What a Possible HIPAA Security Update Could Mean This Year

HIPAA security requirements have not seen a major overhaul in years, but that does not mean they have stayed static. Technology, threats, and enforcement expectations have continued to evolve. In recent months, renewed attention on healthcare cybersecurity legislation has also raised questions about whether HIPAA security requirements could be revisited. 

While no final changes have been issued, industry and regulatory signals suggest a stronger emphasis on how healthcare businesses protect data in practice, not just on paper. At VGM Forbin, we work with healthcare businesses, HME businesses, and HME providers every day that are balancing compliance, operational efficiency, and growing technology demands. Understanding where attention may be headed can help teams prepare without overreacting or making unnecessary changes. 

Why HIPAA Security Is Being Revisited 

When the HIPAA Security Rule was first written, cloud platforms, remote work, and connected systems looked very different than they do today. Most healthcare providers and HME businesses now rely on a mix of email platforms, collaboration tools, cloud storage, third‑party applications, and integrated systems that move data constantly. 

At the same time, broader healthcare cybersecurity efforts continue to move forward at the federal level. Industry analysis has pointed to proposed legislation focused on strengthening cybersecurity protections across healthcare, which could influence how HIPAA security expectations evolve. 

From our work supporting healthcare providers through managed IT, Microsoft 365 environments, and secure website platforms, we consistently see the same challenge. Security requirements may be defined at a high level, but real risk often comes from how systems are configured, connected, and used day to day. 

The Shift Toward How Security Is Implemented 

One of the clearest themes emerging from regulatory guidance, enforcement activity, and healthcare cybersecurity discussions is a shift toward execution. It is no longer enough for healthcare businesses to say safeguards exist. Providers and HME teams are increasingly expected to show how those safeguards function within real workflows. 

This includes how access is controlled, how activity is monitored, and how risks are reassessed as systems evolve. Security is being treated less as a static requirement and more as an ongoing operational responsibility. 

This is where many healthcare providers benefit from a trusted digital and technology partner. VGM Forbin helps healthcare and HME businesses align security controls across systems, ensure configurations match real‑world usage, and reduce the gaps that often appear as digital and technology environments grow. 

Risk Assessments May Carry More Weight 

Risk assessments have always been required under HIPAA, but they are often treated as a checkbox exercise. That approach is becoming harder to defend. 

As healthcare cybersecurity requirements receive more scrutiny, healthcare providers and HME businesses may be expected to demonstrate that risk assessments are current, specific, and actively used to guide decisions. Generic or outdated assessments may no longer be sufficient, especially as systems change due to remote work, new applications, or expanded data sharing. 

Through our IT and security services, VGM Forbin helps healthcare businesses move beyond one‑time assessments and toward an ongoing understanding of risk. This includes documenting changes, reviewing access regularly, and making informed updates as environments evolve. 

Configuration and Access Controls Matter More Than Ever 

Modern healthcare environments rely heavily on platforms that bring many tools together. Email, files, chat, meetings, and documents often live in a single ecosystem. That convenience also increases the importance of correct configuration. 

Access controls remain one of the most common areas of weakness identified during investigations. Over‑permissioned users, shared accounts, and unclear ownership can all increase exposure without being immediately obvious. 

If HIPAA security requirements are clarified or tightened, configuration and access management are likely to remain a core focus. VGM Forbin works closely with healthcare providers and HME businesses to ensure Microsoft 365 environments, websites, and supporting systems are configured intentionally, not simply assumed secure. 

Third‑Party Tools Remain a Risk Area 

Many healthcare businesses rely on third‑party tools to improve productivity or fill functional gaps. While these tools can be valuable, they also introduce additional responsibility. 

Business associate agreements, data handling practices, and integration methods all matter. If an external tool touches protected health information, healthcare providers are expected to understand how data flows, where it is stored, and who can access it. 

VGM Forbin helps healthcare and HME teams evaluate vendors, integrations, and workflows with security in mind. The goal is not to limit innovation, but to ensure new tools align with HIPAA expectations and existing safeguards. 

Training and Awareness Are Part of Security 

Technical safeguards are only one part of compliance. How staff use systems every day plays a significant role in overall risk. 

Training that focuses solely on policy language often misses the mark. What tends to matter more is practical guidance that reflects real workflows. Employees should understand how to use the tools they rely on safely, what to avoid, and when to ask questions. 

As part of our ongoing support, VGM Forbin helps teams understand how security expectations apply in practice. This includes role‑based guidance and clear guardrails that support productivity without introducing unnecessary risk. 

Looking Ahead 

Whether or not formal updates arrive this year, the direction is clear. Security expectations continue to move toward transparency, accountability, and real‑world effectiveness. Healthcare businesses and HME providers that focus on understanding their environments, maintaining consistency, and addressing risk proactively are better equipped to respond to change. 

HIPAA compliance has always been about protecting patient information. As healthcare cybersecurity requirements continue to evolve, having a trusted partner like VGM Forbin can help healthcare and HME businesses navigate change with confidence, clarity, and continuity. 

Ready to Prepare Without Overreacting? 

Possible changes to HIPAA security requirements can feel overwhelming, especially when details are still emerging. The right next step is not rushing into new tools or major system changes. It is understanding where your current environment stands and identifying practical improvements that reduce risk today. 

VGM Forbin’s healthcare IT security and compliance services help healthcare businesses stay prepared without unnecessary disruption. Through managed IT, cybersecurity, Microsoft 365 configuration, and HIPAA‑aligned digital platforms, VGM Forbin partners with healthcare teams to support secure systems that stand up to real‑world scrutiny. Whether requirements change this year or not, our focus is helping you stay confident, supported, and ready. 

Talk With an Expert 

If you’re unsure how potential HIPAA security updates, healthcare cybersecurity legislation, or evolving enforcement trends could impact your healthcare or HME business, you don’t have to navigate it alone. VGM Forbin works with healthcare providers and HME businesses to assess current environments, reduce risk, and support secure, compliant systems without unnecessary disruption. 

Whether you want a second set of eyes on your IT setup, guidance on Microsoft 365 security, or help aligning your website and digital tools with HIPAA expectations, our team is here to help. 

Common Questions We’re Hearing 

Q: Is HIPAA changing right now? 

No final changes have been issued. However, proposed healthcare cybersecurity legislation and ongoing regulatory discussions suggest that HIPAA security expectations may be clarified or strengthened. Many healthcare businesses and HME providers are reviewing their safeguards now rather than waiting for formal updates. 

Q: Do we need to replace our systems to stay compliant? 

In most cases, no. HIPAA compliance is rarely about replacing technology. It is about how systems are configured, connected, and managed. Many healthcare and HME businesses already have the right tools in place but benefit from better alignment, documentation, and oversight. 

This is where managed IT and cybersecurity support for HME businesses can help reduce risk without disrupting daily operations.

Q: What areas are most likely to be impacted? 

Current guidance and enforcement trends continue to focus on risk assessments, access controls, vendor oversight, and documentation. These areas are often where gaps appear as healthcare environments become more complex. 

VGM Forbin works with healthcare teams to address these gaps using practical, repeatable processes, not one‑time checklists.

Q: How can we prepare without disrupting operations? 

Preparation does not have to be disruptive. Reviewing access permissions, confirming risk assessments are current, validating vendor relationships, and ensuring staff understand security expectations are all practical steps. 

These efforts are often supported through secure Microsoft 365 environments for healthcare teams and ongoing IT oversight. 

Q: How does VGM Forbin help?

VGM Forbin supports healthcare businesses through managed IT services, cybersecurity and risk management, Microsoft 365 configuration, and HIPAA‑aligned website platforms. We help teams understand how systems work together, identify risk, and make informed decisions without unnecessary complexity. 

For public‑facing risk, our HIPAA‑compliant healthcare website solutions help ensure security, accessibility, and compliance are addressed together. 

Why work with VGM Forbin? 

VGM Forbin has more than 25 years of experience supporting healthcare businesses and HME providers across IT, security, and digital platforms. HIPAA compliance is treated as an ongoing process, supported by practical guidance, reliable support, and healthcare‑specific expertise. 

If you are unsure how potential HIPAA security updates, healthcare cybersecurity legislation, or evolving enforcement trends could impact your organization, our team can help you assess your current environment and identify practical next steps. Learn more about our HIPAA-aligned IT and security support for healthcare and HME businesses.  
