Proposed Rule to Modify HIPAA’s Security Rule

On January 6, 2025, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking to modify the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) under HIPAA and HITECH. The proposed updates respond to the rising number of cyberattacks on HIPAA-covered entities and the increasing reliance on digital technologies in healthcare, including certain medical devices. HHS found that 94% of covered entities and 88% of business associates failed to implement appropriate risk management measures. Citing the Legislature’s intent for HIPAA’s standards to adapt to technological advancements, HHS asserts its authority to revise the Security Rule. HHS’s proposals begin on page 922 of the Proposed Rule, and Comments must be submitted on or before March 7^th.