HHS Tightens the Reins: What the New HIPAA Rules Mean for Healthcare

By Mike Wildsmith, Managing Consultant for Avertium

A LANDMARK MOVE FOR HEALTHCARE CYBERSECURITY: THE NEW HIPAA NPRM

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) aimed at improving cybersecurity for healthcare organizations. These proposed changes to the HIPAA Security Rule are designed to enhance the protection of electronic protected health information (ePHI) against internal and external threats. In this blog, we’ll explore the proposed regulations, their implications for healthcare entities, and why these changes are significant for the future of cybersecurity in the healthcare sector.

key facts about the proposed hipaa regulations

The NPRM issued by the HHS/OCR outlines several significant changes to the HIPAA Security Rule. Here are the key details:

• All Security Rules will now be required, removing the previous designation of some as “addressable.”
  
  
• Organizations must formally document, implement, and review all required administrative, physical, and technical safeguards regularly.
  
  
• The proposed regulations aim to align the HIPAA Security Rule with other commonly adopted cybersecurity frameworks, such as the NIST Cybersecurity Framework (CSF).
  
  
• The timing of this NPRM aligns with the previously released voluntary Cybersecurity Performance Goals, issued on January 24, 2024.
  
  

Related Resource Blog: Everything You Need to Know About HIPAA Compliance

implications for healthcare organizations

The proposed changes will have wide-reaching implications for covered entities, treatment providers, health plan organizations, and business associates:

1. Strengthened Safeguards → Healthcare organizations will need to adopt more rigorous measures to protect ePHI from evolving cyber threats.
   
   
2. Increased Accountability → Removing the “addressable” classification means all safeguards must be implemented without exception.
   
   
3. Alignment with Established Framework → Better alignment with the NIST CSF will provide clearer guidance on cybersecurity best practices.
   
   
4. Cost Considerations → Organizations that have not previously addressed basic cybersecurity practices may face significant costs to meet the new requirements.

compliance timeline and expectations

If the proposed rule is approved and the modifications are finalized, healthcare organizations will likely have a one-year compliance period. This means entities must ensure full compliance within a year of the rule’s publication in the Code of Federal Regulations (CFR). This timeline mirrors the approach taken with changes introduced in 2013.

Related Resource eBook: Essential Guide to HIPAA Compliance

expert opinion on the proposed changes

The HIPAA regulations saw significant focus after the release of the HIPAA Omnibus Act in 2013, especially with the introduction of a defined audit program within the OCR. Since then, fines, sanctions, and breaches have underscored the importance of compliance. However, the guidelines remained broad, often leaving organizations without clear directives on how to achieve compliance.

The proposed changes could provide the much-needed clarity, addressing the “how” with more descriptive requirements. Given the increasing frequency and severity of security breaches, these updates are not surprising and should prompt healthcare organizations to prioritize their cybersecurity budgets.

conclusion

The proposed modifications to the HIPAA Security Rule mark a pivotal moment for cybersecurity in the healthcare sector. By mandating comprehensive safeguards and aligning with established frameworks, the changes aim to fortify the protection of sensitive health information. While compliance may come with challenges, including potential costs, these updates are essential for addressing the persistent threat of cyberattacks. Healthcare organizations must act proactively, ensuring they are prepared to meet these new standards and contribute to a more secure future for patient data.

How avertium can help

At Avertium, we specialize in helping healthcare organizations navigate complex compliance requirements like the proposed HIPAA Security Rule updates. Our team of experts can assist you in:

• Conducting comprehensive HIPAA risk assessments to identify gaps in your current cybersecurity posture.
• Implementing and documenting all required administrative, physical, and technical safeguards.
• Aligning your security practices with frameworks such as the NIST Cybersecurity Framework (CSF).
• Providing ongoing monitoring and support to ensure your organization stays in compliance.

Customers that invest in Microsoft's security platform also have the opportunity to achieve security and compliance objectives, by leveraging Avertium as a comprehensive partner. Avertium offers services for MXDR, Identity and Access Management, security architecture and integration, etc. that satisfy critical compliance controls, as well as security best practices"

With a proven track record of supporting healthcare entities, Avertium is your trusted partner in building robust cybersecurity defenses. Contact us to learn more about our HIPAA compliance services and certification program. Let us help you meet these new requirements with confidence.