Your Guide To The Proposed HIPAA Security Rule Changes

SiekmannCo

Coming Soon: HIPAA Security Changes

HIPAA Security | Department of Health and Human Services | Siekmann Company

The U.S. Department of Health and Human Services (HHS) is shaking things up with some important updates to the HIPAA Security Rule for the first time in 11 years. The changes are geared toward keeping your electronic health information (also known as ePHI) safer in today’s digital world. While not implemented yet, the period to comment on the Proposed Rule closed earlier this month. If it remains in its current state, we can expect to see some important updates.



Why Are These Changes Happening?

With cyberattacks and data breaches becoming more common, HHS is working to make sure healthcare data remains safe and secure. The Proposed Rule, which was initially shared on Jan. 6, 2025, attempts to address new technology, legal changes, and lessons learned from past mistakes.


What’s Changing?

Here’s a rundown of the key updates:

  • Clearer Definitions: Some of the terms in the rules are simplified to ensure everyone understands them the same way.

  • No More “Optional” Steps: In the past, some security measures were labeled as “addressable,” which confused people into thinking they were optional. HHS is now saying, “Nope, these are all important!” Unless there’s a good reason not to do them, everyone needs to follow these steps (or find an equally good alternative and explain why).

  • Deadlines and Paperwork: There will be specific timelines for getting things done and requirements to keep records of what you’ve done to stay safe.

  • Risk Checks: Companies will need to conduct detailed checks to spot any weak spots in their security and fix them.

  • Staff Changes: If someone leaves a job, there will be rules to make sure their access to sensitive information is turned off — and everyone is notified.

  • Emergency Plans: There will be better guidelines for what to do if something goes wrong, like a cyberattack.

  • Stronger Security Tools: Measures like encryption and multi-factor authentication will be required to keep your info safe.


Why These Changes Matter

As more health information moves online, risks are increasing. Hackers and even accidental leaks are becoming a bigger problem every day. By making these security steps mandatory, HHS said it hopes to cut down on data breaches and keep your health information private and secure.


What Will It Cost?

HHS estimates that setting up these changes will cost about $9 billion in the first year and around $6 billion each year after that for the next four years. These costs are associated with compliance activities for regulated entities and health plan sponsors. However, HHS estimates that if these changes reduce data breaches even by 7 to 16 percent, the revised Security Rule would quickly pay for itself.


What’s Next?


If you work in healthcare, help manage health plans, or handle health data, you’ll want to check out the full details when they’re published. The Siekmann Company has reviewed the Proposed Rule and can help you maintain compliance. Contact us today, or sign up for our monthly newsletter for updates as they occur.