The Biggest HIPAA Security Rule Update in Over a Decade: What Healthcare Practices Need to Do Now
What is changing and how to get your practice ready
The HIPAA Security Rule has not had a major overhaul since 2013. That is about to change. Federal regulators have proposed the biggest update in over a decade, changing what healthcare practices must do to protect patient data.
For smaller practices that rely on external IT support, changes will arrive quickly, and the gap between a passing audit and a failing one is about to widen. Many of the habits that have quietly worked for years will no longer hold up.
Continue reading to learn what is changing, why it applies to practices of every size, and the steps worth taking now.
What is changing
Today, some safeguards are labeled "addressable," which allows practices to opt out as long as they document a reason. Encryption and multi-factor authentication both fall into this group, which is why so many small offices never enabled them.
The proposed rule closes that door. Most of these safeguards become required, and practice size is no longer a reason to skip them. A solo office faces the same baseline as a large group.
The new requirements
The proposed rule sets clear, measurable expectations. The most important ones are as follows.
- Multi-factor authentication everywhere: Required for anyone accessing systems with patient data. The excuse that a system does not support it no longer works.
- Encryption at rest and in transit: Stored data must be encrypted too, not just data moving across the internet. That includes backups.
- Regular testing: Vulnerability scans at least twice a year, plus a professional penetration test once a year.
- Network segmentation: Patient data systems must be separated from devices such as cameras, smart devices, and guest Wi-Fi so that a breach cannot spread.
- Asset inventory and network map: A current list of every system that touches patient data and a picture of where that data flows.
- Ongoing risk review: The once-a-year checkbox assessment is replaced by continuous review tied to real changes in your environment.
- Faster recovery: Plans must demonstrate you can restore critical systems within 72 hours, and the plan must be tested.
What this means for your vendors
The rule also raises the bar for the outside companies that handle your data, such as billing services, cloud providers, and IT partners. Practices are now expected to get written proof, at least once a year, that those partners have the required safeguards in place. A signed agreement on file is no longer enough. The right partner should welcome that check rather than avoid it.
Why smaller practices cannot wait
This is not aimed only at hospitals. HHS has estimated that first-year compliance could cost the industry around $9 billion, underscoring the significance of this shift. Once a final rule is published, practices are expected to have about 240 days to comply, which is a short window for this much work. [1]
The good news is that modern cloud and managed security services have made strong protection affordable. Encryption, managed MFA, monitoring, and tested backups no longer require a large in-house IT team.
What to do now
The rule is not final yet, but the direction is clear, and waiting is the most expensive way to comply. A few steps are worth starting on now.
- Compare your current safeguards against the proposed requirements to find your gaps.
- Build a full inventory of every system that touches patient data and map how it flows.
- Turn on multi-factor authentication everywhere and confirm your data is encrypted.
- Set a testing schedule and update and test your recovery plan.
- Review your vendor agreements and start collecting proof that partners meet the new bar.
Need help with your IT?
Our comprehensive managed IT services, specifically tailored for medical practices and physicians’ offices, offer an extensive range of services—giving you everything you need to achieve HIPAA compliance, protect patient data, and support your team.
“I have known and used InterNetwork IT for over 3 years. Adam and his team are very professional and go the extra mile to help. Their services are reliable and reasonably priced. I would not hesitate to recommend.”
—Leroy Harrison, Practice Manager, A Plus Pediatrics and South Lake Pediatrics
Visit our IT Services for Healthcare page and contact us today to get started!
[1] HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information