Get the eBook: Upcoming Updates to the HIPAA Security Rule

 

The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule. This modernization effort aims to better address today's cybersecurity threats and align with more mature frameworks like NIST CSF and NIST SP 800-53. While the rule is not yet finalized, it is expected to be finalized by late 2025. This blog explores the upcoming changes and reasons to proactively address them.

 

Why is HIPAA Updating Security Rules Now?

 

Healthcare remains a prime target for cyberattacks, with IBM reporting a staggering 239% increase in cyberattacks on healthcare since 2018.

Patient records now average $50 per record on the dark web. HHS wants to ensure healthcare organizations, including Covered Entities and Business Associates, have stronger, clearer safeguards in place to protect sensitive information.

 

What Organizations are Impacted?

 

Any organization handling electronic Protected Health Information (ePHI) will be affected. This includes:

  • Healthcare providers (hospitals, clinics, private practices)
  • Health plans and insurers
  • Clearinghouses
  • Business associates (e.g., MSPs, cloud hosting providers, EHR vendors)


Significant Proposed Changes to HIPAA

 

 

Proposed HIPAA Security Rule Updates Include:

  • Annual Security Risk Assessments (SRAs)
  • System and asset inventories
  • Mandatory encryption of ePHI at rest and in transit
  • Multifactor Authentication (MFA) for privileged/admin access
  • Clear documentation and testing of audit logging, vulnerability management, and incident response plans
  • Formalized documentation and testing of contingency, disaster recovery (DR), and backup plans
  • Business Associate Agreements (BAAs) must include explicit terms for breach response, logging, encryption, and annual reviews
  • New focus on third-party tracking technology (e.g., cookies, session replay) as a source of unauthorized disclosure
  • Enhanced workforce training expectations

Reduced Breach Notification Timelines:

  • From 60 days to 30 days
  • Breaches affecting 500+ individuals must be reported within 72 hours


Is HIPAA Enforcing These Changes?

 

Not yet. The proposed rule is currently in the public comment phase, with final rulemaking expected later in 2025. However, early adoption is encouraged as many of the changes align with security best practices already recommended under NIST, ISO 27001, and CMMC.

 

Risks of Not Preparing Now

 

Organizations that delay preparation may face:

  • Higher costs of rushed compliance later
  • Missed opportunities for phased budgeting and implementation
  • Greater regulatory scrutiny if a breach occurs
  • Potential legal and reputational damage due to a lack of due diligence

 

GET THE FREE EBOOK

Navigating Upcoming Updates to the HIPAA Security Rule

 

Dive deeper into upcoming HIPAA security rule changes in our eBook! Navigate these updates with confidence with guidance from the IT experts at Sourcepass.

What's Inside:

  • The Role of an MSP in Ensuring Compliance
  • Benefits of Partnering with an Experienced MSP
  • Responsive Service & HIPAA Compliance
  • Choosing the Right MSP
 

 


 

 

Can You Wait Until the Final Rule is Published?

 

While you can wait, it is not advised. Many of the proposed changes are aligned with already accepted best practices (e.g., encryption, MFA, asset inventory). Waiting may:

  • Increase cost and complexity
  • Show lack of due diligence in the event of a breach or audit
  • Miss chances to improve security posture now

 


How Sourcepass Helps Healthcare Providers Prepare

 

Our Risk Advisory, Security Engineering, and Incident Response (IR) teams can assist with:

  • Security Risk Assessments (SRAs) 
  • Gap assessments and readiness checklists 
  • Roadmap development for HIPAA modernization 
  • Cybersecurity maturity benchmarking 
  • Incident response planning and tabletop exercises 
  • Support with vendor risk management processes 
  • Discovery session to understand existing environments

 

Stay Ahead of the Curve with Sourcepass Managed IT for Healthcare Organizations

 

By proactively addressing these changes, healthcare organizations can better safeguard patient information and ensure compliance with evolving regulations.

Contact Sourcepass to speak with a Sourcepass Specialist to learn more, or download a copy of our eBook.

 
