OCR Announces Proposed Updates to HIPAA Security Rule, Raises the Bar for Healthcare Cybersecurity 

Updated on February 2, 2025

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI). 

This marks the first update to the HIPAA Security Rule since 2013. These changes aim to address the steadily increasing risk of cyberattacks on critical healthcare infrastructure. From 2018 to 2023, OCR observed a 102% increase in breaches affecting 500 or more individuals, with 167 million individuals affected in 2023 alone. One 2024 cyberattack on a healthcare payment cycle management company caused severe disruption throughout the healthcare industry and is estimated to have resulted in the compromise of the ePHI of up to one third of the U.S. population. 

The Proposed Rule applies to HIPAA-regulated entities, including Covered Entities such as health plans, healthcare clearinghouses, most healthcare providers, and their Business Associates. It updates the current requirements and introduces new administrative, technical, and physical safeguards to better address cybercrime threats. It also affects the relationship between a Covered Entity and its Business Associate by imposing additional requirements. 

HIPAA-regulated entities should assess their security operations and business associate relationships and consider engaging in the public comment period ending on March 7, 2025.

Key Takeaways from the Proposed Rule

The Proposed Rule expands Security Rule obligations and adds detail to existing requirements. Significantly, the Proposed Rule:  

  • Removes the distinction between “required” and “addressable” implementation specifications, so that all implementation specifications are required, with limited exceptions.  
  • Mandates an audit at least once every 12 months to verify compliance with the Security Rule requirements.

Administrative and Organizational Requirements 

Adds enhanced administrative safeguards, including:

  • The development and maintenance of a technology asset inventory and a network map illustrating the movement of ePHI through the electronic information system. HHS expects that artificial intelligence (AI) software used to create, receive, maintain, or transmit ePHI, or to interact with ePHI, would be listed as part of the technology asset inventory.
  • A risk analysis and evaluation process that includes both a gap assessment and a risk analysis. Risk analysis should be conducted at least once every 12 months, and evaluations should be conducted whenever new technology is adopted.
  • Updated patch management requirements, including annual updates to policies and procedures for identifying, installing, and verifying the timely installation of patches, updates, and upgrades throughout electronic information systems.
  • The establishment of written procedures to restore certain electronic information systems and data within 72 hours of their loss. 

Technical Security Requirements 

Adds enhanced technology safeguard requirements for HIPAA-regulated entities, including:

  • Required multi-factor authentication (MFA) for all technology assets in the relevant electronic information systems to verify user identity, with limited exceptions.
  • Required encryption of ePHI at rest and in transit using a secure encryption algorithm, with limited exceptions.
  • Required network segmentation where “reasonable and appropriate,” meaning the division of computer networks into smaller, isolated components. 

Changes to the Business Associate Relationship

Requires HIPAA-regulated entities to: 

  • Obtain written verification from Business Associates, on an annual basis, that the Business Associates have deployed the HIPAA technical safeguards. Business Associates would also be required to obtain this verification from their subcontractors.  
  • Update Business Associate Agreements to require the Business Associate to report to the Covered Entity upon activation of the Business Associate’s contingency plan in response to an emergency or other occurrence affecting electronic information systems, without unreasonable delay but no later than 24 hours after activation.
  • Provide notice within 24 hours of a change in, or termination of, a workforce member’s access to ePHI or to the electronic information systems, where that workforce member had access to the ePHI. 

Requirements for Group Health Plans

Requires Group Health Plans to extend HIPAA Security Rule requirements to their Plan Sponsors by updating plan documents to include language that requires Plan Sponsors to: 

  • Comply with the administrative, physical, and technical safeguards of the Security Rule. 
  • Ensure that any Plan Sponsor agents who receive ePHI agree to implement the administrative, physical, and technical safeguards of the Security Rule. 
  • Notify their Group Health Plan of any security incident.
  • Notify their Group Health Plan upon activation of the Plan Sponsor’s contingency plan without unreasonable delay, but no later than 24 hours after activation.

Deadlines and Key Dates

Comments are due on or before March 7, 2025

Comments should be identified by RIN Number 0945–AA22 and can be submitted in any of the following ways:

  • Federal eRulemaking Portal. You may submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS–OCR–0945–AA22. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF). 
  • Regular, Express, or Overnight Mail. Mail written comments to the following address: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA Security Rule NPRM, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201. Allow sufficient time for mailed comments to be timely received in the event of delivery or security delays. Duplicate comments should not be submitted.

Effective Date of Final Rule: 60 days after the Final Rule’s publication in the Federal Register.

Compliance Deadline: 180 days from the effective date for most provisions.

Noreen Vergara
Partner at Husch Blackwell

Noreen Vergara is a partner with Husch Blackwell.

Kathleen Snyder
Senior Counsel at Husch Blackwell

Kathleen Snyder is Senior Counsel with Husch Blackwell.

Revital Beckerman
Healthcare Regulatory & Compliance Counseling Attorney at Husch Blackwell

Revital Beckerman is a Healthcare Regulatory & Compliance Counseling attorney with Husch Blackwell.

Ashton Harris
Healthcare Regulatory Associate Attorney at Husch Blackwell

Ashton Harris is a Healthcare Regulatory Associate Attorney with Husch Blackwell.