The Department of Health and Human Services is proposing a major overhaul of the HIPAA Security Rule, a move that would introduce new mandatory cybersecurity requirements for hospitals, health systems and other covered entities.
On Jan. 6, 2025, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking that would substantially revise the Security Standards for the Protection of Electronic Protected Health Information. The proposed rule references the February 2024 cyberattack on Change Healthcare as an example of how cybersecurity incidents can affect healthcare operations nationwide.
Here are eight things to know about the proposed changes:
- Under the current rule, implementation specifications are either “required” or “addressable.” For an addressable specification, an organization assesses whether it is reasonable and appropriate for its environment and, if it concludes it is not, documents why and implements an equivalent alternative measure where one is reasonable and appropriate. The proposed rule would eliminate that distinction entirely, making all implementation specifications required, with only narrow, specifically enumerated exceptions.
- Hospitals and health systems would be required to maintain technology asset inventories and map how ePHI moves through their systems, updated at least once every 12 months and whenever relevant operational changes occur.
- Encryption of ePHI, both at rest and in transit, would become mandatory with limited exceptions, replacing the current framework under which organizations decide whether encryption is “reasonable and appropriate.” HHS said encryption tools are now widely available and affordable.
- The proposal would add requirements related to multifactor authentication, network segmentation, incident response planning and more frequent risk analyses.
- Organizations would need to be able to restore critical electronic systems within 72 hours of a security incident.
- HHS is proposing two separate testing requirements, applicable to all regulated entities regardless of size: vulnerability scanning at least every six months and penetration testing at least every 12 months.
- The proposed rule has drawn significant opposition from healthcare industry groups. During the comment period, the American Hospital Association urged HHS to make the requirements voluntary rather than mandatory, flagging several provisions as problematic, including the 72-hour system restoration requirement. Separately, a coalition of industry groups led by the College of Healthcare Information Management Executives and the Medical Group Management Association sent a letter to President Trump and HHS Secretary Robert F. Kennedy Jr. calling for the rule to be rescinded entirely. Notably, the AHA was not a signatory to that letter; its position has been to modify the rule, not rescind it.
- The comment period for the proposed rule closed March 7, 2025, and HHS is currently reviewing the feedback. A final rule is expected around mid-2026. Once published, hospitals and health systems would have 180 days to comply, with an additional 60 days for business associates to update their agreements.