Proposed Major Overhaul to HIPAA Security Rule Could Transform Healthcare Cybersecurity
For the first time in more than a decade, the U.S. Department of Health and Human Services (HHS) has proposed significant updates to the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new proposed regulations—published earlier this month—seek to strengthen the confidentiality, integrity, and availability of electronic protected health information (ePHI) in an era of unprecedented cybersecurity threats. If finalized, these changes will fundamentally alter how covered entities and business associates protect patient data, requiring more rigorous safeguards and documentation than ever before. The proposed regulations come on the heels of the Health Infrastructure Security and Accountability Act (HISAA) introduced before Congress in September of 2024, which instructed HHS to establish minimum cybersecurity standards.
Why Is This Update Needed?
A key impetus for the proposal is the steep rise in cyberattacks targeting the healthcare sector. Hospitals, insurers, and other HIPAA-regulated entities increasingly rely on electronic systems for everything from appointment scheduling to claims processing, making them prime targets for ransomware and other forms of cybercrime. Recognizing that the existing HIPAA Security Rule dates back to 2003—with minimal revisions in 2013—HHS intends for the proposed rule to address the growing sophistication of cyberattacks, encourage alignment with established frameworks such as the NIST Cybersecurity Framework, and keep pace with modern healthcare technologies, including telehealth and interconnected systems.
The proposed update to the HIPAA Security Rule fulfills many of the same objectives set forth in the aforementioned HISAA bill.
Key Proposed Changes
Although HIPAA’s Security Rule has historically allowed flexibility by distinguishing between “required” and “addressable” implementation specifications, the proposed revisions would eliminate this distinction entirely. Under the new rule, all implementation specifications become mandatory. Below are some of the most significant updates that covered entities and business associates should prepare for:
1. Annual Risk Analysis and Written Inventory
Detailed Risk Analysis: Covered entities must conduct a more comprehensive annual risk assessment, documenting threats, vulnerabilities, and the likelihood and impact of each.
Technology Asset Inventory & Network Map: Organizations must create a written inventory of all technology assets and maintain an up-to-date network map of the flow of ePHI. These documents must be reviewed and updated at least annually—or sooner if a major change occurs.
2. Enhanced Risk Management and Incident Response
Risk Management Plan: Entities must develop and implement a written plan detailing the steps they will take to mitigate identified risks to ePHI.
Incident Response and Disaster Recovery: Organizations must test and update their incident response plans at least annually. They must also be able to restore critical IT systems and ePHI within 72 hours following a disaster or system failure.
3. Stricter Access Controls
Terminated Employee Access: The new rule requires covered entities to remove or disable system access for terminated employees promptly—no later than one hour after employment ends.
Unique Passwords and MFA: Default passwords must be changed, and multi-factor authentication (MFA) must be deployed on all systems that handle ePHI, unless certain limited exceptions apply (e.g., unsupported legacy devices).
4. Technical Safeguards: Encryption, Segmentation, and Scanning
Mandatory Encryption: Encryption of ePHI (both at rest and in transit) would become a strictly required safeguard, with only narrow exceptions (e.g., unsupported medical devices).
Network Segmentation: Entities must segment networks to isolate critical ePHI systems from other parts of their IT environment.
Vulnerability Scanning and Penetration Testing: Organizations must scan for vulnerabilities at least every six months and conduct penetration tests annually.
5. Business Associate Agreements (BAAs)
Verification of Technical Safeguards: Covered entities must obtain written verification from business associates at least once every 12 months, confirming the associates’ technical compliance with HIPAA security measures.
24-Hour Contingency Plan Notification: Business associates would be required to notify covered entities within 24 hours after activating a contingency plan (for example, in response to a ransomware attack).
6. Regular Compliance Audits and Security Awareness Training
Annual Internal/External Audits: The proposed rule mandates annual audits of compliance with all Security Rule standards.
Security Awareness Training: Organizations must conduct security awareness training at least annually for all workforce members with access to ePHI.
7. Data Backup and Recovery Requirements
Frequent Backup Copies: The rule requires creating and maintaining backup copies of ePHI that are no more than 48 hours old.
Testing and Alerts: Real-time alerts must be implemented for backup failures, and testing of the backup system must occur monthly.
Practical Effects on HIPAA-Covered Entities
Given the comprehensive scope of these proposals, regulated entities need to begin evaluating their cybersecurity posture. Key actions include:
Updating Policies and Procedures: Written policies must be revised to reflect new technical safeguards, documentation practices, and annual review requirements.
Revising BAAs: Contracts with business associates will need provisions for 24-hour contingency notifications and annual technical compliance verifications.
Budgeting for Increased Cybersecurity Efforts: The mandated annual audits, frequent vulnerability scans, MFA deployments, and comprehensive backup systems may require additional resources, staffing, or outside expertise.
Planning for Transition: Many of the new requirements (e.g., eliminating addressable implementations, mandatory encryption, and detailed incident response plans) will significantly raise the bar for compliance.
Timeline and Next Steps
Public Comment Period: Stakeholders have until March 7, 2025, to submit feedback on the proposed rule.
Final Rule Publication: After considering public comments and potential changes under the next administration, HHS will issue a final rule.
Compliance Deadline: Entities will have at least 180 days after the final rule’s publication date to align with the new requirements.
By way of executive order, the Trump administration has implemented a government-wide regulatory freeze that could disrupt the timeline outlined above. In the interim, the current HIPAA Security Rule remains in effect. Covered entities and business associates are encouraged to remain proactive by conducting robust risk assessments and strengthening cybersecurity measures now, rather than waiting for the final rule.
Conclusion
The proposed overhaul of the HIPAA Security Rule marks a potential watershed moment for healthcare cybersecurity. By mandating enhanced safeguards, standardized annual reviews, and meticulous documentation, HHS aims to bolster the healthcare industry’s defenses against an ever-growing tide of cyber threats. Organizations may consider preparing for significant operational changes—and may want to submit comments if they have concerns or insights regarding the new requirements.
We will continue to track data privacy developments throughout the coming year as the new administration takes office. If you have any questions about the evolving consumer data privacy landscape and how emerging requirements may affect your business, please reach out to us at contact@rittergallagher.com.