Recovery planning should account for clinical operations, not just servers.
That means identifying the systems and workflows required to keep care moving during disruption.
Include:
- EHR access
- Phone systems
- Scheduling
- Billing
- Patient communications
- Prescriptions
- Referrals
- Identity systems
- Cloud applications
- Vendor dependencies
- Staff communication plans
Healthcare organizations that rely heavily on voice and communications infrastructure should also think about continuity planning through that lens. A phone outage is not just a telecom issue when patients cannot reach providers.
For executive-level planning, see Healthcare Cyber Resilience: How to Reduce Risk Without Disrupting Patient Care
Step 5: Create a Continuous Improvement Process
Cybersecurity readiness is not a one-time project.
Technology changes. Vendors change. Staff changes. Threats change. Clinical workflows change.
A stronger approach includes routine review, measurable progress, and leadership visibility.
The goal is not perfection.
The goal is steady, defensible improvement.
What Healthcare Leaders Should Do in the Next 90 Days
A 90-day roadmap gives healthcare organizations a practical way to move forward without overwhelming the team.
Days 1 to 30: Establish the Baseline
Start with the basics.
- Complete a readiness assessment.
- Review MFA coverage across critical systems.
- Identify where ePHI is stored, transmitted, and accessed.
- List critical systems tied to patient care.
- Confirm who owns decisions on cybersecurity, compliance, and recovery.
- Identify vendors that support ePHI or critical operations.
Not sure where your organization stands? Take DataTel’s free HIPAA Readiness Assessment to identify gaps across access controls, resilience and recovery, compliance and audit, and governance and risk.
Days 31 to 60: Validate Controls and Evidence
Move from assumptions to proof.
- Review encryption practices.
- Validate backup success and restoration capability.
- Review vulnerability scan findings.
- Confirm vendor security documentation.
- Gather access review evidence.
- Update risk analysis documentation.
- Identify missing logs, reports, or audit trails.
This is also a good time to explore the DataTel Cyber Risk Hub, especially if leadership needs a clearer view of exposure, maturity, domain risk, Microsoft 365 posture, or insurance readiness.
Days 61 to 90: Prioritize and Execute
Turn findings into a plan.
- Rank remediation projects by risk.
- Test recovery procedures.
- Document lessons learned.
- Build an executive reporting cadence.
- Assign owners and due dates.
- Address high-risk vendor gaps.
- Plan longer-term improvements around segmentation, monitoring, and resilience.
By day 90, leaders should have more than a list of concerns. They should have a working roadmap.
How DataTel Helps Healthcare Organizations Move from Uncertainty to Readiness
Many healthcare organizations understand the importance of cybersecurity. The harder part is knowing where to begin, what to prioritize, and how to keep daily operations moving while improvements are made.
DataTel helps healthcare organizations evaluate readiness across four practical areas.
Access Controls
This includes:
- MFA readiness
- Identity management
- Privileged access controls
- User lifecycle management
- Remote access security
Resilience and Recovery
This includes:
- Backup validation
- Recovery planning
- Downtime preparedness
- Communications continuity
- Operational recovery priorities
Compliance and Audit Readiness
This includes:
- Documentation review
- Evidence collection
- Monitoring visibility
- Reporting capabilities
- Audit preparation support
Governance and Risk
This includes:
- Risk analysis support
- Vendor oversight
- Security program maturity
- Remediation roadmaps
- Executive reporting
Take DataTel’s Free HIPAA Readiness Assessment
Know where your HIPAA readiness gaps are before they lead to an audit, downtime, or security issues.
Take DataTel’s free HIPAA Readiness Assessment to score your organization across:
- Access controls
- Resilience and recovery
- Compliance and audit readiness
- Governance and risk
The assessment also provides:
- Readiness scoring
- Clinical downtime exposure insights
- Prioritized recommendations
- A practical 90-day roadmap
Start here: Take the HIPAA Readiness Assessment
DataTel brings together managed IT, cybersecurity, networking, communications, cloud support, vendor coordination, and compliance-focused technology guidance. Learn more about the company’s background and approach on the About DataTel page.
The goal is practical: reduce risk while supporting patient care.
Conclusion
The proposed changes to the HIPAA Security Rule represent one of the most important healthcare cybersecurity conversations in years.
The proposal is not final. The current HIPAA Security Rule remains in effect.
Still, the direction is hard to miss.
Healthcare organizations are being pushed toward greater visibility, stronger access controls, better recovery planning, more formal vendor oversight, stronger documentation, and stronger evidence that safeguards are working.
That is a healthy shift.
Cybersecurity readiness is no longer only a compliance issue. It is a patient care issue. It is a business continuity issue. It is a leadership issue.
Organizations that begin now will be better prepared for whatever comes next, whether the final rule changes, timelines shift, or expectations continue to rise through audits, insurance reviews, vendor contracts, and patient trust.
Start with what you can see. Assess the gaps. Prioritize the next 90 days.
Then keep moving.
Frequently Asked Questions
What is HIPAA 2.0?
HIPAA 2.0 is not an official government term. It is an industry nickname commonly used to refer to the proposed HIPAA Security Rule updates. The official term is the HIPAA Security Rule Notice of Proposed Rulemaking, or HIPAA Security Rule NPRM.
Are the proposed changes to the HIPAA Security Rule final?
No. The proposed changes remain part of the federal rulemaking process. The current HIPAA Security Rule remains in effect.
What is the HIPAA Security Rule NPRM?
The HIPAA Security Rule NPRM is a proposed HHS update that would modify the current Security Rule to strengthen cybersecurity protections for electronic protected health information.
Does HIPAA require MFA?
Current HIPAA regulations do not explicitly require MFA in every circumstance. However, MFA is widely recognized as an important safeguard against credential theft, and the proposed rule places significant emphasis on MFA.
Does HIPAA require encryption?
Under the current HIPAA Security Rule, encryption has historically been treated as an addressable implementation specification. The proposed rule would strengthen expectations around encryption for ePHI at rest and in transit.
Does HIPAA require vulnerability scanning?
The current Security Rule does not prescribe one universal vulnerability scanning schedule. However, identifying and managing vulnerabilities is an important part of effective cybersecurity and risk management.
Does HIPAA require penetration testing?
Current HIPAA regulations do not explicitly mandate penetration testing in every circumstance. The proposed updates place more emphasis on validating security controls and identifying weaknesses.
What is the difference between a vulnerability scan and a HIPAA risk analysis?
A vulnerability scan identifies technical weaknesses. A HIPAA risk analysis evaluates risks to ePHI across systems, people, processes, vendors, safeguards, likelihood, and potential impact.
What is the proposed 72-hour restoration objective?
The NPRM discusses written procedures designed to restore certain relevant systems and data within 72 hours. Healthcare organizations should view this as a prompt to evaluate recovery planning, system dependencies, and patient care continuity.
Are backups enough for HIPAA readiness?
No. Backups are important, but healthcare organizations should also test restoration procedures, document recovery roles, understand system dependencies, and evaluate whether critical operations can continue during an outage.
How should healthcare organizations prepare for the proposed updates to the HIPAA Security Rule?
Healthcare organizations should assess their current readiness, review MFA and encryption practices, update risk analysis documentation, validate backup and recovery capabilities, evaluate vendor oversight, improve evidence collection, and build a prioritized 90-day roadmap.