Encryption of ePHI, a Required Safeguard for HIPAA Compliance

Written by Sian Parany | Mar 31, 2025 3:04:17 AM

The U.S. Department of Health and Human Services (HHS) in January published a "Notice of Proposed Rule Making (NPRM) which includes significant updates to the Security Standards for the Protection of Electronic Protected Health Information (ePHI) ("Security Rule") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)".

This marks the first major overhaul for HIPAA in over a decade. These changes aim to address the evolving cybersecurity landscape and better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Among the many proposed changes, one of the most significant is the shift in encryption requirements for electronic protected health information (ePHI). Encryption, which was previously considered an "addressable" recommended safeguard, will now be explicitly "required" both in transit and at rest, marking a critical step toward strengthening data security.

Increasing Cyberattacks Targeting ePHI

Since the last major update to the HIPAA Security Rule in 2013, the healthcare industry has become increasingly reliant on advanced computer and network technologies. While this dependence has brought numerous benefits, it has also led to a significant rise in data breaches and cyberattacks targeting ePHI.

As of January 28, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported 725 data breaches involving 500 or more records in 2024. This marks the third consecutive year with over 700 large-scale breaches reported. Alarmingly, these incidents exposed, stole, or unlawfully disclosed the records of 82% of the U.S. population in 2024.

What Do The Changes to The Security Rule Address?

The Security Rule revisions are intended to strengthen the cybersecurity of ePHI by addressing:

  •  Changes in the environment in which health care is provided;
  •  Significant increases in breaches and cyberattacks;
  •  Common deficiencies the Office for Civil Rights has observed in investigations into Security Rule compliance by covered entities and their business associates (collectively, "regulated entities");
  •  Other cybersecurity guidelines, best practices, methodologies, procedures, and processes;
  •  Court decisions that affect enforcement of the Security Rule.

The Proposed Updates to HIPAA Security Rule

The proposed updates introduce several new requirements for HIPAA-covered entities that incorporate modern cybersecurity practices. These changes include:

Encryption of ePHI: Electronic protected health information (ePHI) must be encrypted both at rest and in transit, including when transmitted via mobile devices.

Technology Asset Inventory: A proposed requirement mandates the development of a comprehensive technology asset inventory, along with mapping the movement of ePHI across assets and information systems.

Annual Reviews and Risk Assessments: The technology asset inventory and network map must be reviewed at least annually, with a risk assessment conducted to identify potential threats and vulnerabilities.

Contingency and Incident Response Plans: Entities must prepare contingency plans and security incident responses to ensure systems and data can be recovered within 72 hours following a cyberattack.

Annual Security Audits: Covered entities and business associates will be required to conduct annual security audits, with covered entities also verifying that business associates have completed their audits.

Vulnerability Scans and Penetration Testing: Vulnerability scans must be performed twice a year, while penetration tests and other security tests are required at least annually, with all findings documented.

Mandatory Cybersecurity Measures: Entities must implement specific cybersecurity measures, including multi-factor authentication, network segmentation, and anti-malware protection.

Enhanced Risk Analysis Requirements: Risk analyses must include a detailed review of the technology asset inventory and network map, identification of all reasonably anticipated threats and vulnerabilities, and an assessment of each threat's level of risk and likelihood of exploitation.

One notable and impactful proposed change is the move from "addressable" implementation specifications to "required" implementation specifications. This limits regulated entities' "flexibility of approach", which was seen as reasonable initially but is no longer adequate given "...the clearly documented failure of regulated entities to fully implement the policies and procedures required by the Security Rule...".

Do HIPAA-covered Entities Need to Act Now?

Whilst this update to HIPAA is at the "proposed" stage, it may come into effect as soon as the end of 2025, depending on the feedback received during the comment period, which concluded on the 7th of March. As such, it is important for HIPAA-covered entities to understand their current level of HIPAA compliance and perform their due diligence to prepare for the proposed HIPAA changes.

Stay Informed of HIPAA Changes in 2025

Following the update to the HIPAA Enforcement Rule, which eliminated the affirmative "did not know" defense for penalties related to HIPAA violations, it has become crucial for covered entities and business associates to stay informed about changes to HIPAA regulations.

While there are numerous sources of HIPAA-related news, the most reliable and up-to-date information on HIPAA changes can be found directly on the HHS website.

How StratoKey Can Help With HIPAA Compliance

StratoKey offers a robust Data Protection Platform designed to help organizations comply with the updated HIPAA Security Rule. Key features include:

  •  FIPS 140-3 field-level end-to-end encryption for securing sensitive data.
  •  Tokenization for local storage of ePHI.
  •  Governance and access controls based on user roles, devices, and locations.
  •  Prevention of unauthorized cloud access through advanced monitoring.
  •  Security policies that limit high-risk cloud interactions.
  •  RESTful API support for secure integration with external systems.

StratoKey's platform supports industries such as health services, pharmaceuticals, biotechnology, community health research, and medical device manufacturing. It enhances compliance efforts by providing tools for data protection, security monitoring, and hardening of security controls in line with HIPAA and NIST requirements.

Conclusion

The proposed updates to the HIPAA Security Rule represent a critical step forward in safeguarding ePHI against modern cybersecurity threats. Organizations should prepare for these changes now by assessing their current security measures and exploring solutions like StratoKey to help meet the new Security Rule requirements.

Talk to us today about our StratoKey Data Protection Platform and how we can help you meet HIPAA Security Rule Safe Harbor with NetSuite, Pipedrive, Salesforce, ServiceNow, SAP Business ByDesign, Jira and Confluence.