By Framework · HIPAA
The HIPAA safeguards are about to become mandatory
HIPAA is getting its first major Security Rule overhaul in two decades, and it removes the line between required and addressable. Encryption, multi-factor authentication, vulnerability scanning, and an annual risk analysis are set to become mandatory for every covered entity and every business associate that touches protected health information.
The landscape
The safeguards are no longer optional
The proposed Security Rule update is the biggest change since the rule was adopted. It makes once-addressable safeguards mandatory: encryption of protected health information at rest and in transit, multi-factor authentication, regular vulnerability scanning, and a documented risk analysis every year. The final rule is expected in 2026, with a compliance clock of roughly 240 days once it lands. Around it sit the HITECH breach-notification regime and, for many organizations, HITRUST and PCI DSS.
Enforcement has followed the risk. Regulators set a record for large healthcare breaches in the last year, and third-party involvement in those breaches doubled, which is why the new rule puts business associates squarely on the hook.
Why it is hard
Protected data lives far beyond the hospital
Protected health information does not stay with the covered entity. It flows to billing services, cloud vendors, analytics providers, and a long chain of business associates, each one in scope and each a place a breach can start. A single safeguard, say access management, has to answer to the Security Rule, to HITRUST, and often to PCI at the same time.
Managed separately, that is duplicated evidence, gaps between systems, and a program trying to prove a mandatory risk analysis it has not run in a form an auditor will accept.
How SimpleRisk fits
One control library, every obligation
SimpleRisk treats HIPAA the way it should be treated: as one connected set of controls, mapped once and proven to an auditor, a certifier, or the Office for Civil Rights.
- Map once, satisfy many. Through the Secure Controls Framework, one control maps across HIPAA, HITRUST, NIST, PCI DSS, and 250-plus frameworks, so you test once and satisfy many at the same time.
- Run the risk analysis the rule requires. Perform, document, and repeat the annual risk analysis that is the single most-cited HIPAA finding, and keep it current instead of reconstructing it.
- Cover every business associate. Track third-party and vendor risk against the same controls, so the fastest-growing source of breaches is not a blind spot.
- Prove it on demand. Define tests, run audits, and produce exactly the evidence an OCR investigation or a HITRUST assessment requires.
Be ready for the new Security Rule, not scrambling for it
Start a free trial or book a demo, and see how SimpleRisk maps your controls to the safeguards HIPAA is about to make mandatory.
Start a free trial