
The 2024 HIPAA Security Rule Updates: What Healthcare Providers Need to Know — and How to Prepare
On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Notice of Proposed Rulemaking (NPRM) proposing significant updates to the HIPAA Security Rule. These proposed changes aim to modernize the regulation for today’s cyber threat landscape — one defined by ransomware, phishing, and data breaches targeting electronic protected health information (ePHI).
The proposed rule represents the first major update to the HIPAA Security Rule in two decades and introduces new technical, administrative, and procedural requirements for covered entities and business associates alike (HHS, 2024).
For healthcare providers, this NPRM is an especially important prompt to elevate cybersecurity maturity, strengthen compliance documentation, and implement proactive defenses before enforcement begins.
Why HHS Is Updating the HIPAA Security Rule
Healthcare remains one of the most targeted sectors for cyberattacks. According to HHS data, breaches affecting over 88 million individuals were reported in 2023 alone — a 60% increase from the previous year. Threat actors now exploit weak authentication, unpatched systems, and insufficient segmentation to steal patient data and disrupt operations.
Recognizing this growing risk, HHS has proposed a series of updates that align the HIPAA Security Rule with modern cybersecurity standards like NIST SP 800-53 and industry best practices. The goal is to make compliance more measurable, enforceable, and effective in safeguarding ePHI.
Key Proposed Changes in the 2024 HIPAA Security Rule NPRM
1. Elimination of “Addressable” Requirements
The NPRM proposes removing the distinction between “required” and “addressable” implementation specifications. This means that every security safeguard listed in the rule will now be mandatory, unless a very narrow exception applies (HHS, 2024).
For providers, this represents a major shift — optional measures like encryption, multi-factor authentication (MFA), or vulnerability scanning will soon become baseline compliance requirements.
2. Written Documentation for All Security Activities
Entities will now be required to maintain written documentation of all policies, procedures, risk analyses, contingency plans, and implementation decisions. Documentation must reflect both policy and practice — proving that controls are in place, tested, and reviewed regularly.
This change is designed to strengthen accountability and simplify audits, ensuring that security is demonstrable, not just theoretical.
3. Annual Technology Asset Inventory and Network Mapping
The NPRM would require organizations to create and maintain an up-to-date technology asset inventory and network map showing where and how ePHI moves through their systems.
This inventory must be reviewed at least annually or whenever a significant change occurs in the organization’s infrastructure. For healthcare providers managing complex EHR systems, connected devices, and telehealth platforms, this will require continuous collaboration between IT, compliance, and clinical operations teams (HHS, 2024).
4. More Detailed and Measurable Risk Analysis
The proposed rule introduces new specificity for conducting risk analyses. Each assessment must:
Review the technology asset inventory and network map.
Identify all reasonably anticipated threats to ePHI confidentiality, integrity, and availability.
Identify vulnerabilities and predisposing conditions in relevant systems.
Assess the likelihood and potential impact of each identified threat exploiting those vulnerabilities.
This framework aligns with NIST’s risk management model, encouraging a proactive approach rather than a once-a-year audit exercise.
5. 24-Hour Access Termination Notifications
To limit insider and access-related breaches, covered entities must notify specific personnel or departments within 24 hours whenever a workforce member’s access to ePHI or certain systems changes or terminates.
This rapid communication requirement emphasizes real-time identity management and privileged access control.
6. Stronger Contingency and Incident Response Planning
The NPRM introduces detailed requirements for business continuity and incident response, including:
Written procedures to restore lost systems and data within 72 hours.
An analysis of system criticality to prioritize recovery.
A written security incident response plan outlining detection, reporting, and escalation steps.
Routine testing and revision of these response plans.
These updates reflect lessons learned from ransomware incidents that crippled hospitals for weeks — emphasizing resilience as a key compliance component.
7. Annual Compliance Audits
Covered entities must conduct a formal compliance audit at least once every 12 months to verify adherence to the Security Rule.
This goes beyond risk assessments by requiring a systematic review of implementation effectiveness, documentation accuracy, and remediation progress.
8. Business Associate Verification Requirements
Under the NPRM, business associates (such as IT vendors, billing providers, or cloud service providers) must:
Conduct an annual analysis of their technical safeguards.
Provide a written certification verifying that the analysis was performed by a cybersecurity expert and is accurate.
Share verification documentation with covered entities upon request.
This change closes a long-standing compliance gap by holding vendors accountable for the same standards that covered entities face.
9. Mandatory Encryption and Multi-Factor Authentication
Perhaps the most significant updates involve technical safeguards:
Encryption of ePHI both in transit and at rest, with limited exceptions.
Multi-factor authentication (MFA) for all users accessing ePHI or relevant systems.
Previously, these were “addressable.” Under the NPRM, they will be explicitly required. Providers will need to ensure all systems, including EHR platforms, backup servers, and cloud applications, comply.
10. Network Segmentation and Technical Controls
The NPRM calls for organizations to implement network segmentation to isolate systems containing ePHI and configure systems consistently through written procedures.
Additional technical requirements include:
Anti-malware deployment.
Removal of unnecessary software.
Disabling unused network ports.
Separate technical controls for backup and recovery.
This shift toward secure configuration management reflects a “zero trust” mindset — assume breach, minimize impact.
11. Required Vulnerability Scanning and Penetration Testing
Entities must conduct vulnerability scans every six months and penetration testing annually.
For many healthcare organizations, this will be a new and critical operational step, ensuring that external and internal defenses are continuously validated against real-world threats (HHS, 2024).
12. Annual Review and Testing of Security Measures
Instead of the vague requirement to “maintain” security measures, the NPRM mandates reviewing and testing the effectiveness of safeguards at least annually.
This change ensures that organizations can demonstrate not only that security controls exist, but that they are functional and up to date.
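The technical safeguards and review cadences in sections 9 through 12 (encryption, MFA, segmentation, semiannual vulnerability scans, annual penetration tests, annual inventory review and control testing) lend themselves to an automated gap check over the technology asset inventory. The following is an added example, not code from the post or from CCS; the inventory field names and the sample records are constructed for illustration and are not an HHS schema.

```python
from datetime import date

# Review cadences as summarized above; field names are constructed for this
# example, not an official HHS schema.
MAX_DAYS = {
    "inventory_reviewed": 365,  # asset inventory and network map: at least annually
    "vuln_scanned": 182,        # vulnerability scans: every six months
    "pen_tested": 365,          # penetration test: annually
    "controls_tested": 365,     # effectiveness review/testing of safeguards: annually
}
REQUIRED_CONTROLS = {
    "encrypted_at_rest": "ePHI not encrypted at rest",
    "encrypted_in_transit": "ePHI not encrypted in transit",
    "mfa_enforced": "MFA not enforced for users accessing ePHI",
    "segmented": "not isolated on a segmented network",
}

def check_asset(asset, today):
    """Return the list of gaps for one inventory record (empty list = no gaps)."""
    if not asset.get("ephi"):
        return []  # systems that do not store or transmit ePHI are out of scope
    gaps = [msg for field, msg in REQUIRED_CONTROLS.items() if not asset.get(field)]
    for field, limit in MAX_DAYS.items():
        last = asset.get(field)
        if last is None:
            gaps.append(f"{field}: never performed")
        elif (today - last).days > limit:
            gaps.append(f"{field}: overdue ({(today - last).days} days, limit {limit})")
    return gaps

def check_inventory(inventory, today):
    """Map each asset name to its gaps so the result can feed audit documentation."""
    return {a["name"]: check_asset(a, today) for a in inventory}

# Constructed sample inventory; these are not real systems or dates from the post.
SAMPLE_INVENTORY = [
    {"name": "ehr-db", "ephi": True, "encrypted_at_rest": True,
     "encrypted_in_transit": True, "mfa_enforced": True, "segmented": True,
     "inventory_reviewed": date(2025, 1, 15), "vuln_scanned": date(2025, 3, 1),
     "pen_tested": date(2024, 11, 20), "controls_tested": date(2025, 1, 15)},
    {"name": "backup-nas", "ephi": True, "encrypted_at_rest": False,
     "encrypted_in_transit": True, "mfa_enforced": False, "segmented": True,
     "inventory_reviewed": date(2024, 3, 1), "vuln_scanned": date(2024, 10, 1),
     "pen_tested": None, "controls_tested": date(2025, 2, 1)},
    {"name": "guest-wifi-ap", "ephi": False},
]

if __name__ == "__main__":
    for name, gaps in check_inventory(SAMPLE_INVENTORY, date(2025, 6, 1)).items():
        print(name, "->", gaps or "no gaps")
```

Running the check on a fixed review date makes the output reproducible for the written documentation the NPRM expects; the same gap list can be attached to the annual compliance audit record.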
The Risks of Noncompliance
Failure to align with the updated HIPAA Security Rule could expose providers to:
Civil monetary penalties and OCR enforcement actions.
Contractual risks from noncompliant business associates.
Data breach liability and patient trust erosion.
Given that enforcement will likely intensify once the final rule takes effect, healthcare entities must act now to build compliance readiness.
How CCS Helps Healthcare Providers Achieve Compliance and Security Readiness
At Compliance Cybersecurity Solutions (CCS), we partner with healthcare organizations to bridge the gap between regulatory compliance and practical cybersecurity resilience.
1. HIPAA Security Readiness Assessments
We conduct comprehensive audits of your existing security program against current and proposed HIPAA standards, including encryption, MFA, and documentation readiness.
2. Risk Analysis and Asset Inventory Development
Our team helps you map ePHI flows, build a complete asset inventory, and identify vulnerabilities across networks, devices, and applications — all aligned with the NPRM’s new requirements.
3. Implementation of Technical Safeguards
From MFA deployment to encryption, segmentation, and endpoint protection, we help implement and configure the exact controls the new rule will require.
4. Business Associate Management
CCS assists covered entities in verifying that business associates meet HIPAA security requirements — helping you meet the new annual certification expectation.
5. Continuous Compliance Monitoring
We don’t just prepare you for an audit; we help you stay ready year-round through vulnerability scanning, compliance dashboards, and managed security services.
By combining cybersecurity best practices with healthcare-specific compliance expertise, CCS ensures your organization isn’t just compliant — it’s protected.
Conclusion
The 2024 HIPAA Security Rule NPRM marks a turning point in healthcare cybersecurity. HHS is signaling that compliance can no longer be flexible or reactive — it must be proactive, documented, and technically rigorous.
Healthcare providers who prepare now will not only avoid penalties but also build stronger defenses, better patient trust, and long-term resilience in an increasingly hostile cyber environment.
CCS is here to help you navigate that journey — from gap analysis to full compliance implementation — efficiently and confidently.
References
U.S. Department of Health and Human Services (HHS). (2024, December 27). HIPAA Security Rule: Notice of Proposed Rulemaking (NPRM) Fact Sheet. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html