Understanding the Proposed Changes to the HIPAA Security Rule
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule to address growing and evolving threats to sensitive healthcare information. The Notice of Proposed Rulemaking (NPRM), published in the Federal Register on January 6, 2025, aims to close gaps in the current standards by introducing more stringent requirements for risk management, technical safeguards, and organizational processes. Let’s examine the proposed changes and their potential impact on your healthcare organization.
Why the HIPAA Security Rule is Changing
HHS cites a 264% increase in large breaches involving ransomware reported to OCR since 2018, a trend that has exposed how inconsistently the existing Security Rule is implemented. These attacks, coupled with increased regulatory scrutiny, have led HHS to modernize the rule.
The proposed updates aim to strengthen cybersecurity practices, clarify compliance requirements, and ensure that electronic protected health information (ePHI) remains secure in modern environments, including the cloud.
Ultimately, the regulators are catching up with practices that healthcare organizations should already be leveraging to protect sensitive data.
Key Proposed Changes to the HIPAA Security Rule
Eliminating Ambiguity in Implementation Specifications
- What’s Changing: Under the proposed rule, all implementation specifications would be required, with specific and limited exceptions, eliminating the current distinction between “required” and “addressable.” Organizations would also have to document all Security Rule policies, procedures, plans, and analyses in writing.
- Implications: This leaves little room for interpretation. Every specification would need to be implemented and its implementation documented, so thorough documentation and consistent execution become as important as the controls themselves.
- Action Steps: Review each existing implementation specification, particularly those your organization previously treated as addressable and chose not to implement, close the gaps, and make sure every decision is backed by a clear, written policy or procedure.
Upgraded Risk Analysis Requirements
- What’s Changing: The proposed rule specifies what a risk analysis must contain. Organizations would have to maintain a written technology asset inventory and a network map showing how ePHI moves through their systems, and use them to identify reasonably anticipated threats, vulnerabilities, the likelihood and impact of each, and the resulting risk level. The inventory, map, and risk analysis would have to be reviewed at least once every 12 months and whenever the environment changes.
- Implications: Risk management moves from a periodic paper exercise to a maintained record of assets, data flows, and risks that must stay current as systems change.
- Action Steps: Use tooling (cloud-native or otherwise) that keeps the asset inventory and data-flow map live rather than as a point-in-time spreadsheet, review the risk analysis at least every 12 months as the proposal requires, and consider quarterly reviews for environments that change frequently.
Bolstered Contingency and Incident Response Plans
- What’s Changing: The proposed rule would require written contingency plans, including a criticality analysis that ranks systems by how urgently they must be restored, and procedures to restore critical systems and data within 72 hours of a loss. It would also mandate written incident response plans and procedures that define how workforce members report suspected incidents and how the organization responds to them.
- Implications: Organizations need more robust contingency frameworks and efficient response mechanisms to manage security breaches and data recovery.
- Action Steps: Test contingency plans against real-world scenarios to validate response times, and train workforce members to recognize and report security incidents promptly.
Strengthened Auditing and Testing Standards
- What’s Changing: The proposed rule would require regulated entities (covered entities and business associates) to conduct a compliance audit at least once every 12 months, perform vulnerability scans at least every six months, and carry out penetration testing at least once every 12 months.
- Implications: Regular audits and testing will enhance oversight, but could challenge smaller organizations with more limited resources.
- Action Steps: Organizations without in-house capacity can partner with external cybersecurity and compliance firms for audits and penetration testing. Between those engagements, automated vulnerability scanning integrated into the cloud environment provides continuous coverage, so that findings are surfaced and remediated well before the six-month scan deadline rather than discovered at it.
Enhanced Business Associate Oversight
- What’s Changing: The new rule change requires business associates and their contractors to annually verify, through expert analysis and written certification, that they have implemented Security Rule safeguards to protect PHI. Additionally, business associates must notify covered entities (and subcontractors must notify business associates) within 24 hours of activating contingency plans.
- Implications: Accountability for business associates has increased, necessitating enhanced vendor oversight to ensure they comply with Security Rule requirements.
- Action Steps: To prepare for this update, organizations should update business associate agreements to include annual reporting requirements, and ensure compliance by requesting and reviewing their documentation, including security certifications.
Expanded Technical Safeguards
- What’s Changing: The proposed rule would require encryption of all ePHI at rest and in transit (with limited exceptions), multi-factor authentication (MFA) for access to systems handling ePHI, anti-malware protection, removal of unnecessary software, and patching of known vulnerabilities within defined timeframes; the proposal specifies 15 calendar days for critical-risk vulnerabilities and 30 days for high-risk ones once a patch is available. Additionally, group health plans would have to require their plan sponsors to apply the Security Rule’s administrative, physical, and technical safeguards to ePHI, and to require any agents handling ePHI to do the same.
- Implications: These safeguards would strengthen protection against common attack paths, but meeting them may require significant system upgrades, especially for legacy infrastructure that cannot support encryption or MFA.
- Action Steps: To prepare, organizations should consider the transition to cloud platforms with integrated technical safeguards, encryption, and MFA while scheduling routine vulnerability scans to proactively address weaknesses.
Compliance and Monitoring Enhancements
- What’s Changing: The proposed rule would require regulated entities to review and test the effectiveness of their security measures at least once every 12 months, replacing the current rule’s general maintenance requirement. Group health plan sponsors would also have to implement the Security Rule safeguards and notify the plan within 24 hours of activating their contingency plan.
- Implications: A more dynamic approach to monitoring security practices is necessary to meet these stricter rules, and timely communication with stakeholders will be critical for collaborative compliance.
- Action Steps: Establish a recurring monitoring and testing schedule so that the annual review is a summary of ongoing work rather than a one-time scramble. To meet the 24-hour notification windows, prepare standardized communication templates and contact lists in advance, so that notifications during a security event are quick and complete.
Preparing for Compliance with New HIPAA Standards
Healthcare compliance officers should adopt a proactive approach to prepare for these new regulations. Here are some practical steps to get ahead:
- Educate Your Team: Ensure all staff, especially those involved in IT, understand the proposed changes and any impact to their daily workflows.
- Invest in Scalable Cloud Solutions: Opt for cloud services tailored for healthcare compliance, with built-in tools for encryption, access control, and incident detection.
- Partner with Compliance-Focused Providers: Choose a partner whose safeguards align with healthcare requirements such as HIPAA and frameworks such as HITRUST, and that provides built-in compliance tooling for encryption, access monitoring, and incident management. Confirm that the provider will sign a business associate agreement and can produce the documentation you will need for your own audits.
- Conduct a Gap Analysis: Identify areas where current security practices fall short of the proposed regulations, particularly in cloud environments.
- Enhance Business Associate Oversight: Review contracts and request security certifications from all cloud vendors and business associates.
- Leverage Automated Tools: Implement automation for monitoring, auditing, and incident response to meet compliance timelines efficiently.
- Stay Alert to Updates: The comment period for the proposed rule closes on March 7, 2025, and the final rule may differ from the proposal, so monitor announcements from HHS and OCR.
Preparing for HIPAA Security Rule Changes
The proposed changes to the HIPAA Security Rule represent a pivotal moment for healthcare compliance in the era of cloud computing. By understanding the proposed updates and their implications for their businesses, healthcare organizations can strengthen their security and compliance posture. Compliance officers should prioritize collaboration with IT, legal, and cloud vendors to adapt policies and procedures effectively. With careful planning and strategic investment, organizations can protect patient data while maintaining regulatory compliance.
ClearDATA is ready to help organizations navigate stringent healthcare regulations in the cloud—speak with an expert today.
Additional Resources on the proposed changes to the HIPAA Security Rule
- HIPAA Updates and HIPAA Changes in 2025
- HIPAA Security Rule NPRM
- HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information
- Office for Civil Rights (OCR)
- HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information
- Healthcare Security in 2024: The Cyberthreat Landscape
FAQ
How does the HIPAA Security Rule impact cloud storage for healthcare data?
The proposed rule would require encryption of all ePHI at rest and in transit, including ePHI stored in the cloud, along with access controls and regular audits and testing. Healthcare providers must ensure their cloud vendors comply with HIPAA through business associate agreements and, under the proposal, annual written verification of the vendor’s safeguards. A common challenge is legacy systems that lack encryption support or cannot be integrated with secure cloud services.
What are the essential security measures under HIPAA for electronic medical records (EMRs)?
Key measures include encryption, multi-factor authentication, risk analysis, and regular vulnerability scans. Healthcare organizations must ensure EMRs are stored and transmitted securely, with access limited to authorized personnel. Compliance challenges may arise due to outdated EMR systems or difficulty implementing MFA uniformly across platforms.
What steps should healthcare providers take to respond to security incidents under HIPAA?
Providers must have a documented incident response plan detailing procedures for detection, reporting, and mitigation. Under the proposed rule, critical systems and data must be restored within 72 hours. Challenges include resource limitations and workforce training. Regular testing and staff drills help ensure readiness to manage incidents effectively.