By Framework · HIPAA

The HIPAA safeguards are about to become mandatory

HIPAA is getting its first major Security Rule overhaul in two decades, and it removes the line between required and addressable. Encryption, multi-factor authentication, vulnerability scanning, and an annual risk analysis are set to become mandatory for every covered entity and every business associate that touches protected health information.

The landscape

The safeguards are no longer optional

The proposed Security Rule update is the biggest change since the rule was adopted. It makes once-addressable safeguards mandatory: encryption of protected health information at rest and in transit, multi-factor authentication, regular vulnerability scanning, and a documented risk analysis every year. The final rule is expected in 2026, with a compliance clock of roughly 240 days once it lands. Around it sit the HITECH breach-notification regime and, for many organizations, HITRUST and PCI DSS.

HIPAA Security Rule Privacy Rule HITECH HITRUST NIST 800-66 Risk Analysis Business Associates
$2.19M
the maximum civil penalty per HIPAA violation category, per year, and the Office for Civil Rights has now settled or imposed penalties in more than fifty cases, with the failure to perform a risk analysis among the most common findings.

Enforcement has followed the risk. Regulators set a record for large healthcare breaches in the last year, and third-party involvement in those breaches doubled, which is why the new rule puts business associates squarely on the hook.

Why it is hard

Protected data lives far beyond the hospital

Protected health information does not stay with the covered entity. It flows to billing services, cloud vendors, analytics providers, and a long chain of business associates, each one in scope and each a place a breach can start. A single safeguard, say access management, has to answer to the Security Rule, to HITRUST, and often to PCI at the same time.

Managed separately, that is duplicated evidence, gaps between systems, and a program trying to prove a mandatory risk analysis it has not run in a form an auditor will accept.

How SimpleRisk fits

One control library, every obligation

SimpleRisk treats HIPAA the way it should be treated: as one connected set of controls, mapped once and proven to an auditor, a certifier, or the Office for Civil Rights.

  • Map once, satisfy many. Through the Secure Controls Framework, one control maps across HIPAA, HITRUST, NIST, PCI DSS, and 250-plus frameworks, so you test once and satisfy many at the same time.
  • Run the risk analysis the rule requires. Perform, document, and repeat the annual risk analysis that is the single most-cited HIPAA finding, and keep it current instead of reconstructing it.
  • Cover every business associate. Track third-party and vendor risk against the same controls, so the fastest-growing source of breaches is not a blind spot.
  • Prove it on demand. Define tests, run audits, and produce exactly the evidence an OCR investigation or a HITRUST assessment requires.

Be ready for the new Security Rule, not scrambling for it

Start a free trial or book a demo, and see how SimpleRisk maps your controls to the safeguards HIPAA is about to make mandatory.

Start a free trial