As the healthcare industry continues to become more digital and interconnected, ensuring the privacy and security of patient information is more critical than ever. The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of safeguarding patient health information.
However, as technology evolves, so must the regulations that protect it. On January 6, 2025, the U.S. Department of Health and Human Services (HHS) published in the Federal Register a Notice of Proposed Rulemaking (NPRM) proposing substantive updates to the HIPAA Security Rule for the first time since 2013. The proposed changes add many new cybersecurity requirements aimed at strengthening the protection of electronic protected health information (ePHI).
HHS is accepting public comments on the proposed rule through March 7, 2025. After the comment period closes and the comments have been reviewed and considered, a final rule will be published, likely sometime in 2026. Under the NPRM, regulated entities would then have 180 days after the final rule's effective date to comply with the new requirements before enforcement begins.
Here’s a breakdown of some of the key proposed changes and what they mean for healthcare organizations:
1. Enhancing Risk Analysis
Conducting an accurate and thorough risk analysis has always been a core part of HIPAA compliance, but the proposals go further. Healthcare organizations will be expected to follow a more robust and systematic approach to identifying and mitigating risks to ePHI. The proposed risk analysis must include: a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities and predisposing conditions in the regulated entity's relevant electronic information systems; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that the threat will exploit the vulnerability.
These updates make explicit that risk management is not a one-time exercise but an ongoing process: the written risk analysis must be reviewed and updated on an ongoing basis, and at least once every 12 months, as new threats and technologies emerge.
2. Regular Testing of Systems & Security Measures
The proposed changes require regulated entities to develop, and regularly revise, a technology asset inventory and a network map illustrating how ePHI moves through their electronic information systems, on an ongoing basis and at least annually. Regulated entities would also be required to conduct a Security Rule compliance audit at least annually, review and test the effectiveness of their security measures at least annually, perform penetration testing at least annually, and run vulnerability scans at least once every six months. These are minimum frequencies, not targets: a scan every six months will not catch a vulnerability disclosed and exploited in between, so organizations should treat the proposed cadence as a floor. Regular testing lets healthcare organizations find deficiencies in their systems and controls before attackers do.
3. Improved Technical Safeguards
With ransomware and data breaches on the rise, technical safeguards matter more than ever. The proposed changes require regulated entities, subject to limited exceptions, to encrypt ePHI both at rest and in transit, to deploy multi-factor authentication, to implement anti-malware protection, and to extend the technical safeguards currently required for workstations to mobile devices.
These safeguards align with established cybersecurity practice. Encrypting data at rest and in transit means that stolen media, intercepted traffic, and exfiltrated backups remain unreadable without the keys, which is why key management, including keeping keys separate from the data they protect, is part of the control rather than an afterthought. Encryption does not, however, stop an attacker who signs in with a stolen credential that has legitimate access to the data; that is where multi-factor authentication comes in, by requiring a second, independent factor so that a compromised password alone is not enough to reach ePHI.
4. Incident Response and Reporting
In today's cybersecurity landscape, breaches are not a matter of "if" but "when." The proposed changes place a stronger emphasis on how healthcare organizations respond to security incidents and breaches. For example, the proposed changes require written procedures for restoring the loss of critical electronic information systems and data within 72 hours of a security incident, with restoration prioritized by how critical each system and its data are to the entity's operations. Regulated entities would also be required to maintain contingency plans that are reviewed, updated, and tested regularly. In practice, a 72-hour restoration target is only achievable with backups that are tested and kept isolated from the production environment, so that a ransomware attack cannot encrypt the backups along with the primary data.
The goal is to ensure that organizations act quickly and transparently when an incident occurs, minimizing the impact on patients and restoring security and access to data as quickly as possible.
5. Strengthening Privacy and Security Safeguards
The nature of healthcare delivery is changing — think telemedicine, remote patient monitoring, and mobile health apps. While these innovations bring new opportunities for care, they also introduce new risks to patient data. The proposed updates aim to strengthen security safeguards for these new and emerging technologies.
A central change is that the proposed rule removes the current distinction between "required" and "addressable" implementation specifications: with limited exceptions, every implementation specification would be required, ending the common misreading of "addressable" as optional. These updates recognize the need for robust security in the age of mobile devices, cloud computing, and telehealth, and make clear that all Security Rule requirements must be implemented.
6. Business Associate Cybersecurity
Recognizing the large number of business associates supporting healthcare organizations, and the role that business associates and their subcontractors play in the modern healthcare industry, the proposed changes require business associates to verify to covered entities, and subcontractors to verify to business associates, at least once every 12 months that they have deployed the technical safeguards required by the Security Rule. Business associates would also be required to notify covered entities no later than 24 hours after activating their contingency plan.
To satisfy the verification requirement, a business associate or subcontractor would need a written analysis of its relevant electronic information systems by a subject matter expert, together with a written certification that the analysis was performed and is accurate. The intent is to ensure that business associates and subcontractors protect ePHI to the same standard as the covered entities they serve.
Why These Changes Matter
The proposed updates to the HIPAA Security Rule are a reflection of the evolving threat landscape and technological advances in healthcare. They are designed to strengthen security, improve patient trust, and ensure that health data remains safe in an increasingly digital world. With cyberattacks becoming more frequent and sophisticated, healthcare organizations can no longer afford to be complacent about their security practices.
If your organization hasn’t already, it’s time to review your current security measures, risk management strategies, and incident response plans. These proposed changes should serve as a wake-up call to ensure that you’re not only meeting current compliance requirements but are also prepared for the challenges of the future.
Conclusion
The proposed changes to the HIPAA Security Rule are an important step in the ongoing effort to safeguard patient data. By tightening security requirements and addressing emerging technologies, these updates ensure that HIPAA remains a relevant and effective framework in today’s healthcare landscape.
While the full details of these changes are yet to be finalized, healthcare organizations should start preparing now to align with these evolving standards. The future of healthcare data security is here — and it’s crucial to stay ahead of the curve.