SPARCS - Topic Of The Week

Newly Proposed Updates to the HIPAA Security Rule

2025 is starting off with a bang, with the US Department of Health and Human Services (HHS) issuing proposed updates to the HIPAA Security Rule. The HIPAA Security Rule has been in place since 2003 and saw its last round of updates in 2013, making it long overdue for new updates given the changes in technology since then. The proposal draft is a whopping 393 pages, which is indicative of how robust these updates will be. Comments on these proposed changes are due by March 7, 2025. 

Overview of the Proposed Updates and Their Impact

To read the full draft, click here.

Below is an overview of the proposed updates, organized by their potential impact on covered entities:

🔴 High Impact

  • Annual Audit Requirements: Entities must conduct compliance audits at least annually to verify adherence to security rules. Effectiveness of security measures must be tested and evaluated at least annually.
    • This change will be costly to implement, if it is not already implemented within your organization. This will impact smaller organizations with lower profit margins much more than larger organizations with higher profit margins. There is substantial time and money that goes into hiring out external auditors on an annual basis.
  • Network Security Measures: Network segmentation is mandatory.
    • This change may require a substantial amount of time and money into adding more layers to organizational networks, making sure that network segmentation is adequately achieved and managed. This will require more resources for hardware, software, and personnel.
  • Business Associate Security Validation: Business associates and contractors must annually verify and certify the deployment of required technical safeguards.
    • Ensuring that all business associates and contractors are adequately deploying technical safeguards is not new, but annual re-verification is something few organizations do. Resourcing a team for annual re-review of all vendors for a covered entity will greatly increase the burden on procurement processes.
  • Ongoing Security Testing: Vulnerability scans must occur every six months, and penetration testing at least annually.
    • Vulnerability scanning and penetration testing are costly services to implement, making the impact substantial for those organizations that do not already have these processes in place.

🟠 Moderate Impact

  • Required Risk Analysis: Entities must conduct detailed, written risk assessments, identifying threats, vulnerabilities, and risk levels.
    • Risk assessments can be done internally or externally, with varying costs for each option. Internal risk assessments will introduce the need for more personnel and time dedicated to properly conducting and managing them. External risk assessments will require less time but more money.
  • Removal of “addressable” implementation specifications: All implementation specifications are required, with limited exceptions.
    • The switch from “addressable” to “required” implementation specifications will decrease the flexibility for organizations to adhere to the control set. While there are exceptions still, they will be significantly limited. Organizations may have to implement new processes and procedures, or expand upon existing processes and procedures to meet these control requirements.
  • Enhanced Contingency Planning: Required written procedures for restoring systems within 72 hours, prioritizing critical assets, and testing security incident response plans.
    • Contingency planning is a detailed process that is specific to each organization and requires the time and effort of a large number of employees to create. Contingency plans should already exist, but the need to update them will take time and effort to adequately complete.
  • Access Change Notifications: Certain entities must be notified within 24 hours of workforce access modifications.
    • This may not be an existing process for organizations, and implementing this process will require more time and effort from existing personnel. Additional policies and procedures will need to be created to address this control.

🟢 Low Impact - These requirements should already be met through existing processes prior to the newly proposed updates. Since the HIPAA Security Rule hasn’t been updated since 2013, updates are inevitably needed to meet current industry best practice.

  • Modernized Standards: Updates to definitions and implementation specifications reflect technological advancements.
  • Defined Compliance Deadlines: Specific timeframes for meeting existing requirements.
  • Required Asset Inventory and Network Map: Entities must maintain an updated asset inventory and network map, reviewed at least annually or after operational changes affecting ePHI.
  • Requirement of Comprehensive Documentation: Written policies, procedures, plans, and analyses must be maintained.
  • Multi-Factor Authentication: Required for system access, with limited exceptions.
  • Backup and Recovery Safeguards: Separate technical controls are required for secure ePHI backups and system recovery.
  • Mandatory Encryption: ePHI must be encrypted at rest and in transit, with limited exceptions.
  • Technical System Controls: Entities must enforce anti-malware protection, software restrictions, and network port security based on risk assessments.
  • Timely Contingency Plan Activation Alerts: Business associates and subcontractors must notify covered entities within 24 hours of activating contingency plans.
  • Group Health Plan Compliance: Plans must ensure sponsors and agents adhere to Security Rule safeguards and report contingency activations within 24 hours.

These newly proposed changes will really ramp up the requirements for HIPAA covered entities and will enhance security, but they will be financially and operationally costly. Organizations that are covered entities should familiarize themselves with the newly proposed requirements and prepare for their potential implementation. Organizations are encouraged to review the proposal and submit comments by March 7, 2025.
