Changes Proposed to HIPAA Security Rules

Gardner Law
On December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule and strengthen cybersecurity protections for electronic protected health information (ePHI). The HIPAA Security Rule directly impacts life sciences companies that are covered entities or business associates by setting cybersecurity standards for patient information. It has a less direct, though notable, impact on companies who are not HIPAA-regulated through its effect on industry norms and best practices. Public comments regarding this NPRM are due by March 7, 2025.

The NPRM aims to address the growing cybersecurity threats faced by the health care sector by updating a rule that has remained unchanged since 2013 despite massive growth in cybersecurity exposure across the industry. It introduces several key updates, including:

  • Removal of the “addressable” vs. “required” distinction from the implementation specifications. Most security controls would become required, including encryption of ePHI in transit and at rest.
  • An explicit requirement to develop and maintain, on an ongoing basis, a technology asset inventory and a network map showing where ePHI is stored and how it flows.
  • More specific risk analysis requirements for ePHI, including what must be documented as part of the analysis; the current rule allows more flexibility in approach.
  • Additional notification obligations, including notice within 24 hours of certain changes to a workforce member’s access permissions and within 24 hours of a business associate activating its contingency plan.
  • Required annual compliance audits for regulated entities, and a requirement that business associates obtain, every 12 months, certification from a qualified subject matter expert confirming that their technical safeguards comply with the Security Rule.
  • Required use of multi-factor authentication, with narrow exceptions.
  • Required vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

According to Paul Rothermel, Senior Attorney at Gardner Law, “While these specific proposed changes to the HIPAA Security Rule developed by the previous administration may be revised under the Trump administration, there is bipartisan support for increased cybersecurity protections, especially in health care. Life sciences companies should expect continued data security scrutiny from both state and federal regulators in the coming years.”

These Security Rule changes would, if made final, likely take effect sometime in 2026, though there is no guarantee. It is also possible these proposals are shelved or significantly revised by the current administration. In either case, implementing and updating any cybersecurity program is a significant investment, so staying informed will be critical to timely compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Gardner Law

