
New HIPAA Security Rule Coming in 2025

The Office for Civil Rights has proposed new HIPAA security requirements for ePHI in the first major Security Rule update in a decade.

The environment in which healthcare is provided in the U.S. has changed dramatically. Cyberattacks, ransomware crimes, and data breaches have increased significantly throughout the healthcare industry. The HHS Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, continues to find the same compliance failures with every audit and investigation.

These are just a few of the issues that prompted the OCR, on December 27, 2024, to issue a Notice of Proposed Rulemaking to update HIPAA Security Rule requirements to further strengthen cybersecurity protections for electronic protected health information (ePHI). It will be the first major update to the Security Rule in more than ten years—and it is long overdue.

The Security Rule specifies national data protection standards for health plans, healthcare clearinghouses, healthcare providers, and their business associates—known collectively as “regulated entities.” Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is mandatory, although many providers and their business associates still struggle with incomplete compliance. The ePHI under their management remains at serious risk until they achieve full compliance.

The Proposed Rule intends to strengthen cybersecurity by updating not only security requirements but also implementation specifications to more effectively address escalating cybersecurity threats that exploit incomplete compliance. Compliance failures have led to staggering data breaches at Change Healthcare, Akumin Imaging, and other large covered entities as well as smaller medical centers and private practices. In fact, the industry experienced a more than 100% increase in large data breaches between 2018 and 2023. In a new record, more than 167 million individuals were affected by large security breaches in 2023.

Compliance Timeline

Given the known milestones, the Final Rule could become law by mid-year, and compliance with the new HIPAA security requirements could be due by the end of 2025.

  • The Proposed Rule was published in the Federal Register on January 6, 2025, beginning a 60-day public comment period.
  • The comment period will close on March 7, 2025, after which the Proposed Rule will be revised to incorporate appropriate comments.
  • That Final Rule will become law when published in the Federal Register and the Code of Federal Regulations (CFR).
  • From that date, healthcare providers, business associates, and other regulated entities will have 180 days to comply with the new requirements. (Revisions mandated for Business Associate Agreements may have a somewhat longer compliance period.)

Until the new Security Rule is finalized, approved, and published, the current HIPAA Security Rule will remain in full effect and will continue to be enforced by the OCR.

Proposed Requirements Get Serious about ePHI, Business Associate Security, Health Plan Compliance

It is important to understand that numerous protections currently suggested in the existing HIPAA Security Rule will become required in the new rule. Data encryption and multifactor authentication are just two of many examples. Note: The term “relevant electronic information systems,” used frequently below, refers to systems that house, process, store, or otherwise handle ePHI.

According to the Proposed Rule published in the Federal Register on January 6, the new requirements, specifications, and clarifications enumerated below will update the current HIPAA Security Rule to better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Proposed Rule requires actions by the OCR as well as by healthcare regulated entities.

New Actions Required by OCR

  • Remove the distinction between “required” and “addressable” implementation specifications so that all implementation specifications become “required” (with some specific, limited exceptions).

  • Update definitions and revise implementation specifications to reflect changes in technology and terminology since 2013.

  • Assign specific time periods for compliance with many of the existing requirements where timing has not been specified.

New Actions Required by Regulated Entities

  • Develop written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.
  • At least once every 12 months, and also in response to a change in a regulated entity’s environment or operations that may affect ePHI, develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the entity’s electronic information system(s).
  • Provide the required expanded specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map.
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Notify certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen contingency planning and security incident responses through the following required actions:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of the electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting (1) how workforce members are to report suspected or known security incidents and (2) how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Encrypt ePHI at rest and in transit (with limited exceptions) as an additional data protection.
  • Establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner, including:
    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Employ multi-factor authentication (with limited exceptions) to ensure only authorized users are able to access ePHI.
  • Complete vulnerability scans at least every six months and penetration testing at least once every 12 months.
  • Segment networks that connect with relevant electronic information systems, applying appropriate technical controls, such as multiple firewalls, to isolate and protect high-value assets and data. See the CISA publication “Layering Network Security Through Segmentation” for more information.
  • Implement separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Review and test the effectiveness of certain security measures at least once every 12 months (replacing the current general requirement to "maintain security measures").
  • Business associates must verify to their covered entities, at least once every 12 months, that they have deployed the technical safeguards required by the Security Rule to protect ePHI. This verification takes the form of a written analysis of their relevant electronic information systems by a subject matter expert, accompanied by written certification that the analysis has been performed and is accurate. Business associate subcontractors must provide the same verification to their business associates at least once every 12 months.
  • Business associates must notify covered entities upon activation of their contingency or incident response plans without unreasonable delay, but no later than 24 hours after activation. Business associate subcontractors must provide the same notification to their business associates without unreasonable delay, but no later than 24 hours after activation.
  • Group health plans must include in their plan documents requirements for their plan sponsors to (1) comply with the administrative, physical, and technical safeguards of the Security Rule, and (2) ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule.
  • Group health plan sponsors must notify their group health plans upon activation of their contingency or incident response plans without unreasonable delay, but no later than 24 hours after activation.

Summary

Full compliance with the HIPAA Security Rule is essential to safeguard data and systems from hacking, ransomware, and other security incidents that lead to costly healthcare data breaches. New HIPAA security requirements proposed by the HHS Office for Civil Rights on January 6, 2025 address changes in the healthcare industry and advances in cybersecurity that have occurred since the last major Security Rule update in 2013. The new requirements also address compliance failures commonly found by the OCR during its audits and investigations.

As enumerated above, the proposed new HIPAA security requirements are significant, specific, and extensive. Regulated entities must bring their organizations into full compliance with the Final Rule within six months, or by year-end 2025 according to the current timeline. It is not too early to begin implementing the proposed new requirements, and our experienced team of cybersecurity and compliance experts is available to share insights, offer guidance, and provide implementation assistance.

Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
