Healthcare GRC

HIPAA’s New Security Rule: The NPRM is Coming, and CMS is Already Enforcing the Future

Brittany Brown

Senior Consultant, Advisory Services, Coalfire

November 21, 2025

The Notice of Proposed Rule Making (NPRM) for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has been released. Have you reviewed the NPRM, and are you prepared for what’s ahead? While the ruling is in a proposed state, do not assume it lacks enforceability. History shows that many of these requirements have already been enforced through frameworks like the Minimum Acceptable Risk Standards for Exchanges (MARS-E) and the Non-Exchange Entity Governance, Risk Management, and Compliance (NEE GRC), and now through the Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE), its successor. 

The reality is, if CMS is already enforcing it, the chances of the NPRM requirements coming to fruition are high.

This blog analyzes several HIPAA Security Rule NPRM requirements in comparison to CMS’s ARC-AMPE framework to demonstrate that the proposed standards are already being enforced by CMS. While not every change is addressed, this comparison provides actionable insights and serves as a best-practice guide for implementing new measures or strengthening existing controls. 


Comparing NPRM Standards to CMS ARC-AMPE Requirements 

For each topic below, the HIPAA Security Rule NPRM standard (§ 164 citations) is listed first, followed by the corresponding ARC-AMPE requirements (control identifiers).
Patch Management 
  • § 164.308(c)(1): Within 15 calendar days of identifying the need to patch, update, or upgrade the configuration of a relevant electronic information system to address a critical risk in accordance with this paragraph (a)(4)(ii)(C), where a patch, update, or upgrade is available; or, where a patch, update, or upgrade is not available, within 15 calendar days of a patch, update, or upgrade becoming available.
  • § 164.308(c)(2): Within 30 calendar days of identifying the need to patch, update, or upgrade the configuration of a relevant electronic information system to address a high risk in accordance with this paragraph (a)(4)(ii)(C), where a patch, update, or upgrade is available; or, where a patch, update, or upgrade is not available, within 30 calendar days of a patch, update, or upgrade becoming available.
  • RA-05(d): Remediate legitimate vulnerabilities identified during vulnerability scanning within the following timeframes: Critical severity within fifteen (15) calendar days, High severity within thirty (30) calendar days, Moderate severity within ninety (90) calendar days, and Low severity within one (1) year in accordance with the organization’s assessment of risk.


Security Awareness and Training 
  • §164.308(a)(11)(ii)(3)(B) A covered entity or business associate must provide security awareness training as follows:
  • §164.308(a)(11)(ii)(3)(B)(1): As required by paragraph (a)(11)(ii)(A) of this section, to each member of its workforce by no later than the compliance date, and at least once every 12 months thereafter.
  • §164.308(a)(11)(ii)(3)(B)(2): As required by paragraph (a)(11)(ii)(A) of this section, to each new member of its workforce within a reasonable period of time but no later than 30 days after the person first has access to the covered entity's or business associate's relevant electronic information systems.
  • AT-02(a): Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (1) As part of initial training for new users and within at least every one (1) year thereafter; and (2) When required by system changes or following organization-defined events. Organization-defined events include assessment or audit findings; security or privacy incidents; and changes to applicable laws (to include privacy laws), Executive Orders, directives, regulations, policies, standards, and guidelines.


Documentation Requirements 
  • § 164.316(b)(3): Review and update documentation at least once every 12 months and within a reasonable and appropriate period of time after a security measure is modified.
  • PM-01(b): Review and update the organization-wide information security program plan at least every one (1) year and following organization-defined events; and
  • PM-01(c): Protect the information security program plan from unauthorized disclosure and modification.
Transmission Security 
  • § 164.312(g): Deploy technical controls to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network; and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes, whichever is more frequent, and modify as reasonable and appropriate.
  • SC-08: Protect the confidentiality and integrity of transmitted information.
  • SC-08(01): Implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission.
  • SC-08(01) (ARC-AMPE Supplemental Control Requirements & Guidance): Use the latest published FIPS 140-compliant encryption standards or protected distributed systems to protect Personally Identifiable Information (PII), ensuring the information's confidentiality and integrity during transmission.
  • SC-08(02): Maintain the confidentiality and integrity of information during preparation for transmission and during reception. 
Multifactor Authentication  
  • § 164.312(a)(ii)(A): Deploy multi-factor authentication to all technology assets in the covered entity's or business associate's relevant electronic information systems to verify that a person seeking access to the relevant electronic information system(s) is the user that the person claims to be.
  • § 164.312(a)(ii)(B): Deploy multi-factor authentication for any action that would change a user's privileges to the covered entity's or business associate's relevant electronic information systems in a manner that would alter the user's ability to affect the confidentiality, integrity, or availability of electronic protected health information.
  • IA-02: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
  • IA-02 (ARC-AMPE Supplemental Control Requirement & Guidance): Employ effective identity proofing and authentication processes, compliant with the latest published NIST SP 800-63, Digital Identity Guidelines document suite, as amended.
  • IA-02(01): Implement multi-factor authentication for access to privileged accounts.
  • IA-02(02): Implement multi-factor authentication for access to non-privileged accounts. 
Penetration Testing 
  • § 164.312(h)(iii)(B): Penetration testing must be performed at least once every 12 months or in accordance with the covered entity's or business associate's risk analysis required by § 164.308(a)(2), whichever is more frequent. 
  • CA-08: Conduct penetration testing at least every one (1) year on organization-defined systems or system components as agreed with the penetration testers in the Rules of Engagement.  
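To make the Patch Management row concrete, here is an added example (not Coalfire's tooling or regulatory text) that computes remediation deadlines for a vulnerability queue using the NPRM clock rule (the window starts when the need is identified, or when a patch becomes available if none existed) generalized across all four ARC-AMPE RA-05(d) severity tiers. The Finding fields, tracking ids, and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Calendar-day windows from ARC-AMPE RA-05(d); the NPRM § 164.308(c)(1)-(2)
# imposes the same 15- and 30-day clocks for critical and high risk.
REMEDIATION_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 365}

@dataclass
class Finding:
    finding_id: str                         # constructed tracking id
    severity: str
    identified: date                        # date the need to patch was identified
    patch_available: Optional[date] = None  # None = vendor has not published a fix
    remediated: Optional[date] = None       # None = still open

def due_date(f: Finding) -> Optional[date]:
    """Deadline under the NPRM clock: the window starts at identification, or at
    patch availability if the patch arrived later. No patch means no deadline yet."""
    if f.patch_available is None:
        return None
    start = max(f.identified, f.patch_available)
    return start + timedelta(days=REMEDIATION_DAYS[f.severity.lower()])

def status(f: Finding, today: date) -> str:
    """Classify a finding for an SLA report: awaiting-patch, open, overdue, on-time, late."""
    due = due_date(f)
    if due is None:
        return "awaiting-patch"
    if f.remediated is not None:
        return "on-time" if f.remediated <= due else "late"
    return "overdue" if today > due else "open"

def triage(findings, today: date) -> dict:
    """Return {finding_id: status} for the whole queue."""
    return {f.finding_id: status(f, today) for f in findings}

# Constructed sample scan queue and reporting date (not real data).
TODAY = date(2025, 11, 21)
SAMPLE = [
    Finding("F-1", "critical", date(2025, 11, 1), date(2025, 10, 20)),  # patch pre-existed: due Nov 16
    Finding("F-2", "critical", date(2025, 11, 1), date(2025, 11, 10)),  # patch came later: due Nov 25
    Finding("F-3", "high", date(2025, 10, 1), date(2025, 10, 1), date(2025, 11, 5)),  # due Oct 31, fixed late
    Finding("F-4", "moderate", date(2025, 11, 1), None),                # clock not started
]

if __name__ == "__main__":
    for fid, st in triage(SAMPLE, TODAY).items():
        print(fid, st)
```

Feeding real scanner export rows into Finding objects gives a defensible, auditable view of which items would already breach the NPRM or ARC-AMPE clocks.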

Now What?

According to Reginfo.gov, the Final Action on the HIPAA Security Rule NPRM is scheduled for May 2026, which means organizations must start preparing now for significant compliance updates. The era of optional safeguards is over; prepare your organization now to identify and close potential gaps. While the NPRM preserves flexibility in approach, it must be backed by a comprehensive risk analysis. This includes identifying threats and vulnerabilities to electronic protected health information (ePHI), assessing the likelihood and potential impact of those risks, and selecting reasonable, appropriate measures to mitigate them. Organizations that act early will not only reduce risk but also position themselves as leaders in security and trust. 

NPRM Compliance Readiness Checklist 

1. Review NPRM Requirements 

  • Read the proposed HIPAA Security Rule changes in detail.
  • Identify new or updated control areas that impact your organization.
  • Consult with legal and compliance teams to interpret regulatory language and confirm obligations. 

2. Perform a Risk Analysis & Gap Assessment 

  • Conduct a comprehensive risk analysis to identify threats and vulnerabilities to ePHI.
  • Evaluate likelihood and impact of risks; prioritize mitigation strategies.
  • Compare current posture against NPRM and CMS ARC-AMPE standards.
  • Document gaps and create a remediation plan with timelines and owners. 

3. Update Policies & Procedures 

  • Revise security policies to align with NPRM expectations.
  • Ensure documentation reflects best practices. 

4. Enhance Technical Safeguards 

  • Remediate the technical gaps identified in the gap analysis (e.g., encryption, access controls, audit logging).
  • Validate configurations against compliance benchmarks, such as CIS (Center for Internet Security) standards. 

5. Train Workforce 

  • Prepare updated HIPAA security training for rollout when the Final Rule is implemented. 

6. Monitor & Audit Regularly 

  • Schedule internal and/or external audits for compliance readiness.
  • Use findings to continuously improve controls.
  • Assign an owner to track changes and coordinate updates.