RKL eSolutions Blog Trends and Insights

HIPAA Changes in 2025: Implications and Challenges for Compliance


In January 2025, the Office for Civil Rights (OCR) proposed an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, introducing new cybersecurity requirements. The proposal surfaced amid a rise in cyberattacks targeting the U.S. healthcare system.

Proposed HIPAA Security Rule Changes

The proposed changes include new cybersecurity requirements and clarification of existing regulations. The new rule could remove the distinction between required and addressable implementation specifications, requiring all specifications to be implemented with limited exceptions. The proposal also focuses on improving risk identification and remediation, as many entities have been found non-compliant with cybersecurity specifications in previous compliance audits.

The comment period for these proposed regulations ends March 7, 2025, after which all comments will be reviewed and changes can be made. However, there is no definite timeline for when the new regulations could go into effect, since a grace period is expected after the comment period has closed.

Here are some of the key proposed regulations:

  1. Development of a technology asset inventory and network map
  2. Specific requirements for risk analysis
  3. Written procedures for restoring data within 72 hours
  4. Internal audits at least every 12 months
  5. Regular reviews, vulnerability scans, and penetration tests
  6. Technical safeguards for portable devices
  7. Timely implementation of patches and software updates
  8. Removal of extraneous software from relevant electronic information systems
  9. Encryption of all ePHI at rest and in transit
  10. Annual verification of business associates’ and contractors’ security measures

Challenges for Businesses

The proposed changes to the HIPAA Privacy Rule could significantly affect healthcare providers whose data privacy and security measures aren’t in line with the updated requirements. Unplanned updates to operational systems can create a significant administrative and economic burden. Implementing these changes would require updating HIPAA policies and procedures and training employees, possibly causing business disruptions.

One requirement that could cause significant administrative impact is the shortened timeframe for providing medical records upon request. Based on the number of financial penalties for HIPAA Right of Access violations to date, it's clear that some healthcare providers have struggled to provide records within 30 days. Reducing this period to 15 days could pose a significant challenge, especially with many administrative teams already spread thin. The proposed changes also include the requirement to provide copies of ePHI in the format requested by the individual, which could be problematic for those healthcare providers limited by their EHR system.

HIPAA and HITECH-Compliant Software Could Be the Answer

While seemingly minor, the proposed changes to HIPAA in 2025 could have considerable implications for HIPAA-covered entities that are unprepared. Given the uncertainty around the future of these changes, businesses should begin proactively planning for potential shifts in the regulatory landscape. Healthcare organizations can begin by documenting existing processes, flagging areas that will no longer be compliant under the revised regulations and considering the steps that will be required to bring those areas back into compliance.

Certified HIPAA and HITECH-compliant software like Sage Intacct is crucial in helping HIPAA-regulated businesses adjust and maintain compliance, confidently report and automate manual processes. Find out what Sage Intacct has to offer your business in the continually evolving HIPAA landscape and more.

Written by Molly Ford

Molly Ford is the Director of Sales at RKL eSolutions, supporting the Sage Intacct healthcare and senior living team. With over five years of experience in the ERP space, Molly helps prospective customers navigate value-driven evaluations to ensure they make the best decision for their organization.