February 18, 2025
HHS Proposes Major Updates to HIPAA Security Rule to Strengthen Cybersecurity, Comments due March 7
For the first time in two decades, the Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule to better protect electronic protected health information (ePHI) from increasing cyber threats. The Notice of Proposed Rulemaking (Proposed Rule) seeks to modernize security safeguards in response to a significant increase in large-scale healthcare breaches caused by hackers and ransomware between 2018 and 2023.
If enacted, the rule would require all HIPAA-regulated entities to:
- Enhance cybersecurity practices, including maintaining an up-to-date inventory of technology assets,
- Conduct annual risk analyses,
- Implement stronger patch management policies, and
- Use multi-factor authentication.
Additionally, covered entities would be obligated to:
- Encrypt ePHI,
- Perform vulnerability scans and penetration testing, and
- Ensure more rigorous oversight of business associates handling sensitive health data.
As remote care platforms manage vast amounts of ePHI, these new cybersecurity rules could significantly impact telehealth services.
The Proposed Rule also emphasizes stricter compliance documentation and monitoring, including mandating a 72-hour disaster recovery plan, annual compliance audits, and stronger incident response protocols. Notably, business associates would be required to notify covered entities of any contingency plan activation within 24 hours.
The Proposed Rule also seeks comment on emerging technologies such as artificial intelligence, quantum computing, and virtual and augmented reality, and on HIPAA’s role in regulating them.
Comments are due by March 7, 2025, and can be submitted through the Federal Register.