Proposed Changes to HIPAA. Are you ready?

The U.S. Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule to strengthen the protection of electronic protected health information (ePHI) against modern cybersecurity threats. The proposed rule, published in the Federal Register in January 2025, represents the most substantial overhaul of the Security Rule in over a decade.

πŸ” Key Proposed Changes

  1. Mandatory Implementation Specifications
    The distinction between “required” and “addressable” implementation specifications would be removed, making all specifications mandatory, with limited exceptions.
  2. Comprehensive Risk Analysis and Asset Management
    Covered entities and business associates would be required to:
    • Maintain an up-to-date inventory of technology assets and a network map illustrating the flow of ePHI.
    • Conduct thorough risk analyses, including assessments of threats, vulnerabilities, and the effectiveness of current security measures.
    • Review and update these assessments at least annually, or sooner when significant changes occur.
  3. Enhanced Technical Safeguards
    The proposed rule mandates:
    • Encryption of ePHI at rest and in transit, with limited exceptions, using encryption that meets prevailing cryptographic standards.
    • Deployment of multi-factor authentication (MFA) for access to systems that handle ePHI.
    • Regular testing and evaluation of security measures to ensure their effectiveness, including vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  4. Incident Response and Contingency Planning
    Entities must develop and maintain:
    • Written incident response plans detailing procedures for responding to security incidents.
    • Contingency plans to ensure the availability of ePHI during emergencies, including data backup and disaster recovery procedures capable of restoring lost data and critical systems within 72 hours.
  5. Business Associate Agreements
    Business associates would be required to:

📅 Implementation Timeline and Industry Response

  • Public Comment Period: The comment period for the proposed rule closed on March 7, 2025, with over 4,000 comments submitted for review.
  • Cost Considerations: HHS estimates first-year compliance costs at approximately $9 billion, with annual costs of about $6 billion in subsequent years.
  • Industry Concerns: Some healthcare organizations, particularly smaller facilities, have raised concerns about the practicality and financial burden of implementing the proposed changes.

πŸ₯ Next Steps for Covered Entities

Healthcare organizations should proactively:

  • Assess Current Compliance: Evaluate existing security measures against the proposed requirements.
  • Update Policies and Procedures: Revise documentation to align with the new standards.
  • Engage Stakeholders: Collaborate with IT, legal, and compliance teams to prepare for potential changes.

For more detailed information, you can review the full proposed rule on the Federal Register.
