
The Proposed HIPAA Security Rule Changes You Need to Know

Healthcare Assessments | HIPAA

Published: Apr 8, 2025

The HIPAA Security Rule was first introduced in 2003 as part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. A major update to the HIPAA Security Rule then occurred in 2013, as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Although that update was 12 years ago, and technology has changed significantly since then, it still stands as the most recent one.

To put the timing of the most recent HIPAA Security Rule update into perspective, you might have been browsing the newly launched Vine video-sharing app on your iPhone 5 when it occurred. Today, Vine has been shut down for 8 years already, and we’re now onto the iPhone 16. Since then, there has been widespread adoption of technologies like cloud computing, big data/data analytics, and telehealth—technologies that have significantly impacted how healthcare organizations use, transmit, and store ePHI. 

Updates to the HIPAA Security Rule

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) aimed at updating the HIPAA Security Rule. The goal is to enhance cybersecurity protections for electronic protected health information (ePHI). OCR explains that these updates are meant to help strengthen cybersecurity for organizations by addressing the growing cybersecurity threats facing the healthcare sector. 

The new updates to the HIPAA Security Rule, as proposed in the NPRM, do not have an immediate compliance deadline yet. However, if the rule is finalized, regulated entities will typically be given a designated period of time to implement the changes. You can find the NPRM published in the Federal Register, and the OCR has also made a helpful fact sheet available. 

In this article, we’ll give an overview of the changes to the HIPAA Security Rule that will likely take effect once the rule is finalized and implemented. You may have some time yet before that happens, but with this information, you’ll have the chance to get ahead of the game in making any internal updates the new HIPAA Security Rule will require.

3 Key Categories for the HIPAA Security Rule Changes 

We say the following changes are “likely” because, while they were all included in the HHS’ related NPRM published in December 2024, not all will necessarily be included in the Final Rule. HHS had an open comment period that ran through March 7th, 2025, and is now consolidating the feedback and analyzing modifications. The following list is not exhaustive; you can view the full NPRM here.

That said, here are some of the likely key changes that will affect your policies and procedures when the new rule does become effective:

1. General and Administrative

The proposed Security Rule update includes general requirements as well as ones regarding the Administrative Safeguards that organizations will not only want to be aware of, but will also be mandated to implement, including: 

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
    • The limited exceptions mentioned above are solely focused on encryption of ePHI (refer to encryption details below in section 2. Technical Safeguards).
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  • Add specific compliance time periods for many existing requirements (refer to details below in section 3. Compliance Time Periods). 
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. 
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things: 
    • A review of the technology asset inventory and network map.
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities. 
  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans. 

2. Technical Safeguards

The OCR proposes that the Security Rule include specific minimum cybersecurity hygiene requirements that reflect modern industry best practices. As a result, there are proposed updates to the Technical Safeguards aimed at strengthening cybersecurity among regulated entities to help curb the increase in ransomware attacks and breaches that impact the confidentiality, integrity, and availability of ePHI, such as: 

  • Require encryption of ePHI at rest and in transit, with limited exceptions. An exception only applies if the following conditions are met: 
    • Each exception applies only to the ePHI directly affected by the circumstances described in the specific exception. 
    • Each exception applies only to the extent that the regulated entity documents its understanding that the exception applies to the scenario in which the regulated entity relies upon the exception and why or how the exception applies, and that any additional applicable conditions are met. 
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include: 
    • Deploying anti-malware protection. 
    • Removing extraneous software from relevant electronic information systems. 
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Require the use of multi-factor authentication (MFA), with limited exceptions. An exception only applies if the following condition is met: 
    • A technology more secure than MFA is used to authenticate users. HHS notes, however, that it may not further define this exception unless such a more secure technology emerges.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems. 

3. Compliance Time Periods

The HHS aims to remove ambiguity by adding specific compliance timeframes for many existing requirements. This is important because regulated entities may already be performing the procedures listed below, but they should ensure that these procedures are completed within the updated timeframes: 

  • Compliance Time Periods of 24 hours: 
    • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated. 
    • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation. 
    • Require group health plans to include in their plan documents requirements for their group health plan sponsors to:  
      • comply with the administrative, physical, and technical safeguards of the Security Rule;  
      • ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and  
      • notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation. 
  • Compliance Time Periods of 72 hours:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours. 
  • Compliance Time Periods of 6 months: 
    • Require vulnerability scanning at least every 6 months.
  • Compliance Time Periods of 12 months: 
    • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements. 
    • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. 
    • Require penetration testing at least once every 12 months. 
    • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures. 

Next Steps for HIPAA Compliance 

Although these changes are still proposed and not yet finalized, covered entities and business associates should be aware of them and their potential implications, as you’ll need to update your policies and procedures to remain in compliance. In fact, the significance and breadth of these modifications will also necessitate retraining your staff on the HIPAA Security Rule.

Despite there not being a defined timeline yet to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help you identify any issues with current or future processes that could hinder implementation or compliance. 

To help you get started, first look at your current compliance with the Security Rule regulations—making sure you are compliant with those will save you from being caught off guard by gaps in your existing operations as you try to implement what’s necessary to accommodate these updates. If you’re ready to begin your HIPAA Compliance journey, or have any questions about the process or requirements, Schellman can help. Contact us today to learn more about our services and we’ll get back to you shortly. 

In the meantime, for more information on HIPAA compliance, make sure to check out our other HIPAA content on varying aspects that can help you avoid being tripped up by the complexities of this law, including information on a specialized service offered by Schellman: 

About Vinnie Minosky

Vinnie Minosky is a Manager with Schellman based in Columbus, OH, focusing primarily on SOC examinations. Vinnie has been with the firm for three years and prior to joining Schellman, he worked as a Senior IT Assurance Auditor at a large public accounting firm in Columbus, performing financial audit support and SOC audits across various industries. He has over six years of audit experience and maintains multiple certifications including: CISSP, CISA, and ISO 27001 Lead Auditor.