Read this if your organization is subject to HIPAA regulations.
For over two decades, the HIPAA Security Rule has remained largely unchanged, aside from extending its scope beyond covered entities to include business associates. During this time, cybersecurity threats in the healthcare sector have grown significantly, and the US Department of Health and Human Services Office for Civil Rights (OCR) has gained extensive enforcement experience.
To address evolving threats and regulatory challenges, OCR has issued proposed modifications to the Security Rule, introducing stricter security controls, mandatory encryption requirements, and a shift away from “addressable” implementation specifications. While these changes aim to improve data security, they also introduce new compliance burdens that could be challenging for many regulated entities.
Key proposed changes to the HIPAA security rule
1. Greater specificity in security requirements
Historically, the HIPAA Security Rule provided flexibility by outlining broad security categories without mandating specific implementation measures. While this adaptability allowed organizations to tailor their security programs, it also created compliance ambiguities and enforcement challenges. The newly proposed rule introduces more detailed and prescriptive requirements, including:
- Asset inventory and network mapping
  - Organizations must maintain a comprehensive inventory of technology assets, including identification, version, accountability, and location.
  - A network map illustrating the movement of ePHI across the organization's electronic information systems is required.
- Risk analysis and patch management
  - Annual review and update of the risk analysis and risk management plan.
  - Mandatory patching of critical risks within 15 calendar days and high risks within 30 calendar days.
- Access control and workforce security
  - Termination of a workforce member's access to ePHI within one hour of the end of employment.
  - Notification of other regulated entities within 24 hours when a workforce member's access to ePHI is changed or terminated.
  - New workforce members must complete security training within 30 days of being granted system access.
- Network security and monitoring
  - Mandatory network segmentation to limit lateral movement if a system is compromised.
  - Real-time system monitoring to detect unauthorized activity and alert designated workforce members.
- Authentication and identity management
  - Mandatory multifactor authentication for access to relevant systems and for any action that changes a user's privileges.
  - Implementation of strong password policies aligned with industry standards.
- Security testing and incident response
  - Annual penetration testing and vulnerability scanning at least every six months.
  - Establishment of a written security incident response plan, tested at least annually.
- Backup and disaster recovery enhancements
  - Backups frequent enough that no more than 48 hours of ePHI could be lost, and restoration of critical systems within 72 hours.
  - Monthly testing of data restoration procedures.
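Several of the thresholds above (15- and 30-day patch deadlines, one-hour access termination, 48-hour backup exposure) are concrete enough to check mechanically against an organization's own records, which is exactly the kind of evidence OCR would expect to see. The following Python is an added example, not from the original article and not an HHS or OCR tool; the asset names, user IDs and timestamps are constructed, and the record layouts (tuples of ISO 8601 strings exported from a vulnerability scanner, an HR system and a backup job) are an assumption about how such evidence might be gathered.

```python
"""Evidence check for three timed requirements in the proposed Security Rule.

Added illustration; all records below are constructed, not real data.
Thresholds are the ones the proposal names: critical patches within 15 days,
high within 30; workforce access terminated within one hour; backups that
limit ePHI loss to no more than 48 hours.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PATCH_SLA = {"critical": timedelta(days=15), "high": timedelta(days=30)}
TERMINATION_SLA = timedelta(hours=1)
BACKUP_MAX_GAP = timedelta(hours=48)

# Reference time for the constructed sample (assumed "now").
NOW = datetime.fromisoformat("2025-03-01T00:00:00")


@dataclass(frozen=True)
class Finding:
    control: str
    subject: str
    detail: str


def _hours(delta):
    return round(delta.total_seconds() / 3600, 1)


def check_patching(vulns, now):
    """vulns: (asset, severity, identified_at, remediated_at or None), ISO 8601.
    Open items are measured against `now`; closed items against their fix time."""
    findings = []
    for asset, severity, identified, remediated in vulns:
        sla = PATCH_SLA.get(severity)
        if sla is None:
            continue  # the proposal sets numeric deadlines only for critical/high
        deadline = datetime.fromisoformat(identified) + sla
        closed = datetime.fromisoformat(remediated) if remediated else now
        if closed > deadline:
            state = "remediated late" if remediated else "still open"
            findings.append(Finding("patch management", asset,
                f"{severity}: {state}, {_hours(closed - deadline)} h past the {sla.days}-day deadline"))
    return findings


def check_terminations(events, now):
    """events: (user, hr_termination_at, access_revoked_at or None), ISO 8601."""
    findings = []
    for user, terminated, revoked in events:
        t0 = datetime.fromisoformat(terminated)
        if revoked is None:
            findings.append(Finding("access termination", user,
                f"access still active {_hours(now - t0)} h after termination"))
            continue
        elapsed = datetime.fromisoformat(revoked) - t0
        if elapsed > TERMINATION_SLA:
            findings.append(Finding("access termination", user,
                f"revoked {_hours(elapsed)} h after termination (limit 1 h)"))
    return findings


def check_backups(completed_at, now):
    """completed_at: backup completion times. Any interval over 48 h, including
    the one from the latest backup to `now`, exposes more than 48 h of ePHI."""
    times = sorted(datetime.fromisoformat(t) for t in completed_at)
    if not times:
        return [Finding("backup cadence", "-", "no backups recorded")]
    findings = []
    for prev, cur in zip(times, times[1:] + [now]):
        gap = cur - prev
        if gap > BACKUP_MAX_GAP:
            findings.append(Finding("backup cadence", prev.isoformat(),
                f"{_hours(gap)} h until next backup (limit 48 h)"))
    return findings


# Constructed sample evidence (not from any real organization).
SAMPLE_VULNS = [
    ("ehr-db-01", "critical", "2025-02-01T00:00:00", "2025-02-10T00:00:00"),  # on time
    ("ehr-db-01", "high", "2025-01-01T00:00:00", "2025-02-05T00:00:00"),      # 5 days late
    ("pacs-gw-02", "critical", "2025-02-10T00:00:00", None),                  # open, overdue
    ("kiosk-07", "medium", "2025-01-15T00:00:00", None),                      # no numeric SLA
]
SAMPLE_TERMINATIONS = [
    ("jdoe", "2025-02-14T17:00:00", "2025-02-14T17:40:00"),   # 40 min, compliant
    ("asmith", "2025-02-20T09:00:00", "2025-02-20T11:15:00"), # over one hour
    ("rlee", "2025-02-28T16:30:00", None),                    # never revoked
]
SAMPLE_BACKUPS = [
    "2025-02-24T02:00:00", "2025-02-25T02:00:00",
    "2025-02-27T04:00:00",  # 50 h after the previous backup
    "2025-02-28T02:00:00",
]


def run_checks(now=NOW):
    return (check_patching(SAMPLE_VULNS, now)
            + check_terminations(SAMPLE_TERMINATIONS, now)
            + check_backups(SAMPLE_BACKUPS, now))


def summarize(findings):
    """Count findings per control, the shape an auditor would ask for first."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.control}] {f.subject}: {f.detail}")
    print(summarize(run_checks()))
```

Note that comparisons use strict "greater than", so a backup exactly 48 hours after the previous one or an access revocation exactly one hour after termination is treated as compliant; if your counsel reads the proposal more conservatively, change the operators. Open vulnerabilities are scored against the current time, so the report worsens each day an overdue item stays unpatched, which is the behavior you want from a control that OCR expects to be "actively deployed and operational".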
2. Elimination of “addressable” implementation specifications
Under the current rule, certain security measures are designated as “addressable,” meaning that organizations can implement them based on reasonableness and appropriateness, or document why an alternative measure was chosen. The proposed rule eliminates this flexibility, making previously addressable requirements mandatory.
Encryption of ePHI at rest and in transit will be required in nearly all cases.
Limited exceptions apply only when:
- A technology asset does not support encryption, and the organization documents compensating controls and a plan to migrate off that asset.
- A patient explicitly requests unencrypted communication and acknowledges the risks.
- Encryption is unavailable in an emergency situation.
- The system is FDA-regulated and certain conditions apply.
This raises concerns about operational feasibility, as the rule does not explicitly allow common unencrypted communications such as text-based appointment reminders or patient notifications.
3. Expanded documentation and compliance verification
The proposal significantly expands compliance documentation, verification, and reporting obligations. Regulated entities would be required to:
- Conduct annual security audits to verify compliance.
- Obtain written security attestations from business associates every 12 months, including:
  - A cybersecurity expert's written analysis confirming the business associate's technical safeguards.
  - A written certification that the analysis is accurate.
- Review and test policies and procedures annually, including:
  - Patch management
  - Risk analysis updates
  - Workforce sanctions
  - Media disposal and reuse
  - Contingency plans
4. Stricter enforcement and compliance obligations
OCR is shifting toward greater enforcement accountability, making it clear that merely having a policy in place is no longer sufficient. The proposed rule would require regulated entities to:
- Demonstrate that security measures are actively deployed and operational.
- Ensure that implemented controls are continuously monitored and updated.
- Regularly test compliance through internal audits and external verification.
This change was prompted in part by a 2021 Fifth Circuit decision (University of Texas M.D. Anderson Cancer Center v. HHS), which vacated an OCR penalty after reading the current encryption specification as requiring only that a "mechanism" to encrypt ePHI be implemented, not that it actually be applied to every device. M.D. Anderson had such a mechanism even though the lost laptop and USB drives at issue were unencrypted. The proposed rule seeks to close that gap by requiring proof that controls are actually deployed and functioning.
Implementation timeline and potential regulatory outlook for proposed HIPAA Security Rule changes
Public comments were due by March 7, 2025. If finalized, the rule would take effect 60 days after publication of the final rule, and regulated entities would have a further 180 days to comply, 240 days in total. Existing business associate agreements would have to be updated within one year of the final rule's effective date.
With the recent change in administration, there is uncertainty about whether the rule will be finalized in its current form. However, bipartisan consensus exists on the need for stronger healthcare cybersecurity, and the first Trump administration enforced the HIPAA Security Rule much as Democratic administrations did. While the administration's general approach is deregulatory, this proposal may still advance given the continuing volume of healthcare data breaches.
Key areas for stakeholder feedback
With the March 7, 2025, deadline approaching, regulated entities should evaluate the potential impact of the proposed changes and consider submitting comments to OCR on:
- Operational feasibility of annual policy reviews, audits, and compliance testing.
- Burden of obtaining written security attestations from all business associates.
- Additional exceptions for encryption mandates, particularly for patient-initiated communications.
- Clarification on shared security responsibilities in cloud computing environments.
- Refinement of the definition of “security incidents” to exclude unsuccessful breach attempts.
Next steps for regulated entities
Given the likelihood of increased enforcement, organizations should begin preparing now by:
- Assessing current security practices against the proposed requirements.
- Identifying gaps in encryption, risk analysis, and workforce training policies.
- Reviewing business associate agreements for necessary updates.
- Preparing for increased audit and verification obligations.
- Engaging in industry advocacy to ensure feasible and practical implementation standards.
By proactively addressing these upcoming changes, regulated entities can position themselves for compliance while minimizing operational disruptions.
BerryDunn’s healthcare consulting team has the expertise your organization needs to ensure compliance with HIPAA. Learn more about our team and services.