The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is preparing to make sweeping changes to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
OCR published a proposal outlining major updates to the HIPAA Security Rule. The changes are intended to push covered entities to modernize their cybersecurity programs and keep pace with evolving best practices for securing sensitive patient data.
With the proposal officially open for public comment, here’s what you need to know now to gear up for the impending rule change:
The HIPAA Security Rule establishes legal standards for the protection of electronic protected health information (ePHI). It specifies administrative, physical, and technical safeguards covering risk analysis and risk management, access authorization, password management, disaster recovery, facility access, encryption, and more. Under the current rule, some of these implementation specifications are "required" and others are "addressable," meaning an organization must implement them if reasonable and appropriate or document why not and adopt an equivalent alternative.
Organizations that process, store, and interact with protected health information (PHI) and ePHI must comply with HIPAA and the HIPAA Security Rule. This includes “covered entities” such as:
HIPAA and the HIPAA Security Rule also apply to “business associates” of these covered entities who use or disclose individually identifiable health data to perform or provide services.
The HIPAA Security Rule was first published in 2003 and last revised in 2013, more than a decade ago. That could soon change.
According to Steve Ryan, attest services manager at BARR Advisory, OCR’s proposed changes would better align the HIPAA Security Rule with the modern threat landscape and shifts in attack methods since the rule was last updated.
“This would change the mindset and the culture of the healthcare industry,” Ryan said. “It ensures that healthcare organizations are making security a priority and building a culture that is security-first and security-focused.”
Today, there is a wide disparity in the healthcare industry when it comes to adhering to security best practices. “Some organizations are doing a great job and going above and beyond, while others are struggling to meet the bare minimum,” Ryan said. “The updates would level the playing field and help improve trust between patients and their healthcare providers.”
Among the most significant proposed updates is the removal of the distinction between "required" and "addressable" implementation specifications. With limited exceptions, every listed specification would become mandatory: organizations would be required to "implement the specification or adopt a documented reasonable alternative," the proposal says.
“It creates a standardized framework that organizations must align with and removes the ambiguity in the current rule,” Ryan said. “This change would mean that if you want to be HIPAA compliant, and you should be and have to be legally, then you need to do X, Y, and Z.”
If finalized, the new rule would also require covered entities and their business associates to conduct a compliance audit at least once a year. The current rule imposes no such requirement.
“Too many times, organizations are breached, and only afterward do they realize they weren’t meeting the HIPAA Security Rule,” Ryan said. “The proposed rule encourages accountability by forcing organizations to review their control environments at least annually and, ideally, identify opportunities for continuous improvement.”
Other potential changes outlined in the proposal include new or stricter requirements surrounding:
The proposal also broaches the topic of new technologies like artificial intelligence (AI) and quantum computing and the implications of their use on securing ePHI. According to OCR, roughly 50% of healthcare cybersecurity professionals told the Healthcare Information and Management Systems Society (HIMSS) in a 2023 survey that their organizations permitted the use of generative AI technology, opening the door to a new risk vector.
“Generative AI tools have produced in their output the names and personal information of persons included in the tools’ sources of training data,” OCR’s proposal warns. “Similar uses of generative AI by regulated entities, including the training of AI models on patient data, could result in impermissible uses and disclosures, including exposure to bad actors that can exploit the information.”
To address the growing risk, the proposed rule changes would require covered entities interested in using AI to perform a risk analysis that “must include consideration of, among other things, the type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided.”
Twelve years in the making, the proposed updates come amid pressure not only from cybersecurity experts like Ryan, who said the current HIPAA Security Rule has failed to keep up with modern threats, but also from patients themselves.
“Today, individuals are more educated than ever about the risks of data breaches, and they want to feel confident that the organizations they interact with are taking steps to protect their sensitive information,” he said. “This is especially true in the healthcare field. If your credit card information is stolen, you can get a new credit card and then move forward—but once your personal health information is out there, there’s no getting it back.”
According to Ryan, the release of the proposal is an exciting step forward for data security in healthcare, but it’s not a perfect plan. For instance, the proposal does not include a framework for continually updating the HIPAA Security Rule to ensure it stays relevant in years to come.
“This is a great first step, but we need to continue the momentum,” Ryan said, noting that other compliance frameworks, like HITRUST and ISO 27001, are updated regularly in order to keep up with changes in threats and technology. “We’re excited about the progress, but I do think a considerable amount of work needs to be done on top of this to ensure that the healthcare industry adapts to the new generation of information security and to create an industry culture of identifying new threats and mitigating risk.”
The proposed changes are open for public comment until March 7, 2025, allowing healthcare professionals, security experts, and members of the public time to weigh in on the potential updates. The BARR team will be offering some recommendations of our own to assist in refining and strengthening this regulation to ensure risks in today’s information security landscape are covered within the updated rule.
After the public comment period has closed, OCR may make changes or additions to the proposal before publishing the final, updated rule, which could come as soon as late 2025 or early 2026. This means that for organizations that are required to comply with HIPAA, now is a great time to begin evaluating your security program—including your control design and implementation, as well as your vendor risk management strategies—to ensure your environment is built to withstand today’s complex threat landscape.
“You don’t have to wait for the new rule to come out to start building a security-first mindset in your organization,” Ryan said. “Let’s start working on it now.”
Contact us today for a free consultation.