Understanding the Proposed Changes to HIPAA’s Security Rule
History of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to address two primary objectives: ensuring health insurance coverage for individuals during job transitions and establishing national standards for protecting sensitive health information. Over the years, HIPAA has evolved to include additional rules that reflect the growing digitization of healthcare, particularly through the Privacy Rule (2003), Security Rule (2005) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (2009).
The Security Rule, specifically, was introduced to provide a framework for safeguarding electronic protected health information (ePHI). It mandates that covered entities implement administrative, physical and technical safeguards to protect ePHI from breaches and unauthorized access. However, as the healthcare sector’s digital landscape has significantly evolved and cyber threats have grown more sophisticated, the need for updated and more robust security measures has become apparent.
Why Now and What’s Changing
Cyberattacks on healthcare organizations have surged in recent years, with data breaches affecting millions of patients and disrupting care. According to the HIPAA Journal, over 85 million individuals were impacted by breaches in 2024. Between 2018 and 2023, reports of large breaches rose by 102%, affecting over 167 million individuals in the past year alone. These incidents underscore the urgent need for stronger safeguards to protect ePHI.
In response to the changing cybersecurity landscape, the Department of Health and Human Services (HHS) has proposed amendments to the HIPAA Security Rule. These changes aim to strengthen protections for ePHI while addressing gaps exposed by advancements in technology and the increasing sophistication of cyberattacks. Key proposed changes include:
Uniform Implementation of Security Measures: The proposal makes all implementation specifications mandatory, removing the distinction between “required” and “addressable.” This aims to improve consistency in how organizations apply the standards and to dispel the misconception that addressable specifications are optional.
Asset Inventory and Network Mapping: Entities are required to maintain an accurate technology asset inventory and a network map of the information systems and assets that could affect the confidentiality, integrity or availability of ePHI, including how ePHI moves into and out of the entity’s systems.
Expanded Risk Analysis Requirements: The current Security Rule requires organizations to conduct a risk analysis that identifies potential risks and vulnerabilities to ePHI; the proposed rule would impose additional requirements. Specifically, it would prescribe the steps for conducting the risk analysis and define the risk, threat and vulnerability elements that the analysis must address.
Stronger Security Requirements: From both the administrative and technical perspectives, the organization must implement enhanced safeguards and controls. To help further protect ePHI, key proposed requirements include:
- Asset Management and Network Mapping
- Patch Management
- Incident Response and Contingency Plans
- Encryption
- Network Segmentation and Network Protection
- Multi-Factor Authentication
- Configuration Management
Annual Compliance Verification: Regulated entities must perform and document compliance with all standards and implementation specifications under the HIPAA Security Rule on an annual basis. These audits may be performed internally by the entity or with the assistance of a third party.
The Impact
The proposed changes to the HIPAA Security Rule affect all regulated entities, including healthcare providers, health plans and healthcare clearinghouses, and extend to any organization that handles ePHI. This includes organizations defined by HIPAA as covered entities, business associates and their subcontractors. The impact of these changes is significant, as they could require substantial financial investment and operational adjustments. Entities will need to allocate resources for compliance verification, incident response planning and network protection, ultimately aiming to bolster the security of patient data and the resilience of healthcare services.
What’s Next?
While HHS is undertaking this rulemaking, the current Security Rule remains in effect. The next step for the proposed changes is the conclusion of the 60-day public comment period on March 7, 2025. During this time, healthcare providers, stakeholders and the public are invited to submit their feedback and express any concerns or suggestions regarding the proposed amendments. After reviewing these comments, HHS will evaluate the feedback and make any necessary revisions to the proposed rule. The newly elected administration will determine whether to move forward with the rulemaking process. Regulated entities should stay informed and prepare for these changes by assessing their current security measures, budgeting for necessary investments and developing a comprehensive implementation plan to ensure they meet the updated standards within the specified timeframe.
How FD Can Help
Frazier & Deeter’s HIPAA risk analysis, consulting and compliance-based services have been meticulously aligned with the Security Rule, OCR guidance and other authoritative sources. Whether your organization is at the forefront of developing a HIPAA compliance program, seeking consultation to adopt these newly proposed changes, or in the midst of a breach investigation, Frazier & Deeter has the experience to deliver effective and actionable results. Reach out to our team to get started.
Contributors
Jessie Sandell, Advisory Director