Did you know that on January 6th, 2025, a Notice of Proposed Rulemaking (NPRM) was published to update the HIPAA ePHI security rules?
Regulated entities may have 180 days to comply if new rules are published.
Who needs to comply? Any health care provider that transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA.

Are you "Compliance Ready"?
Get our FREE readiness self-assessment guide
Stay Compliant, Stay Worry-Free with our HIPAA compliance experts
BorderHawk
Compliance and risk management can be complicated, but at BorderHawk, we make the process straightforward. Our team of expert cyber risk and compliance advisors works closely with your team to develop personalized strategies to address vulnerabilities and pursue compliance with the latest regulations.
With our guidance, your organization can navigate the complexities of cyber risk management and compliance with confidence. We provide tailored solutions to empower your organization to adopt and manage effective cyber risk management strategies and stay ahead of compliance obligations.

Optimize Your Compliance with Advisory Services
Preferred by hundreds of forward-thinking organizations.
HIPAA ePHI Compliance
Identifying and addressing potential compliance gaps to minimize risks of penalties, lawsuits, or data breaches.
Continuous Education
Ongoing training and awareness programs for staff, ensuring the hospital remains compliant and well-informed on regulatory updates.
Cost Efficient
Access to seasoned HIPAA experts via fractional engagement models. Navigate the complexities of healthcare compliance while keeping labor costs within budget.
Customized Compliance Plans
Tailored strategies that address the unique challenges faced by rural hospitals, ensuring practical and effective compliance solutions.
Time Savings
Leadership teams can focus on core responsibilities while experts from BorderHawk handle the complexities of HIPAA compliance and present results to the executive teams.
Improved Patient Trust
Strengthening patient confidence by safeguarding sensitive information and staying current with evolving HIPAA regulations.
The 2025 HIPAA NPRM:
On January 6th, 2025, the Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) to update the HIPAA ePHI security rules. Public comments were accepted from January 6th to March 6th, 2025. The next step is the adoption and publication of the new rules. Once finalized, regulated entities will have 180 days to comply. This update aims to address evolving security concerns and improve the protection of electronic health information.
Why did the Department of Health and Human Services publish a Notice of Proposed Rulemaking (NPRM) to update the HIPAA ePHI security rules?
The Department of Health and Human Services proposed the NPRM to update HIPAA ePHI security rules due to several factors: changing healthcare environments, rising breaches and cyberattacks, common deficiencies found in OCR investigations, and evolving cybersecurity guidelines. Court decisions also impact Security Rule enforcement. Modern healthcare relies heavily on secure technologies across all stages, from appointment scheduling and telehealth to insurance verifications and medical records management. To safeguard this infrastructure, updates to HIPAA’s security rules are necessary to address these growing challenges and enhance protection against security threats.
Receive a copy of our summarized version of the HIPAA NPRM and stay informed with the latest updates on the development and adoption of the HIPAA ePHI security rules.
Risk Analysis and Management (Source: HHS.gov laws and regulations)
The Administrative Safeguards provisions in the Security Rule require a regulated entity to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the regulated entity as part of their security management processes. The risk analysis and risk management provisions of the Security Rule are addressed separately here because a risk analysis affects the implementation of all of the safeguards contained in the Security Rule by helping a regulated entity to identify potential risks and vulnerabilities. Based on the potential risks and vulnerabilities the regulated entity identifies, it then determines which security measures are reasonable and appropriate to implement for managing that risk.