Does the proposed HIPAA Security Rule require encryption and MFA for AI systems?
The 2025 NPRM proposes to make a number of currently "addressable" safeguards mandatory — including encryption of ePHI and multi-factor authentication — and to add controls like network segmentation, which would reach AI systems handling ePHI. Because it is…
Answer.
The 2025 NPRM proposes to make a number of currently "addressable" safeguards mandatory — including encryption of ePHI and multi-factor authentication — and to add controls like network segmentation, which would reach AI systems handling ePHI. Because it is still a proposed rule, the requirements are not yet in force and may change before finalization. Planisphere measures model behaviour and is not the system of record for ePHI safeguards; confirm final requirements with counsel.
The mark behind the answer.
ePHI safeguards · 2025 NPRM cyber-modernization (PROPOSED).
More on HIPAA Security Rule.
Prepare evidence for HIPAA Security Rule review.
First evidence record within 21 days of access · re-runs in a single business day. Planisphere measures model behaviour and emits a reproducible, sha-pinned record — it does not certify, file, or give legal advice.