HIPAA Security Rule update

HHS’s Office for Civil Rights has published a Notice of Proposed Rulemaking to modernize the HIPAA Security Rule for the current threat environment, signalling that more prescriptive, operational security controls are coming for electronic protected health information. (onspring.com) (jdsupra.com)

The U.S. Department of Health and Human Services has proposed the first major rewrite of the Health Insurance Portability and Accountability Act Security Rule since 2013, aiming to tighten cyber defenses around electronic health data. (hhs.gov) The Office for Civil Rights issued the proposal on December 27, 2024, and it was published in the Federal Register on January 6, 2025. The agency set March 7, 2025, as the deadline for public comments. (hhs.gov) (federalregister.gov)

The rule covers electronic protected health information: medical and insurance data stored or transmitted in digital form by health plans, health care clearinghouses, health care providers that conduct covered transactions electronically, and their business associates. The current Security Rule requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of that data. (hhs.gov 1) (hhs.gov 2)

The Security Rule now in force dates back to a February 20, 2003 final rule, with major omnibus updates published on January 25, 2013. HHS says the new proposal is meant to reflect changes in health care delivery, newer technology, court decisions, and weaknesses the agency says it has repeatedly found in investigations. (hhs.gov) (federalregister.gov)

The proposed rewrite would make the rule more prescriptive. HHS said it would remove the long-standing split between “required” and “addressable” implementation specifications, require written policies and procedures, and require organizations to maintain a technology asset inventory and a network map, updated at least every 12 months and after major changes to their environment. (hhs.gov)

HHS tied the rewrite to a sharp rise in attacks on hospitals, insurers, and vendors. The department said reports of large breaches rose 102 percent from 2018 to 2023, while the number of individuals affected rose 1,002 percent; in 2023 alone, more than 167 million people were affected by large breaches. (hhs.gov)

The proposal also sits inside a wider federal cyber push. HHS said the rulemaking follows the 2023 National Cybersecurity Strategy, a 2024 implementation update, and the department’s 2023 health care sector cybersecurity concept paper. (hhs.gov)

For hospitals, physician groups, insurers, and health technology vendors, the immediate question is not whether the proposal exists but how much of it survives into a final rule. As of April 2026, HHS still lists the Security Rule proposal as a regulatory initiative, and the binding legal requirements remain those of the pre-2025 rule until any final version is issued. (hhs.gov 1) (hhs.gov 2)
