policy

The HIPAA Security Rule proposal is not the current rule—but it is a useful diligence checklist

HHS proposed substantial cybersecurity changes in late 2024. Buyers should keep proposal status explicit while asking vendors for concrete evidence about today's safeguards and responsibilities.

Practice team reviewing software security responsibilities
Security diligence starts by separating current requirements, proposed changes, and contract evidence.

Keep the rulemaking status in every discussion

OCR issued the proposed update in December 2024 and maintains a page describing the proposal. OCR's Security Rule page separately describes the existing standards for electronic protected health information.

Do not rewrite proposed requirements as current obligations. Check the Federal Register and OCR before relying on status because rulemaking can change.

Use the proposal to sharpen current questions

Ask for the system's architecture and data flow, risk-analysis practices, access controls, multifactor authentication scope, encryption, logging, backup and recovery testing, incident handling, subcontractors, and responsibility boundaries. Request dated evidence rather than a sales assurance.

The appropriate evidence depends on the practice's role, data, contracts, and risk analysis. This guide cannot determine whether a particular organization or product complies with HIPAA.

Create a versioned diligence record

Record the question, vendor answer, supporting document, document date, reviewer, unresolved issue, and contract consequence. Revisit it after material product, infrastructure, or regulatory changes.

A checklist is useful for consistency, but it does not replace qualified legal, privacy, security, and technical review.