The U.S. Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule, aiming to strengthen the protection of electronic protected health information (ePHI) against increasing cybersecurity threats. The Notice of Proposed Rulemaking (NPRM) was published in the Federal Register in January 2025. A final rule has not yet been published; it is widely anticipated in late 2025 or early 2026, but that timing is an expectation, not a commitment from HHS.
Upcoming HIPAA Security Rule Overhaul – Key Proposed Changes:
- Mandatory Multi-Factor Authentication (MFA): All access to ePHI and to the systems that hold it would require MFA, closing the gap left by single-factor (password-only) authentication, which remains a leading cause of unauthorized access.
- Comprehensive Asset Management: Organizations would have to maintain, and regularly update, a written inventory of all technology assets and a network map showing how ePHI moves through those assets, so that every system affecting the confidentiality, integrity, or availability of ePHI is known and accounted for.
- Accelerated Patch Management: Critical vulnerabilities would have to be patched within 15 calendar days and high-severity vulnerabilities within 30 calendar days of identification, with documented compensating controls where a patch cannot be applied in that window.
- Enhanced Notification Requirements: Business associates (and their subcontractors) would have to notify the covered entity (or upstream business associate) no later than 24 hours after activating their contingency plan in response to an incident that affects ePHI. Meeting this would require business associate agreements (BAAs) to be revised to carry the new notification obligation.
- Elimination of "Addressable" Safeguards: The distinction between "required" and "addressable" implementation specifications would be removed, making all specifications mandatory (with only narrow, specifically enumerated exceptions) and ending the practice of documenting why a safeguard was not implemented instead of implementing it.
Implications for Healthcare Organizations
These proposed updates represent a significant shift in HIPAA compliance, aligning the Security Rule with modern cybersecurity practices. Organizations should begin preparing by:
- Implementing MFA across all systems that access or store ePHI.
- Building and maintaining a comprehensive asset inventory and network map, and establishing a process to keep both current.
- Establishing or updating patch management procedures to meet the proposed 15-day (critical) and 30-day (high) timelines.
- Reviewing and updating BAAs to include the new notification requirements.
- Assessing current safeguards, including any previously treated as "addressable," and closing gaps before the standards become mandatory.
By proactively addressing these areas, healthcare organizations can strengthen their cybersecurity posture and ensure compliance with the anticipated updates to the HIPAA Security Rule.
For more detailed information, refer to the HHS Fact Sheet on the Proposed Rule and the Federal Register Notice.