Strengthening Healthcare Cybersecurity: Proposed Updates to HIPAA Security Rule

Updated on February 26, 2025

In January 2025, the U.S. Department of Health and Human Services (HHS) proposed pivotal updates to the HIPAA Security Rule aimed at enhancing cybersecurity measures for electronic protected health information (ePHI). These changes respond to the escalating threat of cyberattacks in the healthcare sector, with a clear goal to create a more secure and resilient framework and strengthen protections for sensitive health data.

Although a specific effective date has not yet been announced, once the rule is finalized the new provisions would typically take effect about 180 days later, giving covered entities and business associates time to implement the necessary updates.

To provide a rough estimate:

  • If the final rule is issued in mid or late 2025, the updates would likely take effect by late 2025 or early 2026.

The following sections outline the proposed critical changes and their implications for healthcare entities and business associates.

Uniform Implementation Specifications

One significant shift in the proposed rule is the elimination of the distinction between “required” and “addressable” implementation specifications. Historically, the HIPAA Security Rule allowed organizations to tailor their approach to addressing the rule based on their size, resources, and environment. Now, with all specifications potentially becoming mandatory, entities would have to implement uniform security measures with limited exceptions, provided they are justified through robust documentation.

This proposed change seeks to level the playing field, ensuring consistency across organizations in their cybersecurity practices. While it simplifies the compliance landscape, smaller organizations accustomed to flexibility may face operational and financial challenges in adapting to these more rigid requirements. The ultimate aim, however, is to bolster the integrity of ePHI security across the board, reducing risks and strengthening trust in healthcare systems.

Mandatory Documentation

The emphasis on accountability is evident in the proposed requirement for comprehensive documentation. Under the proposed rules, entities would maintain written records of all security-related policies, procedures, plans, and risk analyses. This documentation extends to contingency plans, incident response strategies, and network configurations.

By formalizing the documentation process, HHS underscores the importance of preparedness and transparency. These records not only facilitate smoother compliance audits but also provide a roadmap for addressing vulnerabilities. While the administrative burden may seem daunting, the enhanced clarity and accountability are expected to drive better outcomes in cybersecurity resilience.

Asset Inventory and Network Mapping

Another cornerstone of the proposed changes is the requirement for a detailed technology asset inventory and network mapping. Organizations would be required to identify and catalog all devices, applications, and systems involved in managing ePHI, as well as document the flow of data within their networks. Additionally, organizations would need to ensure their asset inventory includes smart devices that are connected to the Internet of Things (IoT) and medical IoT devices, as these devices can also present serious risks to the security of ePHI.

Further, any technology asset inventory and network map would be required to take into account the processes that involve movement of ePHI into and outside of a regulated entity’s systems, including those that involve another entity. For example, a network map must include technology assets used by a business associate. Finally, a process to routinely update the required inventory and network map must be implemented to reflect the evolving technological landscape.

This provision addresses a long-standing issue in healthcare—the lack of visibility into network assets and data flows. By mandating these measures, HHS aims to empower organizations to better identify vulnerabilities, prevent unauthorized access, and respond effectively to potential breaches. While the initial setup might require significant investment, the long-term benefits in risk management and compliance far outweigh the costs.

Enhanced Risk Analysis

A deeper, more structured approach to risk analysis is central to the proposed updates. Entities would be required to identify threats and vulnerabilities comprehensively, assess their risk levels, and document mitigation strategies. This proactive approach ensures organizations stay ahead of potential cyber threats by addressing weaknesses before they can be exploited.

The proposed updates also state that regulated entities must conduct risk assessments of the cybersecurity threats posed by new Artificial Intelligence (AI) tools. As noted within the proposed rule, “The regulated entity’s risk analysis must include consideration of, among other things, the type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided.”

Access Termination Notifications

Timeliness in managing user access is critical. Under the proposed rule, entities would notify relevant workforce members within 24 hours of changes or terminations in their access to ePHI systems. This measure minimizes the risk of insider threats and reduces the window of opportunity for unauthorized data access.

Contingency Planning and Incident Response

The proposed rule also highlights the importance of contingency planning and incident response. Organizations would be required to establish procedures to restore lost systems and data within 72 hours of an incident and create comprehensive security incident response plans. These requirements aim to minimize disruptions to patient care and operational functionality during cybersecurity events.

Annual Compliance Audits and Business Associate Verification

To reinforce adherence to the Security Rule, HHS proposes mandatory annual compliance audits for all covered entities. Additionally, business associates, who play a crucial role in handling ePHI, must verify annually that they have implemented the necessary safeguards. This move extends accountability to the broader ecosystem of healthcare data management.

The proposed updates to the HIPAA Security Rule represent a significant evolution in how healthcare organizations approach cybersecurity. By mandating uniform specifications, enhancing risk analysis requirements, and emphasizing detailed documentation, HHS aims to create a more robust framework for protecting ePHI.

In addition, several frameworks and guidelines have been developed to support the adoption of standards for the protection of ePHI, including:

  • NIST’s Cyber Security Framework (CSF) version 2.0
  • HHS 405(d) Program’s Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
  • FTC’s Start with Security: A Guide for Business
  • HHS’ Cybersecurity Performance Goals

While HHS’s proposed changes may present challenges, particularly for smaller entities, the focus on resilience and security aligns with the urgent need to counteract the growing threat of cyberattacks. Organizations are encouraged to review these proposals and participate in the public comment process to help shape the future of healthcare cybersecurity.

Barry Mathis
Managing Principal of IT Advisory Consulting at PYA

Barry has nearly three decades of experience in the information technology (IT) and healthcare industries as a CIO, CTO, senior IT audit manager, and IT risk management consultant. He has performed and managed complicated HIPAA security reviews and audits for some of the most sophisticated hospital systems in the country. Barry is a visionary, creative, results-oriented senior-level healthcare executive with demonstrated experience in planning, developing, and implementing complex information-technology solutions to address business opportunities, while reducing IT risk and exposure. He is adept at project and crisis management, troubleshooting, problem solving, and negotiating. Barry has strong technical capabilities combined with outstanding presentation skills and professional pride. He is a prudent risk taker with proficiency in IT risk management, physician relations, strategic development, and employee team building.

Barry is a member of the United States Marine Corps, Health Care Compliance Association, Association of Healthcare Internal Auditors, Healthcare Information Management Systems Society, and Information Systems Audit and Control Association. He was an Honor Graduate in Systems Programming from the United States Marine Corps Computer Sciences School (MCCDC) in Quantico, VA. He is a Certified COBOL Programmer, a Certified Database Management Specialist, and a Certified Cyber Security Framework Practitioner.

Shannon Sumner
Consulting Principal at PYA

Shannon manages PYA’s Compliance Advisory Services and serves as the Firm’s Compliance Officer. A CPA certified in healthcare compliance, she has more than two decades’ experience in healthcare internal auditing and compliance programs. She advises large health systems and legal counsel in strengthening their compliance programs, and aids in areas of Anti-Kickback Statute and Stark Law compliance. Shannon also assists health systems regarding compliance with Corporate Integrity Agreements (CIAs) and Non-Prosecution Agreements (NPAs), conducts health system merger/acquisition/divestiture due diligence activities, and advises health system governing boards on their roles and responsibilities for effective compliance oversight.

At the direction of the Department of Justice, Shannon has served as the healthcare compliance and internal audit subject-matter expert for the largest federal compliance co-monitorship of a health system in U.S. history.

Shannon is a member of the Nashville Health Care Council, Association of Healthcare Internal Auditors, American Institute of Certified Public Accountants, Society of Compliance and Ethics Professionals, and the American Health Law Association. She is a faculty member of the Health Care Compliance Association and is a board member of the Maryland Farms YMCA, and is Certified in Healthcare Compliance (CHC), HCCA. Shannon earned a Bachelor of Science in Business Administration, Cum Laude, and a Master of Accountancy from the University of Tennessee.

Erin Walker
Manager at PYA

Erin is Certified in Healthcare Compliance and is a Certified HIPAA Professional and former HITRUST Authorized CSF Assessor. She has extensive experience advising on HIPAA and regulatory compliance consulting matters—specifically Business Associate Agreements and HIPAA and regulatory compliance program reviews. She assists with developing, documenting, and implementing policies and procedures, the compliance program and compliance risk assessment process, the HIPAA Security Risk Analysis process, and the analysis of Business Associate Agreements to ensure satisfactory assurances required by the Privacy Rule are met. Erin also regularly assists with risk mitigation compliance and documentation reviews.

Erin holds a Bachelor of Science degree from the University of Missouri, St. Louis, and is a member of Leadership Health Care.