HIPAA Security Rule NPRM: 10 Cybersecurity Moves Orlando Practices Should Start Now

The proposed HIPAA Security Rule update is more prescriptive than ever. Here are 10 practical steps Orlando healthcare organizations can start now to reduce risk and be ready.

Healthcare cybersecurity compliance and HIPAA Security Rule planning

HIPAA compliance has always required “reasonable and appropriate” safeguards, but the HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) signals a shift toward much more specific cybersecurity expectations. For Orlando-area medical, dental, behavioral health, and specialty practices, the best time to prepare is before the final rule lands.

According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, the NPRM proposes changes that include removing the “required vs. addressable” distinction, requiring written documentation for policies and analyses, and adding explicit expectations like encryption, multi-factor authentication, regular vulnerability scanning, and annual compliance audits.

This article breaks those ideas into 10 practical moves you can begin now. These steps are written for busy healthcare leaders who want reduced risk, fewer surprises, and cleaner evidence if you ever face an audit, incident response, or cyber insurance renewal.

1) Treat “addressable” controls as mandatory starting today

The proposed rule would remove the flexibility many organizations relied on to defer certain safeguards. Even if the final version changes, the direction is clear: regulators want consistent baseline controls across covered entities and business associates.

What to do now: inventory any HIPAA safeguards you marked as “addressable,” and document whether you implemented them, used an alternative, or postponed them. Then build a remediation plan with owners and dates.

2) Build (and maintain) a real technology asset inventory + network map

One of the hardest parts of healthcare cybersecurity is knowing what you have: servers, endpoints, cloud apps, medical devices, remote access tools, and all the paths where ePHI travels. The NPRM calls for an inventory and network map that is updated at least annually and when major changes occur.

What to do now: start with three buckets: (1) endpoints and servers, (2) cloud applications (M365, EHR, billing, secure messaging), (3) “shadow IT” (consumer tools used for convenience). Map how ePHI enters, is stored, and leaves each system.

3) Upgrade risk analysis from a document to an operational process

HIPAA risk analysis often becomes a once-a-year PDF that no one touches. The NPRM calls for greater specificity: tying risk analysis to your asset inventory and network map, identifying reasonably anticipated threats and vulnerabilities, and rating risk levels.

What to do now: operationalize risk analysis by turning findings into a simple tracking board (control gap → risk → remediation → evidence). If you can’t show progress, audits and insurance reviews can get painful fast.

4) Encrypt ePHI at rest and in transit (and prove it)

The NPRM explicitly calls for encryption of ePHI at rest and in transit, with limited exceptions. In real life, encryption gaps usually come from legacy servers, unmanaged laptops, or unencrypted file shares and backups.

What to do now: confirm full-disk encryption on all endpoints (Windows BitLocker), enforce TLS for email and portals, and ensure backups are encrypted. Most importantly, capture evidence: policies, configuration screenshots, and reports that demonstrate encryption is enabled.
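As an added example (not part of the original article or a PTG tool), the following PowerShell script checks BitLocker status on a Windows endpoint and writes a dated CSV into an evidence folder, which is the kind of artifact step 4 asks you to capture. It assumes the BitLocker PowerShell module is present, the script runs as Administrator, and the evidence folder path is a placeholder you would replace.

```powershell
# Added example: BitLocker evidence check for the encryption-at-rest control.
# Assumes Windows 10/11 or Windows Server with the BitLocker module, run as Administrator.
$EvidenceDir = "C:\HIPAA-Evidence\Encryption"   # assumed evidence folder; adjust to your structure
$Stamp = Get-Date -Format "yyyy-MM-dd_HHmm"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Every BitLocker-capable volume on the machine (OS volume plus fixed and removable data volumes).
$Volumes = Get-BitLockerVolume

$Report = foreach ($v in $Volumes) {
    # A volume only counts as protected when encryption has finished AND protection is turned on;
    # "FullyEncrypted" with ProtectionStatus "Off" (e.g. suspended for an update) is still a gap.
    $Compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        CheckedAt        = (Get-Date).ToString('s')
        MountPoint       = $v.MountPoint
        VolumeType       = $v.VolumeType
        VolumeStatus     = $v.VolumeStatus
        ProtectionStatus = $v.ProtectionStatus
        EncryptionMethod = $v.EncryptionMethod
        PercentEncrypted = $v.EncryptionPercentage
        KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
        Compliant        = $Compliant
    }
}

# Save the dated CSV as audit evidence and show a summary for the technician.
$Csv = Join-Path $EvidenceDir "bitlocker-$($env:COMPUTERNAME)-$Stamp.csv"
$Report | Export-Csv -Path $Csv -NoTypeInformation
$Report | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, Compliant -AutoSize

# Surface gaps so they can be added to the remediation tracking board from step 3.
$Gaps = $Report | Where-Object { -not $_.Compliant }
if ($Gaps) {
    Write-Warning "Unencrypted or unprotected volumes on $($env:COMPUTERNAME): $($Gaps.MountPoint -join ', ')"
    exit 1   # non-zero exit lets an RMM job or scheduled task flag this endpoint
}
Write-Host "All volumes encrypted and protected. Evidence saved to $Csv"
```

Run it from your RMM or a scheduled task on each endpoint so the evidence folder fills in monthly without a manual screenshot round.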

5) Require MFA everywhere ePHI can be accessed

Credential theft remains one of the most common ways attackers get into healthcare environments. MFA is one of the highest ROI controls you can deploy, and the NPRM makes it explicit.

What to do now: enable MFA for Microsoft 365, VPN/remote access, EHR access, and any admin portals. If you’re already using Microsoft, Conditional Access policies can reduce MFA fatigue while still protecting high-risk logins.

6) Establish a vulnerability scanning and patch rhythm you can keep

The NPRM proposes vulnerability scanning at least every six months and penetration testing at least annually. Even if your organization is small, the goal is the same: find issues before attackers do.

What to do now: adopt a monthly patch cadence and a quarterly vulnerability review cycle (more frequent than the NPRM proposes). For medical devices where patching is complicated, document compensating controls (network segmentation, access restrictions, monitoring).

7) Create an incident response plan that matches real-world operations

Many practices have a binder-based incident response plan that doesn’t reflect how the team actually communicates or makes decisions. The NPRM emphasizes written incident response procedures and testing/revision.

What to do now: define who declares an incident, who talks to the EHR vendor, who handles patient communications, and who contacts legal/cyber insurance. Run a 60-minute tabletop exercise focused on a realistic scenario: a stolen laptop, a compromised mailbox, or ransomware impacting scheduling.

8) Plan for fast recovery: define what must be restored within 72 hours

The NPRM includes an expectation to restore certain relevant systems and data within 72 hours of their loss. That’s a big deal if your backups are slow, incomplete, or untested.

What to do now: identify the “top 5” systems that would stop patient care (EHR, imaging access, phone system, email, scheduling). Then validate backups, define recovery time objectives (RTOs), and test restores. If your current setup can’t meet the target, build a phased plan.

9) Prepare for annual compliance audits with evidence, not opinions

One of the most operationally challenging proposals is an annual compliance audit requirement. The practices that do best are the ones that treat compliance as a living system: policy + control + evidence.

What to do now: start an “evidence folder” structure: access controls, MFA, encryption, backups, vulnerability management, training, vendor management, and incident response. Each month, drop in a few artifacts (reports, screenshots, attestations). This prevents a year-end scramble.

10) Don’t ignore business associates: tighten vendor access and accountability

Even if your internal controls are strong, business associates can be the weakest link. Your EHR vendor, MSP/IT provider, billing partner, and secure messaging tools all touch ePHI.

What to do now: review Business Associate Agreements (BAAs) for security language, confirm which vendors have admin access, and enforce least privilege. If you need a stronger vendor security posture and visibility, PTG’s CyberFence platform helps centralize monitoring and security workflows.

Where PTG can help Orlando healthcare teams

Perez Technology Group (PTG) is an Orlando-based managed IT and cybersecurity provider and Microsoft Partner. We help healthcare organizations translate compliance language into real controls: identity security, device hardening, encryption, backup and recovery testing, and continuous monitoring.

If you want a practical readiness plan aligned to the proposed HIPAA Security Rule direction, contact us for a security assessment and roadmap.
Source note: Proposed changes summarized from HHS OCR’s HIPAA Security Rule NPRM fact sheet (Dec 27, 2024).

Carlos Perez

CEO & Founder, Perez Technology Group | Founder, CyberFence | Microsoft Certified | Orlando, FL