The Department of Health and Human Services (HHS) has proposed a sweeping update to the HIPAA Security Rule, and one provision stands out: annual penetration testing will be required for all covered entities and business associates.
This is not optional. There is no size exemption. Whether you are a large hospital system, a regional health plan, or a two-person chiropractic office, the proposed rule applies to you.
What Changed?
In late 2024, HHS published a Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule. The existing rule, largely unchanged since 2013, distinguished between "required" and "addressable" implementation specifications. That distinction allowed smaller organizations to document why certain controls were not reasonable for them.
The proposed update eliminates the "addressable" category entirely. All specifications become required. Among the new mandates:
- Annual penetration testing of systems that store, process, or transmit electronic protected health information (ePHI)
- Vulnerability scanning every six months
- Written risk analysis with specific asset inventories and threat assessments
- Network segmentation and encryption of ePHI at rest and in transit
- Incident response plan testing at least annually
Who Does This Apply To?
Every HIPAA covered entity and business associate. That includes:
- Hospitals and health systems
- Physician practices and clinics of any size
- Dental offices and optometry practices
- Pharmacies, including independent and compounding pharmacies
- Health insurance companies and health plans
- Clearinghouses
- IT vendors, billing companies, cloud providers, and any other business associate handling ePHI
There is no carve-out for small practices. A solo practitioner with an EHR system is subject to the same pentesting requirement as a large hospital network.
Timeline: When Does This Take Effect?
The comment period on the proposed rule closed in early 2025. HHS is expected to publish the final rule in 2026. Once published, covered entities and business associates will have approximately 180 days to comply.
That is not much time to build a pentesting program if you have never had one. Organizations should start planning now rather than waiting for the final rule.
Not sure where your organization stands? Schedule a free scoping call and we will help you determine what is in scope and what it takes to get compliant. Talk to Zio Security.
What Does a Pentest Actually Involve?
A penetration test is a controlled, authorized attempt to identify exploitable vulnerabilities in your systems and network. Unlike a vulnerability scan (which is automated and surface-level), a pentest involves a skilled professional manually probing your environment for weaknesses that automated tools miss.
For most healthcare organizations, an external penetration test covers:
- Reconnaissance of your internet-facing systems and services
- Vulnerability identification across web applications, VPNs, email gateways, and remote access portals
- Exploitation of identified weaknesses to demonstrate real-world impact
- Reporting with clear findings, severity ratings, proof-of-concept evidence, and prioritized remediation steps
A quality pentest report should be understandable by both technical staff and non-technical leadership, and it should satisfy auditor requirements.
Do I Need a Special Certification for My Pentester?
The proposed rule does not mandate a specific certification. What matters is that the testing is performed by a qualified professional using industry-accepted methodology.
Certifications like OSCP (Offensive Security Certified Professional) and PNPT (Practical Network Penetration Tester) are widely recognized in the industry and demonstrate hands-on testing ability, not just theoretical knowledge. These are practical, exam-based certifications where candidates must actually compromise systems to pass.
The key is choosing a pentester who does real manual testing, not a firm that runs an automated scan and calls it a pentest.
What This Means for Small Practices
This is where the impact will be felt most. Large health systems already have security programs and regular pentesting schedules. Small and mid-size practices often do not.
If you run a small clinic, dental office, or pharmacy, here is what you should be thinking about right now:
- Budget for it. An external pentest for a small practice typically runs between $4,500 and $8,000 depending on scope. This is a fraction of the cost of a HIPAA breach, which averaged $10.93 million in 2023 according to IBM.
- Find a qualified firm now. Once the rule is finalized, demand for pentesting services will spike. Firms that are available today may have months-long wait lists tomorrow.
- Understand your scope. Know what systems handle ePHI. Your EHR, patient portal, email system, and any cloud services that touch patient data are all in scope.
- Use it as a roadmap. A good pentest report does not just list problems. It gives you a prioritized plan to fix them. Treat it as a security improvement tool, not just a compliance checkbox.
Not sure where to start? Zio Security works with small and mid-size healthcare practices across Florida. We scope the engagement to your environment and deliver audit-ready reports your insurance carrier and compliance team can use. Talk to us about getting ahead of the deadline.
The Bottom Line
Annual pentesting for HIPAA-covered organizations is coming. The final rule is expected in 2026 with a 180-day compliance window. There is no size exemption, and the "addressable vs. required" distinction that let smaller organizations defer security controls is going away.
Organizations that start planning now will be in a much stronger position than those that wait for the final rule to scramble.
Need a HIPAA-Compliant Pentest?
Our certified penetration testers deliver clear, audit-ready reports. Get ahead of the new HIPAA requirements before the rush.