Insights and Takeaways: HHS’ Proposed HIPAA Security Rule Overhaul


By Kevin Heineman, Chief Information Security Officer, Lyric

The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM), specific to a set of proposed modifications to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to bolster cybersecurity measures for electronic protected health information (ePHI). These updates mark a significant pivot in compliance obligations, threat mitigation strategies, and technology adoption standards for all types of covered entities and their business associates.

This blog takes a deeper dive—rooted in four key areas (Challenges, Takeaways, Technology, and Potential Areas of Impact)—that integrates the background and insights from the proposed Rule’s Executive Summary; Statutory Authority and Regulatory History; Justification for This Proposed Rulemaking; Section-by-Section Description of the Proposed Amendments to the Security Rule; and Regulatory Impact Analysis.

Background

The evolution of health information technology and the proliferation of sophisticated cyberattacks have compelled HHS to overhaul the HIPAA Security Rule. Since the publication of the original Security Rule in 2003 (see 68 FR 8334), cybersecurity threats and vulnerabilities have surged dramatically, affecting the confidentiality, integrity, and availability of ePHI on an unprecedented scale. Covered entities (e.g., health plans, health care providers, and clearinghouses) and business associates have struggled to keep pace with the rapidly evolving threat landscape.

Thus, HHS has proposed enhanced requirements for administrative, physical, and technical safeguards under Subpart C of Part 164, particularly referencing new or revised standards in 45 CFR 164.302 through 45 CFR 164.320. Not only do these revisions clarify existing requirements, but they also add new obligations such as mandatory multi-factor authentication, network segmentation, annual compliance audits, and mandatory patch management timelines through 45 CFR 164.312 and 45 CFR 164.308.

HHS’ statutory authority stems from sections 1171 through 1179 of the Social Security Act, which mandate that the Secretary establish safeguards for the security of electronically transmitted health data. The Department’s Regulatory Impact Analysis (RIA) underscores that while many organizations face higher compliance costs, the potential cost of not shoring up ePHI security is far more severe. Breaches harm individuals, degrade trust, and destabilize health care’s financial underpinnings. HHS projects that the rule’s net benefits—manifested in prevented breaches, reduced data loss, and fewer security incidents—ultimately will outweigh the compliance burden.

Challenges

  1. Sheer Complexity of Security Requirements: Under the proposed revisions, 45 CFR 164.308(a) clarifies that regulated entities must conduct a “Security Rule compliance audit” annually. This is a distinct duty from the more commonly referenced “risk analysis” requirement in 45 CFR 164.308(a)(2). Having to operationalize both can introduce confusion, particularly for smaller practices, especially because the proposed changes add specificity around patch management (see 45 CFR 164.308(a)(4)), vulnerability scanning (45 CFR 164.312(h)(2)(i)), and business associate verification (45 CFR 164.308(b)).

  2. Resource Constraints: Many entities are small or operate on thin margins, and complying with the Multi-Factor Authentication (MFA) requirement in 45 CFR 164.312(f)(2)(ii) and the robust encryption requirements in 45 CFR 164.312(b) will demand significant effort from them. Smaller organizations may lack the internal IT staff to manage ongoing security updates, risk analyses, and vendor oversight. This can become especially challenging in rural healthcare settings, aligning with the Department’s RIA concerns that rural and small providers are susceptible to cyberattacks but have limited resources for advanced security solutions.

  3. Vendor Management Complexities: Under 45 CFR 164.308(b)(1)(i), the new standard for business associates requires not only contractual assurances of compliance, but also verification that business associates have deployed all technical safeguards needed (45 CFR 164.308(b)(2)(ii)). This requires frequent coordination, documentation, and oversight of vendors. As a result, organizations must plan additional resources to manage subcontractor compliance.

Takeaways

  1. Annual Compliance Audits: Entities must now demonstrate ongoing compliance with each standard and implementation specification in Subpart C. While risk analyses have historically varied in scope, the proposed requirement to conduct a formal “compliance audit” on top of the risk analysis signals a more rigorous stance. Entities should prepare for increased auditing frequency and documentation under § 164.308(a)(14).

  2. More Rigorous Technical Safeguards: Specific proposed sections—§ 164.312(a) on Access Control, § 164.312(b) on Encryption and Decryption, and § 164.312(f) on Authentication—impose explicit obligations like implementing MFA, automatic logoff, log-in attempt thresholds, and more granular encryption of ePHI in all states of storage and transmission. This is a sharp shift from the older, more flexible addressable standard for encryption.

  3. Heightened Patch Management Requirements: Under new 45 CFR 164.308(a)(4), covered entities and business associates would be obligated to define patch priorities and deploy them under strict deadlines—15 days for critical risks and 30 days for high risks—unless they can document allowable exceptions. This aims to mitigate known vulnerabilities that hackers exploit most often.

  4. Compensating Controls: Multiple sections provide “exception” clauses for scenarios in which an entity can’t deploy an available patch or encrypt certain systems under the standard. However, 45 CFR 164.312(b)(4) directs that the entity must document these exceptions in real-time and implement “reasonable and appropriate compensating controls” to maintain the confidentiality, integrity, and availability of ePHI.

Technology

The proposed Security Rule enhancements introduce significant technology-driven safeguards to strengthen ePHI confidentiality, integrity, and availability. Four core areas—Patch Management, Vulnerability Scanning and Penetration Testing, Encryption, and Multi-Factor Authentication—are especially emphasized. Together, they represent a more stringent, explicit set of expectations for regulated entities’ electronic information systems.

  1. Patch Management: Under the proposed 45 CFR 164.308(a)(4), all covered entities and business associates must establish and implement written policies and procedures to identify, prioritize, acquire, and verify the timely installation of patches, updates, and upgrades on relevant electronic information systems. Notably, any critical vulnerabilities must be addressed within 15 calendar days of identification if a patch is available (or, if no patch exists, within 15 days of one becoming available). Similarly, patches for vulnerabilities classified as high must be installed or mitigated within 30 days. Any patching or upgrade that cannot be done—due to unavailability or adverse effects on other systems—must be documented in real-time, supported with compensating controls, and regularly reviewed. This approach codifies industry best practices while adding strict and clearly defined timelines.

  2. Vulnerability Scanning and Penetration Testing: In 45 CFR 164.312(h), the NPRM calls for regular automated vulnerability scans—performed at least every six months or more frequently if deemed necessary by the entity’s risk analysis—to detect exploitable technical weaknesses. Furthermore, 45 CFR 164.312(h)(2)(iii) requires each entity to conduct periodic penetration testing of relevant electronic information systems by a “qualified person” versed in recognized cybersecurity methods. The rules clarify that large or complex environments might need more extensive tests, whereas smaller organizations may have proportionate, yet still mandatory, penetration testing. Together, these measures advance a proactive posture: rather than merely reacting to confirmed breaches, organizations must actively seek out vulnerabilities and verify their security controls’ efficacy.

  3. Encryption: Previously treated as an “addressable” standard, encryption is now proposed under 45 CFR 164.312(b) as a core requirement for ePHI at rest and in transit. Entities must deploy encryption solutions “consistent with prevailing cryptographic standards,” ensuring data cannot be deciphered without authorized keys. Limited exceptions exist (e.g., if an individual specifically requests unencrypted transmission under the right of access at 45 CFR 164.524, or when a patch or upgrade is not yet available). Specific exceptions also apply for certain legacy or FDA-authorized devices—provided organizations apply any available patches and document their compensating controls in real-time. Finally, encryption controls must be reviewed at least once every 12 months or upon operational changes, ensuring that covered entities and business associates continually align with contemporary encryption standards.

  4. Multi-Factor Authentication: Proposed 45 CFR 164.312(f) would firmly establish MFA as a critical authentication step for all relevant electronic information systems. Under this approach, users must be verified using at least two of these three categories: something they know (e.g., password), something they have (e.g., secure token), or something they are (e.g., a biometric). MFA must also protect administrative or privileged actions that could affect the confidentiality, integrity, or availability of ePHI. These changes move MFA from a best practice to an unequivocal requirement, drastically reducing the risk of unauthorized account takeover.
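The patch-management timelines described in item 1 above (and in the Takeaways section) lend themselves to a simple tracker. The following is an added example, not code from the NPRM or from Lyric: it applies the proposed 15-day (critical) and 30-day (high) clocks, starts the clock at patch release when no patch existed at identification, and treats a missing patch or a missed deadline as acceptable only when compensating controls are documented. The system names, dates and control descriptions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines from the proposed 45 CFR 164.308(a)(4): critical = 15 days, high = 30 days.
PATCH_SLA_DAYS = {"critical": 15, "high": 30}

@dataclass
class Finding:
    system: str
    severity: str                           # "critical" or "high"
    identified: date                        # when the vulnerability was identified
    patch_available: Optional[date] = None  # None: vendor has not released a patch
    patched: Optional[date] = None          # when the patch was verified installed
    compensating_controls: str = ""         # documented exception, if any

def sla_deadline(f: Finding) -> Optional[date]:
    """Deadline runs from identification, or from patch release if that came later.
    Returns None when no patch exists yet (the clock has not started)."""
    days = PATCH_SLA_DAYS[f.severity.lower()]
    if f.patch_available is None:
        return None
    return max(f.identified, f.patch_available) + timedelta(days=days)

def assess(f: Finding, today: date) -> str:
    """Classify one finding's status against the proposed timeline."""
    deadline = sla_deadline(f)
    if f.patched is not None:
        return "patched_on_time" if deadline is None or f.patched <= deadline else "patched_late"
    if deadline is None:
        # No patch available: the gap must be documented with compensating controls.
        return "exception_documented" if f.compensating_controls else "undocumented_gap"
    if today <= deadline:
        return "within_sla"
    return "exception_documented" if f.compensating_controls else "overdue"

def compliance_report(findings, today: date) -> dict:
    """Map each system to its status; 'overdue' and 'undocumented_gap' need attention first."""
    return {f.system: assess(f, today) for f in findings}

# Constructed sample findings (hypothetical systems and dates, not from the NPRM).
SAMPLE = [
    Finding("ehr-db", "critical", date(2025, 3, 1), date(2025, 3, 1), patched=date(2025, 3, 10)),
    Finding("billing-app", "high", date(2025, 3, 1), date(2025, 3, 1)),
    Finding("imaging-gw", "critical", date(2025, 2, 1), None, compensating_controls="isolated VLAN, host firewall"),
    Finding("legacy-pacs", "critical", date(2025, 2, 1), date(2025, 2, 20)),
]

if __name__ == "__main__":
    for system, status in compliance_report(SAMPLE, date(2025, 3, 20)).items():
        print(f"{system:12s} {status}")
```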

Overall, these four areas underscore a technologically robust Security Rule framework, requiring more investment and a sophisticated oversight of electronic information systems that handle ePHI. By codifying explicit requirements for patches, vulnerabilities, encryption, and multifactor authentication, HHS aims to raise the security baseline across all regulated entities—large or small, urban or rural—and ensure that new cybersecurity threats are proactively mitigated, rather than addressed only after a breach occurs.

Potential Areas of Impact

The proposed modifications to the HIPAA Security Rule carry wide-ranging implications for diverse stakeholders, from large healthcare systems to individual provider offices, and from robust commercial insurers to small plan sponsors. The NPRM clarifies that the administrative, physical, and technical standards apply to all electronic protected health information (ePHI) as spelled out in 45 CFR 164.302–164.318.

In addition, heightened scrutiny around contingency plans—per § 164.308(a)(13)—pressures covered entities and business associates to allocate resources to plan for worst-case scenarios such as natural disasters or sophisticated cyberattacks. This requirement is especially critical in rural or smaller facilities that historically underinvest in cybersecurity due to limited budgets.

Another big shift lies in plan documents for group health plans under § 164.314(b). Plan sponsors receiving ePHI must now align their relevant electronic information systems with the same administrative, physical, and technical safeguards as covered entities. Consequently, even small employers that self-insure will need to upgrade or re-tool their data handling processes.

Cost burdens are also likely to rise as entities integrate new administrative demands, such as reviewing technology asset inventories and network mapping every 12 months, applying patches with stricter timelines, and verifying their business associates’ technical safeguards.

Meanwhile, the NPRM’s more explicit requirements—like encryption at § 164.312(b)—could enhance interoperability if standardized solutions become widespread. Ultimately, while immediate compliance costs may seem substantial, the long-term effect should be stronger public trust and a reduction in catastrophic breaches that have previously damaged reputations and hindered patient care.

Changes to Expect

In light of the NPRM’s heightened security mandate, six modifications stand out for regulated entities:

  1. A new standard requires an annual documented evaluation of whether each security requirement and related implementation specification is fulfilled. This formalizes a more rigorous administrative protocol, ensuring organizations continuously verify their Security Rule posture.

  2. The proposal calls for a more detailed risk analysis, explicitly demanding the identification of every threat, vulnerability, and risk level facing ePHI, along with mandatory updates at least once a year.

  3. The rules for patch management become more prescriptive: regulated entities must install patches within specific timeframes based on severity or, if a patch is unavailable, put compensating controls in place.

  4. The switch from addressable encryption and decryption requirements to a definitive standard means that ePHI stored or transmitted must be encrypted using prevailing cryptographic methods.

  5. The addition of a new multi-factor authentication requirement compels covered entities and business associates to verify user identity by at least two factors prior to granting access to sensitive information systems.

  6. Network segmentation practices are set to be formalized, requiring segmentation of systems that create, receive, or maintain ePHI. This move significantly reduces the risk of lateral movement by malicious actors in the event that one entry point is compromised.

Altogether, these changes guide the Security Rule toward a more comprehensive, technology-driven standard that integrates closely with ongoing risk management activities.

Conclusion

Taken together, these amendments represent a robust elevation of HIPAA Security Rule obligations. HHS’ Regulatory Impact Analysis underlines that while compliance costs may seem substantial—particularly for small practices, rural facilities, and plan sponsors—the risk of cyberattacks on ePHI has escalated so dramatically that the sector needs forceful, standardized minimum safeguards.

By integrating administrative, physical, and technical safeguards in a way that is more explicit and tightly regulated, HHS aims to reduce breaches, expedite detection, safeguard patient information, and uphold public confidence in health care’s digital transformation. The future of ePHI security is shaping up to be more exacting, and these proposals from HHS under 45 CFR 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316 serve as a wake-up call to the entire industry: the stakes for safeguarding ePHI have never been higher.


About Lyric

Lyric, formerly ClaimsXten, is a leading AI healthcare technology company, committed to simplifying the business of care. Over 30 years of experience, dedicated, expert teams, and top technologies help deliver up to $14 billion of annual savings to our many loyal and valued customers—including 9 of the top 10 payers across the country. Lyric’s solutions leverage the power of machine learning, AI, and predictive analytics to empower health plan payers with pathways to increased accuracy and efficiency, while maximizing value and savings. Lyric is investing in AI driven technology to ease implementation and speed to value for customer savings, while offering enhanced and newly available solutions through internal product development and strategic partnerships, including recently announced partnerships with Concert Genetics, Autonomize AI, and now, Codoxo. Discover more at Lyric.ai
