HIPAA’s Compliance Glow-Up: The End of Addressable Standards
What That Means for Your Security Program
I remember the first time I came across the HIPAA Security Rule as I transitioned from the engineering space to the GRC space. That shock of learning how long it had been around, combined with its built-in opt-out language, caused me to question what little I already knew about the rule given my security background. (We didn’t call it Cyber back then.) More curious, as I talked to peers at other organizations, they knew shockingly little about it either. After all, the HIPAA Security Rule has been around since 2003, and it was clear most organizations had been limboing under its low bar ever since. The rule’s infamous opt-out “addressable” standards gave healthcare organizations a get-out-of-jail-free card for decades. Don’t want to implement a specific safeguard? No problem, just explain why it’s not “reasonable and appropriate” for your setup, slap a justification in your policies, and call it a day.
Well, that party’s over.
The proposed HIPAA Security Rule updates will eliminate the distinction between “required” and “addressable” implementation specifications, making everything mandatory. No more cherry-picking security measures. No more creative excuses about how encryption isn’t “practical.” If it’s in the rule, you’ll have to do it. No more excuses about how the organization needs unencrypted internal-to-internal network connections for “performance” monitoring and troubleshooting. Let’s face it, that monitoring never amounted to anything beyond saving the 2-3 minutes it takes to set up encryption. Modern TLS minimizes any performance burden. Period.
This is the HIPAA Security Rule’s compliance-led glow-up: a shift from checkbox flexibility to results-oriented accountability. And while it’s long overdue, it’s also a wake-up call for organizations still stuck in 2003, 2005, 2009, 2013, 2016, 2021 or even 2022.
What’s Changing?
Under the current rule, implementation specifications fall into two buckets: “required” and “addressable.”
The proposed updates will eliminate the “addressable” category entirely, making all specifications required. This means healthcare organizations will need to adopt a uniform baseline of safeguards, regardless of size or complexity.
Translation: If you’ve been relying on “addressable” to sidestep costly security investments, it’s time to rethink your budget.
Why This Change Matters
Addressable was always a loophole. It allowed organizations to avoid implementing critical safeguards, often prioritizing convenience over security. Sure, some organizations used it responsibly, but others? Not so much.
This shift to mandatory standards:
What This Means for Your Organization
If you’ve been treating HIPAA compliance like an à la carte menu, it’s time to prepare for a full-course meal. Here’s what you need to focus on:
1. Conduct a Gap Analysis
Review your current safeguards against the proposed updates. Identify where you’re relying on “addressable” exceptions and develop a plan to close those gaps.
2. Budget for Mandatory Safeguards
Security upgrades aren’t cheap, but breaches are far more expensive. Think of it as upgrading from a flip phone to a smartphone. Yes, you’ll spend more upfront, but the functionality will be worth it. (And no, I don’t mean a modern flip-style smartphone, for the few who might have one.)
3. Invest in Training
Compliance isn’t just about technology; it’s about people. Train your workforce on new safeguards and ensure they understand why these changes are critical.
4. Engage Leadership
The days of saying “we can’t afford it” are gone. Use quantitative risk analysis to make the case for investments, translating cybersecurity risks into dollar amounts executives can understand. If your practice isn’t using a Tap ‘n Go technology workflow, it’s an opportunity to invest in a solution that will save time and provide convenience.
Hot Take: Why This Change is a Good Thing
When it comes to addressable controls, pushback typically comes from two camps: Providers and Information Technology teams. To be fair, when I say “IT,” I’m not talking about dedicated Information Security teams. I mean the Networking and Interface teams, whom I have often encountered viewing security as an inconvenience rather than a necessity.
Let’s address the IT concerns first. Yes, encryption adds some overhead to performance and visibility on the wire. But in 2025, this argument is as outdated as your infrastructure if it’s old enough to drink. Modern protocols like TLS are fast, efficient, and optimized for secure transactions. If your networking gear struggles to handle it, the problem isn’t encryption. It’s your decade-old (or two) hardware. It’s time for an upgrade.
Now, onto Providers, who have long pushed back against tighter security, claiming it disrupts workflows and ultimately hurts patient care. To some extent, I agree. Security measures that create friction can slow things down, but the real issue isn’t the controls, it’s the mindset. Let me put it this way: when you visit a doctor’s office, how many times are you asked to confirm your date of birth or provide other identifiers within a 2–3 minute span? Probably multiple times, even while wearing a wristband with your details. And yet, providers balk at security measures like complex passwords, citing inconvenience. If you can ask patients for the same information four times in three minutes, surely logging in securely isn’t too much to ask.
The reality is that post-EMR (2005+), providers require 4–6 FTEs to support their daily jobs, compared to 2–4 FTEs pre-EMR. Technology has added complexity, but it has also enabled better care. The triple constraint of “cheap, fast, or good” applies here: you can’t have all three. Security is non-negotiable in today’s threat landscape, and it’s time for providers to adapt, just as clinical staff have adapted to protocols that protect patients in person.
Here’s the kicker: in the age of technology, the expectation for professionals, especially at the level of M.D., is that they can type and manage a secure passphrase. Typing isn’t “secretarial work” anymore; it’s a basic skill. The notion that physicians should be exempt from IT restrictions because they hold a medical degree has held technology teams hostage for too long. Security doesn’t have to be the enemy of efficiency; it just requires thoughtful implementation and cooperation.
Preventative care is the best care for positive long-term outcomes. This applies not only to healthcare but also to information security. Neglecting either leads to hidden costs that grow over time. In security, the regulatory fines and reputational damage are just the tip of the iceberg. The real financial burden comes in the form of Corrective Action Plans (CAPs), which include:
The House always wins when you gamble with security. Pretending compliance is optional only leaves organizations exposed to growing threats and escalating consequences.
This change will be a headache for organizations that have skated by on the bare minimum. But let’s face it: the current flexibility hasn’t worked. Healthcare breaches are at an all-time high, ransomware attacks are crippling systems, and patients are losing faith in the industry’s ability to protect their data.
This shift forces organizations to stop pretending compliance is optional and start treating security as a core function of healthcare. It’s not about doing the minimum to avoid fines; it’s about building resilience in an increasingly hostile digital world.
So, are you ready for your glow-up? Or are you still trying to justify why MFA isn’t “reasonable and appropriate”? Let’s talk about it in the comments.