Key insights
A proposed update to the HIPAA Security Rule seeks to strengthen cybersecurity for electronic protected health information, addressing technological advances and the rising number of cyberattacks on the health care sector.
Regulated entities will need to implement specific technical safeguards such as encryption of ePHI at rest and in transit and multifactor authentication. The rule removes the “addressable” category, making all implementation specifications “required” with only limited, specific exceptions.
Annual compliance audits and thorough risk assessments will be crucial, as will maintaining detailed documentation of all Security Rule policies, procedures, plans, and analyses.
A new proposed rule aims to strengthen cybersecurity protections for electronic protected health information (ePHI) in response to the rapid advancement of technology and the increasing frequency of cyberattacks on the health care industry.
On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The NPRM was published in the Federal Register on January 6, 2025, with a 60-day public comment period; the requirements described below are proposed and are not in effect unless and until a final rule is issued.
Given the critical role ePHI plays in the health care sector, comprehending these proposed changes is paramount. Understanding how these modifications can fortify your organization against potential cyber threats may not only facilitate compliance but can also help protect patient data and maintain trust.
Key changes in the proposed HIPAA rule
The proposed rule introduces several significant changes health care organizations need to be aware of:
Technical standards
Regulated entities (covered entities and their business associates) will be required to implement specific technical safeguards such as encryption of ePHI at rest and in transit, and multifactor authentication, with additional obligations for business associates and group health plans. Business associates would have to verify to the covered entity, at least once every 12 months, that they have deployed the required technical safeguards, and group health plans would have to require their plan sponsors to implement the Security Rule’s safeguards.
Updated definitions
The rule updates definitions of terms such as confidentiality and introduces new definitions, including one for multifactor authentication. It also strengthens the administrative, technical, and physical safeguards. The proposal additionally removes the distinction between “required” and “addressable” implementation specifications, making every specification required, with fewer and narrower exceptions than in the past.
New technologies
The rule specifically addresses new technologies in health care, including artificial intelligence, quantum computing, virtual reality, and augmented reality. Health care organizations must include the cybersecurity threats posed by these tools in their risk analyses.
Clarifications and compliance
The rule clarifies provisions of the Security Rule as last modified in 2013 and emphasizes measures that improve an organization’s ability to recover from security incidents, such as restoring critical electronic information systems and data within 72 hours. It also introduces specific time frames for many existing requirements, such as how often risk analyses, asset inventories, and network maps must be reviewed and updated.
Implications for health care organizations
The proposed changes have several implications for health care organizations:
Enhanced security measures
Organizations will need to implement stronger security measures to protect ePHI, including encryption, multifactor authentication, network segmentation, anti-malware protection, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.
Compliance and risk assessments
Regulated entities will be required to conduct a compliance audit at least once every 12 months to confirm they meet the new standards. Business associates will also be required to verify to their covered entities, at least annually, that they have deployed the required technical safeguards.
Conducting thorough risk analyses will be crucial, especially for new technologies. This means maintaining an inventory of technology assets and a network map, identifying the threats and vulnerabilities affecting each asset that creates, receives, maintains, or transmits ePHI, and assessing the likelihood and impact of each identified risk.
Documentation
Organizations must maintain detailed documentation of all Security Rule policies, procedures, plans, and analyses.
How to prepare
To prepare for these changes, health care organizations should:
- Review and update security policies — Proactively confirm all security policies and procedures are up to date and compliant with the new standards.
- Conduct risk assessments — Regularly perform risk analyses to identify and address threats and vulnerabilities, and measure the results against the proposed requirements so that gaps are identified before the rule is finalized.
- Implement technical safeguards — Deploy necessary technical safeguards such as encryption, multifactor authentication, and anti-malware protection.
- Train staff — Provide training for staff on the new security measures and help them understand their roles in protecting ePHI.
- Stay informed — Keep up to date with the latest developments in cybersecurity and HIPAA regulations to support ongoing compliance.
Dan Resnick
Principal