
The Updated HIPAA Security Rule: Key Changes Healthcare Organizations Must Address
HHS has proposed significant updates to the HIPAA Security Rule for the first time since 2013. Healthcare organizations and their business associates need to understand what's changing and how to prepare.
The Department of Health and Human Services (HHS) has proposed substantial updates to the HIPAA Security Rule in its Notice of Proposed Rulemaking (NPRM), representing the first major revision to the rule since 2013. The changes respond to a dramatic increase in healthcare data breaches over the past decade and reflect updated best practices in cybersecurity that have emerged since the original rule was promulgated.
Key proposed changes include mandatory multi-factor authentication (MFA) for all access to electronic Protected Health Information (ePHI), required network segmentation, encryption of ePHI at rest and in transit with no exceptions, and specific timelines for vulnerability scanning and penetration testing. The proposal also removes the distinction between 'required' and 'addressable' implementation specifications — converting all specifications to required, eliminating the flexibility that many smaller organizations have historically relied upon.
Business associates face heightened obligations under the proposed rule, including mandatory annual compliance audits, written verification of security practices shared with covered entities, and new breach notification timelines. Organizations that have treated HIPAA compliance as a checkbox exercise will find the updated rule significantly more demanding in terms of documentation, technical controls, and ongoing monitoring.
Healthcare organizations should begin preparing now, even before the final rule is published. Priority actions include conducting a comprehensive risk analysis against the proposed requirements, assessing current encryption and MFA posture across all systems that access ePHI, reviewing business associate agreements, and establishing vulnerability management and penetration testing programs if not already in place. AmericaTech's compliance practice helps healthcare organizations and their business associates close the gap between current posture and the incoming requirements.
AmericaTech Editorial Team
The AmericaTech Editorial Team produces cybersecurity, compliance, and managed IT content for practitioners and business leaders. AmericaTech, Inc. is an enterprise IT and security services firm headquartered in Silver Spring, Maryland.