A practical readiness guide for stronger compliance, better cybersecurity, and fewer surprises when the rules change
HIPAA compliance has always required healthcare organizations to protect patient information. But for many providers, business associates, and healthcare vendors, HIPAA has often been treated as a documentation exercise: maintain policies, complete annual training, sign business associate agreements, and revisit risk assessments when there is time.
That mindset is quickly becoming outdated.
What many people are calling “HIPAA 2.0” is not a brand-new law or an official government term. It is the industry shorthand for the proposed modernization of the HIPAA Security Rule, issued by the U.S. Department of Health and Human Services’ Office for Civil Rights to strengthen cybersecurity protections for electronic protected health information, or ePHI. HHS has made clear that the current Security Rule remains in effect while the rulemaking process continues.
The practical takeaway is simple: healthcare organizations should not wait until a final deadline appears to start preparing.
The proposed changes point to a future where HIPAA compliance is less about having security policies on paper and more about proving that your organization has the right safeguards implemented, tested, documented, and continuously improved.
That shift matters because healthcare is no longer only a compliance target. It is a cybersecurity target.
Why HIPAA Security Readiness Matters More Than Ever
Healthcare organizations hold some of the most sensitive data in the economy: diagnoses, medications, insurance information, Social Security numbers, billing details, patient contact information, and clinical records. When that data is exposed, the damage can extend far beyond regulatory fines.
Patients lose trust. Operations get disrupted. Providers may lose access to critical systems. Claims can stall. Appointments may be delayed. And leadership teams are left trying to answer a difficult question:
Could we have proven that our safeguards were reasonable, current, and effective before the incident happened?
That question is becoming more important because HHS has reported a sharp rise in large healthcare breaches. From 2018 to 2023, large breach reports increased by 102%, while the number of individuals affected increased by 1002%. In 2023 alone, over 167 million individuals were affected by large breaches.
OCR enforcement activity also continues to highlight a recurring theme: risk analysis and ransomware preparedness matter. In April 2026, OCR announced four HIPAA Security Rule ransomware settlements affecting more than 427,000 individuals and noted that its Risk Analysis Initiative had reached 13 completed investigations. OCR emphasized that regulated entities are required to conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI.
That is why HIPAA 2.0 readiness should not be viewed as “future compliance work.”
It should be viewed as a current cybersecurity priority.
What Is Changing Under the Proposed HIPAA Security Rule Update?
The proposed HIPAA Security Rule update is designed to make cybersecurity expectations more specific and more measurable. While the final rule may differ from the proposal, the direction is clear: organizations will be expected to understand where ePHI lives, how it moves, who can access it, what risks exist, and what evidence proves those risks are being managed.
According to HHS, the proposed rule includes several significant updates, including:
- Removing the distinction between “required” and “addressable” implementation specifications
- Requiring written documentation of Security Rule policies and analyses
- Requiring technology asset inventories and network maps
- Strengthening risk analysis requirements
- Requiring annual compliance audits
- Requiring encryption of ePHI at rest and in transit, with limited exceptions
- Requiring multi-factor authentication, with limited exceptions
- Requiring vulnerability scanning at least every six months
- Requiring penetration testing at least every 12 months
- Requiring network segmentation
That is a lot to digest.
For healthcare leaders, the better way to think about it is this:
HIPAA 2.0 readiness is about moving from “we believe we are compliant” to “we can prove we are prepared.”
The Five Readiness Areas Healthcare Organizations Should Review Now
1. Your ePHI Environment
Many organizations cannot confidently answer one of the most basic HIPAA security questions:
Where does ePHI live?
It may be inside your EHR, billing systems, imaging platforms, patient portals, email, cloud storage, file shares, backups, endpoint devices, third-party applications, and vendor-managed systems.
The proposed rule places greater emphasis on maintaining a technology asset inventory and a network map that shows how ePHI moves through relevant systems. HHS specifically identifies asset inventory and network mapping as part of the proposed update.
Start by asking:
- What systems create, receive, maintain, or transmit ePHI?
- Which vendors touch ePHI?
- Where is ePHI stored outside the EHR?
- Are backups included in the inventory?
- Do remote users, mobile devices, or cloud systems introduce additional exposure?
- Is there a clear owner for each system?
Without this visibility, risk analysis becomes guesswork.
2. Your Risk Analysis and Gap Management Process
Risk analysis is not new under HIPAA. It is already foundational to the current Security Rule. HHS guidance states that conducting a risk analysis is the first step in identifying and implementing safeguards that comply with the Security Rule.
The problem is that many organizations treat risk analysis as a once-a-year document instead of an ongoing management process.
A useful HIPAA risk analysis should help you answer:
- What threats could affect the confidentiality, integrity, or availability of ePHI?
- What vulnerabilities exist in systems that store or process ePHI?
- How likely is each threat to exploit each vulnerability?
- What would the impact be?
- Which risks require remediation first?
- Who owns each remediation task?
- What evidence proves the issue was addressed?
This is where many organizations struggle. They may have a risk assessment, but not a risk register. They may have findings, but not remediation owners. They may have recommendations, but no timeline, budget, or proof of completion.
That gap can become painful during an audit or after an incident.
3. Your Technical Safeguards
HIPAA has always required appropriate administrative, physical, and technical safeguards to protect ePHI. HHS describes the Security Rule as requiring safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
The proposed update makes several technical expectations more specific.
Healthcare organizations should review whether they have implemented, documented, and tested controls such as:
- Multi-factor authentication
- Encryption for ePHI at rest and in transit
- Endpoint protection and anti-malware controls
- Secure configuration standards
- Vulnerability scanning
- Penetration testing
- Network segmentation
- Access control and termination procedures
- Backup and recovery controls
- Audit logging and monitoring
The key is not simply whether a tool exists. The key is whether the organization can demonstrate that the control is deployed, configured correctly, reviewed, and tied back to risk.
For example, having MFA enabled for some users may not be enough. Leadership should understand where MFA is enforced, where exceptions exist, why those exceptions exist, who approved them, and what compensating controls are in place.
4. Your Incident Response and Recovery Readiness
A written incident response plan is helpful. A tested incident response plan is better.
The proposed rule would strengthen contingency planning and security incident response expectations, including written procedures for restoring certain systems and data within 72 hours, criticality analysis to prioritize restoration, written incident response procedures, and procedures for testing and revising incident response plans.
That means organizations should start asking more practical questions:
- When was our incident response plan last tested?
- Do workforce members know how to report a suspected security incident?
- Who makes decisions during a ransomware event?
- How quickly can we restore critical systems?
- Are backups segmented from production systems?
- Have we tested backup restoration, or only confirmed that backups exist?
- Do we have current contact information for vendors, legal counsel, cyber insurance, and leadership?
- Do we understand breach notification requirements and decision points?
The worst time to discover confusion is during an active incident.
5. Your Vendor and Business Associate Oversight
Business associates are a critical part of HIPAA readiness. Healthcare organizations increasingly rely on external vendors for EHR hosting, billing, IT support, analytics, marketing platforms, cloud services, telehealth tools, payment processing, and managed services.
But signing a Business Associate Agreement is not the same as managing vendor risk.
The proposed update includes annual verification expectations for business associates related to technical safeguards. HHS states that business associates would need to verify at least once every 12 months that they have deployed technical safeguards required by the Security Rule through written analysis by a subject matter expert and written certification.
Healthcare organizations should begin reviewing:
- Which vendors create, receive, maintain, or transmit ePHI?
- Do all applicable vendors have current BAAs?
- Do vendor contracts include security and incident notification expectations?
- Are vendors reviewed annually?
- Can vendors provide evidence of safeguards?
- Are subcontractors addressed?
- Is there a documented process for vendor offboarding?
Vendor risk is often where hidden exposure lives.
A Simple HIPAA 2.0 Readiness Gut Check
Before downloading any checklist or starting a formal assessment, leadership teams can begin with six questions:
- Can we identify every system, vendor, and location where ePHI is stored, processed, or transmitted?
- Do we have a current risk analysis that connects threats, vulnerabilities, likelihood, impact, and remediation priorities?
- Can we prove that key safeguards like MFA, encryption, backups, logging, vulnerability scanning, and access controls are implemented and reviewed?
- Have we tested our incident response and recovery procedures in the last 12 months?
- Do we have current vendor documentation, BAAs, and evidence of third-party security oversight?
- If OCR, a client, cyber insurer, or executive team asked for evidence tomorrow, could we produce it quickly?
A “no” or “not sure” answer does not mean your organization is failing.
It means you have an opportunity to get ahead of the change.
Common Mistakes to Avoid
Mistake 1: Waiting for the Final Rule
It may feel reasonable to wait until the rule is final. But many of the proposed requirements reflect security practices that are already important today. MFA, encryption, asset inventory, tested backups, vendor oversight, and risk analysis are not just compliance tasks. They are basic cyber resilience measures.
Waiting may save effort in the short term, but it can create a bigger remediation burden later.
Mistake 2: Assuming the EHR Covers Everything
Your EHR may be central to your ePHI environment, but it is rarely the only place ePHI exists. Email attachments, exports, scanned documents, billing systems, analytics platforms, cloud folders, and vendor systems often contain sensitive information.
HIPAA readiness requires looking beyond the obvious systems.
Mistake 3: Treating Policies as Proof
Policies matter, but policies alone do not prove operational readiness.
A policy may say MFA is required. Evidence shows where MFA is actually enabled.
A policy may say backups are maintained. Evidence shows whether those backups were tested.
A policy may say access is terminated promptly. Evidence shows whether deprovisioning happened on time.
The future of HIPAA readiness is evidence-driven.
Mistake 4: Reviewing Vendors Only Once
A vendor that was low risk two years ago may not be low risk today. Their services may have changed. Their access may have expanded. Their subcontractors may have changed. Their security posture may have weakened.
Vendor oversight should be recurring, documented, and tied to ePHI exposure.
Mistake 5: Completing a Risk Assessment Without a Remediation Plan
A risk assessment that identifies gaps but does not produce action is incomplete from a business perspective.
Every meaningful finding should have an owner, priority, due date, status, and evidence of completion.
What Healthcare Organizations Should Do in the Next 30, 60, and 90 Days
First 30 Days: Get Visibility
Start by building or updating your ePHI inventory. Identify systems, vendors, data flows, access points, backups, and high-risk workflows. Confirm who owns each system and where documentation lives.
Focus on answering: What do we have, where is it, and who is responsible for it?
Next 60 Days: Identify and Prioritize Gaps
Use your inventory to review current safeguards. Look for gaps in MFA, encryption, logging, backups, vulnerability management, access control, vendor oversight, and incident response.
Focus on answering: What is missing, what matters most, and what should be fixed first?
Next 90 Days: Build Evidence and Improve Readiness
Begin documenting remediation activity. Test incident response procedures. Validate backups. Review vendor documentation. Organize policies, procedures, risk analysis materials, training records, and security evidence in a way that can be retrieved quickly.
Focus on answering: Can we prove what we have done?
Download the Free HIPAA 2.0 Readiness Toolkit
HIPAA 2.0 readiness can feel overwhelming when you are trying to interpret proposed requirements, manage vendors, protect ePHI, support users, and keep operations running.
That is why we created the HIPAA 2.0 Readiness Toolkit.
It is designed to help healthcare organizations and business associates turn the proposed Security Rule changes into practical next steps.
Inside the toolkit, you will find:
✔ HIPAA 2.0 Readiness Assessment Worksheet
Score your current readiness and identify areas that need attention.
✔ Risk Analysis & Gap Assessment Template
Document risks, vulnerabilities, impact, likelihood, and remediation priorities.
✔ PHI Asset Inventory Checklist
Map systems, vendors, applications, users, and locations where PHI or ePHI may exist.
✔ Vendor & Business Associate Review Guide
Evaluate BAAs, vendor access, security controls, and third-party oversight practices.
✔ Incident Response Preparedness Checklist
Review your ability to detect, respond to, recover from, and document security incidents.
✔ Documentation & Audit Readiness Tracker
Organize the evidence you may need for audits, reviews, insurance requests, or internal governance.
Final Thought
HIPAA 2.0 readiness is not just about preparing for a regulatory update.
It is about building a stronger security foundation around patient data, reducing the likelihood of disruption, and giving leadership confidence that the organization can prove its safeguards are working.
The organizations that start now will be in a better position when the rule is finalized.
More importantly, they will be in a better position the next time a cyber incident, vendor issue, audit request, or leadership question puts their HIPAA readiness to the test.