Your Vendor Compliance Foundation Is About to Be Load-Tested

The HIPAA Security Rule is headed for its most significant overhaul since 2013. The proposed rule published by HHS in January 2025 would eliminate the distinction between “required” and “addressable” safeguards, making virtually all implementation specifications mandatory. Whether finalization arrives on OCR’s projected mid-2026 timeline, in a slimmed-down form, or on a longer track shaped by the current administration’s regulatory priorities, the direction of travel is unambiguous.

For behavioral health organizations managing dozens of vendor relationships, that direction creates an immediate problem. The business associate agreements on file today were negotiated under a framework the proposed rule explicitly removes. The gap between what those agreements cover and what the modernized rule would demand is measurable. And the time to close it is before finalization, when you still control the timeline.

The BAA Requirements Hiding in the Proposed Rule

Most BAAs in circulation follow a familiar pattern: permissible uses and disclosures, breach notification obligations, and a general commitment to “appropriate safeguards.” That language satisfied the current rule’s flexibility. The proposed rule rewrites the expectations.

Three specific provisions in the NPRM would reshape what a BAA must contain (HHS OCR, 2025). First, business associates would be required to notify covered entities within 24 hours of activating a contingency plan. Many existing agreements still reference “reasonable time” or “without unreasonable delay” for incident communication.

Second, BAs would need to provide written verification that they have deployed required technical safeguards, validated annually by a cybersecurity subject matter expert and certified by a person with authority at the BA (Federal Register NPRM, 2025). Third, covered entities would be required to assess the risk of entering or maintaining a BAA based on those written verifications, making vendor due diligence a continuous obligation.

Beyond these structural changes, the proposed rule would mandate encryption of ePHI at rest and in transit, multi-factor authentication across all systems handling ePHI, network segmentation, and the ability to restore critical systems within 72 hours of an incident (HHS Cybersecurity Performance Goals, 2024). Every one of those requirements would need to flow into vendor agreements. A BAA that doesn’t require what the rule requires has become a liability document with your organization’s name on it.

The Vendor Categories That Should Keep Compliance Officers Up at Night

Behavioral health organizations carry a vendor risk profile that makes BAA gaps especially dangerous. Cloud-based EHR platforms handle massive volumes of sensitive clinical data. Telehealth providers manage complex data flows across state lines. Substance use disorder programs layer 42 CFR Part 2 protections on top of HIPAA requirements, creating consent and segmentation obligations that most generic BAAs don’t address.

Then there’s the category no one wants to talk about: AI tools that entered clinical workflows without formal vendor agreements. If a clinician adopted an AI-powered documentation assistant, a transcription service, or a note-generation tool without procurement vetting, the organization has an unmanaged vendor relationship handling ePHI. Under the proposed rule, that relationship would need full BAA coverage, annual safeguard verification, and contingency plan notification provisions. The vendor you forgot to inventory is the one most likely to create your next compliance exposure.

OCR isn’t waiting for the final rule to enforce the standards that already exist. Vendor security gaps remain one of the most reliable paths through which an organization’s safeguards are bypassed (Xpio Health, 2025). The agency’s Risk Analysis Initiative, launched in late 2024, has produced seven enforcement actions in its first six months, including settlements with business associates for ransomware incidents, misconfigured servers, and years-long gaps in risk analysis documentation (HHS OCR Resolution Agreements, 2025). Phase 3 HIPAA compliance audits are underway, targeting 50 covered entities and business associates with a specific focus on Security Rule provisions relevant to hacking and ransomware prevention (HHS OCR NPRM, 2025). The enforcement environment is tightening now, independent of when the proposed rule finalizes.

Building the Inventory Before the Rule Builds It for You

The practical response is a sequenced audit that can begin this quarter. Start by inventorying every vendor relationship that touches PHI, including informal tools, free-tier AI services, and subcontractor arrangements that may not have surfaced during the original BAA process. This inventory is itself a proposed requirement of the NPRM, which would mandate written technology asset inventories and network maps updated at least annually (HHS OCR NPRM Factsheet, 2025).

Next, compare every agreement signed before 2025 against the proposed mandatory requirements. The NPRM includes a transition period for existing BAAs, but that grace period assumes you know which agreements need updating. You can’t take advantage of the on-ramp if you don’t know which vehicles are on the road.

Finally, tier vendors by PHI volume and access level to prioritize renegotiation. A cloud EHR platform holding records for 10,000 patients carries different risk weight than a printing vendor that handles appointment reminder mailers. The tiering determines where to invest negotiation energy first.

The real shift is organizational. BAA management moves from a filing exercise to an active vendor risk governance discipline. Organizations that build the verification infrastructure now (annual SME validation, documented safeguard assessments, contingency notification protocols) will have a repeatable process in place when the final rule arrives. Those that wait will be standing up that infrastructure under regulatory scrutiny, on a timeline they no longer control.

The proposed Security Rule’s trajectory is clear even as the final provisions take shape. OCR received nearly 4,750 public comments and is reviewing each one (Federal Register NPRM, 2025). The rule may arrive in a slimmed-down form. It may arrive on schedule. Either way, the organizations that treated this window as preparation time will be the ones that are audit-ready, insurable, and ahead of the compliance curve.


When was the last time you compared your vendor agreements against what regulators are actually moving toward? Xpio Health helps behavioral health organizations assess vendor risk, audit existing agreements, and build the verification infrastructure the modernized Security Rule demands. If your BAAs haven’t been reviewed since 2024, let’s start the conversation.
#BehavioralHealth #PeopleFirst #XpioHealth


References

  1. HHS Office for Civil Rights. HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
  2. HHS Office for Civil Rights. HIPAA Security Rule NPRM Factsheet. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
  3. HHS. HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register. 2025. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
  4. HHS. Healthcare and Public Health Sector Cybersecurity Performance Goals. HHS.gov. 2024. https://hhscyber.hhs.gov/performance-goals.html
  5. HHS Office for Civil Rights. Resolution Agreements and Civil Money Penalties. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  6. Xpio Health. The Trapdoor Beneath Your Network: How Vendor Gaps Sink Your Safeguards. Xpio Health. 2025. https://xpiohealth.com/articles/the-trapdoor-beneath-your-network-how-vendor-gaps-sink-your-safeguards