Significant changes are being proposed to the HIPAA Security Rule that will require Covered Entities and Business Associates to reassess their current HIPAA compliance strategies. On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to strengthen cybersecurity protections for electronic Protected Health Information (ePHI) in response to increasing and evolving cyber threats.
Background: The Security Rule and the NPRM
The HIPAA Security Rule establishes national standards for the protection of ePHI, requiring organizations to implement administrative, physical, and technical safeguards. These standards apply specifically to electronic PHI, not paper-based PHI. Since its original publication in 2003 (with updates in 2013), the Security Rule has remained largely unchanged—despite the dramatic rise in cybersecurity threats targeting the healthcare industry.
OCR has historically provided additional guidance based on national cybersecurity standards (e.g., NIST, FTC, HHS), but with this NPRM, it is taking a more direct approach. OCR notes that past guidance may not be sufficient for regulated entities to improve their compliance posture, citing changes in technology, breach trends, and enforcement experience as reasons for this overhaul.
Key Change: No More “Addressable” Specifications
One of the most impactful proposals in the NPRM is the elimination of “addressable” implementation specifications. Currently, regulated entities can assess whether an addressable safeguard is appropriate and may implement alternatives if justified and documented.
Under the NPRM, this flexibility would be removed: every standard and implementation specification would be required. Additionally, Covered Entities and Business Associates would have to perform and document internal audits at least once every 12 months to demonstrate compliance.
Notable Proposed Safeguard Enhancements
Organizations will need to make significant adjustments to meet the updated requirements. Some of the most impactful changes include:
Asset Inventory & Network Mapping
Maintain an inventory and mapping of systems that store or transmit ePHI, reviewed and updated at least annually or after any environmental/operational change.
Annual Risk Analysis
Conduct more comprehensive risk analyses that evaluate anticipated threats, vulnerabilities, existing security measures, and potential risks posed by Business Associates.
Patch Management
Review patch management practices annually. Critical vulnerabilities must be patched within 15 days of identification.
Workforce Training & Access Controls
Enforce stricter training and access control standards across all workforce members.
Incident Response & Disaster Recovery
Develop and maintain response plans that restore IT system availability within 72 hours of a disruption.
Data Encryption
Encrypt ePHI both in transit and at rest, with limited exceptions.
Multi-Factor Authentication (MFA)
Require MFA for all ePHI access, with few exceptions.
Configuration Management
Implement controls such as anti-malware, removal of unnecessary software, and disabling unused network ports.
Vulnerability Scanning
Perform vulnerability scans at least every 6 months.
Penetration Testing
Conduct annual penetration tests.
ePHI Backups
Maintain backup copies of ePHI that are no more than 48 hours old, and test backups semiannually or after significant system changes.
OCR has also released a fact sheet outlining additional proposed changes not detailed above.
Business Associate Oversight
The NPRM introduces stricter oversight for Business Associates. Covered Entities will be required to obtain written verification every 12 months confirming that their Business Associates have implemented the required technical safeguards.
This verification must be based on a system analysis conducted by a qualified professional, and a senior official must certify its accuracy in writing.
The NPRM does, however, allow a Business Associate to be designated as the security official for a Covered Entity or another Business Associate. This reflects OCR’s acknowledgment that many Business Associates—such as managed IT service providers like Technology Architects—are already playing this role in practice.
What Happens Next?
Although the NPRM is not yet law, it signals major changes on the horizon. The public comment period runs through March 7, 2025, after which OCR will finalize and publish the rule. If adopted, the rule would become effective 60 days after publication, with compliance required within 180 days after that.
Start Preparing Now
Covered Entities and Business Associates should begin evaluating their current compliance frameworks immediately. Identifying gaps now and planning for future updates will position your organization for a smoother transition, no matter how the final rule takes shape.
This proactive approach not only prepares you for regulatory changes—it strengthens your overall cybersecurity posture in a time of rising threats.
At Technology Architects, we specialize in helping healthcare organizations and their partners navigate HIPAA compliance. Contact us today to learn how we can support your transition to the upcoming Security Rule requirements.