New HIPAA Rule Enhances Protection for Electronic Health Data

03.01.2025


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed updates to the HIPAA Security Rule to enhance protections for electronic protected health information (ePHI) amid rising cybersecurity threats in the healthcare sector. These updates are part of a broader effort to modernize compliance standards and strengthen the resilience of healthcare organizations against cyberattacks.

Originally established in 1996, the HIPAA Security Rule sets national requirements for safeguarding ePHI, applying to healthcare providers, health plans, clearinghouses, and their business associates. The proposed revisions eliminate outdated provisions, clarify existing requirements, and introduce more stringent safeguards, including mandatory encryption, multi-factor authentication, and detailed risk assessments for electronic systems.

Key updates include requiring regulated entities to maintain an up-to-date technology asset inventory, develop comprehensive incident response plans, and ensure all policies and procedures are documented in writing. Additionally, business associates and subcontractors must certify their adherence to these technical safeguards annually, emphasizing accountability across the healthcare supply chain.

HHS’s proposed rule aligns with the Biden Administration’s National Cybersecurity Strategy and builds on initiatives such as the Healthcare Sector Cybersecurity Concept Paper. Stakeholders are encouraged to provide feedback during a 60-day public comment period, reflecting the federal government’s commitment to balancing robust data protection with operational practicality.

If finalized, these updates would represent a significant step forward in protecting healthcare data from evolving cybersecurity threats, setting a stronger standard for the industry.
