For the first time in over a decade, the U.S. Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule. These proposed changes are designed to strengthen cybersecurity protections for electronic protected health information (ePHI), in response to the alarming rise in cyberattacks targeting the healthcare industry.
If these updates are finalized, healthcare practices will face stricter compliance requirements, making cybersecurity a top priority for every healthcare provider. But what exactly does this proposed rule mean for your practice? Let's break it down.
Why Is HIPAA Being Updated?
While technology has rapidly evolved since the original HIPAA Security Rule was enacted, cybercriminals have evolved even faster. Healthcare organizations have become prime targets for cyberattacks, with a 102% increase in large-scale data breaches over the past five years (Source: HIPAA Journal).
Key statistics driving the HIPAA update:
- A 1002% increase in the number of individuals affected by healthcare breaches since 2019 (Source: InfoSecurity Magazine)
- An 89% increase in hacking-related incidents targeting healthcare providers
- 167 million individuals affected by healthcare breaches in 2023 alone
With these escalating threats, the HHS recognizes that current HIPAA Security Rule standards are no longer enough to protect patient data. The newly proposed rule includes mandatory cybersecurity safeguards to address modern threats and strengthen healthcare organizations' defenses.
When Will These HIPAA Changes Take Effect?
These updates are still in the proposal stage. The HHS has opened a 60-day public comment period (beginning January 6, 2025), allowing healthcare providers to voice concerns or suggestions before the rule is finalized.
Once the comment period closes, the final version of the rule could take effect within the next year. Healthcare practices should start preparing now to avoid compliance challenges later.
What's Changing in the Proposed HIPAA Security Rule
The Notice of Proposed Rulemaking (NPRM) outlines key updates that will impact how healthcare practices manage cybersecurity and HIPAA compliance.
1. Annual HIPAA Security Audits
The proposed update introduces a requirement for healthcare practices to conduct a HIPAA Security Rule compliance audit every year. If your practice hasn't been doing regular security risk assessments (SRA), it's time to get that process in place. These audits are designed to identify any vulnerabilities in your systems and IT infrastructure, helping you stay ahead of potential threats. It's not just about checking off a regulatory box; it's about protecting patient data and ensuring your practice is operating securely. Annual audits give you a chance to fix vulnerabilities before they become major issues, so it's definitely something you'll want to prioritize as these new rules move forward.
2. Stricter Risk Analysis Requirements
Another important change is the stricter risk analysis requirements. Healthcare practices will now need to regularly assess their technology systems to identify and address any vulnerabilities. Your risk assessments will need to be more thorough and include tracking the movement of ePHI, identifying potential threats, and evaluating the risks of cyberattacks. This deeper analysis helps you understand where your systems might be exposed and gives you a clearer path to improving security. It's no longer just about having a basic understanding of risks; this update calls for a detailed, ongoing assessment to stay ahead of potential issues. By conducting more detailed risk analysis, you'll be in a better position to protect sensitive information and ensure your practice is always in compliance.
3. Stronger Incident Response & Contingency Plans
The new rule emphasizes having a well-documented incident response plan in place. Healthcare practices will now be required to have written procedures to restore electronic health records within 72 hours if a breach or ransomware attack occurs. If you haven't created a cybersecurity incident response plan yet, it's essential that you do so now. Having a clear, actionable plan will allow your practice to react quickly and minimize damage if an attack happens. The goal is to ensure your patients' data is secured and to keep your practice running smoothly in the face of a security breach. Being prepared isn't just about compliance; it's about maintaining trust and minimizing downtime when the unexpected happens.
4. Enhanced Security Measures
Healthcare practices will need to implement several key security measures as part of the updated HIPAA rule. These include encrypting all ePHI, using multi-factor authentication (MFA) for accessing protected health data, and setting up network segmentation to limit access to sensitive information. You'll also need to conduct vulnerability scans every 6 months and penetration testing every year, in addition to strengthening anti-malware protections. If you haven't adopted these safeguards yet, it's time to start planning. The goal of these measures is to prevent breaches and keep sensitive patient data safe, no matter what. With cyber threats constantly evolving, these security measures will help your practice stay protected and compliant with HIPAA requirements.
5. Business Associate & Vendor Oversight
Lastly, the rule introduces the need for healthcare practices to verify that their business associates and third-party vendors meet HIPAA's security requirements. This means doing an annual check to ensure that the vendors you work with are properly safeguarding patient data. Many healthcare practices rely on third-party vendors, from cloud services to EHR providers, so it's important to ensure that these partners are up to speed on security. The new rule makes it clear that you'll need to hold your vendors accountable and have proof of their compliance. If you're not already doing this, now's the time to start. This step is crucial in protecting your practice from external threats and ensuring HIPAA compliance across the board.
How Your Healthcare Practice Can Prepare for the HIPAA Security Rule Update
Even though these changes aren't final yet, it's critical to get ahead of potential compliance gaps. Here's how your practice can stay proactive:
- Conduct a Security Risk Assessment (SRA): Identify vulnerabilities and improve cybersecurity protections before new regulations take effect.
- Review & Update Security Policies: Ensure your incident response plans, vendor agreements, and risk assessments are aligned with proposed HIPAA requirements.
- Implement Stronger Cybersecurity Measures: If your practice hasn't yet deployed encryption, MFA, or regular penetration testing, now is the time to begin making changes.
- Work with an IT Security Expert: Understanding HIPAA's complex security requirements can be challenging. A trusted cybersecurity partner can help you navigate compliance and protect patient data.
Final Thoughts: Don't Wait to Strengthen Your Security
The proposed HIPAA Security Rule update signals that healthcare cybersecurity is under greater scrutiny than ever. Healthcare practices must adapt to stricter security requirements, or risk compliance violations down the line.
At Meriplex, we specialize in helping healthcare providers navigate HIPAA compliance and strengthen their cybersecurity posture. Our Security Risk Assessment (SRA) provides a clear, actionable roadmap to protect your practice against cyber threats while staying ahead of potential regulatory changes.