Why 'Addressable' Doesn't Mean 'Optional' in HIPAA

Here’s a conversation that happens in small medical practices every day.

The office manager is reviewing HIPAA requirements. She sees that encryption is listed as an “addressable” implementation specification under the Security Rule. She looks it up. She reads that addressable means the organization can assess whether it’s “reasonable and appropriate” given its situation. She concludes: optional. She moves on.

Six months later, a laptop gets stolen from a staff member’s car. The hard drive wasn’t encrypted. Breach notification follows. Then an OCR investigation. Then a fine.

University of Rochester Medical Center paid $3 million for losing an unencrypted laptop and flash drive. MD Anderson Cancer Center was hit with $4.3 million in penalties over unencrypted laptops and thumb drives — even though their own policy required encryption; they were just slow to implement it. Fresenius Medical Care settled for $3.5 million over five separate breaches involving stolen unencrypted devices.

This is one of the most expensive misunderstandings in healthcare compliance — and it’s about to become impossible to make, because the rules are changing.


What “Addressable” Actually Means Under the HIPAA Security Rule

When HHS wrote the HIPAA Security Rule back in 2003, they created two categories of implementation specifications: required and addressable.

Required was simple: you must do it. Full stop.

Addressable was more nuanced. It meant: you must assess whether this safeguard is reasonable and appropriate for your organization. If it is, you implement it. If it genuinely isn’t — because of your size, technical capabilities, or risk profile — you document why, and you implement an equivalent alternative measure instead.

The key word there is instead. Not “skip.” Not “defer until later.” Not “ignore entirely.”

The original intent was flexibility, not exemption. A solo physician in a paper-based rural practice might have a different encryption story than a 200-person multi-specialty group. HHS wanted to accommodate that reality without a one-size-fits-all mandate.

What they got instead was widespread confusion — and a lot of practices treating “addressable” as a polite way of saying “optional if you don’t feel like it.”


Which HIPAA Safeguards Are “Addressable” (and Why That Matters)

The Security Rule lists dozens of addressable implementation specifications. You probably recognize some of them:

  • Encryption of ePHI at rest and in transit (§ 164.312(a)(2)(iv) and § 164.312(e)(2)(ii))
  • Automatic logoff from workstations (§ 164.312(a)(2)(iii))
  • Audit controls and system activity reviews (§ 164.312(b))
  • Person or entity authentication (§ 164.312(d))
  • Workforce training on security policies (§ 164.308(a)(5))

Notice what’s on that list: encryption, multi-factor authentication, training. These are not exotic cybersecurity measures — they’re basics. And for years, practices have been skipping them because they misread the word “addressable” as “optional.”

OCR has said as much publicly. In the proposed rulemaking published January 6, 2025, HHS explicitly acknowledged that “some regulated entities have incorrectly interpreted ‘addressable’ implementation specifications to be ‘optional’ requirements, resulting in compliance gaps and increased risks to ePHI.”

That’s the federal government politely saying: you got this wrong, and people got hurt because of it.


The Documentation Requirement Most Practices Skip

If your practice ever did the addressable analysis correctly and decided a particular safeguard wasn’t reasonable and appropriate for your situation, you were supposed to document three things:

  1. Why the standard doesn’t apply to you
  2. What equivalent alternative you implemented instead
  3. How that alternative protects ePHI to the same degree

Show that documentation to an OCR investigator after a breach and you’re in reasonable shape. Show up with no documentation, no analysis, and no alternative measures — just a blank space where that safeguard should be — and you’re in a very different conversation.

Most practices that skipped addressable safeguards did zero documentation. They just skipped. That’s not a compliance decision; that’s a gap. And it’s the kind of gap that turns a manageable fine into a headline.


What’s Changing: The 2025 Proposed Security Rule

In January 2025, HHS published a Notice of Proposed Rulemaking that would fundamentally overhaul the HIPAA Security Rule for the first time since 2003.

The headline change: the addressable/required distinction is being eliminated entirely.

Under the proposed rule, virtually everything becomes a mandatory requirement. No more assessing whether encryption is “reasonable and appropriate” for your practice. It’s required. No more deciding that automatic logoff doesn’t fit your workflow. Required. No more flexibility rationale.

New Specific, Measurable Requirements

The proposed rule also adds requirements that don’t exist today:

  • Encryption of all ePHI at rest and in transit — AES-256 and TLS 1.2 or higher specifically called out
  • Multi-factor authentication for all access to ePHI systems
  • Annual security risk assessments (not just “regular” — annually)
  • Penetration testing every 12 months
  • Vulnerability scans every 6 months
  • Audit log retention for a minimum of 6 years
  • Network segmentation requirements

The comment period closed March 7, 2025. The final rule is expected around May 2026, with a 240-day compliance window after publication. But a coalition of industry associations led by CHIME has petitioned HHS to withdraw the proposed rule, so the timeline could shift. Either way, “expected in 2026” doesn’t mean you have until 2026 to start thinking about this.


Why You Should Act Now, Not When the Final Rule Drops

There are two reasons not to wait.

First, the current addressable requirements already demand more than most practices are doing. The new rule isn’t introducing encryption as a novel concept — it’s clarifying that encryption was always the expectation unless you had a documented, justified reason otherwise. OCR can and does investigate practices under the current rules, and gaps in addressable safeguards absolutely factor into those investigations. Just ask the practices that paid millions over unencrypted laptops.

Second, complying with the proposed rule is a project, not a switch you flip. Implementing encryption across all devices, deploying MFA, setting up a real audit log system, running a proper risk assessment — this takes time and budget. Practices that start now will be ready when the final rule drops. Practices that wait for the final rule to publish will be scrambling.


What to Do Right Now: A 5-Step Action Plan

Step 1: Run an Honest Inventory

Go through the current list of addressable implementation specifications and ask yourself three questions for each one:

  1. Do we have this in place?
  2. If not, do we have documented justification for why not?
  3. If not that either, do we have an equivalent alternative that genuinely provides the same protection?

If the answer to all three is “no” — you have a gap. Document it, prioritize it, and start handling it before a breach forces the conversation.

Step 2: Encrypt Everything

Make sure encryption is in place on all devices — laptops, workstations, tablets, phones — and for all data in transit. Full-disk encryption (BitLocker for Windows, FileVault for Mac) is free and built into the operating system. There is virtually no defensible reason to leave devices unencrypted in 2026.
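One way to carry out Step 2 on a Windows workstation and keep evidence for Step 5, as an added example that is not part of the original post: it uses the built-in BitLocker cmdlets and assumes an elevated PowerShell session on a Windows edition that ships the BitLocker module; the CSV file name and the AES-256 check (taken from the proposed rule's requirement above) are this example's own choices.

```powershell
# Added example, not from the original post: inventory BitLocker status on one Windows
# machine and record it for the compliance file. Assumes an elevated session on an
# edition that ships the BitLocker module (Pro/Enterprise, or Server with the feature).
$report = Get-BitLockerVolume | ForEach-Object {
    $vol = $_
    # A RecoveryPassword protector means the recovery key can be escrowed (AD/Entra/Intune),
    # so a forgotten PIN or a TPM failure does not turn an encrypted disk into lost data.
    $hasRecovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
    # The proposed rule names AES-256; XtsAes256 is the current BitLocker method that meets it.
    $strongCipher = "$($vol.EncryptionMethod)" -match '256'
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Volume       = $vol.MountPoint
        VolumeType   = $vol.VolumeType        # OperatingSystem or Data
        VolumeStatus = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress
        Protection   = $vol.ProtectionStatus  # On or Off (Off = keys unprotected even if data is encrypted)
        Method       = $vol.EncryptionMethod
        RecoveryKey  = $hasRecovery
        Compliant    = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On' -and
                        $strongCipher -and $hasRecovery)
        CheckedAt    = (Get-Date).ToString('s')
    }
}

$report | Format-Table -AutoSize

# Keep the CSV with the Step 5 documentation: it is evidence that the check was actually run.
$report | Export-Csv -Path "$env:COMPUTERNAME-bitlocker-inventory.csv" -NoTypeInformation

$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    $names = ($gaps | ForEach-Object { $_.Volume }) -join ', '
    Write-Warning "$($gaps.Count) volume(s) on $env:COMPUTERNAME are not fully protected: $names"
}
```

Run it on each workstation (or push it through your endpoint management tool) and keep the CSVs; a volume reported as encrypted but with Protection Off is a gap, not a pass.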

Step 3: Implement Audit Controls

Make sure you have something resembling audit controls. You need to know who accessed what patient data, when, and from where. The new rule will require 6 years of audit log retention.

Step 4: Train Your Staff

Make sure your staff has received documented security training in the last 12 months. Not just a “we talked about it at a meeting” — actual training with attendance records and content documentation.

Step 5: Document Your Decisions

For any addressable specification you haven’t fully implemented, write down your reasoning today. Even imperfect documentation is infinitely better than none.


The Bottom Line on “Addressable” vs. “Required”

These aren’t novel requirements. They’re the basics that the proposed rule is essentially forcing practices to confront. The myth that “addressable” means “optional” has cost practices real money — millions in fines, millions more in breach remediation costs. HHS is removing the ambiguity entirely for a reason.

The enforcement numbers speak for themselves. $6.6 million in HIPAA fines in 2025, with addressable safeguard gaps showing up in case after case. Do the work now, on your schedule, instead of later under pressure.



The myth that “addressable” means “optional” has cost practices real money in fines and breach remediation. HHS is removing the ambiguity entirely for a reason. Get ahead of it.

Need help auditing your current safeguards or building a compliant security program? One Guy Consulting offers affordable HIPAA compliance packages.