Every Tool You Trust Has an Expiration Date

The proposed HIPAA Security Rule update eliminates the flexibility that behavioral health teams have relied on for twenty years. The workaround you documented. The consumer-grade tool you justified because nothing better fit the budget. The “addressable” safeguard your organization assessed and set aside. Under the proposed rule, those decisions stop being defensible. And the people who will feel that shift first aren’t in the C-suite. They’re in the session room, at the front desk, and on the telehealth screen.

OCR has kept finalization on its official regulatory agenda for May 2026, with a compliance window of 180 to 240 days after publication (HHS NPRM Fact Sheet, 2025). Whether the final rule arrives on schedule or later this year, the operational changes it demands will land at the workflow level. Understanding what’s coming now is the difference between adapting on your terms and scrambling on OCR’s.

What Changes

Multi-factor authentication will be required for all systems accessing electronic protected health information (Federal Register, 2025). For clinicians moving between sessions, supervisors toggling across platforms, and IT staff managing remote access, this means an additional authentication step on every login. The workflow impact is real. Organizations that plan the rollout poorly will create friction that drives workarounds, and workarounds are exactly what the proposed rule is designed to eliminate.

MFA is a 15-second interruption that prevents a 15-month OCR investigation. The math favors the interruption.

The mandate aligns with NIST Cybersecurity Framework standards for critical infrastructure (NIST, 2024). Environments without MFA remain the primary vector for unauthorized ePHI access. This is the single most common entry point for breaches, and the proposed rule treats it accordingly.

Encryption of ePHI at rest and in transit also becomes mandatory with limited exceptions. This affects laptops, tablets, mobile phones, portable storage, and any device where patient data might reside, even temporarily. A clinician drafting session notes on an unencrypted personal device creates a compliance gap under the proposed rule. A supervisor accessing scheduling data with patient identifiers on an unencrypted tablet creates the same problem.

For telehealth, the encryption mandate means every video platform, messaging tool, and patient portal must meet the standard. The pandemic-era enforcement discretion that gave providers breathing room is over. Platforms that were tolerated during the emergency response period will face full scrutiny under the updated rule.

The Tools You Rely On May No Longer Be Enough

Behavioral health practitioners are more likely than most healthcare providers to rely on consumer-facing services for day-to-day operations. Standard Gmail accounts, basic-tier video conferencing, payment processors, messaging apps, and standard SMS all show up regularly in behavioral health workflows. These tools typically lack the technical capabilities the Security Rule requires: automatic log-off, event monitoring, and audit controls (HIPAA Journal, 2026).

Under the current rule, organizations could document why a consumer-grade tool was “reasonable and appropriate” in their environment and maintain compliance. The proposed rule eliminates that flexibility. If the tool cannot meet the specification, it is non-compliant. The documentation that justified the workaround no longer applies.

Frontline staff are the best source of intelligence on where the real compliance gaps live. They know which tools actually touch patient data every day, and that knowledge is worth more than any external audit.

This is where clinical supervisors and program managers can contribute immediately. You know which platforms your teams use for scheduling, messaging, documentation, and telehealth. You know which tools were adopted informally and never went through an IT review. Flagging those tools now gives leadership time to evaluate alternatives and budget for transitions before the compliance deadline forces a rushed migration.

For organizations subject to 42 CFR Part 2 protections, the compliance bar is even higher. Substance use disorder records require tighter electronic access controls, and tools that cannot enforce role-based permissions or segment Part 2 data create layered compliance risk (Xpio Health, 2025). If your organization serves both general behavioral health and SUD populations, the intersection of these requirements demands careful attention at the operational level.

What You Can Do Now Without Waiting for a Directive

The proposed rule requires a documented technology asset inventory covering every system that touches ePHI, updated at least annually. IT will build the inventory, but frontline staff are the ones who know which apps, devices, and platforms are actually in daily use. The difference between an accurate inventory and a theoretical one is whether the people doing the clinical work contribute what they know.

The proposed rule also requires formal incident response procedures and 72-hour system restoration capability. Frontline staff won’t design those plans, but they will be the first to notice something wrong. Knowing what constitutes a reportable incident and knowing exactly who to contact is the baseline expectation under the updated rule. If your organization’s current training covers incident reporting only in an annual slide deck that no one references afterward, that gap is worth raising now.

Expect annual compliance audits across all Security Rule requirements and more frequent, role-specific training (OCR Risk Analysis Guidance, n.d.). The generic annual checkbox session is giving way to documented, scenario-based training tied to actual job functions. Clinical supervisors and program managers should anticipate owning the training confirmation process for their teams.

And if a vendor’s platform doesn’t support MFA, can’t produce audit logs, or won’t sign a Business Associate Agreement, that information needs to reach leadership before the compliance deadline. The proposed rule would require business associates to provide annual written certification of their security safeguards. Vendors who can’t meet that standard represent risk your organization needs to quantify now.

Leadership sets the compliance direction. Frontline practice determines whether the organization actually meets the standard.

The proposed rule is designed to close the gap between policy on paper and security in practice. Preparing now, even in small operational ways, is how that gap actually closes.


If your team had to pass an OCR compliance audit next month, would every clinician know which tools are approved, how to report an incident, and where patient data actually lives on their devices? Xpio Health works with behavioral health organizations to translate regulatory requirements into operational-level readiness. When your team is ready to prepare, reach out for a consultation.

References

  1. HHS. Fact Sheet: Notice of Proposed Rulemaking to Modify the HIPAA Security Rule. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
  2. Office of the Federal Register. HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register. 2025. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
  3. OCR. Guidance on Risk Analysis. HHS.gov. n.d. https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
  4. NIST. Cybersecurity Framework 2.0. NIST. 2024. https://www.nist.gov/cyberframework
  5. Xpio Health. HIPAA and Part 2: Gears Aligned, Systems Synced. Xpio Health Blog. 2025. https://xpiohealth.com/articles/hipaa-and-part-2-gears-aligned-systems-synced
  6. HIPAA Journal. HIPAA Compliance for Behavioral Health Practices. HIPAA Journal. 2026. https://www.hipaajournal.com/hipaa-compliance-for-behavioral-health-practices/