
OCR collected more than $6.6 million in HIPAA fines in 2025, and risk analysis failures drove nearly every settlement. One of those settlements involved a behavioral health provider. And that was under the current rule, the flexible one, the one that let organizations document why an addressable safeguard wasn’t reasonable in their environment and still call themselves compliant. The proposed update to the HIPAA Security Rule would replace that flexibility with mandatory specifications across the board. For behavioral health organizations, the question is no longer whether the rules are changing. It’s whether you’ll be ready when they do.
OCR published the Notice of Proposed Rulemaking in January 2025, collected nearly 5,000 public comments, and has kept finalization on its official regulatory agenda for May 2026 (HHS NPRM Fact Sheet, 2025). Whether the final rule arrives on schedule or in a slimmed-down form later this year, the direction is unmistakable. As proposed, the rule would take effect 60 days after publication and require compliance 180 days after that, roughly 240 days in total. That window sounds generous until you inventory what it requires.
What the Proposed Rule Requires and Why It Matters
The most consequential structural change is the elimination of the distinction between “required” and “addressable” implementation specifications (Federal Register, 2025). Under the current rule, “addressable” has allowed organizations to document why a particular safeguard was not reasonable or appropriate in their environment and, where reasonable, implement an equivalent alternative measure instead. That flexibility shaped compliance strategies across the industry for two decades. Under the proposed rule, nearly all specifications become mandatory, with only narrow, specifically enumerated exceptions.
The era of treating “addressable” as a synonym for “optional” is ending. The organizations that built their compliance posture on that flexibility are the ones facing the steepest climb.
Beyond that foundational shift, the proposed rule introduces prescriptive technical requirements. Multi-factor authentication would be mandatory, with limited exceptions, for all technology assets that access ePHI, aligned with the NIST Cybersecurity Framework (NIST, 2024). Encryption of ePHI at rest and in transit would be required with limited exceptions. Organizations would need to maintain a documented technology asset inventory and network map, updated at least every 12 months and whenever the environment changes. Vulnerability scanning would be required at least every six months and penetration testing at least once every 12 months. Following a security incident, regulated entities would be required to restore critical electronic information systems and data within 72 hours. And business associates would need to provide annual written certification of their security safeguards.
HHS estimated the first-year cost of compliance at approximately $9 billion across the sector. That figure alone signals the scale of operational change regulators are expecting.
Why This Hits Behavioral Health Organizations Harder
The proposed rule applies uniformly across covered entities and business associates regardless of size, specialty, or budget. That uniformity creates a disproportionate burden for behavioral health organizations, which tend to operate with smaller IT departments, tighter margins, and less mature cybersecurity infrastructure than acute care systems.
Behavioral health settings also carry technology patterns that complicate compliance. Practitioners frequently rely on consumer-grade services like standard email, basic-tier video conferencing, and payment processors that lack automatic log-off, event logging, and audit controls, and that are often used without a business associate agreement in place. The proposed rule would make those gaps non-compliant with no room for documentation-based exceptions.
The gap between how behavioral health organizations actually use technology today and what the proposed rule will require is wider than most leaders realize. Closing it takes budget, planning, and time you won’t have after the final rule drops.
Telehealth expansion has further widened the attack surface, and the pandemic-era enforcement discretion that gave telehealth providers breathing room has ended. For organizations treating substance use disorders, the overlay of 42 CFR Part 2 protections creates dual compliance obligations that demand tighter electronic access controls (HHS, 2024). And psychotherapy notes, which carry additional protections under the Privacy Rule, would need to meet the same mandatory encryption and access control standards as all other ePHI.
Three Moves to Make Before the Compliance Clock Starts
The highest-leverage action any behavioral health organization can take right now is completing a current, comprehensive security risk analysis. This is the foundation everything else is built on, and it is the single most cited deficiency in OCR enforcement actions. OCR’s Risk Analysis Initiative has produced more than 11 enforcement actions through early 2026, and the agency has confirmed that Phase 3 HIPAA compliance audits are underway (OCR Risk Analysis Guidance, n.d.). A risk analysis completed today establishes a defensible baseline and identifies where your gaps are before the regulatory deadline forces you to find them under pressure.
Second, inventory your technology assets and map your ePHI data flows. For behavioral health organizations, this means accounting for every EHR endpoint, telehealth platform, messaging tool, and mobile device that touches patient data, along with the vendors and network paths each one depends on. Many organizations have never done this comprehensively, and the proposed rule would require it at least annually and whenever the environment changes.
Third, evaluate your business associate agreements and your vendors’ actual security posture. The proposed rule would require business associates to provide annual written certification of their security safeguards. Vendor security gaps remain one of the most common pathways to downstream breaches, and the current BAA review process at most organizations is not built to catch them (Xpio Health, 2025). Start now by identifying which vendors can demonstrate compliance and which represent unaddressed risk.
Waiting for the final rule to begin this work is the most expensive version of compliance planning available. The proposed requirements are well-documented. The enforcement trajectory is clear. The organizations that end up in OCR settlement announcements are consistently the ones that did not do the foundational work when they had the chance.
Is your organization’s security risk analysis current enough to survive an OCR audit today, or are you relying on a compliance posture built for a rule that’s about to be replaced? Xpio Health helps behavioral health organizations assess their security readiness, close compliance gaps, and build sustainable cybersecurity programs. When you’re ready to evaluate where you stand, reach out for a consultation.
#BehavioralHealth #HIPAACompliance #VendorRiskManagement #PeopleFirst #XpioHealth
References
- HHS. Fact Sheet: Notice of Proposed Rulemaking to Modify the HIPAA Security Rule. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- Office of the Federal Register. HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register. 2025. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
- OCR. Guidance on Risk Analysis. HHS.gov. n.d. https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
- HHS. Fact Sheet: 42 CFR Part 2 Final Rule. HHS.gov. 2024. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html
- NIST. Cybersecurity Framework 2.0. NIST. 2024. https://www.nist.gov/cyberframework
- Xpio Health. The Trapdoor Beneath Your Network: How Vendor Gaps Sink Your Safeguards. Xpio Health Blog. 2025. https://xpiohealth.com/articles/the-trapdoor-beneath-your-network-how-vendor-gaps-sink-your-safeguards