HIPAA 2.0: Your Biggest Questions Answered 

As organizations prepare for the changes coming with the notice of proposed rulemaking for the HIPAA Security Rule—dubbed ‘HIPAA 2.0’ colloquially—many professionals have pressing questions about how the new regulations will impact their data security, privacy policies, and compliance strategies. During a recent webinar on HIPAA 2.0, attendees had the opportunity to ask direct questions to a panel of experts, including Nadia Fahim-Koster, EVP at Meditology, and Ryan Tully, Chief Product Officer at Spirion.  

Below, we highlight the most important questions asked during the webinar—along with expert insights on what your organization needs to know to stay compliant.  

 Q1: How Does the Removal of “Addressable” Security Safeguards Impact Compliance?  

Expert Answer (Nadia Fahim-Koster):  
“The removal of addressable safeguards means that all remaining security measures must now be fully implemented—no exceptions. Previously, organizations could justify alternative methods if they couldn’t meet a specific requirement (like encryption). Now, those alternative justifications won’t be an option.”  

What this means for you:  

• If you previously used workarounds for security measures, you’ll need to fully implement the required safeguards.  

• Encryption is now mandatory—if your systems don’t support it, you must upgrade or replace them.  

• Conduct a security risk assessment to identify gaps where addressable controls were used and take action to comply with the new requirements.  

💡 Pro Tip: Prioritize the most critical safeguards first. Start by ensuring that encryption, access controls, and network security measures meet HIPAA 2.0’s new requirements. If resources are tight, focus on high-risk areas first, like systems that store or process PHI, then work your way out.  

 Q2: Does HIPAA 2.0 Expand Compliance Requirements to Non-ePHI Systems?  

Expert Answer (Nadia Fahim-Koster):  
“Yes, HIPAA 2.0 expands compliance requirements to include systems that don’t contain Electronic Protected Health Information (ePHI) but could impact its confidentiality, integrity, or availability.”  

What this means for you:  

• All systems on your network are now in scope unless you can prove they are segmented from ePHI.  

• Example: If a printer, IoT device, or file server is on the same network as your ePHI system, it must also meet compliance standards—even if it doesn’t directly store PHI.  

• Organizations must conduct comprehensive risk assessments to evaluate all IT assets and implement network segmentation to isolate PHI.  

💡 Pro Tip: If you don’t already have network segmentation in place, now is the time to implement it. This will limit the attack surface and reduce compliance burden.    

Q3: How Will Business Associate Agreements (BAAs) Change Under HIPAA 2.0?  

Expert Answer (Ryan Tully):  
“Business Associates are now required to notify Covered Entities within 24 hours if they activate their contingency plan due to a security incident.”  

What this means for you:  

• Review and update all BAAs to include the new 24-hour breach notification requirement.  

• Ensure Business Associates have an incident response plan aligned with HIPAA 2.0 standards.  

• Conduct vendor security assessments to verify they are meeting compliance requirements.  

💡 Pro Tip: If you rely on third-party vendors, now is the time to audit their security measures to ensure they won’t put your organization at risk.    

Q4: How Should Organizations Prepare for Stricter Enforcement?  

Expert Answer (Nadia Fahim-Koster):  
“Readiness is key. HIPAA 2.0 is designed to close security gaps and improve accountability, so we expect more aggressive enforcement actions.”  

What this means for you:  

• Conduct a full security risk assessment to identify compliance gaps before regulators do.  

• Implement stronger encryption, access controls, and network segmentation.  

• Strengthen your incident response plan and conduct tabletop exercises to test your team’s readiness.  

• Train employees regularly on security best practices—most breaches occur due to human error.  

💡 Pro Tip: Don’t wait for an official enforcement date—start preparing now to avoid fines, audits, and reputational damage.    

Q5: What’s the Biggest Overlooked Risk in HIPAA Compliance?  

Expert Answer (Ryan Tully):  
“One of the biggest overlooked risks is the human element—employees, contractors, and even leadership can be a security risk if they’re not properly trained. Most HIPAA violations result from human error, not technical failures.”  

What this means for you:   

• Conduct regular phishing simulations to test employee awareness.  

• Enforce strict access controls—limit PHI access to only those who need it.  

• Implement strong password policies and Multi-Factor Authentication (MFA).  

• Ensure employees understand their role in protecting PHI.  

💡 Pro Tip: Your workforce is your first line of defense against cyber threats—make security training a top priority to prevent costly mistakes.    

Final Takeaways from the Webinar  

• HIPAA 2.0 eliminates “addressable” security safeguards—making all security measures mandatory.  

• All networked systems are now in scope—even those that don’t store ePHI.  

• Business Associates must notify Covered Entities of security incidents within 24 hours—update your BAAs now.  

• Expect stricter enforcement—conduct a risk assessment and strengthen your security posture now.  

• The biggest overlooked risk is human error—invest in training and awareness programs.  

HIPAA 2.0 is bringing major changes, and organizations must act now to ensure compliance and avoid costly penalties.  

What’s your biggest concern about HIPAA 2.0? Reach out to our experts to discuss how your organization can prepare!