
The U.S. Department of Health & Human Services (HHS) has proposed major updates to the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI).
If your business is a covered entity (healthcare provider, plan, or clearinghouse) or a business associate, these changes will impact your compliance requirements.
Key Takeaways from the Proposed Rule Changes
More Stringent Compliance Requirements – All security rule specifications will be required (no more "addressable" vs. "required" distinctions).
Mandatory Risk Analysis & Security Audits – Entities must conduct an annual risk assessment and compliance audit to ensure security measures are in place.
Encryption & Multi-Factor Authentication (MFA) Required – ePHI must be encrypted both at rest and in transit, with mandatory MFA for access.
Faster Incident Response & Recovery – Organizations must:
    Restore lost systems & data within 72 hours after an incident.
    Notify affected entities within 24 hours of security breaches.
    Perform regular vulnerability scans (every 6 months) and penetration tests (annually).
Stronger Technical Controls – New requirements include:
    Anti-malware protection & network segmentation.
    Vulnerability scanning & penetration testing.
    Workstation and software security controls to remove unnecessary software and disable unused network ports.
Increased Accountability for Business Associates – Must conduct annual security reviews and certify that technical safeguards are in place.
What This Means for Your Business
If you handle ePHI, now is the time to assess your cybersecurity strategy. The proposed changes raise the bar on compliance, enforcement, and security expectations.
Next Steps
HHS is currently accepting public comments on these changes. If your business will be impacted, now is the time to review and prepare. Full details available here: HIPAA Security Rule NPRM
Disclaimer
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.