Decoding Proposed Changes to the HIPAA Security Rule

Learn about recommended changes to the HIPAA Security Rule in the latest Notice of Proposed Rulemaking (NPRM) and discover how health organizations will be impacted.
Shawn Hays
5 min read
Last updated January 28, 2025

The Department of Health and Human Services (HHS) proposed changes to the HIPAA Security Rule at the turn of the 2025 New Year to address several systemic issues and better protect electronic protected health information (ePHI).

The Notice of Proposed Rulemaking (NPRM) outlined several reasons for these changes, including the significant evolution in the healthcare environment since the Security Rule was last revised in 2013.

Why is the HIPAA Security Rule being revised?

Here are the top reasons for the proposed rule change:

  1. Changes in technology (e.g., cloud and AI adoption)
  2. Increases in breaches and sophisticated cyberattacks
  3. Inconsistencies in compliance (e.g., establishing written policies without technical deployment)
  4. Misalignment with other cybersecurity guidelines
  5. Court decisions affecting enforcement
  6. Lack of accountability and enforcement
  7. Outdated definitions and terms for specificity (e.g., MFA not previously defined)
  8. Deficient incident response capabilities

The healthcare industry specifically has seen substantial technological advancements and an increased reliance on digital cloud-based systems for core business functions such as appointment scheduling, telehealth visits, and patient records management. These advancements, along with the emerging adoption of AI, have introduced new vulnerabilities and opportunities for cyberattacks.

Another driving factor for the proposed changes is the alarming increase in breaches and cyberattacks targeting healthcare organizations. Between January 1 and December 31, 2024, covered entities notified the Department of Health and Human Services Office for Civil Rights (HHS OCR) of 585 incidents. These incidents highlight the need for stronger security measures to protect ePHI and prevent unauthorized access.

The Department also observed inconsistencies in how regulated entities comply with the existing Security Rule requirements. Some entities struggled to implement adequate security measures or considered many of them optional, leading to gaps in protection and an increased risk of breaches. The proposed modifications clarify compliance obligations and provide more explicit guidance on implementing security standards.

When will the new HIPAA Security Rule go into effect?

The rulemaking process for the HIPAA Security Rule started with the NPRM released in August of 1998. That process took a little over 4.5 years in total, and the 2013 update took roughly 2.5 years.

HIPAA Security Rule Timeline

If you apply the law of averages to those two timespans, you could surmise it might be 3.5 years until the Compliance Date of the new Security Rule (roughly the summer of 2028). One might also deduce, however, that the reduction in rulemaking time is a trend that could continue, especially with heightened cyber threats. So, we could anticipate a Final Rule and Compliance Date as early as 2027.

One advantage HHS has for a faster and smoother timeline is precedent. A similar measure is now in place for regulated entities in the Defense Industrial Base under the Department of Defense (DOD). The DOD published the final rule for the Cybersecurity Maturity Model Certification (CMMC) Program in late 2024, which requires third-party assessments and arguably more accountability than the latest HIPAA NPRM recommends.

What are the most significant proposed changes?

The latest NPRM proposes many changes, including 22 additions, modifications, or clarifications to definitions. Below are the top five proposed changes with the greatest organizational impact.

Top 5 Changes Proposed in the HIPAA NPRM

1. Removal of “addressable implementation specifications” (Section 164.306—Security Standards: General Rules), making all new and existing implementation specifications “required”

2. Stronger required documentation

Technology asset inventory, network map including data movement, policies and procedures, system restoration procedures, and incident response plans

3. Audits and analysis

  • Written risk analysis and updated inventories at least every 12 months
  • Compliance audit at least every 12 months
  • Review and test all technical controls deployed for each implementation specification at least once every 12 months
  • Technical verification and certification from business associates validating their deployment of safeguards at least every 12 months
  • Pen-testing at least every 12 months
  • Vulnerability scanning at least every six months

4. Expanded and expedited reporting

  • Regulated entities are to notify any other applicable regulated entities of terminated employees no later than 24 hours after the workforce member’s authorization changes or terminates
  • Business associates to notify covered entities of breach and contingency plan activation within 24 hours

5. Added or enhanced technical controls

MFA, ePHI encryption at rest and in transit, backup and recovery of ePHI and systems, network segmentation, anti-malware software, and technology to monitor real-time activity on information systems

Documentation Grows in Importance

The proposed modifications emphasize the need for regulated entities to maintain comprehensive and up-to-date documentation of their security policies and procedures. This includes detailed records of risk analyses, risk management plans, and the implementation of security measures. The goal is to demonstrate compliance and enable more efficient oversight and enforcement by the HHS OCR.

Additionally, the changes will require entities to document their incident response plans and procedures more thoroughly.

This includes maintaining records of security incidents, the steps taken to mitigate and remediate those incidents, and the outcomes of those actions. By doing so, the Department aims to ensure that entities are prepared to respond to security threats and breaches promptly and effectively. A growing number of healthcare organizations use managed services like a Managed Data Detection and Response (MDDR) solution to address this.

The proposed rule also requires more detailed documentation of workforce training and awareness programs. Entities will need to keep records of training sessions, the content covered, and the attendance of their workforce members. This ensures employees are trained on security policies and procedures and understand their responsibilities in protecting ePHI, even when using AI.

Entities must also evaluate their security measures and document the results, including methods used, findings, and corrective actions. HHS wants to ensure that entities continuously assess and improve their security practices through these formal records and ultimately address emerging threats and vulnerabilities.

What proposed changes will impact AI and its use?

The Department recommends that before entities deploy an AI solution, they understand the “type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided.” This understanding must be documented and represented in the network map for data movement and the technology asset inventory. Additionally, regular risk analysis should include AI software throughout its use and lifecycle.

Entities must also apply other implementation specifications to AI, such as monitoring activity and revoking access to AI solutions after termination. Lastly, the use of AI will need to be included in business associate agreements and verified to be deployed in alignment and compliance with the HIPAA Security Rule.

Next steps for your organization and the HIPAA Security Rule

After reading the 125-page NPRM, you can submit comments to HHS by March 7, 2025, addressing any gaps, confusion, or drawbacks in the proposed changes. There are a total of 10 requests for comments and one request for information:

  • Section 160.103—Definitions
  • Section 164.304—Definitions
  • Section 164.306—Security Standards: General Rules
  • Section 164.308—Administrative Safeguards
  • Section 164.310—Physical Safeguards
  • Section 164.312—Technical Safeguards
  • Section 164.314—Organizational Requirements
  • Section 164.316—Documentation Requirements
  • Section 164.318—Transition Provisions
  • Section 164.320—Severability
  • New and Emerging Technologies Request for Information

All the proposed changes are rooted in HHS OCR’s findings during investigations, known attacks, actions of other federal departments, and the latest changes in cybersecurity standards. Regulated entities should review their current policies, practices, and procedures to ensure they align with the proposed NPRM changes, as these requirements are unlikely to change or reduce significantly.

Visibility and analysis are key themes among changes, and organizations will need to assess their current technology stack’s ability to visualize the flow of ePHI and where it resides. Without a solution or platform that can identify ePHI in all information systems, teams will find it challenging to meet the forthcoming changes.

Organizations will, furthermore, need a platform with automated technical policies and procedures that apply protections to all ePHI in the data estate.

For example, encrypting ePHI at rest across cloud infrastructure (Azure, Google Cloud, AWS, etc.) and SaaS platforms alike can be a challenge for most Data Security Platforms (DSP). Investing in the right processes and technology now will prove beneficial once the new rule reaches final publication.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1. Schedule a demo with us to see how Varonis can seamlessly discover and protect ePHI.

2. Initiate a Data Risk Assessment with our team and learn about what ePHI may be exposed in your environment. The Varonis DRA is completely free and offers a clear path to automated remediation.

3. Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.
