HIPAA Security Rewrite Looms Amid Uncertainty
Key Points
- HHS is expected to introduce the most significant HIPAA Security Rule update for cybersecurity in decades.
- Early notices from HHS indicate the agency will prioritize hardening security for Electronic Protected Health Information (ePHI), regular compliance auditing, and mandatory encryption standards.
- IANS Faculty recommend conducting audits, tracking compliance deadlines, maintaining a detailed inventory of ePHI data and creating comprehensive risk analysis programs.
The U.S. Department of Health and Human Services (HHS) is expected to release new requirements for cybersecurity in HIPAA-regulated industries within the coming days.
These updates to the Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, would be the first major revision of HIPAA’s cybersecurity regulations since the rule was adopted in 2003 (the 2013 Omnibus Rule made only limited changes to it).
An update to the Security Rule was first announced by HHS’s Office for Civil Rights (OCR) in late 2024 as a notice of proposed rulemaking, and the public comment period drew more than 4,700 comments. A final rule was expected from HHS in May, but no official announcement or update had been issued as of press time.
The update as proposed would make numerous IT security safeguards mandatory that were previously “addressable” implementation specifications, which many organizations treated as optional best practices. The final text of the rule remains unknown.
“Now is the time for covered entities and business associates to look at their security program and determine where they stand. The HIPAA Security Rule currently affords flexibility, but it’s likely that we’ll see more things mandated due to the increasing threat of cyberattacks and the need for regulated entities to be more resilient against them,” said Lee Kim, IANS Faculty.
Big Picture
Though there is plenty of uncertainty here, healthcare CISOs should anticipate significant changes to HIPAA Security Rule requirements when the new regulations are published.
Many practices long considered “ideal” or “suggested” could become mandatory standards across the industry.
The increasing number of successful cyberattacks against healthcare organizations, coupled with the exfiltration of patient ePHI and employee PII, made protecting and securing that data a stated priority in the early notices about the rule change issued by HHS and OCR.
HHS said in those notices that changes would include mandatory encryption of ePHI at rest and in transit, a written technology asset inventory and network map showing where ePHI is stored and how it moves, and more frequent, documented security assessments on fixed schedules, such as vulnerability scanning at least every six months and penetration testing at least annually.
“OCR has frequently found that regulated entities are not conducting accurate and thorough risk assessments [and] that many organizations are treating addressable requirements as optional, such as encryption of electronic protected health information,” said Lee Kim, IANS Faculty.
Any new requirements will likely come with a compliance period before enforcement begins, so auditing existing systems now gives security teams an early blueprint of likely failure points. These audits also surface the flaws an outside assessor (or an attacker) would notice first, so teams can prioritize specific short-term fixes while working toward full compliance.
“The reality is that we need to plan for a short grace period and an erratic enforcement process. There’s no point getting yourself into a tizzy on hypotheticals. Plan reasonably and be prepared to hit the ground running when the actual rule comes out,” said Josh More, IANS Faculty.
IANS Faculty Recommendations
- Audit weaknesses: Conduct a gap assessment against the HIPAA Security Rule and NIST CSF 2.0 with an external auditor and identify where your deficiencies are.
- Take inventory of ePHI: Conduct a risk analysis that identifies every system, application, business team, workflow, and use or disclosure that involves, stores, or transmits ePHI, including flows to business associates.
- Adopt privacy technologies: Consider Privacy-by-Design and Privacy-Enhancing Technologies (PETs) to improve your program and reduce costs. ISACA is a good place to start with Privacy-by-Design.
- Holistic risk assessments: Prior risk, security, or audit assessment results may be incomplete or inconsistent. Create a fresh template that incorporates the latest third-party risk information and any new risk-mitigation controls, and consider risks beyond the technical safeguards, such as the administrative and physical safeguards the Security Rule also covers.
- Monitor deadlines: Pay attention to the effective date, the compliance date, and any other relevant dates. If there is a grace or transition period, OCR will state it in the final rule.
Authors & Contributors
Tim McCarthy, Author, IANS News
Lee Kim, IANS Faculty
Josh More, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.