HHS Proposes Changes to the HIPAA Security Rule


January 14, 2025

On January 6, 2025, the United States Department of Health and Human Services published a notice of proposed rulemaking (NPRM) to update HIPAA’s Security Rule. The update to the Security Rule focuses on strengthening cybersecurity protections for electronic protected health information by addressing changes in health care delivery, increased cyberattacks, and observations by the Office for Civil Rights.

What is the Security Rule?

The HIPAA Security Rule requires clinics, physicians, hospitals, pharmacies, and other healthcare providers, as well as their business associates (e.g., consultants, subcontractors, billing companies, transcriptionists, and other vendors) to protect patients’ electronically stored protected health information. The Rule requires certain administrative, physical, and technical safeguards to protect the confidentiality and security of patient information.

Already, covered entities and their business associates must assess their security risks and have safeguards in place. Entities must have policies and procedures for security measures, implement device security, and ensure compliance by their workforces. As of now, the Security Rule does not dictate the specific measures entities must take to comply with the Rule; however, the proposed changes would tighten security by outlining specific measures all covered entities and business associates must take.

What the NPRM Proposes

If promulgated, the update to the Security Rule would require covered entities and business associates to, among other things:

  • Establish security incident response plans and implement procedures for testing and revising those plans at least once per year
  • Document in writing all policies, procedures, plans, and analyses required by the Security Rule
  • Create a network map of the entity’s electronic protected health information
  • Obtain written verification at least once per year that a business associate has implemented the technical safeguards required by the Security Rule
  • Identify, prioritize, and apply software update patches for systems that create, receive, maintain, or transmit electronic protected health information
  • Establish additional strict security measures, including:
    • Multi-factor authentication
    • Anti-malware protection
    • Electronic protected health information encryption
    • Network segmentation
    • Periodic vulnerability scanning
    • Creating and maintaining backups of IT systems and testing their effectiveness

What’s Next?

The NPRM comment period is open until early March 2025, and HHS will likely take time to consider the new regulation. Although the proposed rules may or may not be promulgated as amendments to the Security Rule, HIPAA-regulated entities should consider implementing the technical safeguards mentioned in the proposal. Whether you are a covered entity like a healthcare provider, or a business associate like a consultant, medical billing company, or transcriptionist, our Data & Privacy Law attorneys can assist you with HIPAA compliance. Contact us today for help establishing security incident response plans, testing, or implementation.