HHS proposes additional rules for HIPAA Security Rule 2025


The US Department of Health and Human Services (HHS) has proposed a set of major updates to the Health Insurance Portability and Accountability Act (HIPAA). Although there were many minor updates between 2013 and 2023, this is the first major set of updates in 11 years.

The Notice of Proposed Rulemaking (NPRM) for the update was published on 27 December 2024.

Let us take a look at the proposed updates.

Purpose of updates to HIPAA 

The purpose of the HIPAA Security Rule is to ensure that covered entities implement the security measures, policies, and procedures needed to keep electronic protected health information (ePHI) private, confidential, and secure while preserving its integrity. The regulation applies to healthcare organizations of all sizes and types.

2024 was a menacing year for healthcare organizations, with a rise in cyber threats that compromised their data and disrupted their operations.

The Office for Civil Rights (OCR) has seen a massive uptick in reported data breaches in the healthcare sector, with ransomware being the most common threat.

The largest of these, the breach at Change Healthcare, has impacted millions of people, and that number is expected to grow. Large data breaches (those with 500 or more records compromised) rose by 102%, with the protected health information of over 180 million people exposed.

The set of updates titled “The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” seeks to help organizations strengthen their cybersecurity against evolving and frequent cyber threats.

The key requirements proposed

Some of the key requirements that were proposed as part of the new HIPAA regulation are as follows: 

Inventory of Technology Assets and Network Map 

Entities must develop, and revise regularly (at least every 12 months), a technology asset inventory and a network map showing how ePHI moves through their information systems. The inventory must also record how changes in the entity's environment affect ePHI.

Risk assessment and analysis 

The regulation requires entities to perform a security review of their technology asset inventory and network map, identifying the risks and threats that could harm the confidentiality, integrity, and availability of ePHI. They must also evaluate the impact and severity of those risks and threats based on the likelihood that threat actors will exploit the identified vulnerabilities.

HIPAA compliance audit 

Under the new regulations, all entities must conduct a compliance audit at least every 12 months to verify that they are adhering to the latest HIPAA Security Rule.

Incident response and contingencies 

Entities must have a clear set of procedures for restoring electronic information systems and data within 72 hours, with restoration prioritized by the criticality of the systems and technology assets involved. They must also have written incident response procedures and a process for improving incident response through regular testing and revision.

Enhanced security measures 

Entities must implement measures that establish a baseline level of security, including:

  • Encryption of all ePHI in transit and at rest
  • Multi-factor authentication
  • Network segmentation
  • Vulnerability scanning every 6 months and penetration testing every 12 months
  • Anti-malware protection
  • Removal of all non-essential software
  • Disabling of network ports as indicated by the risk analysis
  • Identification and implementation of technical controls for the backup and recovery of ePHI and electronic information systems

Notification requirements  

All entities subject to the rule must give notice within 24 hours of a change to, or termination of, a workforce member's access to ePHI or to an electronic information system. Business associates must give notice within 24 hours of activating a contingency plan.

Annual security and technical review of business associates and contractors 

Business associates and their contractors must have their technical security measures reviewed by subject matter experts against the recommended technical security measures every 12 months.

Group health security review  

Group health plans must include in their plan documents a requirement that plan sponsors implement the administrative, physical, and technical safeguards stated in HIPAA.

The proposed regulation is subject to a 60-day comment period, and all comments must be submitted by March 7. The Security Rule is to be added to the Federal Register before the inauguration of President Trump, and the final decision will be taken by the Trump-Vance administration. The proposal has received strong support from both parties, as both believe in prioritizing cybersecurity in healthcare.

HIPAA Security Rule 2025: Key updates proposed
