Have You Checked Out the New HIPAA Cybersecurity Requirements for 2025?

Key Takeaways

  1. You must stay abreast of the new HIPAA cybersecurity requirements to understand how they impact you and your organization.
  2. Various emerging cyber threats and the increasing number of cyberattacks have made the feds sit up and take notice.
  3. There have been no major updates or changes in the security and privacy requirements of PHI and ePHI since the publication of the Omnibus Final Rule in 2013.
  4. HHS published a notice of proposed rulemaking [1] (NPRM) to modify the standards issued under the Security Rule of HIPAA and the HITECH Act.
  5. These days there are few activities in healthcare which are outside the reach of technology, which makes cybersecurity such a critical issue.
  6. OCR’s investigations identified areas where healthcare providers lag in compliance, as well as a significant increase in cyberattacks and breaches in recent years.
  7. Malicious activities gravely jeopardize not just data security, but also the smooth running of facilities and the quality of patient care, given the ultra-dependence on electronic devices and computer connectivity/networks.
  8. The POTUS declared “Healthcare and Public Health” a critical infrastructure sector, and the HHS as its Sector Risk Management Agency (SRMA).
  9. Robust privacy and security protections for PHI are areas of zero compromise. Therefore, HHS has updated the terms of disclosure of PHI to provide greater clarity and specificity to regulated entities.
  10. An annual compliance audit has been made mandatory, as has an annual risk assessment.
  11. Regulated entities must inventory technology assets while developing a network map of how ePHI travels through the provider’s electronic information systems, to identify vulnerabilities and gaps.
  12. Security measures should factor in resilience after a cybersecurity disaster.
  13. Vulnerability scans must be carried out every six months, while penetration tests should be carried out at least once in 12 months.
  14. Administrative safeguards have been updated.
  15. All electronic devices, not just workstations but all portable devices that create, store, and/or transmit ePHI, must be encrypted. Those regulated entities which lack encryption at industry standards must provide written plans on how that can be rectified.
  16. HIPAA cybersecurity measures must be proactive, rather than reactive.
  17. Practice cybersecurity hygiene at all levels.

Introduction

Assuring cybersecurity has never been more critical, or more challenging. With AI and other cybersecurity threats increasing by the day, assuring data security has become dicier. Specifically, it has become more challenging for healthcare providers and covered entities to ensure the privacy, security, and availability of protected health information (PHI). When it comes to individually identifiable health information (IIHI), you must ensure its confidentiality, integrity, and availability (CIA) to stay compliant with HIPAA and its ancillary rules, namely the Privacy Rule, the Security Rule, the Omnibus Rule, and the Breach Notification Rule, apart from the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to “improve portability and continuity of health insurance coverage in the group and individual markets … (and) to simplify the administration of health insurance”. The HITECH Act incentivized the conversion of all health records into an electronic format, the electronic health records (EHRs). However, with the passage of time, the authorities began to perceive that the transition from paper-based records to electronic records more than doubled the inherent risks to CIA. The Security Rule was initially passed in 2003. It has since been modified a few times to limit not just disclosures, but also the uses of PHI. Remember that the Security Rule only applies to ePHI, not to paper records. It also applies to IIHI which is emailed or stored in an electronic format.

Omnibus Final Rule and afterwards: Subsequently, the Department of Health and Human Services (HHS) published an Omnibus Final Rule on January 25, 2013, in the Federal Register to strengthen the security, enforcement, and privacy provisions of HIPAA and HITECH to protect PHI in electronic and other formats. However, for more than a decade, there had been no major updates or changes in the security and privacy requirements of PHI and ePHI, though there had been some tweaks on sharing information.

Notice Of Proposed Rulemaking

On January 6, 2025, the HHS published a notice of proposed rulemaking [2] (NPRM) in the Federal Register to modify the standards issued under the Security Rule of HIPAA and the HITECH Act. It read: “The proposed modifications would revise existing standards to better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).” Comments were invited from various stakeholders on the modifications to the HIPAA Security Rule at 45 CFR part 160, and subparts A and C of 45 CFR part 164, and were to be submitted on or before the 7th of March 2025.

Healthcare Industry Now Operates in a High Risk Environment

The Office for Civil Rights (OCR) investigates covered entities’ compliance with the provisions of HIPAA and its ancillary rules. Some of these investigations identified areas where healthcare providers lag in HIPAA cybersecurity compliance, as well as a significant increase in cyberattacks and breaches in recent years. The changes in the environment in which healthcare is provided these days have increased the threats to the privacy and security of PHI and ePHI. These days there are few activities in healthcare which are outside the reach of technology, or which do not rely on a robust computer network and a stable electronic device. In all this, the patients get the worst of it, as they are the most at risk from denial of service and disruptions of procedures and services.

Ultra Dependence on Computer Networks and Electronic Devices

Healthcare providers are dependent on electronic devices and networks for varied activities. This dependence shows up everywhere: from setting up doctor appointments to sending reminders, meticulously documenting every step of a face-to-face encounter, and recording the steps taken in medical decision-making (MDM) to create elaborate electronic health records. Even when providing telehealth services, doctors must be cautious about ensuring HIPAA cybersecurity. When patients are hooked up to devices that track sleep patterns, physical activity, or vitals like pulse rate and heartbeat, a hacker can garner a significant amount of PHI. Coding, billing, submission of claims, and even the fulfillment of prescriptions require protected health information to be in use, at rest, or in transit. Add to that the verification of insurance coverage and the use of and access to facilities, all of which create vulnerability gaps. Bad actors can hack into healthcare systems to introduce malware and perform other such malicious activities. These do not just gravely jeopardize data security, but also adversely impact the smooth running of facilities and the quality of patient care.

Alarming Increase in Data Breaches and Cybersecurity Incidents

What has goaded the HHS to sit up and take notice of the need to strengthen data security arrangements is the alarming increase in the reporting [3] of data breaches and other cybersecurity incidents involving 500 or more persons, and their potential to harm. Therefore, the HHS proposed including “in regulatory text a non-exhaustive list of examples, such as viruses, worms, Trojan horses, spyware, and some forms of adware, to assist regulated entities in understanding what constitutes malicious software”. With the POTUS declaring “Healthcare and Public Health” a critical infrastructure sector, and the HHS its Sector Risk Management Agency (SRMA), a major update of the Security Rule became vital to fix the major security gaps. It is not a simple issue of data security, or HIPAA cybersecurity. From lost unencrypted flash drives and laptops, to failure to install appropriate firewalls, to a cyberattack on the payment system of the food and beverage provider of a healthcare facility: the risks to data security have reached unprecedented proportions.

Terms for Disclosure of PHI Updated

Robust privacy and security protections for PHI are areas of zero compromise. The HHS realized that some of the administrative requirements were overburdening the providers. Add to that the need for continuously improving the quality of care. The proposals include strengthening the right to access one’s own PHI, to personally view the records, and if necessary, to take photographs of one’s own medical records while making notes. There have been modifications to the language describing when and to whom PHI may be disclosed, such as to avert a life-threatening event. Therefore, the HHS has sought to provide regulated entities with greater clarity and specificity regarding how to fulfill their obligations to ensure HIPAA cybersecurity.

Mandatory Risk Assessment Requirements

OCR identified many areas where vulnerability gaps need to be closed. The compliance audit requirement obliges every covered entity and its business associates to carry out an audit and document compliance with each standard and implementation specification at least once every year. To that end, the term “addressable”, which healthcare providers thought made such requirements optional, has been removed from the implementation requirements. The newly proposed Security Rule updates are focused on carrying out risk analyses and assessments, and on implementing control measures to manage risks. HIPAA covered entities (CEs) need to combat cyberattacks, improve incident response, and minimize risk by adopting cybersecurity practices which protect electronically created, stored, and transmitted health records more efficaciously. Therefore, CEs must inventory technology assets while developing a network map of how ePHI travels through the provider’s electronic information systems, to identify vulnerabilities and gaps. While such audits should be ongoing, all CEs must now carry out risk assessments at least once every year.

Security Measures Should Factor in Resilience After a Cybersecurity Disaster

The HHS has proposed that the technical standards of security measures, and their implementation, should take into account their effectiveness in supporting the resilience of the regulated entity in recovering from a major security incident or a natural calamity which has thrown the information system into disarray. Ideally, this should be woven into the CE’s disaster recovery plan. Therefore, CEs should develop written procedures for data restoration within 72 hours, with priority based on criticality. The proposals state, “…regulated entities will regularly evaluate the security measures they have applied to comply with the standards and implementation specifications based on the technology available and known risks and vulnerabilities at the time of the evaluation”. This means that all regulated entities must carry out vulnerability scans every six months, while penetration tests should be carried out at least once in 12 months.

Proposed Updates: Section 164.308—Administrative Safeguards

45 CFR 164.304 provides the definitions of “Administrative safeguards,” “Physical safeguards,” and “Technical safeguards”. “45 CFR 164.308(a)(6)(ii) requires regulated entities to identify and respond to suspected or known security incidents; to mitigate, to the extent practicable, harmful effects of security incidents that are known to the regulated entity; and to document security incidents and their outcomes”. The HHS has also proposed updating terminology and definitions by replacing the term “electronic storage media” with “electronic storage material”. It understood that many regulated entities lack sufficient, and in some cases any, technical safeguards in the form of technical controls to avert improper access to and/or viewing of ePHI. Therefore, CEs are now required to institute controls not just for computer workstations, but also for mobiles, tablets, and other portable electronic devices such as flash drives, digital cameras, etc. The update also includes administrative safeguards such as terminating the access of any and every employee leaving the organization with immediate effect, to ensure HIPAA cybersecurity. If global access to ePHI needs to be granted to more than one employee, the regulated entity must document the reasons in its policies and procedures.

Don’t Overlook Encryption

Since HHS realizes that not all entities have the kind of technology assets which are amenable to encryption at acceptable industry standards, it has made an exception with the proviso that “a regulated entity would be required to establish a written plan to migrate ePHI to technology assets that support encryption consistent with prevailing cryptographic standards and to implement such (a) plan” [4]. All electronic devices, not just workstations but all portable devices that create, store, and/or transmit ePHI, must be encrypted. Most software comes with options for encryption. HHS does not expect the regulated entities to break the bank to invest in encryption technologies if more affordable options are available. “If encryption is not reasonable and appropriate, a regulated entity must document why it would not be reasonable and appropriate for it to implement the safeguard and must implement an equivalent alternative measure if reasonable and appropriate” [5]. However, even the HHS understands that encryption does not provide bulletproof protection against cyberattacks.
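As an added illustration (not code from the article or from HHS), the Python below turns the requirements described in the risk-assessment, resilience and encryption sections into a checkable inventory: it flags ePHI devices that are unencrypted and have no written migration plan, scans, penetration tests and risk assessments that have fallen outside the six-month and 12-month cadences, nodes on an ePHI flow map that the inventory does not account for, and a criticality-ordered restoration sequence for the 72-hour procedure. Asset names, dates and the 183/365-day reading of “six months” and “12 months” are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
@dataclass
class Asset:
    name: str
    handles_ephi: bool              # creates, stores or transmits ePHI
    encrypted: bool
    migration_plan: bool = False    # written plan to move to encryption-capable technology
    last_vuln_scan: Optional[date] = None
    criticality: int = 3            # 1 = restore first under the 72-hour restoration procedure
SCAN_INTERVAL = timedelta(days=183)      # vulnerability scans every six months (assumed reading)
PENTEST_INTERVAL = timedelta(days=365)   # penetration test at least once in 12 months
RISK_INTERVAL = timedelta(days=365)      # risk assessment at least once every year
def overdue(last: Optional[date], interval: timedelta, today: date) -> bool:
    return last is None or today - last > interval

def inventory_findings(assets, today):
    """Per-asset findings: unencrypted ePHI devices lacking a written plan, stale scans."""
    out = []
    for a in assets:
        if a.handles_ephi and not a.encrypted and not a.migration_plan:
            out.append((a.name, "ePHI device not encrypted and no written migration plan"))
        if overdue(a.last_vuln_scan, SCAN_INTERVAL, today):
            out.append((a.name, "vulnerability scan overdue"))
    return out

def program_findings(last_pentest, last_risk_assessment, today):
    # Entity-wide cadences that are tracked once, not per asset.
    checks = [(last_pentest, PENTEST_INTERVAL, "penetration test overdue"),
              (last_risk_assessment, RISK_INTERVAL, "annual risk assessment overdue")]
    return [msg for last, interval, msg in checks if overdue(last, interval, today)]

def flow_gaps(assets, flows):
    """Network-map check: flow nodes not inventoried as ePHI-handling assets are gaps."""
    known = {a.name: a for a in assets}
    gaps = {n for src, dst in flows for n in (src, dst)
            if n not in known or not known[n].handles_ephi}
    return sorted(gaps)

def restore_order(assets):  # criticality 1 first, then by name for a stable sequence
    return [a.name for a in sorted(assets, key=lambda a: (a.criticality, a.name))]
# Constructed sample inventory and ePHI flow map; names are hypothetical, not real systems.
TODAY = date(2025, 3, 7)
ASSETS = [
    Asset("ehr-db", True, True, last_vuln_scan=date(2025, 1, 10), criticality=1),
    Asset("billing-app", True, True, last_vuln_scan=date(2024, 6, 1), criticality=2),
    Asset("clinic-laptop-07", True, False, migration_plan=True, last_vuln_scan=date(2025, 2, 1)),
    Asset("usb-cam-02", True, False),
    Asset("lobby-kiosk", False, False, last_vuln_scan=date(2025, 2, 20)),
]
FLOWS = [("clinic-laptop-07", "ehr-db"), ("ehr-db", "billing-app"),
         ("billing-app", "clearinghouse-sftp"), ("lobby-kiosk", "ehr-db")]
```

The kiosk shows up as a gap because the flow map says it sends ePHI to the EHR database while the inventory says it does not handle ePHI; that disagreement is exactly what the network map is meant to surface.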

Be Proactive Rather than Reactive in Cybersecurity Measures

Constantly evolving technologies are enabling complex tasks to be simplified. These include new tools for faster and more accurate diagnoses, effective treatments, and more efficient administration. HHS reminds healthcare providers that they “must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” [6] before implementation. The instructions for satisfying the access control standard are found at 45 CFR 164.312(a)(2). Unique user identifiers: the implementation specifications address unique user identifiers, emergency access procedures, automatic logoff, and encryption and decryption. “The implementation specification for unique user identification requires a regulated entity to assign unique identifiers to users to facilitate the identification of specific users of an information system. By assigning a unique identifier to each user, a regulated entity can track the specific activity of that user when they are logged into an information system and hold the user accountable for the functions they perform in the information system when they access that system.” [7]

Practice HIPAA Cybersecurity Hygiene at all Levels

You would be well advised to follow industry best practices such as the elimination of default passwords, adoption of MFA, institution of offline backups, installation of critical patches within a reasonable time, implementation of minimum standard security controls, and transparency of impact and vulnerability disclosures. Further, HHS has suggested that regulated entities adopt a risk-based approach in their security program, performing the risk analysis in a manner that conforms with guidance from NIST and CISA. In the NPRM, a definition of multifactor authentication has been added.

Conclusion

The HHS has not proposed anything revolutionary in its NPRM. It has stressed the importance of relying on industry best practices: using appropriate anti-malware, and strengthening data security through stronger, more effective access controls with stronger password policies and multifactor authentication, backed by network segmentation.

If You Need Guidance or Immediate Assistance

For help in identifying vulnerability gaps, penetration testing, setting up access controls, creating HIPAA-compliant data security policies and procedures, and other compliance needs:

Get in touch with us at: service@friggp2c.com, amit.sarkar@friggp2c.com, or Call us at: +1 (905) 261-9124  |  +1 (905) 261-9123  |  +1 (866) 907-7227  |  +91 733-113-2288

About the Authors

Amit Sarkar (amit.sarkar@friggp2c.com) is the Founder of Frigg Business Solutions at Sheridan, Wyoming, USA, and Hyderabad, Telangana, India. He is a seasoned writer whose articles have been published by HCCA and SCCE. He is a former CEO of a US Healthcare Regulatory Compliance service organization, and a senior global leader in HIPAA Compliance, IT Security, Risk Management, and Compliance Governance.

He is a tenured business leader with over two decades of experience leading organizations across multiple domains, including healthcare. He has seen the impact of security breaches first hand and has become a passionate advocate for security and compliance preparedness in organizations.

Ayan Chatterjee, Cybersecurity Marketing expert

Image Credit: Designed by Freepik and by vectorjuice / Freepik