Digital Health

HIPAA Gets First Major Update in Over a Decade

January 27, 2025 Jason Barry 2 min read
HIPAA

It might have taken the biggest data breach in healthcare history to make it happen, but HHS finally announced the first major changes to HIPAA in over a decade.

Big changes need big titles, and the HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information packs 393 pages of them.

We admittedly only skimmed that for about two minutes before turning to our usual sources for a summary, so here’s an even shorter summary of those summaries.

The proposed HIPAA changes would require provider organizations to:

  • Enhance data security measures, including multi-factor authentication, network segmentation, and encrypting electronic protected health information (ePHI) 
  • Maintain a technology asset inventory and network map illustrating the movement of all ePHI within their information systems 
  • Maintain a detailed risk analysis of each component in the inventory and network map
  • Establish written procedures to restore EHR systems within 72 hours of a cyberattack
  • Conduct HIPAA compliance audits at least once per year

Another key change is the elimination of the distinction between “required” security rules that must be followed and “addressable” rules that providers can choose not to obey.

  • By eliminating that line, HIPAA would make all of the above changes mandatory for all organizations, whether they’re ready to implement them or not.

Even tech savvy providers are still in the business of care delivery, not cybersecurity, and many of them will have to partner with outside companies to ensure compliance.

  • Larger organizations with strong IT teams might already be preparing for these changes, but smaller hospitals with already-slim margins are probably in for a tough transition.

Health data needs to be protected, and our current safety measures obviously aren’t getting it done. On the other hand, there’s also a growing divide between “the best” and “the rest” of U.S. hospitals, so an unfunded mandate with heavy compliance costs runs the risk of making it wider.

The Takeaway

Healthcare has its fair share of acronyms, but HIPAA might just be the most common one in the alphabet soup. It’s important to get these changes right, and that means finding a balance between protecting patients and not overburdening providers. HHS is seeking comments on the rule until March 7.

Check out the other stories from this issue here: UnitedHealth, Segways, and HIPAA’s First Update in a Decade 
Get the top digital health stories right in your inbox

You might also like

Rock Health Green

Digital Health January 23, 2025

Rock Health 2024 Overview: David vs Goliath January 23, 2025

If last year’s digital health market felt like David vs. Goliath, Rock Health’s full-year funding recap has you covered with the reason why. Here’s 2024 by the numbers: There’s a tale of two trends unfolding between the early-stage startups and late-stage incumbents battling for market share, and neither side is helping out the funding total. […]

Innovaccer F

Startups January 16, 2025

Innovaccer Dives Into AI With Series F Raise January 16, 2025

We’re barely halfway through the first month of 2025, and Innovaccer already raked in what could end up being the biggest raise of the year with its $275M Series F funding round. Innovaccer got its start in 2014 with the goal of breaking down healthcare’s data siloes and using that connected fabric of information to […]

Health Affairs

Artificial Intelligence January 13, 2025

First Snapshot of AI Oversight at U.S. Hospitals January 13, 2025

A beautiful paper in Health Affairs brought us the first snapshot of AI oversight at U.S. hospitals, as well as a glimpse of the blindspots that are already adding up. Data from 2,425 hospitals that participated in the 2023 AHA Annual Survey shed light on the differences in AI adoption and evaluation capacity at hospitals […]

You might also like..

Select All

You're signed up!

It's great to have you as a reader. Check your inbox for a welcome email.

-- The Digital Health Wire team

You're all set!