Healthcare practices nationwide are watching the proposed HIPAA Security Rule updates, which would change how organizations handle HIPAA-compliant cloud backup and data protection. The changes are still at the proposal stage, but understanding what is coming lets a practice prepare for stricter, and in many cases no longer optional, safeguards.
What the Proposed HIPAA Changes Mean
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Notice of Proposed Rulemaking (NPRM) in late December 2024 (published in the Federal Register in January 2025) that would make the first substantial update to the HIPAA Security Rule since 2013. The proposal aims to strengthen cybersecurity protections for electronic protected health information (ePHI) by aligning the rule with current NIST and CISA guidance.
Key proposed changes include:
• Eliminating the distinction between “required” and “addressable” implementation specifications
• Making encryption mandatory for ePHI at rest and in transit
• Requiring multi-factor authentication (MFA) for all system access handling ePHI
• Requiring a written, comprehensive risk analysis that is reviewed and updated at least every 12 months
• Strengthening business associate oversight requirements
These updates directly impact how practices use cloud storage, backup systems, and file sharing platforms that handle patient data.
Impact on Cloud Storage and Backup Systems
The proposed rule would make encryption a required safeguard rather than an “addressable” one, so the “we considered it and chose a compensating control” path would no longer be available. Your practice’s HIPAA-compliant cloud storage and backup solutions would need to demonstrate encryption of ePHI both at rest and in transit.
In practice, meeting that standard means:
• AES-256 encryption for data at rest (stored files, databases, backups)
• TLS 1.2 or higher for data in transit (file transfers, cloud synchronization)
• NIST-aligned key management practices
• Documentation of encryption implementation and management
For backup systems, the proposal’s contingency-planning provisions are aimed squarely at ransomware: critical systems and data would need to be restorable within 72 hours, and backup and restore procedures would have to be tested regularly rather than assumed to work. Meeting that in practice means keeping at least one copy that an attacker holding domain-admin or cloud-console credentials cannot alter or delete (immutable or offline storage) and running timed restore drills. A HIPAA-compliant cloud backup strategy should be able to show both.
Multi-Factor Authentication Requirements
Under the proposed changes, MFA would become mandatory for all users accessing systems containing ePHI, not only for remote access. That expansion covers:
• Staff accessing patient records from any location or device
• Administrative accounts managing cloud storage and backup systems
• Third-party vendors requiring system access
• HIPAA-compliant file-sharing platforms and applications
Practices would need to maintain enrollment reports, document any exceptions, and ensure consistent MFA implementation across all ePHI-handling systems.
Preparing Your Practice Now
While the rule isn’t finalized, proactive preparation can position your practice for compliance success and improved security posture.
Immediate assessment steps:
• Inventory all cloud services handling patient data, including storage, backup, and sharing platforms
• Document the current encryption status of each system (at rest and in transit, including the protocol versions and ciphers actually negotiated) and identify gaps
• Evaluate MFA implementation across all ePHI-accessing applications
• Review business associate agreements to understand shared security responsibilities
• Test backup and recovery procedures end to end, timing the restore of critical systems to confirm a 72-hour restoration capability
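The inventory and encryption-gap steps above are easier to do consistently with a small tool than by reading vendor brochures. The following is an added example, not code from the original article or from any vendor it mentions: a Python helper that records what a hardened client negotiates with an endpoint, checks whether the server will still fall back to TLS 1.0 or 1.1, and grades the result against a TLS 1.2-or-newer baseline with forward-secret key exchange. The host names in the usage line, the weak-cipher name heuristics, and the 128-bit symmetric-key floor are assumptions for illustration; `probe()` needs network access, while `classify()` runs offline on recorded results.

```python
"""TLS in-transit audit helper.

Added example, not code from the original article. probe() needs network
access; classify() works offline on recorded results. Host names, the cipher
heuristics and the 128-bit floor are assumptions for illustration.
"""
import socket
import ssl
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Baseline assumed here: TLS 1.2 or newer, forward-secret key exchange,
# no legacy ciphers, and the server must refuse TLS 1.0/1.1 entirely.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
MIN_KEY_BITS = 128


@dataclass
class TlsFinding:
    endpoint: str
    protocol: Optional[str] = None          # e.g. "TLSv1.3" from SSLSocket.version()
    cipher: Optional[str] = None            # OpenSSL cipher name from SSLSocket.cipher()
    key_bits: Optional[int] = None
    legacy_accepted: List[str] = field(default_factory=list)  # e.g. ["TLSv1"]
    issues: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def classify(f: TlsFinding) -> TlsFinding:
    """Compare a recorded handshake against the baseline; fills f.issues."""
    proto, cipher = f.protocol or "", f.cipher or ""
    if proto not in ACCEPTED_PROTOCOLS:
        f.issues.append(f"negotiated deprecated protocol {proto or 'unknown'}")
    if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        f.issues.append(f"weak cipher: {cipher}")
    # TLS 1.3 suites are always forward secret; on 1.2 and older only (EC)DHE is.
    if proto != "TLSv1.3" and cipher and not cipher.startswith(("ECDHE", "DHE")):
        f.issues.append(f"no forward secrecy (static key exchange): {cipher}")
    if f.key_bits is not None and f.key_bits < MIN_KEY_BITS:
        f.issues.append(f"symmetric key too short: {f.key_bits} bits")
    if f.legacy_accepted:
        f.issues.append("server still accepts " + ", ".join(f.legacy_accepted))
    return f


def _accepts_version(host: str, port: int, version: ssl.TLSVersion, timeout: float) -> bool:
    """True if the server completes a handshake when we offer only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # probing negotiation only, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 3 offer legacy suites
    except (ValueError, ssl.SSLError):
        return False                       # local OpenSSL cannot offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == version.name.replace("_", ".")
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsFinding:
    """Record what a hardened client negotiates, then test for legacy fallback."""
    f = TlsFinding(endpoint=f"{host}:{port}")
    ctx = ssl.create_default_context()      # verifies the chain and the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                f.protocol = tls.version()
                f.cipher, _, f.key_bits = tls.cipher()
    except (ssl.SSLError, OSError) as exc:
        f.issues.append(f"handshake with TLS>=1.2 and certificate validation failed: {exc}")
        return f
    for legacy in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        if _accepts_version(host, port, legacy, timeout):
            f.legacy_accepted.append(legacy.name.replace("_", "."))
    return classify(f)


if __name__ == "__main__":
    # Usage: python tls_audit.py backup.example.test storage.example.test
    # (host names are placeholders; substitute your own inventory)
    for target in sys.argv[1:]:
        result = probe(target)
        status = "OK " if result.compliant else "GAP"
        print(f"{status} {result.endpoint} {result.protocol} {result.cipher}")
        for issue in result.issues:
            print(f"     - {issue}")
```

Run it against every host from the cloud-service inventory and keep the output with the gap register: a server that negotiates TLS 1.3 with your client but still accepts a TLS 1.0 handshake is the kind of finding a brochure never mentions and an auditor will ask about. The legacy probe deliberately disables certificate validation because it only tests whether the server will negotiate the old version, never whether the peer is trustworthy.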
Policy and procedure updates:
• Develop comprehensive asset inventories and data flow maps
• Create incident response procedures aligned with the notification timelines the proposal adds (for example, business associates notifying covered entities within 24 hours of activating a contingency plan)
• Establish a recurring schedule for vulnerability scanning (the proposal calls for at least every six months) and penetration testing (at least annually)
• Document risk analysis procedures for annual compliance reviews
Timeline and Next Steps
The proposed rule is expected to be finalized around May 2026, with an effective date approximately 60 days after publication. Organizations would then have 180 days from the effective date to comply with most provisions; these dates are projections, and the final rule could change both the substance and the deadlines.
Projected timeline:
• Spring 2026: Final rule publication
• Summer 2026: Rule becomes effective
• Late 2026/Early 2027: Full compliance deadline
On that timeline, practices have roughly 18 months from now to design, fund, and roll out the changes, so preparation should start now rather than after the final rule appears.
What This Means for Your Practice
The proposed HIPAA Security Rule updates represent a significant shift toward mandatory cybersecurity safeguards that reflect current threat landscapes. While still in proposal form, these changes signal OCR’s commitment to stronger data protection standards.
For practice managers and healthcare administrators, preparation should focus on conducting comprehensive security assessments, upgrading encryption and MFA implementations, and strengthening vendor management processes. Working with experienced healthcare IT partners can help ensure your cloud storage, backup, and file sharing systems meet both current and anticipated future requirements.
By taking proactive steps now, your practice can maintain regulatory compliance, protect patient data more effectively, and avoid the costs associated with last-minute compliance efforts. The investment in stronger security infrastructure today will pay dividends in reduced breach risk and operational continuity tomorrow.