Understanding the New HIPAA Security Rule NPRM | Key Takeaways and Cybersecurity Enhancements for Healthcare Organizations

Table of Contents

• Introduction
• 1. Annual Technical Inventory and Data Mapping
• 2. Stronger Security Risk Assessments
• 3. Increased Vendor Oversight
• 4. Mandatory Multi-Factor Authentication (MFA)
• 5. Mandatory Encryption for ePHI
• 6. Formalized Incident Response Planning
• 7. Disaster Recovery and Data Backups
• 8. Mandatory Annual Compliance Audits
• 9. Workforce Security and Access Management
• 10. Network Testing, Segmentation, and Configuration
• Conclusion
• Frequently Asked Questions (FAQs)

Introduction

On January 6, 2025, the U.S. Department of Health and Human Services (HHS) introduced new regulations under the Health Insurance Portability and Accountability Act (HIPAA). These regulations aim to strengthen cybersecurity protections for electronic protected health information (ePHI).

This Notice of Proposed Rulemaking (NPRM) is the first major update to the HIPAA Security Rule since 2013. The changes come as a response to the increasing use of electronic medical records and the rising risks of cyberattacks on healthcare data.

Below are the top 10 important changes in the new HIPAA Security Rule NPRM that healthcare organizations must understand and implement.

1. Annual Technical Inventory and Data Mapping

What’s Changing?

• Healthcare organizations must now keep a record of all hardware, software, and data related to ePHI.
• They must also map how ePHI moves through the organization.
• These records must be updated annually or when a major security change happens.

Why is this important?

A clear inventory and data flow will help identify vulnerabilities and reduce security risks.

2. Stronger Security Risk Assessments

What’s Changing?

• Organizations must analyze security risks in greater detail.
• They need to document security measures and evaluate potential threats.
• They must also track risks and vulnerabilities consistently.

Why is this important?

Better risk assessments mean fewer security gaps and stronger protection against cyber threats.

3. Increased Vendor Oversight

What’s Changing?

• Business associates and vendors must now prove they are following HIPAA security rules.
• A cybersecurity expert must verify their security practices.
• Vendors must inform healthcare organizations within 24 hours if they activate a contingency plan due to a security issue.

Why is this important?

Many data breaches happen through third-party vendors. This rule ensures better vendor security.

4. Mandatory Multi-Factor Authentication (MFA)

What’s Changing?

• MFA is now required for all technology handling ePHI.
• Some older systems and FDA-approved medical devices before March 2023 may get exceptions, but only if a transition plan is in place.

Why is this important?

MFA adds extra security by requiring more than just a password to access sensitive data.

5. Mandatory Encryption for ePHI

What’s Changing?

• Encryption is now a must for ePHI stored on servers, laptops, mobile devices, and during transmission.
• Only a few exceptions apply, such as patient requests for unencrypted data.

Why is this important?

Encryption makes stolen data useless to hackers, reducing the risk of data breaches.

6. Formalized Incident Response Planning

What’s Changing?

• Organizations must create a written incident response plan that explains:
  • How security incidents should be reported.
  • How threats should be identified and removed.
• These plans must be reviewed and tested every 12 months.

Why is this important?

A clear response plan can help organizations react quickly and reduce damage from cyberattacks.

7. Disaster Recovery and Data Backups

What’s Changing?

• Organizations must create "exact" backup copies of ePHI.
• If a cyberattack happens, they must restore critical systems within 72 hours.
• Vendors must notify covered entities within 24 hours if they activate a contingency plan.

Why is this important?

Having fast recovery systems ensures patient data and healthcare operations are not disrupted for long.

8. Mandatory Annual Compliance Audits

What’s Changing?

• Organizations must conduct annual compliance audits to check if they meet HIPAA security standards.
• HHS does not specify whether these audits should be internal or external.

Why is this important?

Regular audits help identify weaknesses before hackers exploit them.

9. Workforce Security and Access Management

What’s Changing?

• Organizations must set strict rules for workforce access to ePHI:
  • Employees must only access data necessary for their job.
  • Access must be revoked within one hour after an employee leaves.
  • Other healthcare organizations must be notified within 24 hours if an employee had shared access to their data.

Why is this important?

Quickly removing unauthorized access reduces the risk of insider threats.

10. Network Testing, Segmentation, and Configuration

What’s Changing?

• Organizations must conduct vulnerability scans every six months.
• They must perform penetration testing every 12 months.
• They must implement network segmentation to prevent attackers from moving freely inside the network.
• They must remove outdated software that poses security risks.

Why is this important?

Regular testing and network segmentation limit the spread of cyberattacks.

Conclusion

The new HIPAA Security Rule NPRM introduces stricter cybersecurity regulations to protect electronic health records from increasing cyber threats.

These changes require healthcare organizations to strengthen security measures, improve risk assessments, and enforce stricter access controls.

While these new requirements may require time and investment, they are necessary to protect patient data and ensure compliance with evolving cybersecurity threats.

Healthcare organizations must start preparing now by updating their security policies, training employees, and strengthening IT infrastructure.

Frequently Asked Questions (FAQs)

What is the HIPAA Security Rule NPRM 2025?

The HIPAA Security Rule NPRM 2025 is a proposed update by HHS to improve cybersecurity protections for electronic protected health information (ePHI).

Why is the HIPAA Security Rule being updated?

The update addresses increasing cyber threats, improves data security, and ensures compliance with modern cybersecurity standards.

What is the biggest change in the new HIPAA Security Rule?

One of the biggest changes is the mandatory implementation of multi-factor authentication (MFA) and encryption for all ePHI.

How does this update affect healthcare organizations?

Healthcare organizations must enhance security measures, conduct regular audits, and enforce stricter access control policies.

Is multi-factor authentication (MFA) required under the new rule?

Yes, MFA is now mandatory for all systems handling ePHI, with limited exceptions for some legacy systems.

What new requirements are there for vendor security?

Vendors must prove compliance with HIPAA security rules, and business associate agreements (BAAs) must be verified by cybersecurity experts.

What are the requirements for risk assessments?

Organizations must regularly assess risks, document security measures, and track vulnerabilities affecting ePHI.

How often do organizations need to conduct risk assessments?

Risk assessments must be performed annually or whenever there is a significant security change.

What does the new rule say about data encryption?

All ePHI must be encrypted on servers, laptops, mobile devices, and during transmission, with very few exceptions.

Are healthcare organizations required to conduct compliance audits?

Yes, annual compliance audits are now mandatory to ensure adherence to HIPAA security standards.

What happens if an organization fails to meet the new HIPAA security standards?

Non-compliance can lead to financial penalties, legal consequences, and increased risk of cyberattacks.

How does this rule affect business associates and subcontractors?

Business associates must notify covered entities within 24 hours of activating a security contingency plan.

Are there new requirements for incident response plans?

Yes, organizations must develop and document a formal incident response plan, review it annually, and update it as needed.

What is the new requirement for disaster recovery and backups?

Organizations must restore critical systems within 72 hours of a cyberattack and maintain exact ePHI backups.

Do small healthcare providers have to follow these rules?

Yes, but there are some flexibility provisions for smaller providers with limited resources.

What is the significance of network segmentation in the new rule?

Network segmentation is required to prevent lateral movement of cyber threats within healthcare systems.

How often should vulnerability scans be conducted?

Vulnerability scans must be performed at least every six months.

Is penetration testing now a requirement?

Yes, organizations must conduct penetration testing at least once every 12 months.

What is the workforce security access management update?

Organizations must limit access based on job roles and revoke access within one hour of employee termination.

What changes are made to authentication controls?

The "addressable" authentication requirement has been removed, making MFA mandatory for all technology assets.

Do organizations need to notify other covered entities about terminated employees?

Yes, if an employee had shared access, other organizations must be notified within 24 hours of termination.

Will the new HIPAA rule increase costs for healthcare organizations?

Yes, implementing encryption, MFA, network segmentation, and compliance audits may require financial investment.

What is the deadline for compliance with the new rule?

Organizations have 180 days after the final rule is published to comply.

What is the role of business associate agreements in the new rule?

BAAs must now include detailed security assurances and must be reviewed by cybersecurity professionals.

How will the new rule impact healthcare cybersecurity?

The rule strengthens cybersecurity by reducing risks, improving response plans, and enforcing stricter security measures.

Are organizations required to test their security policies?

Yes, security policies, including incident response and access controls, must be tested annually.

Can organizations use legacy systems under the new rule?

Legacy systems may be used if they meet security requirements or have a transition plan in place.

Does the new rule apply to all healthcare providers?

Yes, it applies to all covered entities, including hospitals, clinics, and insurance providers.

What happens if a vendor fails to comply with the new security requirements?

Healthcare organizations must evaluate risks before entering a vendor agreement and take necessary actions if non-compliant.

Where can organizations find guidance on implementing these changes?

HHS provides official guidelines, and cybersecurity experts can help organizations comply with the new rule.

Let me know if you need any modifications or additional details.