Does the proposed HIPAA Security Rule require encryption and MFA for AI systems?

The 2025 NPRM proposes to make a number of currently "addressable" safeguards mandatory — including encryption of ePHI and multi-factor authentication — and to add controls like network segmentation, which would reach AI systems handling ePHI. Because it is…

register 09 · Compliance pins· HIPAA Security Rule
01 ·

Answer.

Healthcare regulation · HIPAA Security Rule.

The 2025 NPRM proposes to make a number of currently "addressable" safeguards mandatory — including encryption of ePHI and multi-factor authentication — and to add controls like network segmentation, which would reach AI systems handling ePHI. Because it is still a proposed rule, the requirements are not yet in force and may change before finalization. Planisphere measures model behaviour and is not the system of record for ePHI safeguards; confirm final requirements with counsel.

02 ·

The mark behind the answer.

HIPAA Security Rule can require evidence around clinical workflows, ePHI boundaries, change control, or patient-impactin…

ePHI safeguards · 2025 NPRM cyber-modernization (PROPOSED).

→ Full reference for HIPAA Security Rule

03 ·

More on HIPAA Security Rule.

Other questions this mark answers.

Prepare evidence for HIPAA Security Rule review.

First evidence record within 21 days of access · re-runs in a single business day. Planisphere measures model behaviour and emits a reproducible, sha-pinned record — it does not certify, file, or give legal advice.