As a healthcare provider, are you aware of the following public list? HHS Breach List
As you can see, it’s a database you never want your organization’s name to appear in.
To push all healthcare-related businesses toward stronger cybersecurity practices, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) last December to update the HIPAA Security Rule. This proposal is part of a broader federal push to strengthen cybersecurity across critical infrastructure—including healthcare.
If your organization handles protected health information (PHI), NOW is your window to get ahead of sweeping cybersecurity changes.
The comment period for this proposed rule closed in March 2025, and the final rule is expected to be published later this year or in early 2026. That means healthcare organizations have a rare opportunity: time to prepare before heightened cybersecurity requirements take effect.
What’s Coming
The proposed updates are significant. They include:
- Eliminating the distinction between “required” and “addressable” implementation specifications—everything will be required.
- Mandating written documentation of all security policies, procedures, and risk analyses.
- Requiring a technology asset inventory and network map, updated at least annually.
- Adding specific compliance timeframes for many existing requirements.
- Demanding more detailed risk analyses, including how ePHI flows through your systems.
These changes are designed to make HIPAA compliance more proactive and resilient in the face of rising cyber threats.
Why You Should Act Now
Cyberattacks on healthcare organizations are increasing in frequency and severity. And if your organization suffers a breach that impacts 500 or more individuals – a threshold even small practices can reach very easily – it could end up on the HHS Breach Portal linked at the top of this post.
Being listed there isn’t just a regulatory issue; it’s a reputational one. Patients, partners and competitors can all see it. And once you’re on that list, it’s hard to rebuild trust.
What You Can Do in the Second Half of 2025
At KaufmanIT, we recommend using the remainder of this year to:
- Conduct a Gap Assessment: Identify where your current cybersecurity practices fall short of the proposed rule.
- Implement Continuous Monitoring: Tools like our SecureKIT™ Shield provide 24/7 vulnerability scanning, malicious traffic filtering and more for healthcare environments.
- Document Everything: Start building or updating your written policies, procedures and risk analyses now—don’t wait for the final rule.
- Train Your Team: Human error remains the leading cause of breaches. Regular training is essential.
Final Thought
The proposed HIPAA Security Rule changes are coming—and they’re coming fast. Use the second half of 2025 to prepare, protect your organization and avoid the consequences of being reactive.
If you’re unsure where to start, KaufmanIT offers assessments, training and managed services designed specifically for healthcare providers. Let’s make sure your organization stays compliant – and off the breach list.
HIPAA Cybersecurity FAQ – 2025 Updates
- What’s changing in HIPAA’s cybersecurity rules for 2025? All implementation specifications are likely to become mandatory, plus organizations must document policies, procedures and risk analyses in writing.
- Why is the HHS Breach Portal important? It publicly lists healthcare organizations that have experienced HIPAA violations or data breaches—making reputational damage a real risk.
- What’s the biggest cybersecurity threat to healthcare today? Phishing attacks are surging, meaning human error remains the leading cause of breaches.
- How can healthcare companies stay compliant? Conduct gap assessments, implement continuous monitoring tools and train staff regularly on security best practices.
- What does KaufmanIT offer to help? We provide SecureKIT™ Shield for real-time threat detection, HIPAA compliance support and tailored cybersecurity solutions for healthcare providers.