Proposed Changes to HIPAA Security Rule Under Review, by Abbye Alexander, Esq., Christopher Tellner, Esq., and Henry Norwood, Esq., 5-22-2025

Posted May 22, 2025

Earlier this year, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI).

If implemented, this would represent the first major update to the rule since 2013, but the proposed rule has faced opposition in recent months, placing its status on shaky ground.

Current Status

The proposed rule, published in the Federal Register on January 6, 2025, was open for public comment until March 7, 2025, by which time OCR had received more than 4,600 comments. Those comments are under review, but in the meantime the rule, proposed under the Biden administration, has drawn backlash from industry groups concerned about the compliance burden it would impose.

In February 2025, several industry associations, including the College of Healthcare Information Management Executives (CHIME), co-signed a letter to President Donald Trump and the HHS Secretary expressing their “unified opposition” and requesting rescission of the proposed regulation.

Among its criticisms, the letter contends that the proposed rule does not take into account P.L. 116-321, which was signed into law on January 5, 2021 under the Trump administration. “This law explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the Security Rule. Yet, this proposed regulation fails to address or incorporate that legal requirement, directly contradicting existing statute,” the letter notes.

According to HHS, the proposed rule responds to the rise in cyberattacks on the healthcare industry by updating the Security Rule’s standards to better address the growing cybersecurity threats facing the health care sector.

Key Proposals

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with a significant number of new proposals and clarifications, including the below outlined in an agency fact sheet:

  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things, a review of the technology asset inventory and network map and identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen requirements for contingency planning and security incident response. Specifically, regulated entities would be required, for example, to establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include deploying anti-malware protection.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

Fort Lauderdale Partner Avery Dial, Chair of KD’s Data Privacy and Cybersecurity Practice Group, offers more details about the rule in a Part B News article.

Whether the rule will be finalized remains to be seen, but covered entities should remain mindful that data protection and cybersecurity continue to be priorities for HHS.

OCR’s Enforcement Authority

Potential violators of the Security Rule could face enforcement measures by OCR.

HHS’ OCR is tasked with enforcing the HIPAA Privacy, Security, and Breach Notification Rules. OCR enforces HIPAA requirements by investigating HIPAA complaints, performing compliance reviews, and providing covered entities with compliance guidance. OCR is only permitted to act on complaints if: the allegedly at-fault party is a covered entity or a business associate; the alleged misconduct involves a violation of either the HIPAA Privacy Rule or the Security Rule; and the complaint is filed within 180 days of the time when OCR knew or should reasonably have known of the alleged violation.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect. The NPRM with more information can be found here.

Kaufman Dolowich will continue to monitor developments.

Authors: Abbye Alexander and Christopher Tellner, Co-Chairs of Kaufman Dolowich’s Managed Care/Health Care Practice Group, and Of Counsel Henry Norwood
