What is the deadline for submitting comments on the NPRM?

Public comments are due on March 7, 2025, 60 days after the NPRM was published in the Federal Register.

Will the current security rule remain in effect during the rulemaking process?

Yes, the current security rule remains in effect while the department undertakes this rulemaking and notice of the effective date of the new requirements will be determined at a later date.

How will these changes impact my organization’s current cybersecurity practices?

Organizations will need to enhance their cybersecurity practices, update documentation, and implement new compliance measures to align with the proposed changes.

What does my organization need to do now?

Covered entities and business associates are not required to take any immediate action beyond continuing to comply with the current HIPAA Security Rule. However, you should engage with stakeholders to prepare for the implementation of the proposed changes and submit comments on the NPRM. Review the new requirements to evaluate the updates needed to all policies, procedures, risk analyses, and implementation requirements as required by the new rule.

What resources are available to help organizations prepare for these changes?

Organizations can refer to the NPRM document, HHS guidance, and consult with security and compliance experts for assistance in navigating the new requirements.

Article

Proposed changes to HIPAA security rule to enhance cybersecurity for ePHI

Jan. 16, 2025 · Authored by Troy Hawes

In response to increasing cybersecurity threats in the healthcare sector, a proposed update to the HIPAA Security Rule aims to strengthen protections for electronic protected health information (ePHI).

This Notice of Proposed Rulemaking (NPRM) was issued by the Office of civil rights (OCR) at the U.S. Department of Health and Human Services (HHS) Dec. 27, 2024 and published in the Federal register Jan. 6, 2025. Public comments on the NPRM are due March 7, 2025.

Impact on healthcare covered entities

Under the proposed changes to the HIPAA Security Rule, covered healthcare entities and their business associates will have stricter reporting, technology, and network asset assessments, and enhanced risk management and compliance requirements, including an annual compliance audit. Additionally, the rule imposes stricter regulations governing contingency planning and response. Key elements of this proposed legislation include:

Increased protections for patient data. Healthcare organizations will be required to implement multifactor authentication, segment their networks to minimize the risk of intrusions spreading between systems, and encrypt patient data to ensure that even if it is stolen, it remains inaccessible.
Emphasis on risk management. A greater emphasis on risk analysis and incident response planning will require organizations to be proactive in their cybersecurity strategies. This includes a written assessment of the current technical state, reasonably anticipated threats and potential vulnerabilities, and risk level for each threat and vulnerability.
Unified implementation specifications. All implementation specifications will be classified as required, eliminating the distinction between “required” and “addressable” specifications.
Documentation Requirements.