Proposed HIPAA Amendments Will Close Healthcare Security Gaps
Changes to the healthcare privacy regulation, including technical controls for network segmentation, multifactor authentication, and encryption, would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.
The US Department of Health and Human Services (HHS) is planning a massive overhaul of the Health Insurance Portability and Accountability Act (HIPAA) security rule to strengthen baseline cybersecurity requirements for protecting electronic protected health information (PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls, such as multifactor authentication (MFA) and enhanced encryption requirements.
The proposal describes the most substantive changes to the HIPAA security rule to date; the rule was last revised in 2013. The threat landscape is very different from a decade ago: breaches reported against healthcare organizations increased by 102% between 2018 and 2023, the HHS Office for Civil Rights said in a statement, and in 2023 the health information of more than 167 million people was compromised, a 1,002% increase over 2018.
Proposed Changes to HIPAA
The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.
Everything in writing: All policies, procedures, plans, and analyses will need to be in writing. This also applies to developing stronger incident response procedures, such as having documented incident response plans and testing plans, as well as written procedures to be able to restore information systems and data within 72 hours.
Asset inventory: Healthcare organizations will need to develop and regularly maintain an up-to-date technology asset inventory and a network map that tracks how PHI moves through their various systems.
Risk analysis: Security risk analysis has long been a weak point for healthcare organizations. The proposed changes spell out in more detail how it must be conducted: a written assessment that reviews the technology asset inventory and network map, identifies all reasonably anticipated threats to PHI, and rates the level of risk for each threat and vulnerability.
Implement security controls: Healthcare organizations will be required to deploy MFA and network segmentation to make their systems harder to compromise. All PHI will need to be encrypted both at rest and in transit, reflecting the consensus that encryption is no longer optional. For systems that handle PHI, security teams will need to scan for vulnerabilities at least every six months, run penetration tests at least once a year, deploy anti-malware defenses, and remove extraneous software. Taken together, these requirements move activities that were previously only recommended into a minimum security baseline every regulated entity must meet.
Organizations will also need to audit their compliance with these technical controls at least once every 12 months and attest in writing, annually, that the safeguards have been implemented.
Next Steps After Comments
The changes to the security rule will cost approximately $9 billion in the first year and $6 billion for years two to five, said Anne Neuberger, deputy national security adviser for cyber and emerging technology, during a Dec. 27 press briefing.
"The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences," Neuberger said.
Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments, putting the deadline in early March 2025. HHS will issue the final rule afterward, although no date has been set, and regulated entities would then have 180 days to comply. It is also unclear whether work on the changes will continue under the incoming presidential administration. Even so, healthcare organizations should review the proposed requirements now and measure their existing security programs against them to prepare.