Published January 15, 2025

Strengthening Healthcare Cybersecurity: Proposed Updates to HIPAA Security Rule

In January 2025, the U.S. Department of Health and Human Services (HHS) proposed pivotal updates to the HIPAA Security Rule aimed at enhancing cybersecurity measures for electronic protected health information (ePHI). These changes respond to the escalating threat of cyberattacks in the healthcare sector, with a clear goal to create a more secure and resilient framework and strengthen protections for sensitive health data.

Although a specific effective date for the changes has not yet been announced, once the rule is finalized the new provisions typically take effect about 180 days later, allowing covered entities and business associates time to implement the necessary updates.

To provide a rough estimate:

  • If the final rule is issued in mid or late 2025, the updates would likely take effect by late 2025 or early 2026.

The following sections outline the proposed critical changes and their implications for healthcare entities and business associates.

Uniform Implementation Specifications

One significant shift in the proposed rule is the elimination of the distinction between “required” and “addressable” implementation specifications. Historically, the HIPAA Security Rule allowed organizations to tailor their approach to addressing the rule based on their size, resources, and environment. Now, with all specifications potentially becoming mandatory, entities would have to implement uniform security measures with limited exceptions, provided they are justified through robust documentation.

This proposed change seeks to level the playing field, ensuring consistency across organizations in their cybersecurity practices. While it simplifies the compliance landscape, smaller organizations accustomed to flexibility may face operational and financial challenges in adapting to these more rigid requirements. The ultimate aim, however, is to bolster the integrity of ePHI security across the board, reducing risks and strengthening trust in healthcare systems.

Mandatory Documentation

The emphasis on accountability is evident in the proposed requirement for comprehensive documentation. Under the proposed rules, entities would maintain written records of all security-related policies, procedures, plans, and risk analyses. This documentation extends to contingency plans, incident response strategies, and network configurations.

By formalizing the documentation process, HHS underscores the importance of preparedness and transparency. These records not only facilitate smoother compliance audits but also provide a roadmap for addressing vulnerabilities. While the administrative burden may seem daunting, the enhanced clarity and accountability are expected to drive better outcomes in cybersecurity resilience.

Asset Inventory and Network Mapping

Another cornerstone of the proposed changes is the requirement for a detailed technology asset inventory and network mapping. Organizations would be required to identify and catalog all devices, applications, and systems involved in managing ePHI, as well as document the flow of data within their networks. Additionally, organizations would need to ensure their asset inventory includes smart devices that are connected to the Internet of Things (IoT) and medical IoT devices, as these devices can also present serious risks to the security of ePHI.

Further, any technology asset inventory and network map would be required to account for the processes that move ePHI into and out of a regulated entity's systems, including those that involve another entity. For example, a network map must include technology assets used by a business associate. Finally, a process to routinely update the required inventory and network map must be implemented to reflect the evolving technological landscape.

This provision addresses a long-standing issue in healthcare—the lack of visibility into network assets and data flows. By mandating these measures, HHS aims to empower organizations to better identify vulnerabilities, prevent unauthorized access, and respond effectively to potential breaches. While the initial setup might require significant investment, the long-term benefits in risk management and compliance far outweigh the costs.
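As an added illustration (not code from the article or from HHS), the script below runs a gap check over a constructed asset inventory and network map along the lines the proposal describes: assets that move ePHI but were never catalogued, catalogued assets with no documented ePHI flow, entries overdue for the routine update, and assets held by a business associate that still belong on the map. The asset names, dates and the 90-day review interval are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory: asset id -> attributes. "owner" is the regulated entity
# itself or a business associate that handles ePHI on its behalf (assumed names).
INVENTORY = {
    "ehr-db-01":        {"type": "server",      "owner": "hospital",       "last_reviewed": "2025-01-02"},
    "infusion-pump-12": {"type": "medical-iot", "owner": "hospital",       "last_reviewed": "2024-06-30"},
    "nurse-tablet-07":  {"type": "medical-iot", "owner": "hospital",       "last_reviewed": "2025-01-10"},
    "claims-portal":    {"type": "application", "owner": "billing-vendor", "last_reviewed": "2024-12-15"},
}

# Constructed network map: each entry is one ePHI flow between two assets.
FLOWS = [
    ("infusion-pump-12", "ehr-db-01"),
    ("ehr-db-01", "claims-portal"),   # flow to a business associate's system
    ("ehr-db-01", "cloud-backup"),    # destination was never added to the inventory
]

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence; the proposal sets no number here

def inventory_gaps(inventory, flows, today_iso, interval=REVIEW_INTERVAL, entity="hospital"):
    """Compare the inventory against the network map and return the gaps found."""
    today = date.fromisoformat(today_iso)
    mapped = {asset for flow in flows for asset in flow}
    findings = {"unlisted": [], "unmapped": [], "stale": [], "business_associate": []}
    # Assets that move ePHI but were never catalogued.
    findings["unlisted"] = sorted(mapped - inventory.keys())
    for name, attrs in inventory.items():
        if name not in mapped:                   # catalogued, but no documented ePHI flow
            findings["unmapped"].append(name)
        if today - date.fromisoformat(attrs["last_reviewed"]) > interval:
            findings["stale"].append(name)       # overdue for the routine update
        if attrs["owner"] != entity:             # held by a business associate, still in scope
            findings["business_associate"].append(name)
    return findings

def complete(findings):
    """True only when no asset is unlisted, unmapped or overdue for review."""
    return not (findings["unlisted"] or findings["unmapped"] or findings["stale"])

if __name__ == "__main__":
    result = inventory_gaps(INVENTORY, FLOWS, "2025-01-15")
    for category, assets in result.items():
        print(f"{category}: {assets or 'none'}")
    print("inventory complete:", complete(result))
```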

Enhanced Risk Analysis

A deeper, more structured approach to risk analysis is central to the proposed updates. Entities would be required to identify threats and vulnerabilities comprehensively, assess their risk levels, and document mitigation strategies. This proactive approach ensures organizations stay ahead of potential cyber threats by addressing weaknesses before they can be exploited.

The proposed updates also state regulated entities must conduct risk assessments of the cybersecurity threats of new Artificial Intelligence (AI) tools. As noted within the proposed rule, “The regulated entity’s risk analysis must include consideration of, among other things, the type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided.”

Access Termination Notifications

Timeliness in managing user access is critical. Under the proposed rule, entities would notify relevant workforce members within 24 hours of changes or terminations in their access to ePHI systems. This measure minimizes the risk of insider threats and reduces the window of opportunity for unauthorized data access.

Contingency Planning and Incident Response

The proposed rule also highlights the importance of contingency planning and incident response. Organizations would be required to establish procedures to restore lost systems and data within 72 hours of an incident and create comprehensive security incident response plans. These requirements aim to minimize disruptions to patient care and operational functionality during cybersecurity events.

Annual Compliance Audits and Business Associate Verification

To reinforce adherence to the Security Rule, HHS proposes mandatory annual compliance audits for all covered entities. Additionally, business associates, who play a crucial role in handling ePHI, must verify annually that they have implemented the necessary safeguards. This move extends accountability to the broader ecosystem of healthcare data management.

The proposed updates to the HIPAA Security Rule represent a significant evolution in how healthcare organizations approach cybersecurity. By mandating uniform specifications, enhancing risk analysis requirements, and emphasizing detailed documentation, HHS aims to create a more robust framework for protecting ePHI.

Further, additional frameworks and guidelines have been created to increase regulations around the adoption of standards for the protection of ePHI including these:

  • NIST’s Cyber Security Framework (CSF) version 2.0
  • HHS 405(d) Program’s Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
  • FTC’s Start with Security: A Guide for Business
  • HHS’ Cybersecurity Performance Goals

While HHS’s proposed changes may present challenges, particularly for smaller entities, the focus on resilience and security aligns with the urgent need to counteract the growing threat of cyberattacks. Organizations are encouraged to review these proposals and participate in the public comment process to help shape the future of healthcare cybersecurity. 

If you would like additional guidance related to the proposed updates to the HIPAA Security Rule or any matter related to compliance with the HIPAA Security Rule, our executives are happy to assist.
