Rethinking the HIPAA Security Rule: Why Forward Path 2025 Might Be the Better Way Forward

Late last year, the US Department of Health and Human Services (HHS) introduced a more prescriptive regulatory framework for the HIPAA Security Rule, which comes at a critical time.

As the industry faces unprecedented numbers of breach-related sensitive record exposures, it’s clear healthcare organizations and their supporting partners need to do more to protect patient data, but is the Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule the answer?

The Health Sector Coordinating Council (HSCC) leans toward no, with fears the proposed changes are neither practical nor effective for real-world healthcare environments.

Instead, HSCC has proposed an alternative—Forward Path 2025— a more collaborative process across the industry to develop a more modern, and workable, healthcare cyber policy.

The key, ultimately, will be establishing the connection between effective regulatory response and the ongoing security challenges that prompted it.

What are the NPRM changes?

HHS published the HIPAA Security Rule NPRM in December of 2024, with an open public comment period through March 7, 2025.  At this time, the comment period remains open.

Highlights of the proposed changes:

• Creating mandatory safeguards with limited exceptions
• More rigorous risk analysis requirements, including asset inventories, incident response plans, network mapping, disaster recovery plans, and more
• Stricter business associate oversight, including written compliance verification for technical safeguards
• Mandatory technical controls like MFA
• Annual compliance audits

HSCC concerns

HSCC’s core criticism centers on NPRM’s failure to reflect years of collaborative public-private work, including the widely adopted Health Industry Cybersecurity Practices (HICP) and other consensus-based frameworks.

HSCC argues that the proposed rule either ignores or misrepresents these existing resources — resources organizations can scale and implement to directly address modern healthcare threats.

Additionally, other industry associations have also voiced concerns about the high cost, complexity, and limited security benefits of complying with the NPRM as written.

The College of Healthcare Information Management Executives (CHIME), for example, emphasized the complexity and scope would necessitate significant investments in time, resources, and personnel. This could potentially divert attention and funds away from other critical areas.

CHIME also highlighted that additional regulatory burdens could hurt rural hospitals and the patients they serve.

The HSCC alternative

HSCC is advocating for a year-long collaborative approach, modeled after the development of the NIST Cybersecurity Framework, which emphasizes policy creation through industry-government consensus, rather than top-down regulation.

HSCC proposes structured workshops and consultations to co-design a modernized cybersecurity framework that aligns with NIST standards and incorporates realistic, phased implementation mandates.

“I think there is a general support and even applause for the effectiveness of the NIST Cybersecurity Framework as a generalized set of controls that are applicable, not just across critical infrastructure, but are being mandated in federal agencies, as well,” Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group, explained during a recent Clearwater Cyber Briefing.

The council stresses that cybersecurity policy must be both enforceable and feasible — especially for providers with fewer resources. If not, it may increase burdens on already-vulnerable healthcare segments.

Instead of proceeding with NPRM, HSCC proposes Forward Path 2025, which focuses on setting clear outcomes (the “what”) while allowing the industry to determine the most practical and scalable ways to achieve them (the “how”).

What is Forward Path 2025?

Where the NPRM is rigid, the HSCC plan is flexible. It would allow healthcare organizations to develop cybersecurity programs tailored to their specific needs, rather than merely checking items off a lengthy list of requirements — requirements that may not apply to their unique environments or business objectives.

The initiative also addresses:

• Financial support to make cybersecurity upgrades feasible for smaller organizations.
• Better communication channels to share security threats and solutions.
• Workforce development to address the serious healthcare cybersecurity talent shortage.
• Streamlined regulations to eliminate confusion and conflicting requirements so healthcare organizations can actually understand and meet standards.

The foundation of Forward Path is direct industry input. These recommendations reflect the realities that CISOs, compliance leaders, provider executives, and health IT teams face every day. That makes the proposed expectations more achievable across large hospital systems, small clinics, and everything in between.

Just as important, Forward Path doesn’t expect healthcare providers to absorb the burden alone.

It advocates for federal funding and incentives to support cybersecurity investments, especially for rural, urban safety-net, and other under-resourced organizations.

It also promotes phased implementation, so organizations can build capacity and meet expectations without jeopardizing operations or patient care delivery.

Forward Path emphasizes greater accountability from technology vendors and third-party partners that handle or transmit patient data. It argues these business associates should meet the same cybersecurity standards as the providers they serve.

This would address some of the risks created by recent high-profile third-party breaches.

Forward Path also draws on what already works, like NIST CSF, focusing on measurable outcomes, not prescriptive controls. That means it defines what organizations must do, while giving them flexibility in how to achieve it.

This balance of structure and autonomy is essential for a healthcare where threats evolve fast.

The initiative also encourages federal agencies to collaborate instead of working in silos. This could eliminate some of the challenges associated with overlapping rules and give providers ideas about straightforward compliance pathways.

Healthcare organizations could then redirect their energy from regulatory questions to what truly matters — proactively safeguarding patient information and ensuring a continuum of care.

Key Challenges and Unanswered Questions

Forward Path 2025 may offer a more realistic and scalable alternative to the NPRM, but several challenges still need to be addressed.

One major concern is accountability. If much of the model is voluntary, how do we ensure expectations are actually met? In a system where responsibility is shared between providers, vendors, and regulators, it’s not always clear who owns the outcome—or where liability begins and ends.

There’s also the risk of fragmentation. Flexibility is important, but without consistent guardrails, organizations could implement wildly different controls, weakening sector-wide defense. To drive real improvement, we need clarity on what success looks like and how it will be measured.

And finally, while collaboration takes time, we can’t afford to wait too long. Cyberattacks are escalating, and some fear that another year spent in planning could leave healthcare even more vulnerable.

These aren’t reasons to abandon Forward Path—but they are realities that must be accounted for as we move ahead.

There’s No Easy Answer

Electronic patient health information (ePHI) moves through a vast, interconnected ecosystem—health systems, cloud platforms, medical devices, and other technologies and services provided by third-party vendors. They all depend on one another, and yet, no two organizations are the same. What’s feasible for a large Integrated Delivery Network may be out of reach for a rural hospital or small clinic.

That’s why a one-size-fits-all mandate rarely works in healthcare. It sounds good in theory, but in practice it can lead to wasted resources, implementation delays, or worse—new gaps in security and care delivery.

Still, doing nothing isn’t an option. Every day, cyberattacks shut down hospitals, delay treatments, and put patients at risk. The debate between HHS and HSCC reflects the larger truth: there are no simple solutions to a complex, dynamic problem.

So, where do we go from here?

We focus on what can be done right now.

What You Can Do Now

No matter how the regulatory debate unfolds, one thing is clear: risk analysis isn’t just a compliance requirement, it’s the foundation of an effective cybersecurity program. It’s how you uncover where your organization is most vulnerable, allocate resources where they matter most, and demonstrate diligence in the face of growing scrutiny from regulators and threat actors alike.

If you’re not aligned with OCR’s expectations, now is the time. The agency has made it clear: a valid HIPAA risk analysis must address all systems that touch ePHI and include the 9 required elements—from asset inventory to risk determination. This is the standard against which enforcement actions are measured, and the starting point for building a defensible, prioritized, and adaptive cybersecurity strategy.

Here’s where to focus:

• Start with an OCR-Quality® Risk Analysis.
  Meet the 9 elements. Identify where ePHI lives, assess threats and vulnerabilities, evaluate current controls, and assign risk levels based on likelihood and impact. A checkbox approach won’t cut it.
• Document it. Defend it. Act on it.
  A well-executed risk analysis gives you more than a report—it gives you leverage. Use it to guide funding, prioritize action, and respond with confidence if OCR comes calling.
• Develop a risk-based management plan.
  Your plan should translate analysis into action. Define what needs to be fixed, who owns it, how long it will take, and what it will cost. Update it regularly as your environment evolves.
• Know what you’re protecting.
  You can’t manage what you can’t see. Maintain a current inventory of systems, applications, data flows, and third-party vendors. This isn’t just good practice—it’s part of compliance.
• Don’t go it alone.
  If you lack internal bandwidth or expertise, seek outside help. Virtual CISOs, managed services, and regional collaboratives can help scale your efforts and bring structure to your program.

The bottom line: risk is how you get ahead of threats, justify investment, and build a defensible security posture. It’s not a side task, it’s the center of everything.

Connect with Clearwater

While these regulatory conversations continue, you can’t slow your cybersecurity focus. HIPAA is, and must remain, a critical foundation for protecting patient data.

A well-executed HIPAA security and compliance program, centered on documented risk analysis and responsive risk management, can provide structure, clarity, and a proactive defense, even as new frameworks and regulations emerge.