
Proposed Changes to HIPAA Rules: What You Need to Know  

In January 2025, the Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule that would change how healthcare organizations and their partners run their security programs. The proposal responds to a changing threat landscape and is intended to address the growing risks to sensitive health data.

The Health Insurance Portability and Accountability Act (HIPAA) has long been a cornerstone of protecting sensitive health information. The HHS's proposed changes aim to strengthen cybersecurity protections and ensure that covered entities and business associates are better equipped to handle emerging threats.

As these proposed changes are evaluated for inclusion in future requirements (the final rule is likely to arrive in 2026), healthcare organizations are beginning to consider how their operations and security practices may need to evolve.

Removing “Required” vs. “Addressable” Requirements 

One of the most notable proposed changes is the removal of the distinction between "required" and "addressable" implementation specifications. Under the current rule, some specifications are mandatory ("required"), while others may be implemented, substituted, or documented as not applicable based on the entity's risk assessment ("addressable"). The proposed rule would make all implementation specifications mandatory, with specific, limited exceptions [1].

Why it matters: This change aims to eliminate ambiguity and ensure a consistent baseline of security across all covered entities and business associates. It simplifies compliance by providing clear, uniform requirements. But the more stringent requirements also mean that organizations that have relied on the flexibility of "addressable" specifications, for example by documenting a compensating control instead of implementing the specification itself, may have to change how they operate.

New Technical and Documentation Requirements

The proposed rule also introduces new technical safeguards and documentation requirements intended to improve transparency and accountability. The most significant of these are described below.

Multi-Factor Authentication (MFA) and Enhanced Encryption Standards 

To bolster security, the proposed rule includes new requirements for multi-factor authentication (MFA) and enhanced encryption standards [1].

  • MFA: Organizations will need to implement MFA for access to systems that contain ePHI. This additional layer of authentication helps prevent unauthorized access even when a password has been compromised, for example through phishing or credential reuse.
  • Enhanced Encryption: The rule proposes stricter encryption requirements for ePHI both in transit and at rest. Encryption in transit protects data that is intercepted on the network, and encryption at rest protects data on storage media that is lost, stolen, or accessed without authorization.

Comprehensive Documentation of Risk Management Activities 

The proposed changes emphasize the importance of comprehensive documentation of risk management activities [2]. This includes:

  • Risk Management Plans: Organizations must develop and maintain detailed risk management plans that record the risks identified in the risk analysis and the measures taken to mitigate them.
  • Change Management Controls: The rule introduces requirements for technical and non-technical evaluations before changes are made to the entity's environment. The goal is to ensure that modifications do not inadvertently introduce new vulnerabilities or weaken existing safeguards.

Assessments of Third-Party Vendors 

Recognizing the risks posed by third-party vendors, the proposed rule includes new requirements for assessing the security practices of business associates [2].

  • Vendor Assessments: Organizations must conduct thorough assessments of their third-party vendors to confirm that they comply with HIPAA requirements. This includes evaluating the vendors' security controls, policies, and procedures.
  • Ongoing Monitoring: Because a one-time assessment only reflects a vendor's posture at that moment, regular monitoring of third-party vendors is needed to confirm continued compliance and to catch emerging risks.

Annual Compliance Assessments 

To maintain compliance, the proposed rule mandates annual compliance assessments [1]. These assessments will help organizations identify and address gaps in their security posture before they are found by an auditor or an attacker.

  • What we offer: Our team can perform these annual compliance assessments, providing you with a comprehensive evaluation of your security measures and helping you remain compliant with the latest HIPAA requirements.

How to Move Forward 

The proposed changes to the HIPAA Security Rule represent a significant step forward in strengthening cybersecurity protections for ePHI. But they also carry practical implications for the organizations subject to HIPAA compliance.

Although the proposal has not yet been published as a final rule, the increasingly urgent need to address cybersecurity threats indicates that these or similar changes are likely to be adopted. Now is a good time to evaluate current security practices so that your operations are compliant when the rules eventually take effect.

Ready to ensure compliance with the proposed HIPAA changes? Contact us today to learn how we can help you navigate these updates and maintain a robust cybersecurity posture. 

About the Author

Justin Graham is the Manager for the Healthcare and Federal practices at Tevora.
