HIPAA Security Rule 2025 Proposed Updates

Cybersecurity in Healthcare

Introduction

Cyberattacks on healthcare systems are rising at an alarming rate, putting patient safety and trust at risk. To address this, the Department of Health and Human Services (HHS) has introduced the HIPAA Security Rule 2025 Proposed Updates. These changes aim to enhance cybersecurity and better protect electronic protected health information (ePHI). Here’s what you need to know and how EPI Compliance is here to help.

Why the HIPAA Security Rule 2025 Proposed Updates Matter

Between 2018 and 2023, reports of breaches affecting 500+ individuals rose by 100%, with cyberattacks increasing by 264%. These breaches harm patients and create challenges for providers. The HIPAA Security Rule 2025 Proposed Updates address these risks with stronger safeguards, ensuring trust in the healthcare system.

Key Changes in HIPAA Security Rule 2025 Proposed Updates

  1. Written Policies and Documentation:
    All security policies and procedures must now be written, tested, and regularly updated. Goodbye to “addressable” specs; everything will now be mandatory with limited exceptions.
  2. Clearer Definitions & Compliance Timelines:
    The definitions of what counts as protected information and systems will be updated to reflect today’s tech landscape. Plus, compliance deadlines for certain rules will be more specific.
  3. Asset Inventory & Network Mapping:
    Every organization will need an up-to-date inventory of tech assets and a map showing how electronic protected health information (ePHI) flows through their systems. These must be updated yearly or whenever systems change.
  4. Stronger Risk Assessments:
    Risk analysis will now include identifying potential threats, vulnerabilities, and likelihood of exploitation—and this must all be documented in detail.
  5. New Security Measures:
    • Multi-factor authentication will be required.
    • Regular vulnerability scans every six months and annual penetration testing.
    • Separate systems for backing up and recovering ePHI.
  6. Incident Response:
    Organizations must have detailed, written plans for handling security incidents and restoring systems within 72 hours if a breach occurs.
  7. Compliance Audits:
    Annual compliance audits are now required, ensuring everyone stays on track.
  8. Business Associate Checks:
    Business associates will also need annual audits to confirm they’re implementing required security safeguards.

My Thoughts

For the most part, I (Dr. Jose I. Delgado) agree with these changes and have already started implementing many of them as part of the EPI Compliance package. To make compliance easier for our clients, I will also be working on a series of blogs that break down these topics in greater detail. For tasks we currently don’t offer, we’ll explore partnerships with trusted providers to ensure our clients remain fully compliant.

If you have any questions or concerns about these updates, don’t hesitate to contact us. We’re here to help you navigate these changes and stay ahead of the curve.