HIPAA to Mandate Increased Cybersecurity Measures in Response to Escalating Number of Attacks

The U.S. Department of Health and Human Services (HSS) Office for Civil Rights (OCR) has published a Notice of Proposed Rulemaking (NPRM) proposing substantial cybersecurity requirements for all regulated entities and their business associates to be added to the HIPAA Security Rule.

Comments are due on or before March 7, 2025, with a final ruling due to take effect 60 days after publication and a compliance date 180 days after that. Following these dates, the NPRM also proposes a transition period beyond the 180-day compliance period to allow regulated entities to modify their business associate agreements in response to the changes.

Why Now?

The 390-page NPRM marks the first time OCR has updated the HIPAA Security Rule since 2013 in the wake of a substantial increase in breaches. The OCR Breach Portal data for 2024 makes for sobering reading and necessitates urgent action. The Secretary of ...