On January 6, 2025, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).
Here’s a look at what’s different and how it’s going to shake things up.
What’s Changing? The Key Differences
1. Say Goodbye to “Addressable” Requirements
- Before: Some security measures were labeled “addressable,” meaning organizations could implement alternatives if they met the intent of the rule.
- Now: Nope. Everything is required—no more creative workarounds (with very few exceptions).
2. Paperwork, Paperwork, and More Paperwork
- Before: You needed documentation, but there was some wiggle room.
- Now: Every policy, procedure, risk assessment, and security plan must be documented. Oh, and you’ll need a network map and an inventory of every tech asset handling ePHI, updated at least annually.
3. Stronger Risk Analysis (a.k.a. No More Guesswork)
- The new rule explicitly requires a written risk assessment that includes:
  - A review of your tech inventory and network map.
  - Identification of all threats and vulnerabilities (because hoping hackers take the day off isn’t a strategy).
  - A risk level assessment for each threat—yes, you have to put it in writing.
4. Tougher Incident Response & Contingency Planning
- Before: Have a general contingency plan.
- Now:
  - Restore critical systems within 72 hours after an incident.
  - Report security incidents within 24 hours (no more “we’re looking into it” delays).
  - Test and revise your security plans every year—because the bad guys keep getting smarter, and so should you.
5. New Cybersecurity Must-Haves
- Encryption of ePHI at rest and in transit (no more excuses).
- Multi-Factor Authentication (MFA) required for system access (time to say goodbye to password-only logins).
- Mandatory tech controls, including:
  - Anti-malware protection (yes, still a thing).
  - Vulnerability scans every six months, penetration testing once a year.
  - Network segmentation to keep hackers from hopping between systems.
  - Backup and recovery protections (separate from your main systems, just in case).
6. Faster Reporting Requirements
- Access Changes: If someone gets fired or loses ePHI access, you have 24 hours to notify relevant parties.
- Business Associate Compliance: They have to certify compliance every 12 months—no more taking their word for it.
- Contingency Activation: If a business associate’s backup plan kicks in, they have 24 hours to tell their partners.
What This Means for HIEs, HINs, and Organizations Sharing Data Through Them
If you’re an HIE or HIN, these changes don’t just affect you—they’ll reshape how you operate. But you’re not the only ones feeling the impact—any healthcare organization sharing data through an HIE or HIN will also need to adjust to these new security expectations.
1. More Security, More Problems (at Least for Compliance Teams)
- Keeping a real-time network map and an updated inventory of every connected system isn’t just a suggestion anymore.
- HIEs/HINs will have to keep an even closer eye on partners to ensure compliance—because if someone in your network messes up, you could be held responsible too.
2. Stronger Enforcement = More Accountability for Everyone
- If you’re used to occasional security check-ins, those days are over. Annual compliance audits and continuous risk analysis are now mandatory.
- Business associates and organizations exchanging data through HIEs/HINs can’t slack off anymore—they need annual certification that they’re following security standards.
3. Tighter Timelines for Incident Response
- 72 hours to restore critical systems after an incident.
- 24 hours to report security breaches or access changes.
- If your network goes down, there’s no time to panic—just execute the plan.
4. Bigger Security Budget (Because Compliance Isn’t Cheap)
- MFA, encryption, vulnerability testing, and network segmentation all cost money—which means leadership will need to prioritize security investments.
- Smaller HIEs, HINs, and even the hospitals and providers exchanging data through them might struggle to afford all the new requirements, potentially leading to more consolidation in the industry.
5. Stricter Rules for Data-Sharing Organizations
- If your organization relies on an HIE or HIN to exchange patient data, expect stricter security assessments before connecting.
- HIEs/HINs will need to ensure that every entity exchanging ePHI through them is also compliant, meaning more oversight, more documentation, and more security reviews for hospitals, clinics, insurers, and other healthcare players.
- If you don’t meet the new security requirements, you could find yourself cut off from key data-sharing networks.
Final Thoughts: Brace Yourself for Compliance Overhaul
The proposed HIPAA Security Rule changes aren’t just minor tweaks—they’re a full-blown cybersecurity upgrade. While they aim to make healthcare data safer, they also come with a heavy compliance burden, especially for HIEs, HINs, and the organizations that rely on them for data exchange.
Bottom line: If these rules are finalized, healthcare security teams will be busier than ever, compliance officers will have more checklists than they know what to do with, and IT budgets might need some serious reallocation to cover all these new requirements.
Public Comment Period closes March 7, 2025.