Alert

Proposed Changes to HIPAA Security Rule to Enhance Cybersecurity for ePHI

In response to increasing cybersecurity threats in the health care sector, a proposed update to the HIPAA Security Rule aims to strengthen protections for electronic protected health information (ePHI).

This Notice of Proposed Rulemaking (NPRM) was issued by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) on December 27, 2024, and published in the Federal Register on January 6, 2025. Public comments on the NPRM are due March 7, 2025.

Impact on Health Care Covered Entities

Under the proposed changes to the HIPAA Security Rule, covered entities and their business associates will face stricter requirements for reporting, technology asset inventories and network mapping, risk management, and compliance, including a compliance audit at least once every 12 months. The proposed rule also tightens the requirements for contingency planning and incident response. Key elements of the proposed rule include:

  • Increased protections for patient data. Health care organizations will be required to implement multifactor authentication, segment their networks so that an intrusion in one system cannot spread freely to others, and encrypt patient data so that even if it is stolen it remains unreadable without the decryption key.
  • Emphasis on risk management. A greater emphasis on risk analysis and incident response planning will require organizations to be proactive in their cybersecurity strategies. This includes a written assessment of the current technology asset inventory and network map, the reasonably anticipated threats and potential vulnerabilities to ePHI, and the risk level assigned to each threat and vulnerability.
  • Unified implementation specifications. All implementation specifications will be classified as required, eliminating the distinction between “required” and “addressable” specifications.
  • Documentation requirements. Written documentation of all Security Rule policies, procedures, plans, and analyses will be mandatory.
  • Incident response and contingency planning. Entities must establish written procedures for restoring certain relevant electronic information systems and data within 72 hours and must develop security incident response plans.
  • Technical safeguards. Encryption of ePHI at rest and in transit will be mandated, along with multifactor authentication, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.

Additional Responsibilities for Business Associates

Business associates must verify to covered entities at least once every 12 months that they have deployed the technical safeguards required by the Security Rule, through a written analysis of their relevant electronic information systems and a written certification that the analysis was performed and is accurate. They must also notify covered entities of contingency plan activations within 24 hours.

Additional Requirements for Group Health Plans

Group health plan documents must require plan sponsors to comply with the administrative, physical, and technical safeguards of the Security Rule, to ensure that any agent receiving ePHI implements the same safeguards, and to notify the plan of a contingency plan activation without unreasonable delay and no later than 24 hours after activation.

FAQ

What is the deadline for submitting comments on the NPRM?

Public comments are due on March 7, 2025, 60 days after the NPRM was published in the Federal Register.

Will the current security rule remain in effect during the rulemaking process?

Yes. The current Security Rule remains in effect while HHS completes this rulemaking, and the effective and compliance dates for any new requirements will be set when a final rule is issued.

How will these changes impact my organization’s current cybersecurity practices?

Organizations will need to enhance their cybersecurity practices, update documentation, and implement new compliance measures to align with the proposed changes.

What does my organization need to do now?

Covered entities and business associates are not required to take any immediate action beyond continuing to comply with the current HIPAA Security Rule. However, you should engage with stakeholders to prepare for the implementation of the proposed changes and consider submitting comments on the NPRM. Review the proposed requirements against your existing policies, procedures, risk analyses, and implementation specifications to identify the updates the new rule would require.

What resources are available to help organizations prepare for these changes?

Organizations can refer to the NPRM document, HHS guidance, and consult with security and compliance experts for assistance in navigating the new requirements.

We’re Here to Help

For help navigating the revised regulations, contact your Moss Adams professional.