At the end of 2024, the federal government began updating the data security rules under the Health Insurance Portability and Accountability Act (HIPAA), a change that could have big implications for healthcare companies.
Now, you may think, “That happened under the old President; the new President might not follow through on those plans.” That’s certainly something a lot of us are considering when it comes to federal regulations, and often, the best thing to do is wait and see what happens next.
However, believe it or not, bipartisan agreement does still exist in some areas. One of those areas is cybersecurity, as lawmakers on both sides of the aisle see that online crime is surging year-on-year. Hackers are having a devastating effect on all aspects of the economy, especially on healthcare companies (and the people who rely on those companies).
Consider these recent stats:
U.S. healthcare companies lost $1.9 billion last year to hackers
The biggest healthcare data breach in history occurred in 2024, when the Change Healthcare breach exposed the records of 100 million people
Stolen electronic Protected Health Information (ePHI) is becoming one of the main drivers of identity fraud
Vulnerabilities exist along the entire healthcare supply chain
Most healthcare companies work hard to protect their patients’ ePHI, but hackers are working hard too. And even if your company does everything to protect ePHI, the fact is that you’re only as secure as the weakest link in your supply chain.
For these reasons and more, the government is likely to go ahead and implement the biggest change to HIPAA since 2013.
First, the good news. HIPAA still only applies to covered entities: health plans, health care clearinghouses, health care providers, and the business associates of those companies. If you’re not affected by HIPAA right now, that won’t change.
You can read the full text of the proposed changes on the HHS website, but here’s a quick summary:
Everything is “required”: HIPAA rules are currently defined as “required” (you must implement) or “addressable” (you’re advised to implement, but you can follow your own best practices). Under the proposed new rules, all HIPAA specifications will become required.
Improved local security: Most systems with access to ePHI will now require multi-factor authentication (with some limited exceptions). You’ll also need a plan to deliver security measures across the organization—for example, by installing malware protection on every authorized device.
Processes must be documented: A lot of the new rules deal with process documentation, including your security policies and auditing methodologies. It’s a good idea to have these processes documented anyway, but new HIPAA rules might require you to present your documentation to an external auditor.
Specific guidelines for risk analysis: Your risk analysis will need to go into detail about your technology assets, network map, anticipated threats, potential vulnerabilities, and likely impact of a data breach.
Encrypt all ePHI data: The guidelines don’t specify what level of encryption to use. However, you will need to encrypt data when it’s in transit and when it’s at rest. This may involve working with third parties to agree on encryption standards.
Regular testing schedules: You’ll need to conduct vulnerability scanning every six months and penetration testing every year. You will also need to conduct an annual review of all other security measures.
Things might change between now and the final implementation, which should occur later this year. However, in general, we can expect to see major changes in HIPAA rules in the future. This will probably mean more compliance work for healthcare companies. If it helps mitigate the risk of cybercrime, it might be worth it.
What do you think? Will the new HIPAA rules help keep data safe? Or is it just more bureaucracy? Leave a comment, and subscribe to get the next issue of 5-Minute Cybersecurity.