Proposed Changes to HIPAA Rules: What You Need to Know
In January 2025, the Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule that would change how healthcare organizations and their business associates run their security programs. The proposal responds to a changing cybersecurity landscape and the risks it brings to sensitive health data.
The Health Insurance Portability and Accountability Act (HIPAA) has long been a cornerstone of protecting sensitive health information. The HHS’s proposed changes aim to enhance cybersecurity protections and ensure that covered entities and business associates are better equipped to handle emerging threats.
While the proposal works its way toward a final rule (which may not arrive before 2026), healthcare organizations are beginning to consider how their operations and security practices will need to change.
Removing “Required” vs. “Addressable” Requirements
One of the most notable proposed changes is the removal of the distinction between “required” and “addressable” implementation specifications. Under the current rule, some specifications are mandatory (“required”), while “addressable” ones may be skipped or replaced with an equivalent alternative if the entity documents, based on its risk assessment, why the specification is not reasonable and appropriate for its environment. The proposed rule would make all implementation specifications mandatory, with specific, limited exceptions [1].
Why it matters: This change aims to eliminate ambiguity and ensure a consistent level of security across all covered entities and business associates. It simplifies compliance by providing clear, uniform requirements. But organizations that documented an addressable specification as not reasonable and appropriate, and implemented an alternative (or nothing at all) in its place, will now have to implement the specification as written.
New Documentation Requirements
The proposed rule introduces new documentation requirements to enhance transparency and accountability. These include:
- Asset Inventories and Data Flow Diagrams: Organizations will be required to maintain a written inventory of technology assets and a network map that illustrates the movement of electronic protected health information (ePHI) throughout their systems [2]. This documentation must be updated at least annually and whenever there are significant changes to the environment.
- Enhanced Risk Analysis: The risk analysis process will need to be more specific, including a written assessment that identifies all reasonably anticipated threats, potential vulnerabilities, and the security measures in place to protect ePHI [2]. This analysis must also consider evolving threats like ransomware and supply chain vulnerabilities.
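An inventory and network map that are "updated at least annually" are only useful if someone checks that they still match reality. The script below is an added example, not code from the article or from HHS, showing the kind of check a security team can run against its own inventory: it flags entries missing required fields, entries whose last review is older than a year, data-flow edges that point at assets nobody has documented, and hosts that discovery saw on the network but the written inventory does not know about. The inventory schema, the field names, and the sample inventory and host list are all constructed for illustration; a real run would feed it a CMDB export and the output of network or cloud discovery.

```python
"""Staleness and coverage check for a written technology asset inventory.

Added example (not from the original article). The record layout,
field names, sample inventory and discovered-host set below are
assumptions made for illustration only.
"""
from datetime import date, timedelta

# Constructed sample inventory: what the organization *says* it has.
INVENTORY = [
    {"asset_id": "ehr-db-01", "owner": "clinical-systems", "stores_ephi": True,
     "data_flows_to": ["ehr-app-01"], "last_reviewed": "2025-02-10"},
    {"asset_id": "ehr-app-01", "owner": "clinical-systems", "stores_ephi": True,
     "data_flows_to": ["claims-gw-01"], "last_reviewed": "2023-11-01"},
    {"asset_id": "print-srv-02", "owner": "facilities", "stores_ephi": False,
     "data_flows_to": [], "last_reviewed": "2025-01-15"},
]

# Constructed sample discovery output: what the network *actually* shows.
DISCOVERED_HOSTS = {"ehr-db-01", "ehr-app-01", "print-srv-02", "rad-pacs-07"}

REQUIRED_FIELDS = {"asset_id", "owner", "stores_ephi", "data_flows_to", "last_reviewed"}
MAX_AGE = timedelta(days=365)  # "at least annually"


def check_inventory(inventory, discovered, today=None):
    """Return a list of (finding_kind, asset_id, detail) tuples.

    `today` may be a date, an ISO-8601 string, or None (use the real date).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)

    findings = []
    known = {a.get("asset_id") for a in inventory}

    for asset in inventory:
        missing = REQUIRED_FIELDS - asset.keys()
        if missing:
            findings.append(("missing_fields", asset.get("asset_id"), sorted(missing)))
            continue

        # Review older than the annual cadence -> documentation is stale.
        reviewed = date.fromisoformat(asset["last_reviewed"])
        age = today - reviewed
        if age > MAX_AGE:
            findings.append(("stale_review", asset["asset_id"], age.days))

        # A data-flow edge pointing at an asset that is not in the inventory
        # means the network map references something nobody has documented.
        for dest in asset["data_flows_to"]:
            if dest not in known:
                findings.append(("unknown_flow_target", asset["asset_id"], dest))

    # Hosts seen by discovery but absent from the written inventory.
    for host in sorted(discovered - known):
        findings.append(("undocumented_host", host, None))

    return findings


if __name__ == "__main__":
    for kind, asset_id, detail in check_inventory(INVENTORY, DISCOVERED_HOSTS, "2025-06-01"):
        print(f"{kind:22s} {asset_id:15s} {detail}")
```

Run against the constructed data with a reference date of 2025-06-01, the check reports that `ehr-app-01` has not been reviewed in over a year, that it sends ePHI to a `claims-gw-01` that the inventory does not list, and that `rad-pacs-07` is on the network but undocumented. Each of those is a gap an auditor would ask about, and each is cheap to catch before an annual review rather than during one.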
Multi-Factor Authentication (MFA) and Enhanced Encryption Standards
To bolster security, the proposed rule includes new requirements for multi-factor authentication (MFA) and enhanced encryption standards [1].
- MFA: Organizations will need to implement MFA for accessing systems that contain ePHI. This additional layer of security helps prevent unauthorized access, even if passwords are compromised.
- Enhanced Encryption: The rule proposes stricter encryption standards to protect ePHI both in transit and at rest. Encryption in transit protects data captured on the wire; encryption at rest protects data on lost, stolen, or improperly discarded media and backups. Neither helps against an attacker who holds valid credentials, which is why the rule pairs encryption with MFA rather than treating either as sufficient on its own.
Comprehensive Documentation of Risk Management Activities
The proposed changes emphasize the importance of comprehensive documentation of risk management activities [2]. This includes:
- Risk Management Plans: Organizations must develop and maintain detailed risk management plans that outline the measures taken to mitigate identified risks.
- Change Management Controls: The rule introduces requirements for technical and non-technical evaluations prior to changes in the entity’s environment. This ensures that any modifications do not inadvertently introduce new vulnerabilities.
Assessments of Third-Party Vendors
Recognizing the risks posed by third-party vendors, the proposed rule includes new requirements for assessing the security practices of business associates [2].
- Vendor Assessments: Organizations must conduct thorough assessments of their third-party vendors to ensure they comply with HIPAA requirements. This includes evaluating their security controls, policies, and procedures.
- Ongoing Monitoring: Regular monitoring of third-party vendors is essential to ensure continued compliance and address any emerging risks.
Annual Compliance Assessments
To maintain compliance, the proposed rule mandates annual compliance assessments [1]. These assessments will help organizations identify and address any gaps in their security posture.
- What we offer: Our team can perform these annual compliance assessments, providing you with a comprehensive evaluation of your security measures and ensuring that you remain compliant with the latest HIPAA requirements.
How to Move Forward
The proposed changes to the HIPAA Security Rule represent a significant step forward in strengthening cybersecurity protections for ePHI. But these changes may have practical implications for the organizations subject to HIPAA compliance.
Although the proposal has not yet been published as a final rule, the urgency of the cybersecurity threat environment indicates that these or similar changes will likely be adopted. Now is a good time to begin evaluating security practices so that your operations are compliant when a final rule is issued.
Ready to ensure compliance with the proposed HIPAA changes? Contact us today to learn how we can help you navigate these updates and maintain a robust cybersecurity posture.