Decoding the Latest HIPAA Security Rule Proposals for 2025

What You Need to Know About the New HIPAA Security Rule Proposals

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has largely avoided substantial change since the Health Information Technology for Economic and Clinical Health Act (HITECH) updated it back in 2013. Last year, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule. These changes are none too soon, as cyber attacks continue to accelerate in the healthcare sector. Some data shows an increase of over 1000% in the number of people affected by healthcare cyber attacks since 2018.

The proposed rule attempts to modernize the Security Rule with cybersecurity best practices, address common deficiencies and provide more guidance to covered entities and their business associates.

“This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation,” said OCR Director Melanie Fontes Rainer.

The proposed changes essentially formalize many current best practices you may already have incorporated into your GRC program. However, it’s a great idea to use this opportunity to assess what gaps will remain in your program if and when the proposed rule is adopted. The rule also includes new requirements that tie compliance to industry standards and frameworks like NIST.

Key Proposed Changes to the HIPAA Security Rule

What are some of the key changes in the proposed rule? Here are a few highlights. This list is not exhaustive, but it contains some critical changes to consider.

If your policies and procedures aren’t written, they didn’t happen.

The rule would require that all policies, procedures, analyses and plans be in writing and be produced when requested. This necessitates a formal, centralized policy management tool to maintain visibility and versioning of your documentation.

Less confusion on “addressable” standards

In the past, “addressable” meant some wiggle room and “required” meant mandatory. The new regulation removes that ambiguity around implementation specifications and makes all implementation specifications required, with limited exceptions.

Develop and maintain an asset and a network map showing ePHI

This should be revisited continually, but at a minimum reviewed and updated once a year and whenever material changes in the environment may affect the data flow. Mapping this in a homegrown system won’t work here, because you’ll need prior versions available to demonstrate the evolution of your data flows.

Beefing up business resiliency

The proposed changes emphasize planning for contingencies and responding to security incidents. This change reinforces the critical importance of a Business Continuity / Disaster Recovery tool in your organization to capture testing and remediation of failure points in the BCDR plans.

    • Have a written procedure to restore within 72 hours.
    • Analyze information system criticality to establish restoration priorities.
    • Establish written security incident response plans and procedures.
    • Document testing procedures and timelines.

Encryption and multi-factor authentication mandates

With few exceptions, the new rule would require encryption of PHI in motion and at rest, and multi-factor authentication on critical systems.

Enhanced business associate management

The proposed rule requires consistent and ongoing validation of business associates’ compliance with the Security Rule by a subject matter expert every year. Automating requests to third parties (and fourth parties) for validation will be crucial to show how you’ve operationalized this requirement.

And much more. You can read a fact sheet from the OCR here.

What This Means for Your Organization

  • Monitoring the Rulemaking Process: Keep an eye on the proposed rule as it navigates through the rulemaking process.
  • Assessing Your Current Security Posture: Evaluate current cybersecurity practices and identify gaps in compliance with the proposed requirements. Leverage a complete GRC tool that encompasses policy, BCDR, incident and third-party risk management.
  • Planning for Implementation Costs and Resources: Begin planning for the implementation of the proposed changes, considering potential costs and resource requirements. What tools do you need to fully manage the proposed changes?
  • Updating Business Associate Agreements: Review and update business associate agreements to reflect the new requirements. Track the updates in a holistic third-party risk management solution that includes engagement-level tracking and management of fourth parties and beyond.
  • Improving Documentation Practices: Ensure that all policies, procedures, plans and analyses are documented in writing and versioned.

Looking Ahead: Timeline and Next Steps

The OCR accepted comments on the proposed rule through March 7, 2025. The final rule may not be promulgated until 2026 and may change substantially. Its future is also dependent upon the current administration continuing to move forward with the proposed regulation. We will keep you updated.
