HIPAA Security rule changes for 2025

January 9, 2025 | By Accorian

The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and strengthen cybersecurity protections for electronic protected health information (ePHI). The modifications are intended to address rising cyber threats in the healthcare sector by updating the national standards that apply to covered entities and their business associates.

The proposal aligns with broader efforts, including the National Cybersecurity Strategy and HHS’ Healthcare Sector Cybersecurity Strategy, which prioritize stronger cybersecurity enforcement, accountability, and best practices for critical infrastructure.

Key Proposals to Strengthen the HIPAA Security Rule Include:

  • Uniform Requirements: Eliminate the distinction between “Required” and “Addressable” implementation specifications, making all specifications mandatory with specific, limited exceptions.
  • Written Documentation: Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Updated Standards: Revise definitions and implementation specifications to reflect changes in technology and terminology.
  • Compliance Timelines: Add specific time periods for compliance with many existing requirements.
  • Asset Inventory & Network Mapping: Maintain a technology asset inventory and a network map that shows how ePHI moves through the entity’s systems, and update both at least once every 12 months and after any change that may affect ePHI.
  • Enhanced Risk Analysis: Require a written risk assessment that reviews the asset inventory and network map, identifies reasonably anticipated threats and potential vulnerabilities, and assesses the risk level of each.
  • Access Change Notifications: Notify other regulated entities within 24 hours when a workforce member’s access to ePHI or relevant information systems is changed or terminated.
  • Incident Response & Contingency Planning: Require written procedures to restore relevant information systems and data within 72 hours, a criticality analysis that sets the order of restoration, and written incident response plans that are tested and revised.
  • Annual Compliance Audits: Conduct a compliance audit at least once every 12 months.
  • Business Associate Verification: Require business associates to verify at least once every 12 months, through a written analysis by a subject matter expert and a written certification, that they have deployed the required technical safeguards for ePHI.
  • Encryption: Encrypt ePHI at rest and in transit, with limited exceptions.
  • Technical Controls: Configure relevant information systems, including workstations, consistently by deploying anti-malware protection, removing extraneous software, and disabling unused network ports in accordance with the risk analysis.
  • Multi-Factor Authentication: Require its use, with limited exceptions.
  • Vulnerability Management: Perform vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Network Segmentation: Require segmentation of networks to limit the spread of an intrusion.
  • Backup and Recovery: Establish separate technical controls for backing up and recovering ePHI and relevant information systems.
  • Annual Security Reviews: Replace the current general requirement to maintain security measures with a requirement to review and test the effectiveness of those measures at least once every 12 months.
  • Contingency Notifications: Business associates must notify covered entities (and subcontractors must notify business associates) upon activation of a contingency plan without unreasonable delay, and no later than 24 hours after activation.
  • Group Health Plan Safeguards: Require plan documents to obligate plan sponsors to comply with the Security Rule’s administrative, physical, and technical safeguards, to ensure that their agents comply, and to notify the plan within 24 hours of activating a contingency plan.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect, and regulated entities should continue to comply with it. Get in touch with Accorian for assistance with HITRUST or HIPAA compliance at info@accorian.com.

For more details, visit https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.
