Proposed HIPAA Cybersecurity Changes: Small Practices Should Start Paying Attention
Why this matters: HIPAA security may be getting more specific. Small practices that wait until the rule is final may find themselves trying to fix years of unclear systems, vendor access, and documentation under pressure.
The proposed rule is not final. That does not mean small healthcare practices should sit still. The direction is clear enough that medical offices should start cleaning up obvious visibility, vendor, and documentation gaps now.
May 6, 2026
The policy binder is not enough
For a long time, HIPAA security has often been treated like documentation work. Have a policy. Do the annual training. Complete the risk assessment. Keep moving.
That mindset is getting stale. The proposed rule points toward something more practical and more uncomfortable. OCR appears to be asking healthcare organizations to prove they understand their environment.
- What systems matter?
- Where does ePHI move?
- Who has access?
- Which vendors are involved?
- What happens if something breaks, gets locked, or gets compromised?
Those are business questions. If a practice cannot answer them clearly, the issue is bigger than paperwork.
The real work starts with visibility
A small medical practice does not need an enterprise security program. It does need to know what it has.
That means having a current inventory of the systems, devices, vendors, and accounts that touch patient information or support the business. Start simple. EHR. Email. Billing. Cloud fax. Imaging. File storage. Backups. Laptops. Mobile devices. Remote access tools. Vendor accounts.
That list usually tells a story pretty quickly. Sometimes it shows that access has not been reviewed in a long time. Sometimes it shows that a vendor has more reach than expected. Sometimes it shows that patient information is moving through tools no one thought about during the last risk assessment.
You cannot protect what you cannot see.
Vendor responsibility needs to be clear
This is one of the biggest weak spots for smaller practices. The practice assumes the IT provider has security covered. The IT provider assumes the EHR vendor owns the application. The EHR vendor secures its own platform but not the rest of the workflow. The billing company has access. The cloud fax vendor has access. Maybe a consultant does too.
Everyone owns a piece. No one owns the whole picture.
That becomes a problem during an incident. A practice should know who to call, what each vendor is responsible for, what access they have, and what they are required to do if something goes wrong. This does not need to be complicated. It does need to be clear.
Risk analysis has to match reality
HIPAA has required risk analysis for years. The issue is that too many assessments are too generic. They look fine in a folder, but they do not describe how the practice actually works.
A useful risk analysis should reflect the real environment. If patient information is sent through a referral process, that should be understood. If vendors access systems remotely, that should be included. If backups exist but have not been tested, that should be known. If former staff or old vendor accounts are still active, that should not be a surprise.
The proposed rule is another reminder that security documentation needs to match reality. Otherwise, it is just paper.
Do not wait for the final rule to fix obvious gaps
Some organizations will wait until the rule is final. That is common. It is also risky.
The final version may change, but the direction is not surprising. Healthcare is a major target. Small practices often rely on outside vendors. Patient data is sensitive. Downtime hurts quickly.
A security incident can cancel appointments, delay billing, damage patient trust, and create legal or insurance problems. That is already true today. The proposed HIPAA changes just put a brighter light on it.
What should a small practice do now?
- Build a real inventory so the practice can explain where patient information lives and moves.
- Review vendor access and make sure responsibility, access, and incident expectations are clear.
- Update the risk analysis so it reflects how the practice actually operates, not a generic template.
- Clarify incident roles so leadership, operations, IT, and vendors know who owns what when things go sideways.
- Fix the gaps that create the most risk first instead of waiting for pressure from a regulator, insurer, attorney, vendor, or patient complaint.
A defensible story is the goal
A small practice does not need perfection. It needs a defensible story.
We know where patient information lives. We know who can access it. We know which vendors support us. We have reviewed the major risks. We know what to do if something happens.
That is a much stronger position than hoping the EHR vendor or IT provider has everything covered.
Get clarity before the pressure hits
Perspectives Cyber and Technology Advisors helps small healthcare practices, nonprofits, and SMBs make sense of cybersecurity and compliance without turning it into a giant corporate exercise.
We help identify what matters, document what exists, find the gaps that create real risk, and work with your IT provider or MSP to get the right things addressed.
If your practice is not sure where it stands, start with a practical advisory conversation.
Official guidance and resources
- HHS OCR HIPAA Security Rule NPRM Fact Sheet
- HHS OCR HIPAA Security Rule NPRM Page
- Federal Register Proposed Rule, January 6, 2025
- HHS OCR Security Rule Guidance
Disclaimer: The proposed HIPAA Security Rule updates discussed in this article are not finalized and remain subject to change. Final language, scope, and enforcement timelines may differ from what is currently proposed. This content is for informational purposes only and does not constitute legal, compliance, or professional advice.