Healthcare GRC
HIPAA Security Rule 2025: Say Goodbye to "Good Enough"
Big changes are coming to HIPAA soon, bigger than we’ve seen in over a decade. The days of “good enough” security are numbered. This article breaks down what’s changing, why it matters, and how you can get ahead before compliance becomes crisis.
After 15+ years in healthcare compliance, I’ve never seen a shake-up, quite like theproposed HIPAA Security Rule overhaulpublished January of 2025. The Department of Health and Human Services (HHS) is raising the bar on Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance. This means new requirements are on the horizon, and preparation needs to start now.
What’s Changing? Everything “addressable” will become required.
Key proposals include:
- Annual risk assessments and audits: You will need to formally assess risks and audit the compliance of your HIPAA security program every 12 months. If you haven’t updated your risk analysis since the Obama administration, that won’t fly anymore.
- Mandatory encryption and MFA: Encryption of electronic health information (ePHI) (in transit and at rest) and multi-factor authentication (MFA) would be explicitly required for all systems involving ePHI. If a device or database holds ePHI, it must be encrypted, no exceptions.
- New security must-haves: Expect to maintain a detailed asset inventory and network map of all systems handling ePHI, perform vulnerability scans every 6 months, conduct penetration tests annually, and implement 72-hour disaster recovery plans. Business associates will likely have to annually certify their compliance to you, too.
The proposed changes aren’t final yet, but the writing is on the wall. Cyberattacks on healthcare have hit record highs, 2024 saw hundreds of millions of patient records compromised.
Regulators’ message is clear: tighten up security or face consequences. The Office for Civil Rights (OCR) has already been aggressively enforcing existing rules, especially around risk assessments.
How to Prepare
- Don’t wait until this rule is law
- Conducting a risk analysis against the proposed requirements is vital.
- Identify where your organization falls short
- For example, are you still allowing single-factor logins to remote systems? Is your last risk assessment older than a year? Flag those gaps today. Through a risk management process, identify priorities for remediation and start addressing the deficiencies.
- Update your policies and documentation in advance
- The new rule will demand written policies and proof of compliance activities. Begin drafting and compiling those now so you’re not scrambling later.
- Educate leadership on impending regulatory changes
- Executive buy-in comes easier when you can point to an HHS proposal that says, “do X or face penalties”.
- For instance, I used the 2020 Cures Act Final Rule to secure funding for long-overdue security upgrades, consolidating nearly 50 EHR systems into one.
- The result: centralized security, streamlined controls, lower costs, and improved compliance and patient access, a clear case of regulation driving modernization.
In summary, the proposed HIPAA Security Rule overhaul aims to bring healthcare security practices up to par with today’s threats. Acting early can strengthen your cybersecurity posture and ensure a smoother transition when the new requirements hit.
Finally, remember that you don’t have to navigate these changes alone. At Coalfire, we are closely tracking HIPAA rule updates.
Our Healthcare GRC team can identify precisely what needs to be done for your organization to meet the coming requirements.