In response to increasing cybersecurity threats in the healthcare sector, a proposed update to the HIPAA Security Rule aims to strengthen protections for electronic protected health information (ePHI).
This Notice of Proposed Rulemaking (NPRM) was issued by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) on Dec. 27, 2024 and published in the Federal Register on Jan. 6, 2025. Public comments on the NPRM are due March 7, 2025.
Impact on healthcare covered entities
Under the proposed changes to the HIPAA Security Rule, covered healthcare entities and their business associates will face stricter reporting requirements, technology and network asset assessments, and enhanced risk management and compliance requirements, including an annual compliance audit. Additionally, the rule imposes stricter regulations governing contingency planning and response. Key elements of this proposed rule include:
- Increased protections for patient data. Healthcare organizations will be required to implement multifactor authentication, segment their networks to minimize the risk of intrusions spreading between systems, and encrypt patient data so that, even if it is stolen, it remains inaccessible.
- Emphasis on risk management. A greater emphasis on risk analysis and incident response planning will require organizations to be proactive in their cybersecurity strategies. This includes a written assessment of the current technical state, reasonably anticipated threats and potential vulnerabilities, and risk level for each threat and vulnerability.
- Unified implementation specifications. All implementation specifications will be classified as required, eliminating the distinction between “required” and “addressable” specifications.
- Documentation Requirements.