Summary

The HIPAA Security Rule proposal signals a shift in how regulators view scope, safeguards, and consistency across healthcare data environments. In this article, Chris Morrison of Harmony Healthcare IT examines what those changes may mean for legacy systems and archived ePHI. He outlines four key takeaways that help health IT leaders understand where enforcement priorities may be headed.

HIPAA Four Security Rule Changes

By Chris Morrison, Director of Governance & Compliance at Harmony Healthcare IT

As Director of Governance and Compliance at Harmony Healthcare IT, I focus on analyzing how evolving regulatory requirements translate into practical obligations for healthcare data platforms, particularly where security, compliance, and long‑term data stewardship intersect. This includes closely evaluating how proposed regulatory changes may affect legacy systems and archival environments that store ePHI.

That lens is especially important as the HIPAA Security Rule approaches a significant update, with final changes expected as early as May and enforcement likely beginning in late 2026 or early 2027. While the final rule has not yet been released, the proposal provides a clear message to CIOs and other health IT leaders: security requirements are becoming more explicit, enforcement priorities are sharpening, and longstanding assumptions about what is “in scope” are narrowing.

In particular, the proposal reinforces a broader interpretation of scope, underscoring that systems that store or transmit ePHI, whether active or archived, are subject to Security Rule requirements aligned with modern cybersecurity practices.

Here are four key takeaways from the proposed rule that every health IT leader should pay attention to:

1. “Addressable” Safeguards May Be Eliminated

Historically, the HIPAA Security Rule allowed certain safeguards to be treated as “addressable,” which many organizations interpreted as optional if risks appeared low or systems were not actively used. The proposed update removes that distinction. All safeguards become required, and organizations must determine how—rather than whether—to implement them. That change has real implications for legacy and archival environments. Even if a system exists solely to retain historical clinical data, organizations are still expected to apply baseline safeguards, document any technical limitations, and implement compensating controls to manage risk.

The proposal also reinforces that Security Rule requirements apply to any system that creates, receives, maintains, or transmits ePHI. In practice, that means safeguards are expected to be applied more consistently wherever ePHI lives, including systems that have historically been treated as lower risk simply because they store or retain data rather than support active clinical workflows.

Key takeaway: Systems that have historically been treated as lower risk, such as legacy systems or data archives, may now require closer scrutiny under the Security Rule if they store or retain ePHI.

2. Encryption and Multi-Factor Authentication (MFA) Extend Far Beyond the EHR

The proposed rule makes it clear that encryption and strong authentication aren’t limited to the core EHR. These protections are expected wherever ePHI is created, received, maintained, or transmitted. By explicitly defining MFA and strengthening technical safeguard requirements, the proposal removes much of the ambiguity around what “reasonable” authentication looks like today.

In practical terms, this brings added scrutiny to environments that store ePHI, including encryption of data at rest and in transit, as well as how users authenticate into systems. As a result, secondary systems and historical data stores may need to be assessed against modern security baselines.

Key takeaway: Organizations may need to take a closer look at how historical and secondary systems that store ePHI are secured, as expectations around encryption and authentication now extend well beyond the EHR.

3. Asset Inventories and ePHI Data Flow Mapping Are Explicitly Required

The proposed rule places a stronger emphasis on having clear, documented visibility into where ePHI lives and how it moves across systems. HHS is calling for more explicit administrative safeguards, including written inventories of technology assets and systems that create, receive, maintain, or transmit ePHI, along with documentation that supports accurate risk analysis and ongoing risk management.

Just as importantly, the proposal highlights the need to understand how ePHI flows between systems and environments, especially when data is shared, transferred, or retained over time. In practice, this pushes organizations to move beyond informal knowledge and toward a more complete, documented view of their data landscape.

Key takeaway: Increasing visibility into where ePHI resides may surface legacy and archival systems that have accumulated over time—and that now need to be reviewed under current Security Rule expectations if they store or retain ePHI.

4. Availability and Recoverability Are Now Core Expectations

The proposed rule also reinforces that availability and recoverability are fundamental parts of security compliance. In addition to protecting ePHI from unauthorized access, HHS makes clear that safeguards are expected to ensure data remains available and recoverable in the event of a security incident or operational disruption.

Key takeaway: Expectations around availability and recoverability extend to all systems that store ePHI, bringing archived and historical data into scope for resilience planning, not just access controls.

A Critical Consideration

Taken together, the proposed changes significantly narrow the gray area around systems that have traditionally operated in the background. HHS reinforces that Security Rule requirements apply to any system that creates, receives, maintains, or transmits ePHI, regardless of whether it supports active clinical workflows or functions as a secondary repository.

In practical terms, if ePHI lives in a system—even one kept solely for access, retention, or historical reference—the same baseline expectations apply across security, governance, and resilience.

Preparing for What Comes Next

While the final rule may continue to evolve, the proposed changes provide a clear signal about where security and enforcement priorities are headed. Healthcare organizations that begin evaluating current vendors, legacy applications, and archival environments storing or managing PHI may be better positioned to respond efficiently once requirements are finalized.

This foundation is also increasingly critical as organizations leverage AI‑driven tools across clinical, operational, and research settings. AI initiatives depend on secure, governed data environments—where ePHI is protected consistently, access is controlled, and data flows are clearly understood. The same safeguards that support Security Rule compliance also underpin the responsible use of AI in healthcare.

How Harmony Healthcare IT Can Help

Harmony Healthcare IT supports healthcare organizations as they navigate complex clinical data environments, including legacy systems and archival platforms. Our solutions are designed to preserve secure access to historical clinical data while aligning with evolving expectations around governance, availability, and risk management.

If your organization is evaluating how upcoming HIPAA Security Rule changes may affect legacy or archived clinical data, our team can help assess risk, document data flows, and plan a compliant path forward. Contact us today.
