On December 27, 2024, the HHS Office for Civil Rights announced a Notice of Proposed Rulemaking (published in the Federal Register on January 6, 2025) that would overhaul the HIPAA Security Rule for the first time since the 2013 Omnibus Rule. For ambulatory surgery centers, the proposal is less about new philosophy and more about removing the flexibility the original 2003 rule left open.
The comment window closes March 7, 2025. Even if the final rule looks different, and it will, the direction is clear enough that ASCs can start preparing without betting on specific language.
What is actually changing
The headline shift is the elimination of the long-standing distinction between addressable and required implementation specifications. "Addressable" never meant optional; it meant implement the control or document why an alternative was reasonable. In practice, though, it gave a lot of ASC risk assessments a polite ambiguity to hide behind. Under the proposal, everything becomes required, with narrow, specifically enumerated exceptions, and that ambiguity goes away.
The other proposed changes read like a modern security baseline:
- Encryption in transit and at rest for all electronic protected health information, with very limited exceptions.
- Multi-factor authentication for access to systems holding ePHI.
- Vulnerability scans at least every six months and penetration testing at least annually.
- Network segmentation so a breach in scheduling does not become a breach in the EHR.
- A technology asset inventory and a network map, both updated at least every 12 months and whenever the environment changes.
- Written incident response plans, plus procedures to restore critical systems and data supporting ePHI within 72 hours of a loss.
For a typical ASC running an EHR, an anesthesia information system, an imaging archive, and a handful of vendor portals, the asset inventory requirement alone is a real exercise.
Why this matters more for ASCs than the headlines suggest
ASCs are smaller than hospitals, but they share the same threat surface: scheduling tied to PHI, vendor remote access for device support, frequent BAA churn, and clinical staff who genuinely need fast access to records between cases. OCR's investigations of smaller outpatient providers keep turning up the same gaps, incomplete risk analyses above all, and those findings, along with the rise in ransomware against healthcare, are part of the NPRM's stated rationale.
If the rule is finalized close to its current form, two things become much harder to defend: an incomplete inventory of where ePHI actually lives, and a BAA portfolio that has not been refreshed in years.
What to start now
Three workstreams pay off regardless of how the final rule lands.
1. Build the asset inventory you will need anyway
Map every system that touches ePHI: EHR, PACS, anesthesia record, transcription, billing, secure messaging, patient portal, scheduling, and every vendor with remote access. Note where data is stored, where it moves, and who owns the relationship. This is also the document a surveyor or breach investigator will ask for first.
2. Refresh BAAs and vendor security posture
Pull every Business Associate Agreement. Confirm encryption commitments, breach notification timing, subcontractor flow-down, and incident response coordination. The NPRM would also require business associates to verify at least every 12 months, in writing, that they have the required technical safeguards in place, so ask now whether each vendor can produce that. Vendors that cannot answer basic security questions in 2025 will not be able to meet a tightened rule in 2026.
3. Roll out MFA on every clinical and administrative system
MFA is the single highest-leverage control in the NPRM, and it already appears in OCR resolution agreements and in HHS's voluntary Cybersecurity Performance Goals. If staff resistance is the obstacle, phase it: administrative systems first, then clinical. Document any exception with the compensating control that covers it, and keep the list short; the exceptions the NPRM itself allows are narrow.
Quick win
Pick one system this week (the scheduling platform is a good candidate) and produce a one-page record of what ePHI it holds, where it stores it, who has access, which network segment it sits on, and which vendor supports it under which BAA. That page is the template for every other system in your environment.
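The inventory workstream and the quick win above describe the same record: one entry per system, capturing where ePHI lives, who can reach it, and which vendor and BAA stand behind it. The following is an added example, not DocForms code and not part of the NPRM, showing what that record looks like as data and how to run the NPRM's headline controls (encryption at rest and in transit, MFA, segmentation, BAA status) over it to get a gap list. The sample inventory, system names, vendors and dates are constructed for illustration.

```python
"""ePHI system inventory with gap checks against the controls the HIPAA Security
Rule NPRM proposes. Hypothetical example; the sample inventory is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class System:
    name: str
    holds_ephi: bool
    stored_where: str                    # where the ePHI actually lives
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    network_segment: str                 # VLAN / zone the system sits in
    owner: str                           # who owns the vendor relationship
    vendor: Optional[str] = None
    vendor_remote_access: bool = False
    baa_expires: Optional[date] = None   # None means no BAA on file
    access_roles: list[str] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    system: str
    control: str   # encryption | mfa | segmentation | baa
    detail: str


def audit(systems: list[System], today: date, baa_warn_days: int = 90) -> list[Finding]:
    """Return the gaps a surveyor or breach investigator would ask about first."""
    findings: list[Finding] = []
    # Any segment that also hosts a non-ePHI system is effectively a flat network.
    mixed_segments = {s.network_segment for s in systems if not s.holds_ephi}
    for s in systems:
        if not s.holds_ephi:
            continue
        if not s.encrypted_at_rest:
            findings.append(Finding(s.name, "encryption", f"ePHI at {s.stored_where} is not encrypted at rest"))
        if not s.encrypted_in_transit:
            findings.append(Finding(s.name, "encryption", "ePHI is not encrypted in transit"))
        if not s.mfa_enforced:
            findings.append(Finding(s.name, "mfa", "MFA is not enforced for access to ePHI"))
        if s.network_segment in mixed_segments:
            findings.append(Finding(s.name, "segmentation", f"shares segment '{s.network_segment}' with non-ePHI systems"))
        if s.vendor:
            if s.baa_expires is None:
                findings.append(Finding(s.name, "baa", f"no BAA on file for {s.vendor}"))
            elif s.baa_expires < today:
                findings.append(Finding(s.name, "baa", f"BAA with {s.vendor} expired {s.baa_expires}"))
            elif s.baa_expires - today <= timedelta(days=baa_warn_days):
                findings.append(Finding(s.name, "baa", f"BAA with {s.vendor} expires {s.baa_expires}"))
    return findings


def one_page_record(s: System) -> str:
    """The per-system one-page record the quick win calls for."""
    yn = lambda b: "yes" if b else "no"
    return "\n".join([
        f"System: {s.name}",
        f"Holds ePHI: {yn(s.holds_ephi)}",
        f"Stored at: {s.stored_where}",
        f"Encrypted: rest={yn(s.encrypted_at_rest)}, transit={yn(s.encrypted_in_transit)}",
        f"MFA enforced: {yn(s.mfa_enforced)}",
        f"Network segment: {s.network_segment}",
        f"Access roles: {', '.join(s.access_roles) or 'none recorded'}",
        f"Vendor: {s.vendor or 'none'} (remote access: {yn(s.vendor_remote_access)})",
        f"BAA expires: {s.baa_expires or 'none on file'}",
        f"Relationship owner: {s.owner}",
    ])


# Constructed sample inventory for a small ASC; names, vendors and dates are made up.
AUDIT_DATE = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    System("EHR", True, "vendor-hosted database", True, True, True, "clinical-vlan",
           "Clinical Director", "EHR Vendor", True, date(2026, 6, 30), ["surgeon", "nurse", "billing"]),
    System("Scheduling", True, "on-prem SQL server", False, True, False, "flat-lan",
           "Practice Manager", "SchedCo", False, date(2025, 4, 15), ["front desk", "nurse"]),
    System("PACS", True, "on-prem imaging archive", True, False, True, "imaging-vlan",
           "Radiology Lead", "ImagingCo", True, date(2024, 12, 31), ["radiologist", "surgeon"]),
    System("Waiting-room kiosk", False, "none", True, True, False, "flat-lan", "Practice Manager"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, today=AUDIT_DATE):
        print(f"[{f.control}] {f.system}: {f.detail}")
    print()
    print(one_page_record(SAMPLE_INVENTORY[1]))
```

Run as-is, the audit flags the scheduling platform four times (unencrypted at rest, no MFA, a BAA expiring inside the 90-day window, and a shared segment with the kiosk) and the imaging archive twice (cleartext transit and an expired BAA), while the EHR passes. The segmentation check is deliberately simple: it treats any segment that also hosts a non-ePHI system as flat, which is exactly the "breach in scheduling becomes a breach in the EHR" scenario the NPRM targets.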
What not to do
Do not rewrite the security policy stack against draft language. Comments may move the rule meaningfully, and rewriting twice is more expensive than rewriting once. The work to do now is inventory, vendor diligence, and authentication, all of which stand on their own under the current rule and under any plausible final one.
How DocForms helps
Three modules carry most of the load for this kind of regulatory shift.
- Vendor Management tracks BAAs, expiration dates, security attestations, and the systems each vendor touches, so the BAA refresh stops being a spreadsheet exercise and becomes a workflow.
- EHR Integration ties access logs, user provisioning, and authentication events into the same compliance record, which is where MFA rollout evidence ultimately needs to live.
- Incident Reporting gives the documented intake, escalation, and timeline tracking required to demonstrate a 72-hour response posture, well before a real event tests it.