Note: This post reflects the proposed HIPAA Security Rule as published in the Federal Register on January 6, 2025. The final rule has not been published as of this writing. Specific requirements may change. This post is for informational purposes and does not constitute legal advice.
The last time the HIPAA Security Rule saw a meaningful update, cloud infrastructure was in its infancy, ransomware wasn't a household word, and most healthcare records were still on paper. That was 2003. In the two decades since, healthcare has become one of the most targeted industries for cyberattacks.
Now, the Department of Health and Human Services Office for Civil Rights (HHS/OCR) is finalizing a rule that would overhaul the Security Rule for the first time in its history. A final rule was targeted for May 2026, though a short delay is possible. If it publishes as proposed, regulated entities would have 240 days to comply.
If you work in healthcare compliance, this could be one of the more consequential shifts your program has faced in decades.
What is actually changing in the HIPAA Security Rule?
The proposed rule, published in January 2025, does two big things: it raises the baseline for everyone, and it tightens the compliance obligations on business associates specifically.
Currently, the Security Rule distinguishes between "required" and "addressable" implementation specifications. "Addressable" has historically given organizations room to document why they're taking a different approach. The proposed rule eliminates that distinction entirely. Every implementation specification becomes a hard requirement.
The proposed technical controls are specific and prescriptive:
- Encryption: All ePHI must be encrypted at rest and in transit
- Multi-factor authentication: Required across all systems
- Continuous monitoring: Systems must be monitored for anomalous activity
- Vulnerability scanning and penetration testing: Both required, on documented timelines
- Patch management: Specific timelines and processes required
- Network segmentation: Required to limit lateral movement
- Anti-malware protections: Mandatory
- Audit and access logs: Must be maintained
- Annual testing of technical controls: Required
That's a significant departure from the current framework, which is largely technology-neutral and allows organizations to determine how to achieve compliance outcomes. The proposed rule names the controls. There's not much room left for interpretation.
How does the risk analysis requirement change?
If there's one area where the proposed rule imposes the most new work, it's risk analysis.
Under the current framework, organizations conduct a "periodic" risk analysis. The proposed rule requires a formal risk analysis at least annually, and it has to cover every system, device, application, service, cloud environment, subcontractor, and integrated technology that touches ePHI. That includes ePHI across multiple clients and ePHI sitting in shared systems.
Before a compliant risk analysis can happen, organizations must first build and maintain a comprehensive, accurate, current technology asset inventory, along with maps of how ePHI moves through their environment. If you don't have a complete picture of where ePHI lives, you can't assess risk to it.
The analysis itself must be formal, documented, and repeatable. Written methodologies. Documented risk ratings with rationale. Tracked mitigation plans run through to completion. Written verification by qualified personnel. OCR can request the full package during a compliance review or breach investigation.
For business associates, this is particularly significant. Covered entities would be required to obtain annual written verification that their business associates have actually implemented the required technical safeguards. The era of signing a business associate agreement and calling it done is ending.
What are the new incident response requirements?
Under the current Breach Notification Rule, business associates have up to 60 days to notify a covered entity after a breach. The proposed Security Rule update would require notification within 24 hours when there's an emergency or other occurrence affecting electronic information systems, including when contingency plans are activated.
That's a meaningful tightening. It requires formal incident response plans with defined roles, incident classification criteria, response timelines, post-incident analysis, and detailed documentation. Organizations that treat incident response as a checklist exercise will need to build real programs.
What does the proposed HIPAA Security Rule mean for training?
Here's where it gets relevant for compliance leaders who oversee training programs specifically.
The security awareness training standard at 45 CFR § 164.308(a)(5) already applies to all workforce members with access to IT systems, not just those who handle PHI directly. The proposed rule carries more explicit expectations around what that training covers and more detailed documentation requirements around it. Business associate agreements are also expected to incorporate cybersecurity training obligations.
But there's a deeper implication that's getting real attention from healthcare compliance leaders: training needs to be tailored to each workforce member's actual role and access profile.
Think about what that looks like inside a mid-sized healthcare organization. A physician managing patient records, a front-desk coordinator checking eligibility, a finance analyst processing claims who never enters a clinical setting, a practice manager overseeing multiple locations, and an IT administrator provisioning system access are all subject to the same HIPAA security training requirement. But the risks they face, and the behaviors compliance teams are trying to shape, look completely different.
Training a finance analyst on patient exam room privacy protocols wastes everyone's time. Training clinical staff only on technical encryption standards misses the risks they actually encounter. One-size-fits-all compliance training has always been a compromise. The proposed rule pushes organizations to move past it.
Why role-based HIPAA training is hard to do at scale without AI
For smaller or mid-sized healthcare organizations, the math here gets challenging fast. Building a separate custom HIPAA course from scratch for every distinct role isn't realistic. That used to require an instructional designer, a development platform like Articulate, and months of storyboarding and production work. Compliance teams simply don't have the time, the budget, or the headcount.
The organizations that have tried to solve this problem on their own typically end up in one of two places: either they keep the same universal training and document why it's "good enough" for each role, or they build one custom course and it immediately becomes outdated.
For healthcare organizations with hundreds of locations and thousands of staff, the seat time problem compounds everything. If your organization's compliance training suite runs two hours and you've got thousands of associates plus a physician group, every percentage point of wasted seat time is a meaningful clinical and operational cost. Shorter, role-relevant training isn't just a regulatory preference. It's also a business case.
How AI customization makes role-based HIPAA training achievable
This is where modern compliance training tools are genuinely useful for healthcare compliance teams right now.
Ethena's Compass AI Training Agent lets compliance teams start with an existing HIPAA or cybersecurity course from Ethena's library and quickly build role-specific versions. A compliance officer describes the relevant risk context for a particular role: what systems they access, what patient data exposure they have, what the real risks look like in their day-to-day work. Compass builds a customized version of that training without requiring an instructional design team or a separate authoring tool.
Compass also pulls in your organization's actual policies as source material, so the training reflects what your workforce is actually expected to do, not just what the regulation says in the abstract. A finance team member gets training grounded in minimum necessary access and what ePHI looks like in their workflows. Clinical staff get scenarios they'd actually recognize. The content lands because it's relevant.
For organizations facing the proposed rule's role-tailoring expectations, this approach makes the task manageable. You're not rebuilding your entire training library. You're taking courses that already exist and using AI to make them specific.
What should compliance leaders do right now?
The final rule hasn't been published yet, and it may look somewhat different from the proposed version once OCR incorporates the substantial feedback it received. A more deregulation-friendly administration could also scale back some requirements. But the core direction is clear. These changes are coming in some form.
Compliance leaders can get ahead now by:
- Running a gap analysis against the proposed technical controls before the final rule publishes, so you're not starting from scratch when the clock starts
- Auditing and building your asset inventory to establish where ePHI lives across your systems, vendors, and cloud environments
- Reviewing business associate agreements to understand what annual verification obligations will look like for both sides
- Mapping your workforce roles against their ePHI access profiles to identify where training needs to be differentiated
- Evaluating your current training to understand where role-based customization is overdue, especially for organizations with a mix of clinical and non-clinical staff
The 240-day compliance window sounds generous until you account for everything that has to happen inside it: gap analysis, new policy documentation, vendor assessments, updated agreements, technical control implementation, training updates, and testing. Organizations that start the work before the final rule drops will be in a much better position.
Ethena's library includes HIPAA, cybersecurity, and data privacy courses that are already being used by healthcare compliance teams, and Ethena's Compass AI Training Agent is built for exactly the kind of role-based tailoring the proposed rule pushes organizations toward. If you're thinking through what your HIPAA training program needs to look like when the final rule arrives, let's talk.