New HIPAA Cybersecurity Rules Proposed

Cybersecurity is an ongoing international problem. Intrusions are being reported in unprecedented numbers, and breaches of health data are now almost a daily occurrence. To address this problem, on December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and strengthen cybersecurity protections for electronic protected health information (ePHI). The NPRM was published in the Federal Register on January 6, 2025, and the comment period closes March 7, 2025.

According to a press release, some of the changes include:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  • Require greater specificity for conducting a risk analysis.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.

These are significant changes, and some may be costly to implement, such as upgrading or replacing software that cannot support encryption of ePHI or multi-factor authentication (MFA). We therefore strongly encourage regulated entities (covered entities and their business associates) to review the Proposed Rule now to understand its potential impact on their organization.

Remember, this is currently a Proposed Rule, not a Final Rule, so there is no compliance deadline yet for these measures; a Final Rule, if one is issued, would set the compliance date. Even so, encryption of ePHI at rest and in transit, MFA, a documented risk analysis, and periodic testing of security controls are baseline measures that security professionals already recommend to protect your organization and your patients' information. It would not hurt to start implementing some of them now and get ahead of the curve.
