In January 2025, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to enhance the protection of electronic protected health information (ePHI). These proposed modifications aim to address evolving cybersecurity threats and technological advancements. Key proposed changes include:
Mandatory Annual Technical Inventories: Organizations would be required to conduct yearly inventories of their technical assets to ensure all systems handling ePHI are accounted for and properly managed.
Enhanced Security Risk Assessments: Entities must perform more rigorous and comprehensive security risk assessments to identify and mitigate potential vulnerabilities effectively.
Federal Register
Stricter Vendor Oversight: Business associates would be obligated to notify covered entities within 24 hours of activating a contingency plan, ensuring timely awareness and response to incidents.
Reuters
Mandatory Multi-Factor Authentication (MFA): The implementation of MFA would be required to strengthen access controls and reduce the risk of unauthorized access to ePHI.
Reuters
Encryption Standards: Organizations must adopt robust encryption protocols to protect ePHI both at rest and in transit, safeguarding data even in the event of unauthorized access.
Formalized Incident Response Planning: Covered entities would need to establish and maintain detailed incident response plans to promptly detect, respond to, and recover from security incidents.
Reuters
Disaster Recovery and Backup Requirements: The proposed rule emphasizes the necessity for comprehensive disaster recovery and data backup strategies to ensure the availability and integrity of ePHI during unforeseen events.
Regular Compliance Audits: Entities would be subject to annual compliance audits to verify adherence to the updated security standards and identify areas for improvement.
Updated Workforce Security Access Management: Organizations must implement stringent policies and procedures for managing workforce access to ePHI, ensuring that access is granted appropriately and reviewed regularly.
Regular Network Testing and Segmentation: The proposed rule calls for periodic network testing and the implementation of network segmentation to prevent unauthorized access and contain potential breaches.
These proposed enhancements aim to strengthen security controls, reduce the risk of data breaches, and ensure greater protection of ePHI. The public comment period for these proposed changes concluded on March 7, 2025, with over 4,000 comments submitted for review.
R