Coronavirus Resources
powered by LeadingAge New York
  1. Home
  2. » Topics
  3. » Technology
  4. » Resources & Links
  5. » HHS Proposes Changes in HIPAA Security Rule

HHS Proposes Changes in HIPAA Security Rule

(Jan. 6, 2025) The U.S. Department of Health and Human Services (HHS) has released proposed changes in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule governs the technical, administrative, and physical safeguards that covered entities must implement to protect electronic protected health information (ePHI) and has not been substantively updated since 2013. Public comments on the proposed changes are due on March 7, 2025.

The proposed changes, summarized in a fact sheet here, include, among other proposals, the following:

  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis.
  • Require greater specificity for conducting a risk analysis.
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen requirements for contingency planning and incident response, including, for example, written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  • Require a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
  • Require deployment of anti-malware protection; the use of multi-factor authentication, with limited exceptions; vulnerability scanning at least every 6 months; and penetration testing at least once every 12 months.

The full text of the rule is here. LeadingAge National will be providing a more complete summary of the proposed rule.

Contact: Karen Lipson, klipson@leadingageny.org

Share

13 British American Blvd Suite 2
Latham, NY 12110
518.867.8383
518.867.8384 fax