The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule to address growing and evolving threats to PHI. The Notice of Proposed Rulemaking (NPRM) to modify HIPAA aim to close gaps in current standards by introducing more stringent requirements for risk management, technical safeguards, and organizational processes. Let’s examine the proposed changes and delve into their potential impact on your healthcare organization in 2026 and beyond.
Why the HIPAA Security Rule is Changing
The healthcare industry has faced a 264% increase in ransomware attacks in recent years, highlighting vulnerabilities in existing security frameworks. These cyberattacks, coupled with increased regulatory scrutiny, have led the HHS to modernize the HIPAA Security Rule.
The proposed updates aim to strengthen cybersecurity practices, clarify compliance requirements, and ensure that ePHI remains secure across advanced technological landscapes, including cloud environments. Ultimately, the regulators are catching up with practices that healthcare organizations should already be leveraging to protect sensitive data.
Proposed HIPAA Security Rule Changes: Risk Analysis, Documentation & More
Eliminating Ambiguity in Implementation Specifications
What’s Changing: All implementation specifications will become mandatory, removing the distinction between “required” and “addressable,” and all Security Rule policies, procedures, plans, and analyses must now be documented in writing.
Implications:This clarification leaves no room for misinterpretation. Every control will need to be implemented, putting greater emphasis on thorough documentation and execution.
Action Steps: To ensure your organization stays compliant, take the time to review existing implementation standards and address any areas where compliance may have been overlooked, while also maintaining clear, well-documented policies as part of your overall compliance framework.
Upgraded Risk Analysis Requirements
What’s Changing: To protect sensitive ePHI and ensure compliance, organizations need to conduct thorough risk analyses, which include creating a detailed technology asset inventory and network map to track ePHI movement while identifying potential threats, vulnerabilities, and overall risk levels.
Implications: Risk management processes will require more precision and routine updates to secure systems effectively and address vulnerabilities proactively.
Action Steps: To stay ahead in protecting sensitive data like ePHI, leverage cloud-based tools to create real-time asset inventories and movement maps, while conducting quarterly risk assessments to ensure compliance and address potential vulnerabilities effectively.
Bolstered Contingency and Incident Response Plans
What’s Changing: The proposed change would require organizations to have written contingency plans to restore critical systems and data within 72 hours. It would also mandate detailed incident response plans outlining clear reporting processes and response strategies.
Implications: Organizations need more robust contingency frameworks and efficient response mechanisms to manage security breaches and data recovery.
Action Steps: Test contingency plans against real-world scenarios to validate response times, and train workforce members to recognize and report security incidents promptly.
Strengthened Auditing and Testing Standards
What’s Changing: The proposed changes require businesses to conduct annual compliance audits, perform vulnerability scans every six months, and carry out penetration tests once a year.
Implications: Regular audits and testing will enhance oversight but could challenge smaller organizations with more limited resources.
Action Steps: Healthcare organizations can consider partnering with external cybersecurity and compliance firms for audits and advanced testing. Organizations can enhance their healthcare cloud security by integrating automated scanning tools. These tools proactively detect potential threats or anomalies, allowing issues to be addressed before they escalate.
Enhanced Business Associate Oversight
What’s Changing: The new rule change requires business associates and their contractors to annually verify, through expert analysis and written certification, that they have implemented Security Rule safeguards to protect ePHI. Additionally, business associates must notify covered entities (and subcontractors must notify business associates) within 24 hours of activating contingency plans.
Implications: Accountability for business associates has increased, necessitating enhanced vendor oversight to ensure they comply with Security Rule requirements.
Action Steps: To prepare for this update, organizations should update business associate agreements to include annual reporting requirements, and ensure compliance by requesting and reviewing their documentation, including security certifications.
Expanded Technical Safeguards
What’s Changing:
To strengthen data security, key measures include mandatory encryption of all electronic protected health information (ePHI) both in transit and at rest, along with implementing multi-factor authentication (MFA), anti-malware protection, regular vulnerability fixes, and disabling unused network ports. Group health plans must ensure their sponsors follow strict Security Rule safeguards—covering administrative, physical, and technical protections—and require agents handling ePHI to do the same.
Implications: These clarified safeguards will ensure stronger protection against cyberattacks but demand significant system upgrades, especially for legacy infrastructure.
Action Steps: To prepare, organizations should consider the transition to cloud platforms with integrated technical safeguards, encryption, and MFA while scheduling routine vulnerability scans to proactively address weaknesses.
Compliance and Monitoring Enhancements
What’s Changing: New regulations now mandate annual reviews and testing of security measures, replacing the previous general maintenance requirements. Additionally, group health plan sponsors are required to implement compliance safeguards and provide notification to relevant entities within 24 hours if contingency plans are activated.
Implications: A more dynamic approach to monitoring security practices is necessary to meet these stricter rules, and timely communication with stakeholders will be critical for collaborative compliance.
Action Steps: Organizations should consider establishing frequent monitoring schedules to ensure ongoing evaluation of their security efforts. Leveraging automated solutions can help streamline this process and enhance efficiency. To set themselves up for success in managing incident responses, organizations should also create standardized communication templates, enabling quicker and more effective notifications during security events.
Preparing for Compliance with New HIPAA Standards
Healthcare compliance officers should adopt a proactive approach to prepare for these new regulations. Here are some practical steps to get ahead:
- Educate Your Team: Ensure all staff, especially those involved in IT, understand the proposed changes and any impact to their daily workflows.
- Invest in Scalable Cloud Solutions: Opt for cloud services tailored for healthcare compliance, with built-in tools for encryption, access control, and incident detection.
- Partner with Compliance-Focused Providers: Choose a partner that offers robust safeguards aligned with healthcare regulations like HIPAA and HITRUST. These providers ensure your cloud solutions meet regulatory requirements by offering built-in compliance tools, such as encryption, access monitoring, and incident management.
- Conduct a Gap Analysis: Identify areas where current security practices fall short of the proposed regulations, particularly in cloud environments.
- Enhance Business Associate Oversight: Review contracts and request security certifications from all cloud vendors and business associates.
- Leverage Automated Tools: Implement automation for monitoring, auditing, and incident response to meet compliance timelines efficiently.
- Stay Alert to Updates: Comment periods for the proposed rule are active until March 2025, so monitor announcements from HHS and OCR to stay informed.
Preparing for HIPAA Security Rule Changes
The proposed changes to the HIPAA Security Rule represent a pivotal moment for healthcare compliance in the era of advanced technology and cloud computing. By understanding the updates, healthcare organizations can strengthen their security posture and ensure compliance with evolving standards.
Compliance officers should prioritize collaboration with IT, legal, and cloud vendors to adapt policies and procedures effectively.
With careful planning and strategic investments, organizations can protect patient data while maintaining regulatory compliance.
