On January 6, 2025, the Department of Health and Human Services (HHS) published a proposed rule in the Federal Register containing major revisions to the HIPAA Security Rule. If finalized, this would be the first major update to the rule in over a decade.
The NPRM (Notice of Proposed Rulemaking) responds to the changing face of healthcare, rising cyberattacks, and new technologies that the existing rule did not anticipate. “This proposed rule is an important step toward ensuring health care providers, patients, and communities are not only better positioned to respond in the event of a cyberattack but are more secure and resilient,” said HHS Deputy Secretary Andrea Palm.
The HIPAA Security Rule became effective on April 21, 2005, and was implemented to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Since then, almost every stage of modern healthcare has come to depend on stable and secure computer and network technologies.
The update is all the more important because of the alarming increase in healthcare data breaches. According to HHS, large breaches in 2023 alone affected more than 167 million individuals, underscoring the need for stronger cybersecurity measures across the healthcare sector.
HHS Office for Civil Rights Director Melanie Fontes Rainer emphasized the forward-looking nature of the rule: “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats.” To close these gaps in compliance, the proposal introduces new administrative, technical, and physical safeguards aimed at such emerging threats.
Key Changes in the Proposed HIPAA Security Rule Update
1. Elimination of “Addressable” vs. “Required” Distinction
The proposal removes the distinction between “addressable” and “required” implementation specifications, making all safeguards mandatory with limited exceptions.
2. Enhanced Technical Safeguards
- Mandatory Encryption: All ePHI must now be encrypted using secure algorithms.
- Network Segmentation: Required where “reasonable and appropriate” based on risk analysis.
- Multi-Factor Authentication (MFA): Implementation of MFA for ePHI access.
3. New Administrative Safeguards
- Technology Asset Inventory: Develop and maintain an inventory of all technology assets.
- Annual Compliance Audits: Regulated entities must conduct audits at least once every 12 months.
- Business Associate Certifications: Business associates must annually verify compliance with the Security Rule’s technical safeguards through a written analysis by a subject matter expert and provide certification. This requirement extends to business associate contractors.
4. Expanded Risk Analysis Requirements
- Vulnerability Scanning: Perform scans at least every six months.
- Penetration Testing: Conduct annual penetration tests.
- Annual Security Measure Reviews: Test effectiveness of security measures yearly.
5. Stricter Security Requirements
Implementation of new technical safeguards including patch management, login attempt limitation procedures, and configuration management.
6. New Definitions
The rule introduces new definitions for key terms such as MFA, Risk, Threat, and Vulnerability to enhance clarity and consistency in implementation.
7. Small and Rural Providers
While recognizing the unique challenges faced by small and rural healthcare providers, the rule emphasizes that they are not exempt from ePHI protection requirements. It aims to provide flexibility through:
- Scalable implementation based on organization size and complexity.
- Encouragement of cloud-based services and managed security providers.
- Proposed technical assistance and resources tailored for small and rural providers.
Moving Forward
A public comment period is open for the proposed HIPAA Security Rule updates, running until March 7, 2025. Healthcare organizations, stakeholders, and interested parties can review the proposed changes and submit their feedback during this time. Comments can be submitted electronically at https://www.regulations.gov by searching for Docket ID number HHS-OCR-0945-AA22, or by mail to the U.S. Department of Health and Human Services, Office for Civil Rights.
HHS has also scheduled a Tribal consultation meeting for February 6, 2025, from 2 p.m. to 3:30 p.m. Eastern Time. This meeting is specifically for Tribal officials and interested parties to provide input on the proposed modifications to the HIPAA Security Rule. Those wishing to participate can register through the provided Zoom link.
If the proposed rule is finalized, most regulated entities would have 180 days from the effective date to comply with the new requirements. HHS may consider providing a longer transition period for certain aspects, such as modifying business associate agreements and other written arrangements.
How TestPros Can Help
TestPros offers HIPAA compliance services and can assist organizations in meeting these new requirements by:
- Conducting comprehensive security assessments aligned with the updated HIPAA Security Rule.
- Implementing and testing encryption protocols for ePHI.
- Performing regular vulnerability scans and penetration tests.
- Assisting with the development and maintenance of technology asset inventories.
- Providing guidance on network segmentation and multi-factor authentication implementation.
- Offering training and support for annual compliance audits and security measure reviews.
Don’t wait for the final rule to be implemented. Start preparing now to ensure your organization is ready to meet these enhanced cybersecurity standards. Contact TestPros today to schedule a consultation and learn how we can help you stay ahead of the curve in healthcare cybersecurity compliance.