Protecting patient information is a responsibility that both the healthcare industry and the government take very seriously. Yet, as technology evolves, new threats emerge that put sensitive medical records at risk. Unfortunately, legal protections struggle to keep up with these rapid changes.
While the shift towards electronic recordkeeping in healthcare has brought undeniable benefits, it has also increased vulnerability to cyberattacks, phishing scams, and ransomware. To address these challenges, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) on January 6, 2025. This proposal aims to update the HIPAA Security Rule with stronger cybersecurity measures designed to improve protections for electronic protected health information (ePHI).
If implemented, these changes will mark the most significant updates to the HIPAA Security Rule in more than a decade. The goal is to enhance safeguards for electronic medical records and reduce the risk of cybercriminals accessing sensitive data.
While these updates are not yet in effect, it’s important for medical practices to understand what is being proposed and prepare for what seems to be an inevitable security rule update. In this article, we’ll break down the proposed changes to the HIPAA Security Rule, explain why they’re necessary, and share a few easy steps you can take to protect your patients’ information.
Why Are Changes to the HIPAA Security Rule Necessary?
Medical records contain sensitive information, including personal details (PII), medical histories, diagnoses, and patient charts (PHI), as well as financial information like billing details. This makes them a prime target for cybercriminals who want to steal or misuse this data for their own gain.
In recent years, the healthcare industry has faced a sharp increase in cyberattacks. These range from sophisticated ransomware attacks, where hackers lock down data until a payment is made, to phishing scams that trick staff into providing criminals with access to secure systems.
Each type of attack presents a serious risk to patient privacy, something data privacy laws like HIPAA are designed to protect.
While the HIPAA Privacy Rule governs how protected health information (PHI) and personally identifiable information (PII) can be used and shared, the HIPAA Security Rule focuses on how that information is safeguarded from an administrative and technical perspective. In other words, the proposed changes aren’t about what information is protected but rather how it is protected.
The current HIPAA Security Rule was enacted in 2006, a time when technology was far less advanced than it is today. While it was effective for its era, it hasn’t kept pace with the increasing threats or rapid changes in technology. This gap is why the HHS is proposing these updates.
What Are the Proposed Changes?
The proposed updates to the HIPAA Security Rule focus on addressing gaps in current cybersecurity practices and ensuring healthcare providers are better equipped to protect electronic protected health information (ePHI). Here’s a breakdown of the key changes being proposed:
Mandatory Safeguards
Currently, the HIPAA Security Rule categorizes certain security measures as “addressable,” meaning organizations can assess their relevance and decide whether to implement them. The proposed updates would remove this flexibility, making all safeguards mandatory. This ensures that no potential vulnerabilities are left unaddressed.
For Example:
Current System: A small medical practice assesses its need for data encryption and determines it’s unnecessary, leaving patient records vulnerable during data transmission.
Proposed Change: Under the new rules, encryption would be mandatory, ensuring all ePHI is protected, whether it’s being shared electronically or stored in the cloud.
Documentation Requirements
Healthcare providers would be required to keep detailed records of their cybersecurity practices. This includes documenting security policies, risk assessments, mitigation plans, and any steps taken to protect patient information. Having this documentation readily available would help ensure accountability and compliance.
For Example:
Current System: A healthcare provider experiences a breach but cannot provide a clear record of their security policies or the steps taken to address potential risks. This results in heavier financial penalties and reputational damage.
Proposed Change: Practices must maintain thorough documentation of their cybersecurity measures, such as written plans for handling risks and evidence of staff training, ensuring they’re prepared in the event of an audit or breach investigation.
Updated Language
Some terms and specifications within the HIPAA Security Rule would be updated to reflect modern technology and cybersecurity practices. This includes cleaning up outdated language and aligning its text with current industry standards, making compliance with the law more practical and easier to understand.
For Example:
Current System: The current rule makes references to outdated technologies like fax machines, which are rarely, if ever, used today for transmitting health information.
Proposed Change: The updates clarify how to secure ePHI in a modern setting, such as securing data stored in cloud-based platforms or shared via telehealth systems.
Focus on Risk Management
The proposed changes emphasize that healthcare organizations should take a proactive approach to cybersecurity. This includes regularly conducting risk assessments and making the necessary updates to security measures to address emerging threats. The idea here is to shift from a reactive approach to security to preventive practices, reducing the likelihood of breaches before they happen.
For Example:
Current System: A clinic performs a risk assessment only once every few years, leaving it completely unaware of new vulnerabilities that have cropped up in its outdated software.
Proposed Change: The updated rule emphasizes regular risk assessments and proactive updates to systems, helping practices stay ahead of emerging threats posed by new technologies like AI or increased computational power capable of cracking encryption.
Training and Awareness
There’s a push to ensure that staff members across all levels of the healthcare industry are properly trained on cybersecurity protocols. The updates highlight the importance of educating employees about threats like phishing and ensuring they follow best practices to keep patient data secure.
For Example:
Current System: A front-desk employee falls victim to a phishing email, inadvertently providing login credentials to a malicious actor. This breach could have been avoided with the proper training.
Proposed Change: Regular staff training would be mandatory, focusing on identifying phishing attempts, securing devices, and following best practices to protect ePHI.
6 Ways Medical Practices Can Prepare Now
Preparing for these potential changes to the HIPAA Security Rule is simple. By taking a few proactive steps now, medical practices can strengthen their cybersecurity practices and ensure they’re ready for whatever updates are implemented.
1. Conduct a Security Audit
Start by reviewing your current systems to identify any gaps in your cybersecurity measures. Look at how electronic protected health information (ePHI) is stored, accessed, and shared. A thorough audit can help you pinpoint vulnerabilities, such as outdated software or weak access controls, so you know where to focus your efforts.
2. Update Policies and Procedures
Make sure your written policies and procedures reflect the latest best practices for protecting ePHI. If your documentation is incomplete or outdated, take time to create or update records that clearly outline your cybersecurity measures. Detailed policies not only support compliance but also help guide your staff in following secure practices.
3. Invest in Staff Training
Educate your employees on common cyber threats, like phishing scams, and teach them how to use secure communication methods. Since human error is one of the biggest risks to ePHI security, regular training ensures your team knows how to recognize threats and follow security protocols to keep patient data safe.
4. Strengthen Technical Safeguards
Consider upgrading your technical protections, such as implementing multi-factor authentication (MFA), encrypting sensitive data, and maintaining secure backups. If you’re unsure where to start, consulting with an IT or cybersecurity expert can help ensure your systems are up to modern standards and ready for future updates.
5. Stay Informed About Regulatory Changes
Keep an eye on updates from the Department of Health and Human Services (HHS) and other trusted sources to stay aware of new developments. Subscribing to newsletters, joining industry groups, or attending webinars can help you understand how these changes may impact your practice and what you need to do to remain compliant.
6. Plan for Long-Term Compliance
To stay compliant, practices need a plan that not only addresses current needs but also prepares for long-term changes. Consider budgeting for new technologies or staff training to keep up with future changes. If managing compliance feels overwhelming, outsourcing to cybersecurity or compliance professionals can provide peace of mind.
Wrapping Up
We hope this article provides enough information to convey the basics of the proposed changes to the HIPAA Security Rule and what they mean for medical practices. For a more thorough and detailed review, we recommend reading the information provided directly by the Department of Health and Human Services (HHS). Their official website outlines the proposed changes to the Security Rule in precise language. You can find and read the full proposal on the HHS website.
It’s important to note that during this rulemaking process, the current HIPAA Security Rule remains in full effect and must be followed as always. Medical practices should continue to comply with the existing standards in order to ensure that electronic protected health information is protected.
The HHS is currently seeking feedback on the proposed changes. They encourage input from all stakeholders, including patients and their families, health care providers, health plans, professional associations, consumer advocates, and government entities. If you would like to provide feedback, you can submit your comments by March 7th, 2025.
By staying informed and involved, we can all contribute to shaping the future of patient data protection in meaningful and effective ways.