The HIPAA Loophole Is Closing. Is Your Practice Ready?
For years, small healthcare practices could document their way out of security requirements. In 2026, that excuse disappears.
If you run a small medical, dental, or behavioral health clinic, you’ve been able to document your way out of implementing security measures. Up until now.
The Department of Health and Human Services published a new HIPAA Security Rule in January 2025 that changed the game. Gone are the days when an “addressable” implementation specification could be dodged by tiny practices claiming they’re too small or not in a position to comply.
There were 167 million people affected by healthcare-related breaches in 2023. Breach reports soared 102% from 2018. Ransomware attacks on healthcare have gone through the roof since 2019. And smaller practices are getting pummeled — they’re often running outdated systems, don’t have dedicated security staff, and are exactly what hackers aim for.
HHS is saying they don’t care how many employees your practice has. The same security rules apply to all.
The “Big Four” Requirements
The updated HIPAA Security Rule establishes four technical requirements that healthcare organizations must put in place. No exceptions, no fudging the books.
1. Multi-Factor Authentication
MFA is no longer just for the top brass. It needs to be implemented everywhere — your electronic health record system, email, cloud storage, remote access tools, patient portal admin access. That’s a requirement, not a suggestion.
The Change Healthcare breach, the largest in US healthcare history, happened in part because of a lack of MFA. That’s now Exhibit A for why this matters.
2. Encryption Everywhere
You need to cover all the bases: encrypting data in transit (HTTPS, encrypted emails, secure file transfers) and at rest (encrypted hard drives, databases, backups).
If a server’s hard drives aren’t encrypted and someone walks off with one, that’s a major breach. If backup tapes aren’t encrypted and get lost in the mail, that’s also a problem.
3. Vulnerability Scanning and Penetration Testing
Vulnerability scanning every six months and annual penetration testing can be daunting for small practices.
Vulnerability scanning every six months is a breeze with the right tools. But pen testing — where you hire a professional hacker to try and break into your systems — is more involved and expensive.
HHS considered waiving the annual pen testing requirement for small and rural providers. They rejected that idea since “small healthcare providers are at the greatest risk of a breach.”
A Colorado critical access hospital that recovered from a 2019 attack had to pour an enormous amount of staff time and months of recovery into it. Months of downtime won’t be acceptable under the new rules.
4. 72-Hour Restoration
When something goes wrong, you need documented procedures to restore critical systems within 72 hours. That means written disaster recovery procedures, a criticality analysis of your systems, and tested backup and recovery processes.
Beyond the Big Four
The new rules also require IT teams to tackle:
| Requirement | What It Means |
|---|---|
| Asset inventory | Written list of all devices/systems that touch patient data, updated annually |
| Network maps | Diagram showing how patient data moves through your systems |
| Configuration standards | Documented security configurations for all systems |
| Patch management | Written procedures for applying security updates |
| Vendor verification | Annual written confirmation from business associates |
| Compliance audits | Annual audit of compliance with each Security Rule standard |
The Timeline
The rule was published in the Federal Register on January 6th, 2025. The comment period closes in March 2025, and the rule is likely to be finalized in late ’25. It goes into effect sixty days after the final rule is published, with 180 days after that to comply.
| Milestone | Date |
|---|---|
| Rule published | January 6, 2025 |
| Comment period ends | ~March 2025 |
| Final rule published | Late 2025 (expected) |
| Rule effective | 60 days after publication |
| Compliance deadline | 180 days after effective date |
If the final rule drops in late ’25, you’re looking at a compliance deadline in mid-’26. Six months to turn around your security posture. That’s a sprint, not a marathon.
The Cost Problem
Small businesses are going to have a real problem with the costs. HHS says the average annualized cost is $1,235, which sounds reasonable until you consider:
- A thorough penetration test runs $5,000–$25,000
- Multi-factor authentication requires software licenses or implementation time
- Encryption at rest might require hardware upgrades for older systems
- Documenting and checking compliance is continuous labor
How Cloud Changes the Equation
When you run your own servers, you’re responsible for every part of the compliance process: buying hardware, configuring encryption, managing MFA, contracting penetration tests, laying out recovery plans, and convincing auditors.
When you work with a managed cloud provider that understands healthcare, they take on the bulk of the responsibility and hand over the necessary documentation to you.
| Requirement | On-Premise | Managed Cloud |
|---|---|---|
| MFA deployment | You implement | Built into platform |
| Encryption at rest | You configure | Standard, managed |
| Encryption in transit | You verify | Standard, automated |
| Vulnerability scanning | You contract | Automated, continuous |
| Penetration testing | You contract | Can be included |
| 72-hour restoration | You design & test | Built into platform DR |
| Vendor verification | You chase paperwork | We provide documentation |
The Business Associate Catch
One area that will catch many people off guard: vendors that touch patient data — cloud providers, EHR vendors, billing services, backup solutions — will need to provide a yearly written analysis of their security posture, certifying that they’ve implemented the necessary safeguards, with that assurance coming from someone with cybersecurity expertise.
Providers who already have HIPAA compliance infrastructure have SOC 2 reports, BAA templates, and audit documentation ready. Companies that have been winging it, claiming they’re “HIPAA compliant,” are going to find themselves in a bind.
What To Do Now
If you’re a small healthcare practice:
- Gap analysis first. Look at where you stand on the big four requirements — MFA, encryption, vulnerability scanning, disaster recovery. Write it all down.
- Assess your vendors. You need them to supply written proof of their security posture. Ask now.
- Budget for a penetration test. You’ll need a professional third party who’ll make an effort to hack into your systems. Get estimates now before demand spikes and prices go up.
- Evaluate your infrastructure. If you’re running on outdated servers, think about whether you can afford to keep up with the compliance grind — or whether it makes sense to shift that burden to a partner.
- Start writing things down. If it’s not in writing, it doesn’t count. Begin formalizing what you’ve been doing informally.
The Bottom Line
Small practices are the ones that will get hit hardest by these changes. They’re less likely to have the resources to set up the compliance needed by the deadline.
The question is: do you want to build the infrastructure and documentation yourself, or work with people who have already done this?
We’ve been in the healthcare compliance game for over 30 years. If you need help talking through what this means for your specific situation, reach out. We’ll give you an honest assessment. And if you call, we actually answer.
Marty Godsey
Rudio LLC
Sources:
- HIPAA Security Rule NPRM, Federal Register 90 FR 898 (January 6, 2025)
- HHS HIPAA Security Rule NPRM Overview
- HHS HIPAA Security Rule Fact Sheet
- OCR Breach Report Portal
