Preparing for the Upcoming HIPAA Security Rule: An Essential Guide
By gillisangela, May 29 (updated Jun 23)
As cyber threats to healthcare organizations increase, the Department of Health and Human Services (HHS) is responding. A significant update to the HIPAA Security Rule (the first revision since 2013) is on the way. While the final rule hasn't been released yet, the proposed changes unveiled in early 2025 provide a clear direction for what is likely to follow. Now is the time to start preparing!
The Rulemaking Timeline: When to Expect the Final Rule
HHS published its Notice of Proposed Rulemaking (NPRM) on January 6, 2025. The NPRM opened a 60-day public comment period, which ends on March 7. The final rule might be issued as early as late 2025 or early 2026. Once finalized, covered entities and business associates will have approximately 240 days (about 8 months) to comply.
A Checklist of Key HIPAA Compliance Changes You Should Prepare For
1. Mandatory Safeguards
The distinction between “required” and “addressable” safeguards will be eliminated. This means all implementation specifications (including encryption and multi-factor authentication) will now be mandatory. The flexibility to skip or adapt controls will no longer exist for most situations.
2. Annual Security Risk Assessments
You must conduct and document a complete security risk analysis each year. This is also required whenever there are significant changes, such as adopting new software or experiencing a security incident. Maintaining an updated technology asset inventory and a network map will also be mandatory.
3. Security Audits
Your organization will need to perform an internal HIPAA Security Rule audit at least once every 12 months. This ensures that all safeguards are operational and effective.
4. Strengthened Incident Response and Access Control
You will have to develop a written incident response plan. It must also cover contingency planning, including restoring critical systems within 72 hours of a disruption such as a ransomware attack.
5. Upgraded Technical Safeguards
Here are some must-haves:
Encryption: Protect all electronic Protected Health Information (ePHI) both at rest and in transit.
Multi-Factor Authentication (MFA): This should be implemented for all systems dealing with ePHI.
Penetration Testing: Required at least once a year.
Vulnerability Scans: Conduct these at least twice a year.
Network Segmentation: Implement this where appropriate.
6. New Expectations for Business Associates
Covered entities will now need annual written verification from each business associate (BA). This verification must confirm that they have implemented all the necessary safeguards. Consequently, providers will need to update their BA agreements to include clauses for 24-hour breach notifications and contingency activation.
What This Means for Your Practice
While the new rule introduces a heavier compliance load, especially for smaller practices, the aim is to minimize breaches and associated fines. It also seeks to protect operational stability and maintain patient trust.
Potential Challenges
Increased costs for tools and consultants.
Time investments for documentation and training.
Updating BA agreements and processes.
Potential Benefits
Enhanced resilience against cyberattacks.
Strengthened trust from patients and partners.
Future-proofing operations for audits and regulatory changes.
Action Steps to Take Now
Review Your Current Safeguards: Assess what’s in place and identify gaps.
Start a Technology Inventory and Network Map: These will be essential for compliance.
Update Your Incident Response and Contingency Plans: Incorporate restoration time goals and communication protocols.
Schedule a Security Risk Assessment: Make this an annual priority.
Reach Out to Business Associates: Prepare them for upcoming certification requirements.
Conclusion: The Path Ahead
The proposed changes to the HIPAA Security Rule signify a critical movement from general guidance to concrete standards. The best approach is to start prepping now. If you require assistance in assessing your compliance status or determining priorities, we provide HIPAA compliance services tailored for small and midsize healthcare organizations. Let’s collaborate to turn these regulatory changes into a strategic advantage for your data security!
Additional Resources
If you would like to learn more, you can check out our HIPAA Compliance Information page.
By taking proactive measures now, you can navigate the forthcoming changes with confidence.