In a significant move to enhance healthcare cybersecurity, the U.S. Department of Health and Human Services (HHS) has proposed substantial updates to the HIPAA Security Rule. The Notice of Proposed Rulemaking, issued on January 6, 2025, aims to strengthen the protection of electronic protected health information (ePHI) in response to growing cybersecurity threats in the healthcare sector.
Key Changes Proposed
The proposed modifications represent the most comprehensive update to HIPAA's Security Rule since its inception. The most notable changes are highlighted below.
Mandatory Requirements
The proposal eliminates the distinction between "required" and "addressable" implementation specifications, making all specifications mandatory, with specific, limited exceptions. This change signals a more rigorous approach to cybersecurity compliance.
Enhanced Documentation and Monitoring
HIPAA-regulated entities will be required to maintain written documentation of all Security Rule policies, procedures, plans, and analyses. In addition, they will be required to develop and maintain a technology asset inventory and a network map illustrating how ePHI moves through their electronic information systems, updating both at least once every 12 months and whenever a change in their environment or operations affects ePHI.
Stricter Security Controls
The proposed rule introduces several new technical requirements:
Mandatory encryption of ePHI both at rest and in transit, with limited exceptions, some of which are subject to specific conditions.
Implementation of multi-factor authentication, with limited exceptions.
Vulnerability scanning at least every six months and penetration testing at least every 12 months.
A review and test of the effectiveness of certain security measures at least every 12 months.
Deployment of anti-malware protection.
Removal of unnecessary software from systems.
Separate technical controls for backup and recovery of ePHI and relevant systems.
Incident Response and Recovery
HIPAA-regulated entities will be required to establish more robust incident response capabilities, including:
Restoration of certain relevant electronic information systems and data within 72 hours of their loss.
Written security incident response plans.
Notification of other regulated entities within 24 hours when a workforce member's access to ePHI or to relevant electronic information systems is changed or terminated.
Regular testing of incident response procedures.
Business Associate Requirements
The proposal includes new obligations for business associates and their downstream business associates, including:
Verifying at least once every 12 months that they have deployed the technical safeguards the Security Rule requires, through a written analysis by a subject matter expert together with a written certification that the analysis was performed and is accurate.
Notifying the covered entity (or, in the case of a subcontractor, the upstream business associate) within 24 hours of activating their contingency plan.
What's Next?
Covered entities, business associates, stakeholders, and others can submit comments on the proposed changes before the comment period closes on March 7, 2025.
The Proposed Rulemaking for the HIPAA Security Rule can be viewed on the Federal Register.
While these proposed changes are under consideration, the current HIPAA Security Rule remains in effect. In the interim, covered entities and business associates should begin evaluating their current security posture against the proposed requirements so they are prepared if the final rule is adopted.
The information provided is for general informational purposes only and is not intended as legal advice or an opinion on any individual matter. Legal developments or changes in law or regulation may occur in the future, and the content here may not be the most up-to-date legal or other information at the time of reading. You should consult your own attorney for any legal advice you may require.
If you would like to explore how Venus Caruso can assist you, contact Venus today using the website’s contact form or by email to venus@carusolawoffice.com.