How to Stay Compliant with the New HIPAA Security Rule Updates

The Health Insurance Portability and Accountability Act (HIPAA) was established to protect patient privacy and secure health information. While it has been around for nearly two decades, it is evolving to keep up with an increasingly digital world and in response to the skyrocketing number of cyber attacks the healthcare industry sees every year.
On December 27, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to increase cybersecurity protections for electronic protected health information (ePHI).
The HIPAA Security Rule 2024 aims to enhance cybersecurity by updating the Security Rule’s standards to better resist the torrent of cybersecurity attacks on the healthcare sector. The new rules call for faster response times, more robust healthcare cybersecurity features, and better visibility into threats.
Overview of the 2024 NPRM: What’s New
The 2025 NPRM outlines several important updates to the HIPAA Security Rule 2024 that build on earlier discussions and updates. Here’s a breakdown of the three that stand out:
Annual Technical Inventories: What They Are and How to Conduct Them
Annual technical inventories help to identify potential weaknesses and make sure that all assets are accounted for and in a safe location. They are comprehensive lists of all technology assets—hardware, software, electronic media, and data—that assist in developing, receiving, storing, or transmitting ePHI. They include a network map describing how ePHI moves throughout the organization’s electronic system.
How to Conduct Them:
Identify Assets: List all hardware, software, and electronic media that handle ePHI.
Document Asset Details: Include asset locations, versions, and responsible personnel.
Create a Network Map: Illustrate how ePHI enters, exits, and is accessed within and outside the organization’s systems.
Update Annually or as Needed: Review and update the inventory at least annually or after significant changes, such as security incidents or technology acquisitions.
Multi-Factor Authentication: A Mandate, Not a Recommendation
MFA improves security by requiring users to verify their identity with at least two distinct factors—such as a password (something you know), a smartphone or token (something you have), or a fingerprint (something you are)—so that unsanctioned access is prevented even if one credential is compromised.
The NPRM will make this mandatory for all systems that handle ePHI, save for certain legacy systems and pre-March 2023 FDA-approved medical devices. Affected entities that currently rely on exempted systems must have a plan to migrate ePHI to MFA-supported technology.
HIPAA Risk Assessments and Beyond: Enhancing Healthcare Cybersecurity Posture
Although regular risk analysis has always been a key component of HIPAA, the NPRM proposes more detailed specifications for the processes involved.
Affected bodies will have to conduct HIPAA risk assessments. They will need to review their technology asset inventory, identify anticipated threats and vulnerabilities, document all security measures, set out policies and procedures for tracking risks and vulnerabilities, and make documented “reasonable determinations” of the likelihood and potential impact of the identified threats and vulnerabilities.
Other Significant Updates
In addition to these three, affected entities will need to implement seven other changes if they have not already.
Rigorous Vendor Oversight: Covered entities must validate business associates’ compliance through expert-certified risk assessments and must be notified of contingency plan activations within 24 hours.
Mandatory Encryption Standards: Encryption of ePHI at rest and in transit is required to reduce the risk of breaches, with few exceptions, such as patient requests for unencrypted data.
Formal Incident Response Planning: Entities must develop formal, written incident response plans detailing reporting, mitigation, remediation, and eradication procedures. These must be reviewed annually.
Disaster Recovery and Backups: The updates introduce “criticality analysis” to help prioritize system restoration. This also mandates exact ePHI backups and recovery within 72 hours in the event of an incident.
Yearly Compliance Audits: Affected entities must carry out annual audits (internal or external) to ensure they are adhering to HIPAA Security Rule standards.
Workforce Security Access Management: Role-based access policies must be implemented, and access must be terminated within one hour after employment ends. Other entities must be notified of any changes of authorization within 24 hours.
Network Testing, Segmentation, and Configuration: Vulnerability scans must happen every six months, and annual penetration testing is required alongside network segmentation to limit lateral movement during an attack.
How Fortra Secure Configuration Management Can Support HIPAA Compliance Efforts
Fortunately for healthcare organizations, Fortra supports HIPAA compliance efforts through several solutions:
Final Thoughts: Prepare Now to Avoid Penalties Later
Preparation is at the heart of HIPAA compliance. Putting all the new checks and balances in place is a major overhaul, adding stricter controls on cybersecurity, risk management, and electronic PHI protection.
All bodies subject to the Act must swiftly adopt and implement these tools and measures and act now to become compliant before they suffer a breach and catastrophic consequences.
Learn how Fortra’s solutions can support HIPAA compliance – visit our HIPAA compliance solutions page or speak with a compliance expert.