The Office for Civil Rights has kept its HIPAA Security Rule overhaul, the NPRM published December 27, 2024, on the regulatory agenda for May 2026 finalization. The runway is real, and it is closing. Centers that treat the next two quarters as preparation rather than implementation are going to be implementing under enforcement pressure instead.
The case for moving now does not require imagination. The Change Healthcare breach notification list grew to roughly 192.7 million individuals as of July 2025, the largest healthcare breach ever notified in the United States. OCR has continued to settle ransomware cases through 2025 and into 2026, with a consistent theme: failure to conduct an accurate, enterprise-wide risk analysis, and failure to act on the risks it would have surfaced. Settlements are not landing on organizations that had perfect security. They are landing on organizations that could not show they had looked.
What the Proposed Rule Tightens
The 2024 NPRM moves the Security Rule away from "addressable" flexibility and toward explicit, auditable requirements. The directional changes worth planning around now include written policies and procedures with named owners, asset inventories and network maps maintained as living documents, mandatory multi-factor authentication, defined vulnerability scanning and penetration testing cadences, documented incident response with restoration targets, and tightened expectations on business associate agreements.
None of these are exotic. All of them are findable in a competent audit. The question for most ASCs is not whether to implement them, it is whether to implement them on your schedule or on OCR's schedule.
What To Ship Before Finalization
1. Complete an asset inventory and network map
Every endpoint, server, medical device, network appliance, cloud service, and SaaS application that touches ePHI. Owner, location, data flows, and current patch state. If the document does not exist or was last updated in 2023, you do not have one.
2. Deploy MFA on all administrative and clinical accounts
Not just email. Not just VPN. EHR, billing, imaging, remote access, cloud admin consoles, vendor portals that hold patient data. Exceptions need to be documented and time-bound.
3. Run biannual vulnerability scans, on a calendar
Internal and external. With remediation tracked to closure. A scan report sitting in an inbox is not a control; a tracked remediation log is.
4. Write the incident response runbook you would actually use
Roles, contact tree, evidence preservation, breach assessment workflow, notification timelines, and explicit restoration targets; the proposed rule contemplates a 72-hour critical-system restoration objective. Tabletop it at least once before finalization.
5. Refresh every BAA
Cybersecurity language, incident notification timelines, audit rights, subcontractor obligations. The Change Healthcare aftermath made clear how much downstream exposure rides on a vendor's controls. A BAA written in 2018 is almost certainly silent on what you now need it to say.
Quick win
Pull your three highest-risk vendor relationships: your EHR, your clearinghouse, and whoever holds your backups. Confirm each has a current BAA, a recent SOC 2 or equivalent attestation, and a documented incident notification SLA. If any of those three artifacts is missing for any of those three vendors, that is this week's work.
The EHR Integration Angle
Most ASC breach exposure travels through integrations: HL7 feeds, API connections to billing and analytics, device interfaces, scheduling syncs. Every integration is a trust boundary that needs an owner, an inventory entry, an authentication method that meets the new standard, and a monitoring story. The Security Rule overhaul will read those integrations more strictly than the current rule does.
How DocForms Helps
HIPAA Compliance keeps the risk analysis, asset inventory, policy set, and training records aligned to the Security Rule as it stands and as it is being finalized, so the artifacts an OCR investigator would ask for exist in one place, with dates and owners.
Vendor Management tracks every business associate, the BAA on file, its cybersecurity language, the latest attestation, and renewal dates, turning vendor risk from a spreadsheet exercise into a monitored program.
Incident Reporting paired with EHR Integration captures security events, ties them to affected systems and data flows, and drives the response workflow, including the 72-hour restoration clock the proposed rule is pointing toward.