HHS proposes mandatory HIPAA safeguards

- HHS’s Office for Civil Rights is still advancing its HIPAA Security Rule rewrite, first proposed on December 27, 2024 and published January 6, 2025. (hhs.gov)
- The core change is blunt: HHS would erase much of HIPAA’s “addressable” flexibility, make safeguards mandatory, and require written policies, asset inventories, and network maps. (hhs.gov)
- It matters because healthcare breaches doubled from 2018 to 2023, while the number of people affected jumped 1002% — the pressure behind tougher rules. (hhs.gov)

Healthcare cybersecurity rules are where this story starts. HIPAA’s Security Rule has long told hospitals, insurers, clinics, and vendors to protect electronic(hhs.gov)shakier after years of ransomware, major outages, and record breach totals. So HHS, through its Office for Civil Rights, put out a proposed rewrite on December 27, 2024, and published it in the Federal Register on January 6, 2025. (hhs.gov)

### What is HHS actually trying to change?

The big move is to tighten the HIPAA Security Rule itself — not guidanc(hhs.gov), or ePHI. HHS says the goal is to better protect confidentiality, integrity, and availability of that data as the healthcare system faces more cyberattacks. (federalregister.gov)

### Why is “addressable” such a big deal?

Under the current rule, some safeguards are “required” and some are “addressable.” “Addressable” never meant optional(hhs.gov)why. HHS now wants to remove that distinction for implementation specifications, with only limited exceptions. Basically, the agency is saying the era of broad discretion is ending. (hhs.gov)

### What new concrete work would organizations have to do?

A lot more would need(federalregister.gov) network map showing how ePHI moves through the organization’s systems, updated on an ongoing basis and at least every 12 months, plus whenever operations change in a way that could affect ePHI. (hhs.gov)

### Who would this hit?

Not just hospitals. The proposal covers health plans, healthcare clearinghouses, most healthcare providers, and (hhs.gov)at matters because healthcare’s weakest point is often outside the hospital’s own walls. (hhs.gov)

### Why is HHS doing this now?

Because the breach trend got ugly fast. OCR says reports of large breaches rose 102% from 2018 to 2023, and the number of affected people rose 1002%. In 2023 alone, more than 167 million people were affected by large breaches. HHS also d(hhs.gov)U.S. healthcare history. (hhs.gov)

### Is this final already?

No — and that part matters. This is still a proposed rule. Comments were due by March 7, 2025, and OCR has been reviewing them. So the practical story right now is not “the law change(hhs.gov)and that blueprint is much stricter than the current rule. (federalregister.gov)

### What should healthcare organizations take from it now?

Treat this as a direction-of-travel signal, not background noise. If your compliance model still depend(hhs.gov)ints the other way. The likely winners are organizations that already know where ePHI lives, how it moves, and which outside partners touch it. (hhs.gov)

### Bottom line?

HHS is trying to turn HIPAA security from a principles-heavy framework into something more prescri(federalregister.gov)le plan. (hhs.gov)

Shared from Scout - Be the smartest in the room.