For the first time in over a decade, the U.S. Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule. These proposed changes are designed to strengthen cybersecurity protections for electronic protected health information (ePHI), in response to the alarming rise in cyberattacks targeting the healthcare industry.
If these updates are finalized, healthcare practices will face stricter compliance requirements, making cybersecurity a top priority for every healthcare provider. But what exactly does this proposed rule mean for your practice? Let's break it down.
Why Is HIPAA Being Updated?
While technology has rapidly evolved since the original HIPAA Security Rule was enacted, cybercriminals have evolved even faster. Healthcare organizations have become prime targets for cyberattacks, with a 102% increase in large-scale data breaches over the past five years (Source: HIPAA Journal).
Key statistics driving the HIPAA update:
- A 1002% increase in the number of individuals affected by healthcare breaches since 2019 (Source: InfoSecurity Magazine)
- An 89% increase in hacking-related incidents targeting healthcare providers
- 167 million individuals affected by healthcare breaches in 2023 alone
With these escalating threats, the HHS recognizes that current HIPAA Security Rule standards are no longer enough to protect patient data. The newly proposed rule includes mandatory cybersecurity safeguards to address modern threats and strengthen healthcare organizations' defenses.
When Will These HIPAA Changes Take Effect?
These updates are still in the proposal stage. The HHS has opened a 60-day public comment period (beginning January 6, 2025), allowing healthcare providers to voice concerns or suggestions before the rule is finalized.
Once the comment period closes, the final version of the rule could take effect within the next year. Healthcare practices should start preparing now to avoid compliance challenges later.
What's Changing in the Proposed HIPAA Security Rule
The Notice of Proposed Rulemaking (NPRM) outlines key updates that will impact how healthcare practices manage cybersecurity and HIPAA compliance.
1. Annual HIPAA Security Audits
The proposed update introduces a requirement for healthcare practices to conduct a HIPAA Security Rule compliance audit every year. If your practice hasn't been doing regular security risk assessments (SRA), it's time to get that process in place. These audits are designed to identify any vulnerabilities in your systems and IT infrastructure, helping you stay ahead of potential threats. It's not just about checking off a regulatory box; it's about protecting patient data and ensuring your practice is operating securely. Annual audits give you a chance to fix vulnerabilities before they become major issues, so it's definitely something you'll want to prioritize as these new rules move forward.
2. Stricter Risk Analysis Requirements
Another important change is the stricter risk analysis requirements. Healthcare practices will now need to regularly assess their technology systems to identify and address any vulnerabilities. Your risk assessments will need to be more thorough and include tracking the movement of ePHI, identifying potential threats, and evaluating the risks of cyberattacks. This deeper analysis helps you understand where your systems might be exposed and gives you a clearer path to improving security. It's no longer just about having a basic understanding of risks; this update calls for a detailed, ongoing assessment to stay ahead of potential issues. By conducting more detailed risk analysis, you'll be in a better position to protect sensitive information and ensure your practice is always in compliance.
3. Stronger Incident Response & Contingency Plans
The new rule emphasizes having a well-documented incident response plan in place. Healthcare practices will now be required to have written procedures to restore electronic health records within 72 hours if a breach or ransomware attack occurs. If you haven't created a cybersecurity incident response plan yet, it's essential that you do so now. Having a clear, actionable plan will allow your practice to react quickly and minimize damage if an attack happens. The goal is to ensure your patients' data is secured and to keep your practice running smoothly in the face of a security breach. Being prepared isn't just about compliance; it's about maintaining trust and minimizing downtime when the unexpected happens.
4. Enhanced Security Measures
Healthcare practices will need to implement several key security measures as part of the updated HIPAA rule. These include encrypting all ePHI, using multi-factor authentication (MFA) for accessing protected health data, and setting up network segmentation to limit access to sensitive information. You'll also need to conduct vulnerability scans every 6 months and penetration testing every year, in addition to strengthening anti-malware protections. If you haven't adopted these safeguards yet, it's time to start planning. The goal of these measures is to prevent breaches and keep sensitive patient data safe, no matter what. With cyber threats constantly evolving, these security measures will help your practice stay protected and compliant with HIPAA requirements.
5. Business Associate & Vendor Oversight
Lastly, the rule introduces the need for healthcare practices to verify that their business associates and third-party vendors meet HIPAA's security requirements. This means doing an annual check to ensure that the vendors you work with are properly safeguarding patient data. Many healthcare practices rely on third-party vendors, from cloud services to EHR providers, so it's important to ensure that these partners are up to speed on security. The new rule makes it clear that you'll need to hold your vendors accountable and have proof of their compliance. If you're not already doing this, now's the time to start. This step is crucial in protecting your practice from external threats and ensuring HIPAA compliance across the board.
How Your Healthcare Practice Can Prepare for the HIPAA Security Rule Update
Even though these changes aren't final yet, it's critical to get ahead of potential compliance gaps. Here's how your practice can stay proactive:
- Conduct a Security Risk Assessment (SRA): Identify vulnerabilities and improve cybersecurity protections before new regulations take effect.
- Review & Update Security Policies: Ensure your incident response plans, vendor agreements, and risk assessments are aligned with proposed HIPAA requirements.
- Implement Stronger Cybersecurity Measures: If your practice hasn't yet deployed encryption, MFA, or regular penetration testing, now is the time to begin making changes.
- Work with an IT Security Expert: Understanding HIPAA's complex security requirements can be challenging. A trusted cybersecurity partner can help you navigate compliance and protect patient data.
Final Thoughts: Don't Wait to Strengthen Your Security
The proposed HIPAA Security Rule update signals that healthcare cybersecurity is under greater scrutiny than ever. Healthcare practices must adapt to stricter security requirements, or risk compliance violations down the line.
At Meriplex, we specialize in helping healthcare providers navigate HIPAA compliance and strengthen their cybersecurity posture. Our Security Risk Assessment (SRA) provides a clear, actionable roadmap to protect your practice against cyber threats while staying ahead of potential regulatory changes.