Proposed Updates to the HIPAA Security Rule
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule. This marks the first substantial update in over a decade, aiming to address the evolving cybersecurity threats in the healthcare sector.
Key proposed changes include:
- Mandatory Implementation Specifications: The distinction between “required” and “addressable” implementation specifications would be removed, making all specifications mandatory, with limited exceptions.
- Enhanced Security Measures: Requirements for encryption, multifactor authentication, and regular risk analyses would be introduced to ensure robust protection of ePHI.
- Business Associate Agreements: Covered entities would be required to obtain annual written verification from business associates confirming the deployment of HIPAA technical safeguards.
- Incident Reporting: Business associates would need to report the activation of their contingency plans to covered entities without unreasonable delay, and no later than 24 hours after activation.
These proposed updates are a response to the significant increase in cyberattacks targeting the healthcare industry, with large breaches caused by hacking and ransomware rising by 89% and 102%, respectively, since 2019.
Public Comment Period
The NPRM was published in the Federal Register on January 6, 2025, initiating a 60-day public comment period ending on March 7, 2025. Stakeholders are encouraged to review the proposed changes and submit feedback during this period.
Implications for Healthcare Organizations
If finalized, these changes will require healthcare organizations and their business associates to implement more stringent cybersecurity measures, potentially incurring significant compliance costs. OCR estimates the total first-year cost of compliance across all regulated entities to be approximately $9 billion, with annual recurring costs of $6 billion over the following four years.
Healthcare organizations should begin assessing their current cybersecurity practices and prepare for potential adjustments to comply with the forthcoming requirements.