Quick, what do these terms have in common? Cloud computing, internet of things, generative AI, blockchain, augmented reality, machine learning.
Answer: As of 2025, all of these words are used in everyday conversation. In 1998, when the HIPAA Security Rule was first proposed, some of these terms did not exist. Others have a definition today that is vastly different from the definitions that held currency 27 years ago.
These positive advances have been mirrored by negative ones.
Since 2013, when the Security Rule was last updated, threat actor activity has become more and more common in the healthcare sector, where opportunities for bad actors to cause disruption through hacking, ransomware, malware, and other means abound.
The last six years alone have witnessed record levels of cyberattacks aimed at the healthcare sector. According to the Department of Health and Human Services (HHS) (p. 46):
“Between 2018 and 2023, the number of breaches of unsecured PHI reported to the Department grew at an alarming rate (100 percent increase), as did the number of individuals affected by such breaches (950 percent increase). The reports reflect rampant escalation of cyberattacks using hacking (260 percent increase) and ransomware (264 percent increase).”
HHS’ Proposed Modifications to the HIPAA Security Rule: Why are They Necessary?
HHS has some thoughts on why these increases have happened (pp.50-51):
“Many regulated entities fail to invest adequate resources in cybersecurity. Far too many regulated entities do not view cybersecurity as a necessary component of their operations that allows them to fulfill their health care missions. Anecdotal evidence suggests that senior management often lacks awareness of cybersecurity, including both threats and methods for protecting against such threats.”
HHS gets into some specific deficiencies:
“While maintaining an accurate and thorough inventory of technology assets is not currently an explicit requirement of the Security Rule, it is clearly a fundamental component of conducting a risk analysis and many of the other existing requirements. And yet, based on the Department’s experience, many regulated entities are not maintaining such an inventory. At least in part because of senior management’s lack of cybersecurity awareness, many fail to invest or fail to invest appropriately in cybersecurity infrastructure. Given the vulnerability of ePHI and the information systems of regulated entities and the potential effects of cyberattacks on patient safety and the delivery of health care, it is important that regulated entities prioritize such investments.”
HHS’ Proposed Modifications to the HIPAA Security Rule: Plugging a Hole
The Security Rule currently consists of administrative, physical, and technical safeguards. Covered entities and business associates must adopt these. Many of the safeguards call not for deployment of a security action, but rather implementation of written policies and procedures.
Take the Security Rule technical safeguard authentication standard, for example. It reads, “Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed,” instead of reading “deploy MFA.”
HHS has concluded that implementation of policies and procedures alone is insufficient to protect PHI. For this reason, and to bring the Security Rule into the 21st century, on December 27, 2024, HHS issued a Notice of Proposed Rulemaking (NPRM) to revise the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.
Details of the NPRM are provided below.
HHS’ Proposed Modifications to the HIPAA Security Rule: The Three Rs
The proposed modifications to the HIPAA Security Rule consist of three “Rs”:
1. Required: The proposal calls for standards and actions that are required (as opposed to what the current rule has – a mix of required and addressable standards).
2. Regular: The proposed new rule calls for regular compliance measures (e.g., many proposed requirements must be met on an annual basis, which is currently not the case).
3. (W)ritten: The proposed rule calls for evidence of policies, procedures, plans, and analyses, and in general evidence that requirements have been met, in writing.
HHS’ Proposed Modifications to the HIPAA Security Rule: Required
Currently, the Security Rule contains a series of standards, such as the facility access controls standard and the device and media controls standard. Many standards contain “implementation specifications,” which are measures for how to implement the standard (note that some standards, such as the audit controls standard, contain no implementation specifications; compliance with such standards is required). When a standard contains implementation specifications, the language “implementation specifications” appears in the text of the standard.
Implementation specifications are required or addressable.
If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.
What is the General Rule for Required Standards?
When a specific standard includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
What is the General Rule for Addressable Standards?
When a specific standard includes addressable implementation specifications, a covered entity or business associate must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information.
Then, after the assessment, the covered entity or business associate must implement the implementation specification if it is reasonable and appropriate to do so. If the covered entity or business associate has determined that implementing the implementation specification is not reasonable and appropriate, the covered entity or business associate must document why it would not be reasonable and appropriate to implement the implementation specification. Then, the covered entity or business associate must implement an equivalent alternative measure if it is reasonable and appropriate to do so.
What Changes Do the Proposed Modifications to the HIPAA Security Rule Make?
The proposed modifications eliminate the “required vs. addressable” distinction. All implementation specifications in the proposed new rule are required, with specific, limited exceptions.
What Is Required Under the Proposed Modifications to the HIPAA Security Rule?
Under the proposed update to the Security Rule, covered entities and business associates must (among other requirements):
1. Develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout their electronic information system(s) on an ongoing basis.
2. Conduct a risk analysis with a written assessment that includes (among other things):
A review of the technology asset inventory and network map.
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
Identification of potential vulnerabilities to relevant electronic information systems.
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
3. Notify certain HIPAA-regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
4. Meet enhanced contingency planning requirements, including:
Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
Implement written procedures for testing and revising security incident response plans.
5. Conduct what HHS calls a “compliance audit” at least once every 12 months to ensure their compliance with the Security Rule requirements.
6. Encrypt ePHI at rest and in transit, with limited exceptions.
7. Use multi-factor authentication (MFA), with limited exceptions.
8. Perform a vulnerability scan at least every 6 months and a penetration test at least once every 12 months.
9. Perform network segmentation.
10. Review and test the effectiveness of certain security measures at least once every 12 months.
HHS’ Proposed Modifications to the HIPAA Security Rule: Regular
As stated above, a number of the requirements must be met on a regular basis. For example, the “compliance audit” requirement must be met at least every 12 months. The vulnerability scanning requirement must be met at least every six months.
HHS’ Proposed Modifications to the HIPAA Security Rule: (W)ritten
The proposed new rule places a strong emphasis on “showing your work”: the new rule requires written documentation of all Security Rule policies, procedures, plans, and analyses.
HHS’ Proposed Modifications to the HIPAA Security Rule: What Happens Next?
Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register – by March 7, 2025. A copy of the proposed modifications to the HIPAA Security Rule can be found here (the text of the proposed new rule can be found at pp. 354-393). A press release announcing the proposed modifications to the HIPAA Security Rule can be found here.