🛡️ 1. More Prescriptive, Mandatory Security Controls
Elimination of “Addressable” vs “Required” Flexibility
- Many controls that were previously addressable (meaning organizations could decide whether they were reasonable and implement or document reasons for not implementing) would become mandated for all entities.
- This means less optional flexibility and more baseline minimum cybersecurity requirements across all covered entities and business associates.
🔐 2. Mandatory Technical Safeguards
Multi-Factor Authentication (MFA)
- MFA is required wherever electronic protected health information (ePHI) is accessed, not merely recommended; it is no longer an "addressable" control.
- This eliminates rationale like “our vendor doesn’t support MFA.”
Stronger Encryption Standards
- Encryption must protect ePHI both at rest and in transit using industry-standard, accepted strong cryptographic methods.
- Organizations must prove deployment — not just policies claiming encryption exists.
🧰 3. Expanded Risk Assessment and Asset Management
Asset Inventories & Network Mapping
- Covered entities and business associates will need to maintain detailed, up-to-date inventories of technology assets and network maps showing where ePHI flows, including cloud, SaaS, and medical devices connected to systems.
- This helps identify all systems affecting ePHI and apply needed protections.
Risk Analysis & Documentation
- More rigorous written risk assessments are required, including identification of threats, vulnerabilities, and likelihood/impact determinations.
- Risk assessment documentation must be updated regularly and reflect real security posture.
🔍 4. Increased Testing & Validation Requirements
Regular Scanning and Testing
- Vulnerability scanning (at least twice yearly) and annual penetration testing would become requirements.
- This aligns HIPAA with modern cybersecurity practices that emphasize proactive vulnerability discovery and remediation.
🚑 5. Contingency Planning and Recovery Expectations
Restoration Capability Within 72 Hours
- Proposed updates highlight the need for demonstrable disaster recovery capability, including the ability to restore critical systems within 72 hours after an incident such as ransomware.
- This goes beyond written plans to measurable performance requirements.
📘 6. Enhanced Documentation & Accountability
- Entities must maintain comprehensive written policies, procedures, plans, and records proving actual implementation of security measures.
- This documentation must be audit-ready, reflecting real practice — not just policy statements.
🤝 7. Expanded Business Associate Responsibilities
- Business associates will be subject to greater accountability, including stronger safeguards, reporting expectations, and possible certification or attestation requirements to covered entities.
- This helps close gaps where third-party vendors have historically been a source of breaches.
🧠 8. Alignment with Modern and Industry Standard Cybersecurity Practices
- The proposed rule aims to more closely align HIPAA requirements with current cybersecurity frameworks and best practices (e.g., risk-based security, NIST standards).
- This helps move HIPAA away from outdated checklist compliance toward resilient cybersecurity operations.