HIPAA Final Rule: A 180-Day Action Plan for Small Practices

Infonaligy

The HIPAA Security Rule overhaul is final. MFA, encryption, and pen testing are mandatory. Here's a prioritized 180-day plan for small practices.

HHS finalized the most significant update to the HIPAA Security Rule since 2013. The updated rule, published in early 2025, sets enforcement for approximately 180 days after the effective date, putting the compliance deadline somewhere around late 2026 or early 2027. If you run a healthcare practice, dental office, or any business that handles electronic protected health information (ePHI) in Texas, the compliance clock is running.

The core change is straightforward: controls that were previously “addressable” are now mandatory. Multi-factor authentication, encryption, penetration testing, and business associate verification are no longer things you can document your way out of. We covered the proposed rule in detail and published a full compliance checklist earlier this year. This post focuses on what the finalized rule means for small practices specifically, and what to prioritize with limited time and budget.

The “Addressable” Loophole Is Closed

Under the previous rule, certain HIPAA controls were classified as “addressable” rather than “required.” HHS intended this to mean “implement it, find an equivalent, or explain in writing why you can’t.” In practice, most small practices treated “addressable” as “optional.” A 15-person dental office that didn’t encrypt laptops could document that encryption was too expensive and technically burdensome, and that satisfied auditors.

The finalized rule eliminates the addressable category. Every specification is now required. For practices that relied on documented exceptions for MFA, encryption, or network segmentation, those exceptions no longer hold. The impact falls hardest on small covered entities that have been operating under the assumption that their size excused them from full compliance.

Five Requirements That Will Cost You If You Wait

Not every change in the final rule requires the same level of effort. These five carry the biggest compliance risk and the longest lead times for small practices.

MFA on every system that touches ePHI. Every login to an EHR, billing platform, email system, cloud storage, VPN, or remote access tool that handles patient data must require multi-factor authentication. Single-factor credentials with a documented exception are no longer acceptable.

For practices using cloud-based EHR platforms like Athenahealth or eClinicalWorks, MFA is usually available but not always enforced. For on-premises systems, enabling MFA may require additional identity management tools such as Microsoft Entra ID with MFA. Covered entities must implement MFA for all users, not just administrators or remote staff.

Encryption at rest and in transit. All ePHI must be encrypted on workstations, servers, laptops, mobile devices, and removable media using NIST-consistent standards. Email containing patient information must be encrypted in transit. BitLocker on Windows endpoints and TLS enforcement on email are the minimum baseline. If you have unencrypted laptops that leave the office, that is a violation on day one of enforcement.
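One way to verify that baseline and produce audit evidence at the same time is to check every volume BitLocker manages against the criteria above. The script below is an added example written for this post, not the rule's text or a vendor tool; it assumes a Windows 10/11 Pro or Enterprise endpoint with the BitLocker PowerShell module, an elevated session, and the evidence path is a placeholder to change.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit BitLocker on every volume the
# endpoint reports, flag gaps against the rule's baseline, and append a dated CSV
# record that can go straight into the compliance evidence package.
# AES modes accepted as "NIST-consistent"; XTS-AES is the modern Windows default.
$AcceptedMethods = @('XtsAes256', 'XtsAes128', 'Aes256', 'Aes128')
$EvidencePath    = "C:\HIPAA\Evidence\bitlocker-$env:COMPUTERNAME.csv"   # placeholder path

function Get-BitLockerComplianceReport {
    foreach ($vol in Get-BitLockerVolume) {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("VolumeStatus is $($vol.VolumeStatus)")
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Encrypted but with protection suspended still leaves the clear key on disk.
            $findings.Add("ProtectionStatus is $($vol.ProtectionStatus)")
        }
        if ($vol.EncryptionMethod -notin $AcceptedMethods) {
            $findings.Add("EncryptionMethod is $($vol.EncryptionMethod)")
        }
        $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        if ($vol.VolumeType -eq 'OperatingSystem' -and 'Tpm' -notin $protectorTypes) {
            $findings.Add('OS volume has no TPM-based protector')
        }
        if ('RecoveryPassword' -notin $protectorTypes) {
            # Without an escrowed recovery password a forgotten PIN becomes lost ePHI.
            $findings.Add('No recovery password protector (escrow to AD, Entra ID or Intune)')
        }
        [pscustomobject]@{
            Host             = $env:COMPUTERNAME
            Checked          = (Get-Date).ToString('o')
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod
            ProtectionStatus = $vol.ProtectionStatus
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

$report = Get-BitLockerComplianceReport
# Keep one row per volume per run so the CSV doubles as a change history for auditors.
New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null
$report | Export-Csv -Path $EvidencePath -NoTypeInformation -Append
$report | Where-Object { -not $_.Compliant } | Format-Table MountPoint, Findings -AutoSize
```

Run it from your RMM or a scheduled task across all endpoints and the collected CSVs become the encryption portion of your asset inventory; any row with Compliant set to False is a gap to close before enforcement begins.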

Annual penetration testing. The finalized rule makes penetration testing an explicit annual requirement for all covered entities. The previous rule required risk analysis but didn’t specifically mandate pen testing. Vulnerability scanning at least every six months is also required. If you’ve never contracted a pen test, expect the procurement and scoping process to take 4 to 6 weeks before the first engagement begins.

Annual business associate written verification. Business associates must provide written verification at least once per year that they are meeting the cybersecurity obligations in their BAA. This goes beyond the current requirement to simply have a signed BAA on file. Your EHR vendor, billing service, IT provider, cloud backup company, document shredding service, and any other vendor that handles ePHI on your behalf must all provide this verification. If a vendor can’t or won’t comply, you need to find a compliant alternative or document the risk and your mitigation plan.

Technology asset inventory and network map. You must maintain a current inventory of every device and system that stores, processes, or transmits ePHI, along with a network map showing how patient data flows through your environment. This inventory must be updated at least annually and feeds directly into your risk assessment. Many small practices have no documented inventory at all, which makes every other control harder to implement correctly.

Your 180-Day Priority Sequence

With roughly 180 days between the effective date and the enforcement deadline, small practices need to sequence their work carefully. Trying to do everything at once leads to incomplete implementations that fail audits anyway.

Days 1 through 30: Assessment and planning. Conduct a HIPAA gap assessment against the finalized rule requirements. Inventory every system that handles ePHI. Identify which controls you already have, which you partially have, and which are missing entirely. This assessment determines your budget and your project plan for everything that follows.

Days 30 through 90: MFA and encryption. These are the two controls that take the longest to deploy and create the most compliance risk if they’re missing. Enable MFA on every ePHI-touching system, starting with your EHR and email, then expanding to cloud storage, VPN, and billing platforms. Deploy BitLocker on all Windows endpoints. Configure TLS enforcement on email. Test everything before enforcing it organization-wide to avoid locking staff out of critical systems during patient hours.

Days 90 through 120: Business associate review. Pull every BAA on file. Flag any vendor that handles ePHI but doesn’t have a current agreement. Contact each business associate to request written verification of their security controls. Start renegotiating BAAs that don’t include specific cybersecurity obligations and 24-hour incident notification requirements. This process involves vendor cooperation and often moves slowly, so don’t leave it until the final month.

Days 120 through 150: Penetration testing and vulnerability scanning. Contract with a qualified provider and complete your first annual penetration test. Run vulnerability scans across your environment and remediate critical findings. Document the results and your remediation steps. These records become audit evidence that demonstrates compliance to OCR investigators.

Days 150 through 180: Documentation and training. Finalize your incident response plan and conduct a tabletop exercise. Complete your technology asset inventory and network map. Ensure all staff have received updated HIPAA security awareness training that covers the new requirements. Compile your compliance documentation into a package that you can produce for auditors on request.

The Overlap With Cyber Insurance

The controls required by the finalized HIPAA rule align closely with what cyber insurance carriers now verify during underwriting. MFA, encryption, endpoint protection, penetration testing, and documented incident response plans are standard carrier requirements. Investing in HIPAA compliance simultaneously strengthens your insurance posture, and carriers are increasingly offering premium credits to organizations that can demonstrate these controls. If your practice is approaching an insurance renewal, closing HIPAA gaps first may reduce your premium.

Start Before the Deadline Pressure Hits

Every covered entity in the country faces the same 180-day window. That means the pool of qualified HIPAA compliance consultants, pen testing firms, and managed IT providers will get tighter as the deadline approaches. Practices that start early get their pick of vendors, negotiate better terms, and have time to fix issues that surface during implementation. Practices that wait will compete for the same limited resources at higher costs and with less room for error.

Need Help With HIPAA Compliance?

Our team can assess your practice against the finalized rule and build a prioritized plan that fits your timeline and budget.