Keep the rulemaking status in every discussion
OCR issued the proposed update in December 2024 and maintains a page describing the proposal. OCR's Security Rule page separately describes the existing standards for electronic protected health information.
Do not rewrite proposed requirements as current obligations. Check the Federal Register and OCR before relying on status because rulemaking can change.
Use the proposal to sharpen current questions
Ask for the system's architecture and data flow, risk-analysis practices, access controls, multifactor authentication scope, encryption, logging, backup and recovery testing, incident handling, subcontractors, and responsibility boundaries. Request dated evidence rather than a sales assurance.
The appropriate evidence depends on the practice's role, data, contracts, and risk analysis. This guide cannot determine whether a particular organization or product complies with HIPAA.
Create a versioned diligence record
Record the question, vendor answer, supporting document, document date, reviewer, unresolved issue, and contract consequence. Revisit it after material product, infrastructure, or regulatory changes.
A checklist is useful for consistency, but it does not replace qualified legal, privacy, security, and technical review.
