Today, we’re talking about one of the most important—but often misunderstood—phrases in HIPAA: “reasonable and appropriate.” This isn’t just vague legal language. It’s a standard that shapes how healthcare organizations secure patient data. And in 2025, the expectations behind that phrase have changed.
So, what does “reasonable and appropriate” actually mean today? Whether you’re a compliance officer, IT manager, clinic administrator, or wearing all three hats, this post is designed to help you understand how to meet today’s standards—and how to avoid the kind of mistakes that lead to investigations and fines.
HIPAA’s Security Rule has always been scalable. That means it was built to flex depending on the size, complexity, and capabilities of your organization. A two-person clinic in a rural town isn’t expected to implement the same exact safeguards as a multi-state health system.
That’s why the rule uses flexible terms like “reasonable” and “appropriate”—and avoids rigid checklists.
But here’s the catch: that flexibility is shrinking.
Enforcement trends show that OCR is interpreting “reasonable” with far less leniency—especially around repeat issues like:
Outdated software
Weak access controls
Incomplete Security Risk Analyses
In the past, many organizations relied on basic checklists. You had a policy? Great. You listed a risk in your SRA? Check.
But now, regulators want to see what you’ve done about it.
The biggest shift in 2025 is this: Documentation alone is no longer enough.
OCR expects organizations to:
Identify real-world risks
Take concrete action
Keep that process active and ongoing
Example: If your SRA shows users still have access to PHI after leaving the org, don’t just note it. Show what you’re doing to fix it—whether that’s automating terminations, updating policies, or retraining managers.
Let’s look at what “reasonable and appropriate” means across HIPAA’s three safeguard categories:
Administrative Safeguards:
This includes risk analyses, risk management, policies, and training.
Reasonable in 2025 means:
Your SRA is up-to-date—not from three years ago
Risk management is a real process, not just a binder
Training reflects today’s threats—like phishing and mobile device use
Physical Safeguards:
Controlling physical access to systems and devices.
Reasonable in 2025 means:
Logging off shared workstations
Securing devices after hours
Encrypting laptops and phones, especially if device loss has been a concern
Technical Safeguards:
This covers access controls, audit logging, and encryption.
Reasonable in 2025 means:
No shared logins
Access controls are individualized and role-based
You’re actually reviewing audit logs
Recent enforcement tells the real story:
Comstar (2023) was fined $100,000 for never completing a proper risk analysis.
Another provider was penalized for not removing PHI access from former employees.
Warby Parker (2025) was fined $1.5 million after a breach exposed 200,000 individuals’ ePHI. Why? Because they failed to implement basic access controls—something that should’ve been caught in a risk analysis.
The pattern?
Not just the presence of risk, but the failure to act on it.
Start with your Security Risk Analysis.
Haven’t updated it in over a year? It’s time. Don’t rely on a template—do a real review.
Build or update your Risk Management Plan.
Prioritize issues, assign owners, set deadlines. Using outdated systems? Set a timeline to upgrade.
Reevaluate vendors.
Do you assess business associate risks before sharing PHI? Ask for evidence of their safeguards. Sign Business Associate Agreements.
Tighten access controls.
Are you removing access within 24 hours of someone leaving? Tracking remote access? These are easy audit wins—or fails.
Improve your training.
OCR wants quality and frequency. Teach phishing awareness. Talk about device loss. Update regularly.
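The access-control step above turns on two things an auditor can verify from exports alone: no account stays enabled more than 24 hours after its owner leaves, and no enabled login is shared rather than tied to one person. The check below is an added example, not Medcurity's code or any vendor's product. It assumes two constructed CSV exports with the column names shown (an HR roster with termination dates and an account export from the system holding PHI); the sample rows are made up for the demonstration.

```python
"""
Access-termination and shared-login check for SRA follow-up.

Added example (not Medcurity's code). Assumes two constructed CSV exports:
- an HR roster with each employee's termination date (blank if still employed),
- an account export from the PHI system: login, owner, enabled flag, role,
  and last-login timestamp.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data; not real people or records.
HR_ROSTER_CSV = """employee_id,name,termination_date
E100,Alice Rivera,
E101,Bob Chen,2025-03-01
E102,Cara Diaz,2025-03-09
E103,Dan Perez,2025-03-10
"""

ACCOUNT_EXPORT_CSV = """username,employee_id,enabled,role,last_login
arivera,E100,true,nurse,2025-03-10T08:15:00Z
bchen,E101,true,billing,2025-03-08T17:02:00Z
cdiaz,E102,false,nurse,2025-03-05T09:40:00Z
dperez,E103,true,billing,2025-03-09T16:20:00Z
frontdesk,,true,reception,2025-03-10T07:55:00Z
"""

# The 24-hour window the post names as the expected termination turnaround.
TERMINATION_GRACE = timedelta(hours=24)


def _parse_date(text):
    # Roster dates are YYYY-MM-DD; treat them as midnight UTC on that day.
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_hr_roster(text):
    """Map employee_id -> termination datetime, or None for current staff."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["termination_date"].strip()
        roster[row["employee_id"]] = _parse_date(term) if term else None
    return roster


def parse_account_export(text):
    """Parse the PHI-system account export into a list of dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "employee_id": row["employee_id"].strip() or None,
            "enabled": row["enabled"].strip().lower() == "true",
            "role": row["role"],
            "last_login": _parse_ts(row["last_login"]),
        })
    return accounts


def find_stale_terminated_accounts(roster, accounts, now):
    """Enabled accounts whose owner left more than TERMINATION_GRACE ago.

    An account whose owner left within the last 24 hours is not flagged yet;
    the deadline has not passed."""
    stale = []
    for acct in accounts:
        term = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if acct["enabled"] and term is not None and now - term > TERMINATION_GRACE:
            stale.append(acct["username"])
    return sorted(stale)


def find_post_termination_logins(roster, accounts):
    """Accounts that recorded a login after their owner's termination date.

    This is the evidence OCR would look for: not just an open account, but
    PHI access that actually happened after the person left."""
    hits = []
    for acct in accounts:
        term = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if term is not None and acct["last_login"] > term:
            hits.append(acct["username"])
    return sorted(hits)


def find_shared_logins(accounts):
    """Enabled accounts not tied to an individual employee (shared/generic)."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["employee_id"] is None)


if __name__ == "__main__":
    now = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    roster = parse_hr_roster(HR_ROSTER_CSV)
    accounts = parse_account_export(ACCOUNT_EXPORT_CSV)
    print("Still enabled past 24h:", find_stale_terminated_accounts(roster, accounts, now))
    print("Logged in after leaving:", find_post_termination_logins(roster, accounts))
    print("Shared logins:", find_shared_logins(accounts))
```

Run against the sample data, the report names one account still enabled nine days after its owner left (and which logged in after the termination date), one shared reception login, and nothing for the person who left the same day, since the 24-hour window has not closed. Each finding maps to an SRA line item with an owner and a deadline, which is the kind of follow-through the post says regulators now expect to see.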
Old Minimum Approach:
SRA done in 2021 and forgotten
Password weaknesses noted, nothing changed
One-time onboarding training
Vendors assumed secure—no proof
Reasonable and Appropriate in 2025:
SRA updated annually
MFA in place, staff trained
Phishing simulations twice a year
Vendors evaluated before contracts
System access terminated within 24 hours
Same HIPAA rule. Very different outcomes.
OCR has made it clear: they’re focusing on SRAs, vendor oversight, and access management. More updates to the Security Rule could be coming soon.
And with AI tools, ransomware, and cloud-based EHRs on the rise, what’s “reasonable” is constantly evolving.
That’s why your best strategy is this:
Review regularly.
Document clearly.
Follow through.
Not sure where you stand?
Start with your Security Risk Analysis. Don’t wait for an audit to find out where the gaps are.
And if you need support, our team at Medcurity can help.
Copyright 2024 Medcurity, All Rights Reserved