2025 Proposed HIPAA Security Rule Changes



Much Needed Update to HIPAA coming in 2025.

A long overdue update to the HIPAA Security Rule, last revised in 2013, has now been proposed. Much has changed in digital healthcare since the rule's last update, and today the healthcare industry is almost wholly reliant upon technology for the delivery of services to patients. This includes a rapid expansion of medical devices and other IoT systems, and the widespread use of AI, and in particular machine learning (ML), to mine the vast data lakes of medical information the industry now generates. The updated rule also takes account of the widespread use of cloud and virtual technologies and includes provisions for newer technologies such as virtual reality and quantum computing.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, at a time when few hospitals or health insurance groups had made the transition to digital records and most users considered a 28.8 kbps internet connection to be fast. Wi-Fi, mobile devices, and 5G cellular were still distant dreams, as was the meaningful exchange of information in digital format between all those involved in treating patients. The HIPAA Security Rule in particular (published in 2003) was considered out of date the moment it was published, although the act's Privacy Rule has fared better. In 2009 the HITECH Act updated the security requirements for HIPAA Covered Entities (CEs) and Business Associates (BAs) to take account of changes in technology and to resolve some major ambiguities in the language of the original rule. A further Omnibus update took place in 2013 for similar reasons.


What is Happening?

On December 27th, 2024, HHS OCR announced a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The rule “seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”

What is Changing?

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.

  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.

  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.

  • Add specific compliance time periods for many existing requirements.

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.

  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:

      • A review of the technology asset inventory and network map.

      • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.

      • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.

      • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.

  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:

      • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.

      • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.

      • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.

      • Implement written procedures for testing and revising written security incident response plans.

  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.

  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.

  • Require encryption of ePHI at rest and in transit, with limited exceptions.

  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:

      • Deploying anti-malware protection.

      • Removing extraneous software from relevant electronic information systems.

      • Disabling network ports in accordance with the regulated entity’s risk analysis.

  • Require the use of multi-factor authentication, with limited exceptions.

  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.

  • Require network segmentation.

  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.

  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.

  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
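
As an added illustration (not part of the NPRM or of this article), the following Python sketch turns several of the listed requirements into checks run over a constructed asset inventory and network map: review age of inventory entries, encryption at rest and in transit, MFA on systems holding ePHI, anti-malware on workstations, segmentation of ePHI flows, endpoints that appear on the map but not in the inventory, and a 72-hour restoration deadline for the most critical systems. The system names, segment names and the reading of "certain relevant systems" as criticality-1 assets are assumptions made for the example, not terms the rule defines.

```python
# Added example (not from the NPRM text or the article): a small checker that
# models the proposed asset-inventory, network-map, encryption, MFA, segmentation
# and 72-hour restoration requirements and runs them over a constructed inventory.
# Field names, segment names and the "criticality == 1" reading of "certain
# relevant systems" are modelling assumptions, not terms defined by the rule.
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)        # inventory and map reviewed at least every 12 months
RESTORE_DEADLINE_HOURS = 72                  # restore critical systems and data within 72 hours
EPHI_SEGMENTS = {"clinical", "datacenter"}   # assumed: only these segments may carry ePHI


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str               # "ehr", "workstation", "infusion_pump", "backup", ...
    stores_ephi: bool
    encrypted_at_rest: bool
    mfa: bool
    antimalware: bool
    criticality: int        # 1 = restore first (output of the criticality analysis)
    rto_hours: int          # tested time to restore from backup
    last_reviewed: date


@dataclass(frozen=True)
class Flow:                 # one edge of the network map
    src: str
    dst: str
    carries_ephi: bool
    encrypted_in_transit: bool
    segment_src: str
    segment_dst: str


def check_controls(assets, flows, today):
    """Return (subject, finding) pairs for every gap against the modelled requirements."""
    inventory = {a.asset_id: a for a in assets}
    findings = []
    for a in assets:
        if today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((a.asset_id, "inventory entry not reviewed in 12 months"))
        if a.stores_ephi and not a.encrypted_at_rest:
            findings.append((a.asset_id, "ePHI at rest not encrypted"))
        if a.stores_ephi and not a.mfa:
            findings.append((a.asset_id, "no MFA on system holding ePHI"))
        if a.kind == "workstation" and not a.antimalware:
            findings.append((a.asset_id, "workstation without anti-malware"))
        if a.criticality == 1 and a.rto_hours > RESTORE_DEADLINE_HOURS:
            findings.append((a.asset_id, "critical system cannot be restored within 72 hours"))
    for f in flows:
        edge = f"{f.src}->{f.dst}"
        for end in (f.src, f.dst):
            if end not in inventory:     # the map knows a system the inventory does not
                findings.append((end, "endpoint on network map missing from asset inventory"))
        if f.carries_ephi and not f.encrypted_in_transit:
            findings.append((edge, "ePHI in transit not encrypted"))
        if f.carries_ephi and not {f.segment_src, f.segment_dst} <= EPHI_SEGMENTS:
            findings.append((edge, "ePHI flows through a segment not approved for ePHI"))
    return findings


def restoration_order(assets):
    """Priority for restoration: most critical first, then shortest tested RTO."""
    return [a.asset_id for a in sorted(assets, key=lambda a: (a.criticality, a.rto_hours))]


# Constructed sample inventory and map (hypothetical hospital, not real systems).
TODAY = date(2025, 3, 1)
SAMPLE_ASSETS = [
    Asset("ehr-db", "ehr", True, True, True, True, 1, 48, date(2024, 11, 15)),
    Asset("ws-017", "workstation", False, False, True, False, 3, 240, date(2023, 12, 1)),
    Asset("pump-42", "infusion_pump", True, False, False, False, 2, 24, date(2024, 9, 10)),
    Asset("backup-01", "backup", True, True, True, True, 1, 96, date(2024, 10, 1)),
]
SAMPLE_FLOWS = [
    Flow("ehr-db", "ws-017", True, True, "datacenter", "clinical"),
    Flow("pump-42", "ehr-db", True, False, "iot", "datacenter"),
    Flow("vendor-gw", "ehr-db", True, True, "datacenter", "datacenter"),  # not inventoried
]


def run_example():
    return check_controls(SAMPLE_ASSETS, SAMPLE_FLOWS, TODAY)


if __name__ == "__main__":
    for subject, finding in run_example():
        print(f"{subject:16} {finding}")
    print("restore in order:", restoration_order(SAMPLE_ASSETS))
```

Run against the sample data the checker reports eight gaps, including the infusion pump sending unencrypted ePHI from an IoT segment and a vendor gateway that appears on the map but not in the inventory; the restoration order puts the EHR database and its backup ahead of everything else. A real inventory would be exported from a CMDB or asset-discovery tool rather than typed in, but the checks are the same.
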

HHS OCR requested public comments on the proposed rule by March 7, 2025. After reviewing the comments HHS will draft the final rule; the expectation here is that a final rule follows roughly six months after the comment deadline, but that timing is an estimate, not a published schedule.

Most of these proposed requirements are already being followed by larger and better-funded HIPAA CEs, though apparently not by all BAs. The proposed rule spells out, in more granular form, each of the ‘required’ and ‘addressable’ specifications that CEs and BAs should already be following. What was ‘addressable’, however, becomes a ‘requirement’ under the proposed changes.

Of Specific Interest:

  • The proposed rule adopts ‘Regulated Entity’ (RE) as a collective term for Covered Entities (CEs) and Business Associates (BAs). The two categories do not disappear: where an obligation runs from one to the other (for example a BA notifying its CE within 24 hours of activating a contingency plan), the rule still names them separately.

  • Removal of distinction between ‘required’ and ‘addressable’. All are now requirements and must be implemented. Time limits are added to meet requirements and to become compliant.

  • Changes various terms in the HIPAA Security Rule such as ‘electronic media’ to take account of the wider use of VOIP technologies, telehealth, digital messaging, cloud, and AI.

  • A complete inventory of technology assets is now required, along with a network map that illustrates the movement of ePHI throughout the RE’s electronic information systems. Both must be updated at least every 12 months and in response to any change in the RE’s environment or operations that may affect ePHI (a new device or system joining the network is one such change).

  • Each RE needs to know where all of its PHI resides on its network and in which systems, whether owned and operated by the RE or some other entity.

  • Makes network segmentation a requirement. For most providers this means, in practice, separating operational networks (medical devices, building systems, and other IoT) from general IT networks so that a compromised workstation or device cannot reach ePHI directly.

  • Requires improved regular testing and security risk analysis that includes:

      • the technology asset inventory and network map.

      • improved identification of threats, vulnerabilities, and risks to the confidentiality, integrity, and availability (CIA) of PHI.

  • Requires improved audit of access to PHI by users.

  • Requires improved business continuity, contingency planning, and security incident response capabilities.

  • Requires the use of multi-factor authentication.

  • Sets a 24-hour notification deadline (an upper limit, not a minimum): BAs must notify CEs, and subcontractors must notify BAs, within 24 hours of activating a contingency plan, and certain REs must be notified within 24 hours when a workforce member’s access to ePHI or relevant systems is changed or terminated.

What is Impacted?

If a Regulated Entity (RE) is fully compliant with the HIPAA Security Rule (as updated by HITECH and Omnibus) then very little changes. However, this is unlikely. The updated Security Rule proposal itself states that while conducting an audit of regulated entities against the current Security Rule, OCR found that “94 percent failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

This means that most REs have some work to do in order to catch up with existing Security Rule requirements, let alone the additional effort that will be required to come up to speed with the updated requirements. It also means that more effective risk assessment and analysis is required moving forward.

The intent of this proposed rule change is to remove inconsistent application of the Security Rule across REs. In doing so, it narrows the latitude entities have claimed under ‘reasonable and appropriate’ cost arguments, and it ends the common misreading of ‘addressable’ implementation specifications as ‘optional’. Those specifications become ‘required’ and mandatory, with limited exceptions.

Furthermore, the rule changes introduce the need to evaluate the ‘effectiveness’ of security controls in supporting the resiliency of the regulated entity. ‘Resiliency’ refers to the entity’s ability to withstand and recover from adverse events. In this regard the changes appear to recognize the vulnerability of REs to denial of service (DOS) and ransomware attacks, and the need to protect against these ‘availability’ attacks through increased resiliency.

This implies the need for much improved business continuity, disaster recovery, and security incident response capabilities so that REs can be back up and running quickly following an incident or attack. It also implies more resilient technology architectures, with N+1 or N+2 redundancy in which a second or third copy of an application can be switched into production quickly when needed. The protracted healthcare downtimes of recent years have largely been caused by single points of failure: an EMR or other core system encrypted by ransomware with no hot or warm standby, or the ransoming of a critical third party such as Change Healthcare.


In Conclusion.

This long-awaited update to healthcare industry security requirements will help to address the chronic imbalance between a growing number of attackers and a largely weak and ill-prepared cyber defense across payers and providers. It is intended to drive substantial improvements in security risk assessment and analysis, and the speedy remediation of identified vulnerabilities. If that happens, the new rules should reduce the number of successful cyber-attacks and help to ensure that hospitals and other delivery partners are available when patients and the communities they serve need them. They should also help to reduce growing patient safety concerns, including increased morbidity and mortality when hospitals are under attack.

The requirements to identify and keep track of connected assets, to know where data resides and moves across medical networks, and to segment operational and IT networks will be a real game changer for security. Untracked assets and unsegmented networks are well known as the weakest link and are often referred to as the ‘open back door to healthcare security.’ Medical networks and IT/IoT have changed greatly in recent years, as has our reliance on technology to diagnose, monitor, treat, and manage patients in a largely digital healthcare system. It is therefore vital that our security controls keep pace with these and other changes.






