Strengthening HIPAA with New Rule Proposal (March 2025)


In January 2025, the U.S. Department of Health and Human Services (HHS) proposed significant amendments to the HIPAA Security Rule. These proposed changes aim to strengthen the cybersecurity measures protecting electronic protected health information (ePHI) in response to the escalating frequency and sophistication of cyberattacks targeting the healthcare sector.


Why a Rule Change Now?

The healthcare industry has witnessed a dramatic increase in cyber threats, with over 167 million individuals affected by significant breaches in 2023 alone—a record high. And, if trends in the field are any indication, the rise of such attacks doesn’t show any signs of slowing down. 

Thus, this new rule aims to close some perceived gaps in the Security Rule to meet these challenges. 


Proposed Modifications to the Security Rule

The Notice of Proposed Rulemaking (NPRM) introduces several critical updates to the HIPAA Security Rule, including:

  1. Codifying Mandatory Implementation Specifications: The proposal seeks to eliminate the current distinction between “required” and “addressable” implementation specifications, making all specifications mandatory, with limited exceptions. This change aims to standardize security measures across all covered entities and business associates.
  2. Comprehensive Documentation Requirements: Entities must maintain written documentation of all security policies, procedures, plans, and analyses. This includes developing a technology asset inventory and a network map illustrating the movement of ePHI within electronic information systems.
  3. Enhanced Risk Analysis and Management: The NPRM mandates regular risk analyses to identify potential vulnerabilities to ePHI. These analyses must be reviewed, verified, and updated annually or in response to environmental or operational changes impacting ePHI.
  4. Strengthened Access Controls: The proposed rule requires implementing multi-factor authentication (MFA) for accessing ePHI, with limited exceptions for certain legacy systems and specific medical devices. Additionally, encryption of ePHI at rest and in transit would become mandatory to ensure data confidentiality and integrity.
  5. Incident Response and Contingency Planning: Covered entities and business associates must establish written security incident response plans detailing procedures for reporting, mitigating, and recovering from security incidents. The proposal also introduces a “criticality analysis” to prioritize the restoration of electronic systems and mandates the ability to restore critical systems and data within 72 hours of an event.
  6. Regular Compliance Audits and Testing: Entities must conduct annual compliance audits to ensure adherence to requirements. This includes vulnerability scanning at least every six months and penetration testing at least once every twelve months to identify and address security weaknesses proactively.
  7. Vendor and Business Associate Oversight: The NPRM emphasizes rigorous oversight of business associates. Covered entities must assess the risks of entering into agreements with business associates based on written verifications of their technical safeguards. Business associates are also required to notify covered entities when they activate their contingency plans.

Implications for HIPAA Compliance


These proposed modifications will necessitate substantial changes to existing HIPAA compliance programs if finalized. Organizations will need to:

  • Allocate Resources for Implementation: The proposed changes are projected to incur significant costs, with estimates of $9 billion in the first year and $6 billion annually for the subsequent four years. Entities must plan for these financial implications while balancing enhanced security needs.
  • Update Policies and Procedures: To align with the new mandates, comprehensive revisions to security policies and procedures, including documentation practices, risk management strategies, and incident response protocols, will be required.
  • Invest in Technology and Training: Implementing MFA, encryption, and regular system testing will require technological upgrades and ongoing staff training to ensure effective adoption and compliance.
  • Enhance Vendor Management: Strengthened oversight of business associates will be critical, necessitating thorough assessments and continuous monitoring of third-party compliance with HIPAA standards.

What Are Stakeholders Saying?

The proposed rule has elicited varied responses from stakeholders. While general agreement exists on the need for improved cybersecurity measures, concerns have been raised about the practicality and financial burden of implementing these requirements, particularly for smaller healthcare providers. Some organizations argue that the mandates may be overly prescriptive and challenging to implement without substantial support.


Remain HIPAA Compliant with Continuum GRC

As cyber threats continue to evolve, these changes aim to enhance the protection of ePHI, ensuring patient trust and safety. Healthcare organizations must proactively assess the impact of these proposals and prepare to adapt their compliance strategies to meet the forthcoming requirements.

Continuum GRC is a cloud platform that stays ahead of the curve, including support for all certifications (along with our sister company and assessors, Lazarus Alliance). 

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.
