HIPAA Security Rule NPRM Fact Sheet
The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), recently issued a Notice of Proposed Rulemaking (“NPRM”) that includes extensive proposed changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. If finalized, the proposed changes will require Covered Entities and their Business Associates to comply with new standards and implementation specifications designed to prevent and defend against cybersecurity threats to electronic Protected Health Information (ePHI).
To accompany the NPRM, HHS also released a Fact Sheet summarizing the agency’s proposed changes to the HIPAA Security Rule.
Please note that the current standards and implementation specifications established by the HIPAA Security Rule continue to apply until any final rule takes effect.
Key Points from the Proposed Changes
- Maintain written documentation of all policies, procedures, plans, and analyses required by the Security Rule.
- Develop, and keep current, a technology asset inventory and a network map that illustrates the movement of ePHI through the organization’s electronic information system(s).
- Conduct a risk analysis and document it in a written assessment that includes specified content.
- Strengthen organizational response to security incidents through:
  - Written security incident response plans and procedures, including procedures to restore certain relevant electronic information systems and data within 72 hours of a loss.
  - Analysis of electronic information systems and technology assets to determine the priority in which they would be restored.
- Conduct a compliance audit at least once every 12 months.
- Implement security measures that include, but are not limited to:
  - Encrypting ePHI at rest and in transit, with limited exceptions.
  - Establishing and deploying technical controls that enforce consistent configuration of relevant electronic information systems.
  - Requiring multi-factor authentication, with limited exceptions.
  - Implementing separate technical controls for backup and recovery of ePHI and of relevant electronic information systems.
  - Scanning for vulnerabilities at least every six months, and conducting penetration tests and testing the effectiveness of certain security measures at least once every 12 months.
HHS encourages public comments on the proposed changes. Comments must be submitted through the Federal eRulemaking Portal or by regular, express, or overnight mail on or before March 7, 2025.