HHS Proposes Updates to HIPAA Cybersecurity Standards

Author(s): Luke Schwartz and Matt Reiter

What Happened in Congress this Week??

The 119th Congress was sworn in on January 3rd. The House of Representatives reelected Representative Mike Johnson as Speaker of the House. Congress has been busy with many other internal organizing functions such as determining committee rosters. The Senate is beginning to schedule confirmation hearings for President-elect Trump’s cabinet nominees.

Key Committee leaders in both the House and Senate have signaled their intent to prioritize important health policies that were excluded from the year-end continuing resolution in December. These include a 2.5% increase to Medicare payments and PBM reform.

HHS Proposes Updates to HIPAA Cybersecurity Standards

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published a new proposed rule to update the HIPAA Privacy and Security regulations to improve cybersecurity in the healthcare sector. This proposed rule was expected to be published before the end of the year. It is largely in response to many high-profile cyberattacks on the healthcare system in 2024, the most notable of which was the cyberattack on Change Healthcare.

The proposed policies would impact both HIPAA-covered entities and business associates. The proposed rule uses the term “regulated entities” to refer to both covered entities and business associates.

Notable proposals include:

• Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.

• Require written documentation of all Security Rule policies, procedures, plans, and analyses.
• Requiring encryption when communicating Personal Health Information (PHI).
• Requiring the use of multi-factor authentication.
• Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
• Require network segmentation.

• Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) at least once every 12 months.

• Strengthen requirements for planning for contingencies and responding to security incidents.

Top Stories in Healthcare Policy

• The Consumer Financial Protection Bureau (CFPB) finalized a rule that bans inclusion of any patient medical debt on a consumer’s credit report?
• CMS reports that 23.6 million consumers selected plan year 2025 coverage through the federal and state health insurance marketplaces since the start of the 2025 Marketplace Open Enrollment Period, including 3.2 million new consumers. This is an increase from the 21.4 million enrollments during the 2024 open enrollment period.
• CMS published updated Medicare Telehealth Trends Data that highlights trends in the use of telehealth services between? January 1, 2020 and June 30, 2024.?
• Senators Chuck Grassley (R-IA) and Sheldon Whitehouse (D-RI) released a bipartisan report on private equity’s impact on healthcare. The report found that quality and safety issues in facilities acquired by private equity. The finding suggest private equity in healthcare will be a bipartisan priority for the new Congress.?
• CMS announced that the administrative fee for the No Surprises Act’s (NSA’s) Independent Dispute Resolution (IDR) process will remain unchanged in 2025.?