HHS has proposed major updates to the HIPAA Security Rule that will significantly raise the bar for how all covered entities protect electronic protected health information (ePHI). If you are a small medical, dental, behavioral health, or home health practice, you will feel this shift even if you do not have internal IT or security staff.
This article explains the proposed changes in plain English, what they mean for small practices, and what practical steps you can take without hiring a full-time CISO.
1. “Addressable” is going away: optional becomes mandatory
Historically, the HIPAA Security Rule split safeguards into “required” and “addressable.” Many small practices treated “addressable” as “optional if we do not have time or budget,” especially for more advanced technical controls.
Under the new proposal, HHS would eliminate this distinction and make all implementation specifications required, with only limited exceptions. In practice for small practices, this means:
- Encryption of ePHI at rest and in transit is expected, not a best-effort goal.
- Multi-factor authentication (MFA) is required for ePHI access, except in narrow, justified cases.
- Network segmentation, secure configurations, and hardened systems are part of baseline hygiene, not “enterprise-only” features.
- Regular vulnerability scanning and at least annual penetration testing become standard expectations.
For small practices, this shift from “we will get to it later” to “we must show how we comply” is one of the biggest cultural impacts of the NPRM.
2. Risk analysis must be real, current, and written
Most small practices have something they call a “risk assessment” – often a one-time checklist from their EHR or a basic template filled out years ago. The proposed rule expects more structure and specificity.
HHS wants a written risk analysis that:
- Uses a current technology asset inventory and network map.
- Identifies reasonably anticipated threats and vulnerabilities to ePHI.
- Assigns risk levels based on likelihood and impact, not gut feel.
- Drives which safeguards you prioritize and how quickly you act.
For small practices, the implication is that you need to know what you have, where it sits on your network, how it could be compromised, and how you decided what to fix first. That is a very different conversation than “we bought a secure EHR, so I think we are covered.”
3. Documentation is now front-and-center evidence
The NPRM emphasizes documentation of your Security Rule program, not just having tools and processes in place. Regulators and cyber insurers are increasingly aligned on one question: “Can you show me?”
Small practices will need to maintain, and periodically update:
- A written risk analysis tied to a real inventory and network map.
- Written policies and procedures for access control, incident response, backups, and vendor management.
- Records of vulnerability scans, penetration tests, and other evaluations and how you responded.
- Documentation of exceptions where you cannot fully implement a safeguard, and what compensating controls you put in place instead.
This can feel like “paperwork,” but in an investigation or claim review, it becomes your best evidence that you acted reasonably and in good faith.
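To make sections 2 and 3 concrete, here is an added example (not the article's, HHS's, or any vendor's tooling) of what a minimal written risk analysis can look like when it is driven by an asset inventory rather than a checklist. It scores each finding as likelihood times impact on a 1 to 3 scale, orders the findings so the list doubles as the remediation order, and carries a documented exception with its compensating control through to the report, lowering the residual likelihood one step. The inventory, zone names, and exception wording are constructed sample data, not real findings.

```python
"""Minimal written risk analysis for a small practice (added example, not the
article's or HHS's own tooling). The inventory below is constructed sample
data, not real assessment results."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Asset:
    """One row of the technology asset inventory, tied to the network map via `zone`."""
    name: str
    zone: str                 # segment on the network map: clinical, front-office, guest, cloud
    holds_ephi: bool
    encrypted_at_rest: bool
    mfa_enforced: bool
    remote_reachable: bool    # reachable over VPN/internet, so a stolen password is easier to use
    portable: bool            # laptops and phones leave the building and get lost
    encryption_exception: Optional[str] = None  # written compensating control if encryption cannot be enabled


@dataclass
class Finding:
    asset: str
    threat: str
    likelihood: str
    impact: str
    safeguard: str
    exception: Optional[str] = None

    @property
    def score(self) -> int:
        # likelihood x impact on a 1-3 scale, so 1..9
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def level(self) -> str:
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"


def lower(level: str) -> str:
    """Drop a likelihood one step to reflect a documented compensating control."""
    return NAMES[max(1, LEVELS[level] - 1)]


def analyze(inventory: List[Asset]) -> List[Finding]:
    """Derive findings from the inventory. Only assets holding ePHI are in scope."""
    findings = []
    for a in inventory:
        if not a.holds_ephi:
            continue
        if not a.encrypted_at_rest:
            likelihood = "high" if a.portable else "medium"
            if a.encryption_exception:
                likelihood = lower(likelihood)   # residual risk after the compensating control
            findings.append(Finding(a.name, "loss or theft of stored ePHI", likelihood, "high",
                                    "enable full-disk/database encryption", a.encryption_exception))
        if not a.mfa_enforced:
            likelihood = "high" if a.remote_reachable else "medium"
            findings.append(Finding(a.name, "account takeover via stolen password", likelihood, "high",
                                    "enforce MFA for every account that can reach ePHI"))
    # highest score first, so the list doubles as the remediation order
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.threat))


def report(findings: List[Finding]) -> List[str]:
    """Render the findings as the written record an investigator or insurer would ask for."""
    lines = []
    for f in findings:
        line = f"[{f.level.upper():6}] {f.asset}: {f.threat} (L={f.likelihood}, I={f.impact}) -> {f.safeguard}"
        if f.exception:
            line += f" | EXCEPTION: {f.exception}"
        lines.append(line)
    return lines


# Constructed sample inventory (hypothetical practice, hypothetical assets).
SAMPLE_INVENTORY = [
    Asset("Cloud EHR (vendor-hosted)", "cloud", holds_ephi=True, encrypted_at_rest=True,
          mfa_enforced=True, remote_reachable=True, portable=False),
    Asset("Front-desk laptop", "front-office", holds_ephi=True, encrypted_at_rest=False,
          mfa_enforced=False, remote_reachable=False, portable=True),
    Asset("Legacy imaging workstation", "clinical", holds_ephi=True, encrypted_at_rest=False,
          mfa_enforced=False, remote_reachable=False, portable=False,
          encryption_exception="vendor OS lacks disk encryption; isolated on clinical VLAN, no internet path, locked room"),
    Asset("Guest Wi-Fi access point", "guest", holds_ephi=False, encrypted_at_rest=False,
          mfa_enforced=False, remote_reachable=True, portable=False),
]

if __name__ == "__main__":
    for line in report(analyze(SAMPLE_INVENTORY)):
        print(line)
```

Run as written, the unencrypted portable laptop scores 9 and comes first, the two missing-MFA findings score 6, and the imaging workstation's encryption gap drops to 3 (medium) because the compensating control is documented, while the exception text itself stays in the report. The guest access point holds no ePHI and produces no finding, which is exactly the "know what you have and why you chose what to fix first" trail section 2 asks for.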
4. Stronger technical safeguards: what they look like in a small practice
The proposed changes align closely with what HHS and industry already recommend as cybersecurity performance goals and what cyber insurers increasingly require. For small practices, these translate into a concrete set of technical expectations.
Encryption everywhere ePHI lives
- Encrypt ePHI at rest on servers, laptops, databases, and backups, and in transit over networks, with only limited, documented exceptions.
- For many practices, that means confirming your EHR, storage, and backup solutions meet these requirements and documenting where they do.
Multi-factor authentication for ePHI access
- Require MFA for staff and admins accessing ePHI, including remote access, VPNs, cloud EHRs, and administrative tools that can reach PHI.
- This significantly reduces the impact of stolen passwords, which remains a major driver of healthcare breaches.
Network segmentation and hardened configurations
- Segment your network so that guest Wi-Fi, front-office workstations, clinical systems, and administrative servers are separated.
- Disable unnecessary ports and services that attackers routinely exploit, based on findings from your risk analysis and scanning.
Backups and recovery with separate protections
- Maintain backups of ePHI and critical systems that are logically or physically separated from your primary environment.
- Protect backups with their own access controls and test restoration regularly so you can recover quickly from ransomware or outages.
Regular vulnerability scanning and periodic penetration testing
- Run vulnerability scans at least every six months and penetration tests at least annually, documenting results and remediation.
- For small practices, this is usually done with a specialized partner instead of trying to build this capability in-house.
These are not “hospital-only” requirements anymore; they are the new baseline for any covered entity that handles ePHI, regardless of headcount.
5. Why small practices will feel this the most
HHS repeatedly acknowledges that what is “reasonable and appropriate” depends on the size, complexity, resources, and technical capabilities of each entity. Small and rural practices still have flexibility in how they meet requirements, and may rely more on cloud services and vendors.
However, with the removal of “addressable,” more prescriptive risk analysis expectations, and explicit testing and documentation requirements, the overall floor is clearly higher. At the same time:
- Healthcare remains the most expensive industry for breaches, and small practices are well-represented in breach and enforcement statistics.
- The HHS Office for Civil Rights (OCR) has already shown a willingness to fine small medical practices, not just large hospital systems, when they fall short.
- Cyber insurers continue to tighten underwriting, focusing on the very same controls HHS is emphasizing: MFA, endpoint detection and response (EDR), backups, and incident response planning.
In other words, small practices are in the hardest position: the same regulatory expectations, the same threat landscape, and the least internal capacity to design and run a security program.
6. Practical, right-sized steps small practices can take now
This is where an outcome-focused, business-first approach matters. You do not need a massive project plan, but you do need a structured, prioritized roadmap that fits your size and budget.
Here is a practical sequence small practices can follow over the next 6–12 months.
Step 1: Commission a real, HIPAA-aligned risk analysis
- Engage a partner who understands healthcare and HIPAA to perform a risk analysis that includes an up-to-date asset inventory and simple network map.
- Expect clear, business-oriented findings: which risks are most likely to cause downtime, lost revenue, or regulatory exposure in your specific practice.
Step 2: Clean up identity and access (including MFA)
- Implement MFA for all ePHI access, prioritizing remote access, EHRs, and privileged accounts.
- Eliminate shared logins, enforce unique user accounts, and tighten role-based access so staff only see what they need.
Step 3: Validate encryption and backups with evidence
- Confirm encryption is enabled for laptops, servers, cloud storage, and backups, and capture screenshots or reports as evidence.
- Review your backup design to ensure backups are segmented, access-controlled, and tested; document test results and any gaps you discover.
Step 4: Segment and harden the network with your IT partner
- Work with your IT provider to segment the network into logical zones: clinical systems, business systems, guest networks, and administrative tools.
- Disable unnecessary services and ports identified during scanning and document these changes.
Step 5: Establish a lightweight policy set and testing cadence
- Build a concise, practical set of security policies: access control, incident response, backup and recovery, vendor risk management, and acceptable use.
- Schedule twice-yearly vulnerability scanning and an annual penetration test, and track remediation against each report.
This is not about turning your practice into a hospital IT shop. It is about making sure your controls, documentation, and decisions are strong enough to stand up to real-world events and regulatory scrutiny.
7. Where a vCISO fits for small practices
Most small practices cannot justify a full-time Chief Information Security Officer, even though they face the same HIPAA Security Rule as large health systems. That is exactly the gap the virtual CISO (vCISO) model is designed to close.
A healthcare-focused vCISO can help you:
- Translate the new HIPAA Security Rule into a 12- to 18-month roadmap that respects your budget and avoids disruption to patient care.
- Build a defensible risk analysis, asset inventory, and documentation set that you can reuse for OCR, cyber insurance, and payer questionnaires.
- Coordinate your MSP, EHR vendor, and other third parties so encryption, MFA, segmentation, backups, and testing work together as a coherent program.
- Prepare you proactively for the new expectations instead of reacting after a breach, fine, or denied insurance claim.
For small practices, “Security That Speaks Business” means more than avoiding buzzwords; it means designing a security program that protects your patients, your reputation, and your revenue with the least possible friction on your staff. The HIPAA Security Rule is changing, but with the right guidance, compliance and security can finally feel manageable instead of overwhelming.