2025 HIPAA Updates: Changes to HIPAA Security Rule

The HHS is set to finalize HIPAA updates in 2025. See the latest changes to the HIPAA Security Rule to prepare for the upcoming revisions‍

The Department of Health and Human Services (HHS) announced changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that would strengthen cybersecurity protections for electronic protected health information (ePHI). The Notice of Proposed Rulemaking was published on January 6, 2025, and is open to public comments until March 7, 2025. The proposed 2025 HIPAA updates represent the first changes to the HIPAA Security Rule since its initial release in 2003 and its most recent revision in 2013.  

What are these changes necessary?  

As cybersecurity threats continue to evolve, gaps and uncertainties in current HIPAA regulations are becoming more apparent. At the same time, the legislative framework surrounding HIPAA struggles to keep up with rapid technological advancements leaving many emerging threats unaddressed. This ever-changing cybersecurity landscape weakens the effectiveness of HIPAA safeguards and contributes to a growing number of PHI breaches. Over the past five years, the Office for Civil Rights (OCR) has reported a 102% increase in large HIPAA breaches (those affecting 500 or more individuals), with the number of individuals impacted by these breaches surging by a staggering 1002%. As of November 30, 2024, over 180 million individuals had their PHI exposed in major healthcare data breaches.  

The proposed 2025 HIPAA updates represent a significant revision of the HIPAA Security Rule. It introduces new requirements aligned with modern cybersecurity best practices, methodologies, and procedures to enhance protection against both internal and external threats. Let’s dive deeper into proposed changes to HIPAA Security Rule.

The Key Changes Proposed to HIPAA Security Rule

The large healthcare data breaches have highlighted common deficiencies in HIPAA Security Rule compliance. The proposed rule addresses these common areas of noncompliance by including the latest cybersecurity guidelines, best practices, methodologies, procedures, and processes to improve ePHI security.  

The whole list of the proposed HIPAA security rule updates can be found in the Notice of Proposed Rulemaking. In this blog we aim to uncover the key HIPAA updates that upgrade Security Rules guidances on ePHI security:  

2025 HIPAA changes propose new, added, or modified definitions;

New added, clarified, or modified definitions

The changes to the HIPAA Security Rule include a lot of new added or modified definitions aimed at better corresponding with modern cybersecurity realities. For example, the proposed new terms include electronic information systems, multi-factor authentication, risk, threat, and vulnerability. The definitions for clarification or modification would include authentication, availability, confidentiality, information system, security incident, workstation, etc. By adding and clarifying key terms, these updates will help organizations implement more effective security measures to protect ePHI.  

Let’s take MFA as an example. The current version of the HIPAA Security Rule includes several technical provisions that require organizations to identify and authenticate users accessing sensitive information and systems. Although many organizations already use MFA as best practice to enhance authentication, many still solely rely on combinations of usernames and passwords.  

Recognizing that such combinations are insufficient to secure sensitive information, it is proposed to define the term multi-factor authentication with further making it an obligatory authentication step. Thus, all HIPAA covered entities should be ready to apply MFA for authenticating users’ identities through verification of at least two of three categories of factors of information about the user:

• something the user knows (e.g. password or PIN);
• something the user possesses (e.g. token or smart identification);
• something the user is (e.g fingerprint, facial recognition).

Removal of the addressable implementation specifications

One notable change is the removal of the distinction between required and addressable implementation specifications, with the latter removed in the proposed updates to HIPAA Security Rule. The main concern about the addressable implementation specifications is that organizations believe them to be optional. This misunderstanding led organizations to skip using the implementation specification, even when it would have made sense and been the right choice for them. Thus, removing the addressable implementation specifications makes it clear that all requirements must be implemented.

2025 Updates to HIPAA administrative safeguards

The Security Rule defines administrative safeguards as administrative actions, policies, and procedures to manage the implementation, selection, and maintenance of security measures to protect ePHI and to manage the workforce conduct concerning the protection of that information. Here are some of the key changes proposed to HIPAA administrative safeguards:  

‍Technology asset inventory and network mapping. As part of the proposed HIPAA update, technology asset inventory and network mapping would become a key administrative requirement. Organizations would need to develop and regularly update a technology asset inventory and network map that tracks the movement of ePHI across their systems. This should be done at least annually and whenever there are changes to the organization's environment or operations that could affect ePHI.  

‍Risk analysis. The proposed updates to the HIPAA Security Rule would require greater specificity for conducting a risk analysis. The updates HIPAA risk analysis would leverage NIST risk assessment guidelines along with NIST Cybersecurity Framework as the main risk assessment framworks. The improved risk assessment under the HIPAA Security Rule would include:

• a review of the technology asset inventory and network map;
• the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
• the identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
• and an assessment of the risk level for each identified threat and vulnerability based on the likelihood that each identified threat will exploit the identified vulnerabilities.

Annual Security Rule compliance audits. HIPAA-regulated entities would be required to conduct a HIPAA Security Rule compliance audit on an ongoing basis, but at least once every 12 months, and when there is a change in the regulated entity’s environment or operations that may affect ePHI.  

‍Contingency planning and security incident response. As part of the proposed HIPAA Security Rule revisions, organizations would be required to establish written procedures for restoring electronic information systems and data within 72 hours of a disruption. This includes conducting an analysis to determine the criticality of systems and assets, setting restoration priorities, and creating clear security incident response plans. Additionally, entities would need to implement procedures for reporting security incidents, responding effectively, and regularly testing and updating these plans.

Expected changes to HIPAA physical safeguards

The HIPAA Security Rule defines physical safeguards as physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, as well as unauthorized intrusion. The proposed changes to the rule include but are not limited to the following:  

‍Recognize the increasingly mobile nature of ePHI. The proposed HIPAA updates have several changes that would recognize the increasingly mobile nature of ePHI and workstations that connect to the information systems of regulated entities. The purpose of these proposals is to ensure that regulated entities properly consider physical safeguards for all workstations, including those that are mobile, and not only those that are located in regulated entities’ facilities.  

‍Appearance of the term "Technology Asset Controls. One notable change in the proposed update to the HIPAA Security Rule is the shift from the term "Device and Media Controls" to "Technology Asset Controls." This change substitutes "hardware and electronic media" with the broader term "technology assets." The goal is to more accurately capture the diverse components that comprise a regulated entity’s electronic information systems. By adopting this updated terminology, the Department aims to provide clearer guidance on the physical safeguards required to protect ePHI when technology assets are managed within a facility.

2025 Changes to HIPAA Technical Safeguards

HIPAA technical safeguards are defined as “the technology and the policy and procedures for its use that protect ePHI and control access to it.  

With limited exceptions, HIPAA-regulated entities would be required to implement the following security measures:

• Encryption of all ePHI at rest and in transit
• Multi-factor authentication
• Firewalls and network segmentation
• Configuration management
• Vulnerability scanning at least every 6 months
• Penetration tests at least every 12 months
• Anti-malware protection
• Removal of extraneous software from relevant electronic information systems
• Disable network ports in accordance with the regulated entity’s risk analysis.
• Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
• Review and test the effectiveness of certain security measures at least once every 12 months.

Annual verification of business associates’ and contractors’ technical safeguards

One of the proposed changes to the HIPAA Security Rule would require business associates to have a subject matter expert verify, at least annually, that they have implemented the necessary technical safeguards to protect ePHI. This requirement would also extend to contractors working on behalf of business associates. This proposed change would significantly enhance ePHI security by ensuring that business associates consistently meet the required technical safeguards to protect sensitive patient data. Regular verification will help identify and address any vulnerabilities or gaps in security before they can be exploited. Additionally, holding contractors accountable to the same standards strengthens the overall security framework, reducing the risk of breaches across the entire supply chain.

Notification Requirements

The proposed change would require covered entities and business associates to notify each other within 24 hours when a workforce member’s access to ePHI or critical electronic systems is altered or terminated. Additionally, business associates would need to promptly inform covered entities when they have enacted their contingency plans, with notifications sent no later than 24 hours after implementation. This requirement would improve ePHI security by ensuring swift communication and response in cases of unauthorized access or system disruptions. Timely notifications enable organizations to quickly assess and mitigate potential risks, minimizing the impact of security incidents and safeguarding sensitive patient data.

Important Considerations for Healthcare Executives

While the proposed HIPAA updates include many new requirements that will be easy to implement, some of them will be particularly challenging. If the changes are finalized, healthcare organizations will need to take a proactive approach to cybersecurity. Here’s what should be prioritized:

• Update your organization’s policies and procedures to comply with the new requirements.
• Ensure your teams are properly trained and equipped to meet the updated standards.
• Assess and improve your organization’s technical safeguards to align with the enhanced cybersecurity measures.
• Establish clear procedures for restoring systems and data, and ensure your workforce understands how to respond to security incidents.
• Review contracts with business associates and ensure they meet the new security requirements, including regular verification of technical safeguards.
• Implement continuous monitoring and periodic audits to ensure compliance and address any emerging threats or vulnerabilities.

The public comment period for the proposed rule ends on March 7, 2025. This is a critical opportunity for healthcare leaders to provide input and help shape the final changes.

Stay Updated with HIPAA Security Rule Changes with Planet 9

Planet 9 HIPAA-compliance services offer a comprehensive approach to ensuring and maintaining HIPAA compliance taking into account all updates and amendments. We are your HIPAA compliance partner and we will help you to:

• Perform a HIPAA evaluation to identify safeguards in place and compliance gaps.
• Keep up to date with the main changes to HIPAA rules and regulations.
• Conduct a risk assessment to identify risks to ePHI.
• Developing a roadmap for addressing the identified compliance gaps and risks.
• Assisting the client in executing the roadmap.

You can also utilize the Planet 9 HIPAA Vitals application to assess your HIPAA compliance. The HIPAA Vitals assessment is based on several reputable sources, including the Office of Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and years of experience implementing HIPAA requirements in different organizations by our professionals.

Schedule a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals.