For two decades, HIPAA’s Security Rule gave you an escape hatch.

Half its safeguards were “addressable”, meaning if encryption or MFA was inconvenient, you could write a memo explaining why you skipped it and move on. Plenty of teams built their entire compliance posture on that one word.

That hatch is being welded shut.

What’s on the table

OCR's proposed overhaul of the Security Rule, the first serious rewrite since 2003, eliminates the "addressable" category entirely. Required means required. The headline changes:

  • Encryption of ePHI at rest and in transit becomes mandatory. Most teams encrypt in transit (HTTPS) and quietly skip at-rest. That stops working.

  • MFA required across every system that touches ePHI.

  • A maintained, annually updated asset inventory and network map tied to your security risk analysis.

  • Annual penetration testing and vulnerability scanning every six months.

  • Incident response and restoration within 72 hours.

One honest caveat: this is still a proposal. The spring 2026 finalization window came and went with no final rule, and OCR hasn't committed to a new date. It could land late this year, slip into 2027, or shift in the details. But the direction isn't ambiguous and once it's final, you'll have roughly 180–240 days to comply. That is nowhere near enough runway to retrofit encryption across a production environment from scratch.

Why this hits AWS teams first

Here's the uncomfortable part. The controls going mandatory are exactly the ones that AWS environments quietly fail:

  • Encryption at rest → the unencrypted EBS volume attached before anyone set an account policy. The S3 bucket without default encryption. The Lambda dumping full request payloads, PHI included, into an unencrypted CloudWatch log group.

  • MFA everywhere → the IAM users spun up during a sprint that never got MFA. The root account guarded by a password and good intentions.

  • Asset inventory + network map → most Seed-to-Series-B teams genuinely cannot produce one on demand.

  • 72-hour detection and restoration → can you actually detect an intrusion that fast, and rebuild from clean backups inside three days?

On that last point: attackers sat inside Episource's AWS environment for about ten days before anyone noticed, a textbook misconfiguration-plus-detection-gap that exposed millions of records. Under the proposed rule, a ten-day dwell time isn't just a bad week. It's a documented control failure.

And the volume isn't slowing. As of this month, OCR's breach portal lists 772 healthcare breaches of 500+ individuals for 2025, affecting roughly 140 million people. IBM still ranks healthcare as the most expensive industry in which to be breached — an average of $7.42M per incident.

What I'd do this week

You don't need the final rule to do the work that's obviously coming:

  1. Run an at-rest encryption sweep — EBS, S3, RDS, EFS, and CloudWatch log groups. Anything holding or logging ePHI without a KMS key is a finding.

  2. Pull an MFA report from IAM. Every human, plus the root account. No exceptions, no "we'll get to it."

  3. Generate an asset inventory you could hand an auditor. AWS Config plus a resource map beats a spreadsheet someone forgot to update.

  4. Confirm CloudTrail is centralized and immutable (S3 Object Lock), with GuardDuty and Security Hub actually wired to alert a human.
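An added example, not code from this post or from Transivone: a small boto3 sweep for steps 1 and 2, covering EBS volumes, CloudWatch log groups, S3 default encryption and the IAM credential report (RDS and EFS follow the same pattern via describe_db_instances/StorageEncrypted and describe_file_systems/Encrypted). The check functions take the raw API response shapes so they run offline; sweep_live wires them to live calls and assumes read-only credentials and a single region.

```python
import csv, io, time

def ebs_findings(page):
    """Unencrypted VolumeIds from one ec2 describe_volumes response page."""
    return [v["VolumeId"] for v in page["Volumes"] if not v.get("Encrypted")]

def log_group_findings(page):
    """Log groups with no KMS key; kmsKeyId is absent when none is associated."""
    return [g["logGroupName"] for g in page["logGroups"] if not g.get("kmsKeyId")]

def s3_finding(bucket, enc):
    """Bucket name unless its default-encryption rule is SSE-KMS; enc is the
    get_bucket_encryption response, or None when the bucket has no default rule."""
    rules = enc["ServerSideEncryptionConfiguration"]["Rules"] if enc else []
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    return None if "aws:kms" in algos else bucket

def mfa_findings(report_csv):
    """Users with a console password but no MFA, root included (root's
    password_enabled column reads 'not_supported', so it is always counted)."""
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        human = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if human and row["mfa_active"] != "true":
            hits.append(row["user"])
    return hits

def sweep_live(region="us-east-1"):
    """Run the checks against a real account; needs boto3 and AWS credentials."""
    import boto3  # imported here so the check functions above run offline
    ec2, logs, s3, iam = (boto3.client(n, region_name=region) for n in ("ec2", "logs", "s3", "iam"))
    out = {"ebs": [], "logs": [], "s3": [], "mfa": []}
    for page in ec2.get_paginator("describe_volumes").paginate():
        out["ebs"] += ebs_findings(page)
    for page in logs.get_paginator("describe_log_groups").paginate():
        out["logs"] += log_group_findings(page)
    for b in s3.list_buckets()["Buckets"]:
        try:
            enc = s3.get_bucket_encryption(Bucket=b["Name"])
        except s3.exceptions.ClientError as e:
            if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            enc = None
        if s3_finding(b["Name"], enc):
            out["s3"].append(b["Name"])
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # the report is built asynchronously; poll until ready
    out["mfa"] = mfa_findings(iam.get_credential_report()["Content"].decode())
    return out
```

Every non-empty list in the result is a finding to track; service-role users with only access keys are deliberately excluded from the MFA list since the rule targets humans and root.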

None of this requires the rule to be final. All of it makes you safer today.

If you want a second set of eyes, a Transivone AWS security audit maps your environment against exactly these controls — and tells you what an auditor will find before they do.

Let’s set up a 30-minute scoping call.

Stay encrypted,
Manan
Transivone

Cloud security & compliance for health tech teams that can't afford to be the next breach headline.
