HIPAA Security Rule NPRM: 2026 Prep Checklist for Orlando

By Carlos Perez · April 6, 2026 · 8 min read

Orlando-area healthcare practices and clinics are under growing pressure: ransomware is getting more aggressive, vendors are more interconnected, and regulators are pushing for clearer evidence that you have baseline controls in place. In late 2024, HHS’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule for the first time since 2013. The direction is unambiguous: less “interpretation,” more specific, testable requirements.

This article translates the proposed changes into a practical preparation plan for small and mid-sized healthcare organizations in Central Florida. Even though it is still a proposed rule, the work you do now strengthens patient safety, reduces downtime risk, and makes future audits dramatically easier.

Why this HIPAA NPRM matters for Orlando healthcare

The proposed modifications are designed to better align HIPAA with modern cybersecurity practices and to address recurring deficiencies OCR sees during investigations. According to the HHS fact sheet, the NPRM proposes removing the “required vs. addressable” distinction (with limited exceptions) and adding more specificity around what regulated entities must do to safeguard ePHI.

For Orlando healthcare organizations, this is especially relevant because:

  • Many practices rely on a mix of cloud apps, imaging systems, EHRs, VoIP, and legacy medical devices that are hard to secure consistently.
  • Business associates (billing, collections, IT vendors, SaaS providers) expand the attack surface and complicate accountability.
  • Downtime can immediately impact patient care, scheduling, and revenue.

What’s being proposed: the requirements that change your day-to-day

Here are the proposed items we see as the most operationally impactful for healthcare providers (and business associates). The bullets below use the NPRM fact sheet language so you can map preparations back to the proposed rule.

1) Encryption becomes expected, not optional

The fact sheet proposes to “require encryption of ePHI at rest and in transit, with limited exceptions.” In practice, this means you should be able to demonstrate encryption across laptops, servers, backups, cloud storage, email workflows, and any remote access paths that handle ePHI.

PTG prep steps: verify BitLocker/FileVault, enforce TLS for email and portals, validate backup encryption, and document exceptions (if any) with compensating controls.

2) MFA everywhere ePHI is accessed

OCR proposes to “require the use of multi-factor authentication, with limited exceptions.” If you are still using single-factor sign-in for email, EHR portals, remote desktop, or VPN, this is the fastest win you can implement.

PTG prep steps: standardize identity with Microsoft 365/Azure AD (Entra ID), implement conditional access, and prioritize MFA on admin accounts and remote access first.

3) A real inventory and network map (updated at least annually)

The fact sheet proposes requiring “a technology asset inventory and a network map” showing ePHI movement “on an ongoing basis, but at least once every 12 months” and after changes that may affect ePHI. This is more than a spreadsheet: it means visibility into endpoints, servers, network gear, and cloud services, and a record of where ePHI actually flows between them.

PTG prep steps: implement managed endpoint visibility, create a living network diagram, and document your ePHI data flows (EHR ↔ imaging ↔ billing ↔ patient portal ↔ backups).

4) Testing becomes part of compliance (scanning + pen testing)

The NPRM fact sheet proposes “vulnerability scanning at least every six months” and “penetration testing at least once every 12 months.” Many small practices do neither consistently, or they do it informally without retaining evidence.

PTG prep steps: schedule a recurring scan program, track remediation tickets, and perform an annual external/internal penetration test (or validated equivalent) with executive-level reporting.

5) Faster recovery expectations: restore key systems within 72 hours

OCR proposes strengthening contingency planning, including written procedures to “restore the loss of certain relevant electronic information systems and data within 72 hours.” That drives concrete requirements for backup design, immutable storage, and recovery testing.

PTG prep steps: define your “relevant systems” (EHR, imaging, identity, file shares, VoIP, scheduling), set recovery time objectives (RTOs) for each, and test restores regularly, not just that backup jobs complete.

6) 24-hour notifications in key situations

The fact sheet proposes a few 24-hour concepts, including “notification … within 24 hours” when a workforce member’s access is changed or terminated, and business associates notifying covered entities upon contingency plan activation “no later than 24 hours” after activation.

PTG prep steps: tighten joiner/mover/leaver workflows, integrate HR offboarding with identity tools, and update business associate agreements and incident runbooks so notifications are operationally feasible.

7) Annual compliance audits

OCR proposes that regulated entities “conduct a compliance audit at least once every 12 months.” This is the difference between hoping you’re compliant and being able to prove it—with evidence.

PTG prep steps: build an annual HIPAA security evidence binder (policies, logs, scans, restore tests, training, vendor attestations) and run a structured internal audit against the Security Rule safeguards.

A practical 90-day preparation plan (what to do now)

If you’re a practice administrator, operations leader, or physician-owner, you don’t need to become a compliance expert. You need a prioritized plan, measurable progress, and a partner who can operationalize it without disrupting patient care.

  1. Weeks 1–2: baseline visibility. Confirm asset inventory, admin accounts, remote access methods, and where ePHI lives and moves.
  2. Weeks 3–6: close the big gaps. Enforce MFA, harden email, verify encryption, and eliminate shadow IT storing ePHI.
  3. Weeks 7–10: resilience upgrades. Validate backups, implement immutable storage where appropriate, and run a documented restore test for critical systems.
  4. Weeks 11–13: evidence and repeatability. Document policies/procedures, create a recurring scanning cadence, and establish an annual audit calendar.

How PTG helps Orlando healthcare organizations stay HIPAA-ready

Perez Technology Group supports Orlando-area organizations with managed IT, cybersecurity, and practical compliance execution. We help you modernize identity (Microsoft 365), harden endpoints, improve network segmentation, and create the evidence trail you need for audits and cyber insurance—without slowing down your clinicians.

If you want to get ahead of the proposed HIPAA Security Rule changes, start with a gap assessment. We’ll identify your top risks, map them to the NPRM direction, and deliver a prioritized remediation plan.

Book a free IT resilience assessment and we’ll walk through where you stand today and what to tackle next.

Note: This article discusses proposed HIPAA Security Rule modifications described by HHS OCR. The current HIPAA Security Rule remains in effect while rulemaking proceeds.

Carlos Perez

CEO & Founder, Perez Technology Group | Founder, CyberFence | Microsoft Certified | Orlando, FL
