Proposed Changes to HIPAA Security Rule: Strengthening Cybersecurity for Electronic Protected Health Information

Recently proposed amendments to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule are designed to strengthen the cybersecurity of electronic protected health information (ePHI), which is highly sensitive and subject to stringent regulation under HIPAA. The updates aim to ensure that healthcare organizations are equipped to handle evolving threats and maintain compliance with federal standards. The proposal also addresses artificial intelligence (AI): as the use of AI becomes more common in healthcare, understanding how AI systems use and maintain ePHI, and ensuring that ePHI remains properly secured, is even more critical.

Key Updates to the HIPAA Security Rule 

Proposed modifications include:

  • Universal Implementation Specifications: All implementation specifications become required, removing the distinction between "required" and "addressable" items, with specific, limited exceptions. 
  • Comprehensive Documentation: Written documentation will be required for all Security Rule policies, procedures, plans, and analyses. This also includes documentation of AI system training, prediction models and algorithm data used.  
  • Updated Definitions and Specifications: Reflects changes in technology and terminology. 
  • Asset Inventory and Network Map: Mandates the development and revision of a technology asset inventory and network map at least annually, including AI software used to create, receive, maintain, transmit, or interact with ePHI. 
  • Detailed Risk Analysis: Requires a thorough risk analysis, including a review of the technology asset inventory and network map, identification of reasonably anticipated threats and vulnerabilities, and an assessment of the risk each one poses. Where AI systems are used or trained, the analysis should consider the type and amount of ePHI the AI tool accesses, to whom it is disclosed, to whom the output is provided, and the effect on the confidentiality, integrity, and availability of that ePHI. (The proposed rule references the National Institute of Standards and Technology's (NIST) AI Risk Management Framework.) 
  • Access Change Notification: Requires regulated entities to notify other regulated entities within 24 hours of a change in, or termination of, a workforce member's access to ePHI or to relevant electronic information systems.  
  • Enhanced Contingency Planning: Demands written procedures for system restoration within 72 hours and specific incident response plans. 
  • Annual Compliance Audit: Ensures compliance with Security Rule requirements through annual audits. 
  • Business Associate Verification: Requires business associates to verify to covered entities at least once every 12 months that they have deployed the required technical safeguards, through a written analysis by a subject matter expert and a written certification. 
  • Mandatory Encryption: Encryption of ePHI at rest and in transit is required. 
  • Technical System Controls: Requires deployment of anti-malware protection, removal of extraneous software from relevant electronic information systems, and disabling of network ports in accordance with the entity's risk analysis. 
  • Multi-factor Authentication: Implementation is required. 
  • Regular Security Testing: Vulnerability scanning at least every six months and penetration testing at least annually; where AI systems are used, this includes monitoring those systems and their sources for vulnerabilities and remediating them (patch management, upgrades, etc.). 
  • Network Segmentation: Required to enhance security. 
  • Backup and Recovery Controls: Specific controls for ePHI backup and recovery systems. 
  • Contingency Plan Activation Notification: Requires notification within 24 hours of activation. 
  • Group Health Plan Compliance: Requires plan documents to include compliance requirements and notifications. 

The proposed rule was published in the Federal Register on January 6, 2025, with a 60-day public comment period. Under the proposal, a final rule would take effect 60 days after its publication, and regulated entities would then have 180 days to come into compliance. However, the new administration has paused HHS regulatory activity pending review, so the timeline remains uncertain.  

Benefits of the Proposed Changes 

  • Improved protection against data breaches. 
  • Enhanced trust in healthcare data management. 
  • Alignment with international cybersecurity standards. 
  • Ethical and compliant AI governance program. 

What can organizations do to meet the requirements? 

To meet the proposed HIPAA Security Rule requirements, healthcare organizations should undertake the following actions: 

  • Conduct Comprehensive Risk Assessments: Regularly perform risk assessments encompassing both security and AI to identify vulnerabilities and threats to ePHI and develop strategies to mitigate these risks. 
  • Develop and Document Policies: Establish detailed policies and procedures for safeguarding ePHI, and ensure they are documented and updated regularly. 
  • Implement Technical Safeguards: Deploy necessary technical controls such as encryption, multi-factor authentication, anti-malware software, and network segmentation to protect ePHI and where it is used with AI systems. 
  • Train Workforce Members: Provide ongoing training to employees on cybersecurity and AI use best practices and procedures for handling ePHI securely and incorporating it into your AI systems. 
  • Conduct Regular Audits and Reviews: Schedule annual compliance audits and regular security testing to ensure adherence to HIPAA standards. Testing and monitoring also pertain to AI systems, including the algorithms and inputs/outputs. 
  • Verify Business Associate Compliance: Ensure that business associates comply with HIPAA requirements by conducting regular audits and obtaining certifications of compliance. 
  • Prepare Contingency Plans: Develop and test contingency plans to address potential data breaches or system failures, and ensure timely notification of incidents. This includes having an incident response plan for AI systems so that models continue to perform as intended and do not drift or hallucinate. 

How Ankura can help 

 Ankura Consulting Group, LLC offers specialized services to support healthcare organizations in adapting to these new regulations. Our offerings include: 

  • Risk Assessment: Comprehensive evaluations of organizational risk as it relates to ePHI and the use of AI systems in regulatory compliance. 
  • Asset Management: Creation and management of technical system inventories, including AI tools used to access critical data. 
  • Network Vulnerability Scans: Identifying and mitigating potential vulnerabilities. 
  • Managed Detection and Response: 24/7 coverage on endpoints to monitor and respond to threat events.  
  • Device Configuration Review: Ensuring devices are secure and compliant. 
  • Network Architecture Review: Assessing and strengthening network design. 
  • Firewall and Perimeter Defense Review: Analyzing and optimizing security barriers. 
  • Employee Mock-Phishing Exercise: Testing and improving employee awareness. 
  • Employee Awareness Survey: Gauging and enhancing cybersecurity knowledge. 

The proposed HIPAA Security Rule amendments represent a significant step forward in safeguarding ePHI and the use of AI systems. Healthcare organizations must proactively update their security measures to align with these changes. Ankura's expert services provide a clear roadmap to compliance, ensuring that organizations can meet new standards efficiently and effectively. 

For more information, contact: ankuracyber@ankura.com 


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice. 
