Proposed 2025 HIPAA Security Rule Changes & SMB Implications

Comment Period for 2025 HIPAA Security Rule changes ends March 7

Feb 20, 2025

Article voiceover

1×

0:00

-22:48

The 2024 HIPAA Security Rule amendments represent a significant overhaul, demanding strategic realignment of governance, risk management, and compliance (GRC) programs, particularly for SMBs. The proposed rule changes have an open commentary period, which ends on March 7th, 2025. To leave comments, go here: https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

The elimination of the "addressable" implementation specifications, expanded technical safeguards, and compressed implementation timelines create compliance obligations and opportunities for strengthening organizational resilience. To navigate these changes successfully, SMBs must prioritize a phased approach, leveraging cost-optimization strategies and cultural change initiatives. The key is to transform compliance from a burden into a strategic advantage. Failing to adapt puts SMBs at considerable risk, as demonstrated by the statistic that "60% [of SMBs] fail within six months of a breach."

1. Core Changes to the HIPAA Security Framework:

Elimination of "Addressable" Implementation Specifications: The removal of the distinction between "required" and "addressable" safeguards is a fundamental shift. The revised rule "mandates implementation of all security controls unless specific documented exceptions apply." This directly addresses the previous tendency of SMBs to treat these standards as optional. Specific examples now mandated include:
Multi-Factor Authentication (MFA): "Now required for all system access points handling ePHI, replacing previous conditional implementations."
Encryption: "Mandatory for ePHI both at rest and in transit, closing previous loopholes for internal network communications."
Network Segmentation: "Requires documented segmentation strategies preventing lateral movement during breaches."
Expanded Technical Safeguards: The updated Technical Safeguards (45 CFR §164.312) introduce 14 new implementation specifications aligning with NIST Cybersecurity Framework standards. This expansion creates "technical debt requiring immediate prioritization" for SMBs. Examples of the added or emphasized safeguards include:
Maintaining comprehensive technology inventories updated quarterly.
Developing network topology maps tracking ePHI flow across systems.
Implementing session timeout policies for inactive systems.
Extending workstation security controls to mobile devices.
Automated patch management within 30 days of release.
Removal of unnecessary software from ePHI systems.

2. GRC Program Transformations:

Integrated Risk Management Frameworks: The updates mandate alignment between HIPAA compliance and enterprise risk management programs. Key integration points include:
Unified risk register (mapping HIPAA vulnerabilities to corporate risk appetite).
Annual security validation for all business associates.
Contractual requirements for 24-hour breach notifications.
Executive reporting (monthly dashboards and board-level briefings).
Compliance Lifecycle Acceleration: Implementation timelines are being compressed, requiring more agile compliance processes:
- Previous Cycle:
  - Risk analysis - Biannual
  - Security training - Annual
  - Policy updates - Event-driven
- 2024 Proposed Rule changes:
  - Risk analysis - Continuous monitoring + annual formal review
  - Security training - Quarterly + post-incident refreshers
  - Policy updates - Annual review + change-triggered updates

3. Technical Implementation Roadmap:

Phased Control Deployment: For resource-constrained organizations, a phased approach is recommended:
Phase 1 (0-6 months): Gap analysis, MFA implementation, enterprise encryption.
Phase 2 (6-12 months): Asset inventory, penetration testing, and network segmentation.
Phase 3 (12-18 months): GRC platform integration, automated vendor risk assessments, continuous monitoring.
Cost Optimization Strategies:
- Leverage compliance-as-a-service: MSP partnerships, cloud-based encryption.
- Automate documentation: Tools generating audit-ready reports and AI-assisted policy creation.
- Pool resources: Join healthcare ISACs and collaborate on training.

4. Operationalizing Cultural Change:

Leadership Engagement Tactics: Map HIPAA requirements to business outcomes (e.g., reduced insurance premiums) and implement cross-functional governance committees.
Staff Enablement Programs: Role-based compliance dashboards, gamified training, and recognition programs for control improvement suggestions.

5. Anticipating Future Regulatory Trends:

Emerging Requirements: Anticipate requirements related to AI governance, Software Bill of Materials (SBOM) adoption, and Zero Trust architecture.
Strategic Preparation Steps: Conduct tabletop exercises, allocate a budget for adaptive controls, and build partnerships with academic cybersecurity programs.

"The 2024 HIPAA changes present SMB cybersecurity leaders with challenges and strategic opportunities." By modernizing GRC programs, SMBs can "reduce breach risks," "improve operational efficiency," and "enhance market position." The immediate next steps include conducting a formal gap assessment, briefing executives, and exploring managed security services. For SMBs that successfully navigate this transition, the HIPAA updates offer a pathway to building cyber resilience that supports compliance and business growth.

Key Statistics & Concerns Highlighted:

747 large breaches exposing 168 million records in 2023
43% of SMBs historically treated "addressable" specifications as optional
60% of healthcare organizations targeted by ransomware
34% of breaches originate through business associates
$1.85M average breach cost threatening SMB viability
49% of healthcare data breaches involving unencrypted devices
58% of breaches stem from human error
82% of healthcare employees targeted by social engineering
73% of surveyed providers expect mandatory zero trust architectures by 2026
SMBs investing in HIPAA modernization achieve 34% faster audit cycles and 27% lower cyber insurance premiums

Recommendations:

Prioritize gap assessments against the updated requirements.
Secure executive-level buy-in and resource allocation.
Explore managed security services and compliance-as-a-service solutions.
Invest in staff training and awareness programs.
Begin planning for future regulatory trends like AI governance and Zero Trust architectures.

Thank you for taking the time to read the SMB Tech & Cybersecurity Leadership Newsletter! I truly hope you found it valuable. If you did, I’d be grateful if you could share it with others who might also benefit from it!

Product Shoutout: Omnistruct

Expert Governance Team + GRC Platform = Your Outsourced Risk Management Leadership

ELEVATE YOUR CYBERSECURITY WITH OMNISTRUCT’S PROVEN SERVICES.

Achieve superior data and privacy security at a fraction of the cost of building an in-house team. We can fast-track compliance, reduce risks, and help you focus on what you do best.

Learn more here: https://omnistruct.com/partners/influencers-meet-omnistruct/

References and resources:

https://www.hipaajournal.com/new-hipaa-regulations/

https://www.business-reporter.co.uk/management/the-future-of-grc-how-small-businesses-are-fighting-the-rise-of-cyber-crime

https://www.hipaajournal.com/hipaa-updates-hipaa-changes/

https://www.hipaajournal.com/hhs-strengthened-hipaa-security-rule/

https://www.tenfold-security.com/en/hipaa-security-rule-update/

https://hyperproof.io/resource/proposed-new-hipaa-rules-2025/

https://360advanced.com/hipaa-compliance-tips-for-small-to-mid-sized-business-smb-healthcare-providers/

https://greeneis.com/what-is-grc-in-cyber-security-comprehensive-guide/

https://www.kirkland.com/publications/kirkland-alert/2025/01/proposed-changes-to-the-hipaa-security-rule

https://www.techtarget.com/healthtechsecurity/feature/Things-to-know-about-proposed-HIPAA-Security-Rule-updates

https://www.elisity.com/blog/hipaa-security-rule-changes-2025-new-network-segmentation-requirements-and-implementation-guidelines

https://right-hand.ai/blog/grc-cyber-security/

https://www.morganfranklin.com/insights/hipaas-new-era-navigating-the-regulatory-changes-to-strengthen-cyber-risk-tprm-privacy-and-grc/

https://www.sheppardhealthlaw.com/2025/01/articles/hipaa/hhs-last-minute-holiday-gift-proposed-changes-to-the-hipaa-security-rule/

https://info.docxellent.com/blog/hippa-updates-and-changes

https://www.triagehealthlawblog.com/hipaa/hhs-publishes-notice-of-proposed-rulemaking-to-amend-hipaa-security-rule-requirements-comments-due-march-7-2025/

https://www.hklaw.com/en/insights/publications/2024/12/big-changes-proposed-for-the-hipaa-security-rule

https://www.cov.com/en/news-and-insights/insights/2025/01/hhs-issues-notice-of-proposed-rulemaking-to-update-the-hipaa-security-rule

https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html

https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

https://www.hipaaguide.net/new-hipaa-regulations/

https://www.foley.com/insights/publications/2025/01/hhs-proposes-changes-strengthen-hipaa-security-rule/

https://hallboothsmith.com/hipaa-privacy-rule-changes-2024/

https://www.nixonpeabody.com/insights/alerts/2024/12/31/ocr-announces-proposed-updates-to-hipaa-security-rule

https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy

https://www.hipaaguide.net/recent-hipaa-changes/

https://www.paubox.com/blog/upcoming-2024-hipaa-updates-and-changes

https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310\&RIN=0945-AA22

https://deandorton.com/2024-hipaa-regulations-update/

https://www.maynardnexsen.com/publication-hipaa-reproductive-health-care-phi-rules-compliance-date-approaching

https://www.healthcarelawinsights.com/2025/01/ocr-announces-proposed-updates-to-hipaa-security-rule-raises-the-bar-for-healthcare-cybersecurity/

https://www.barradvisory.com/resource/2024-year-in-review/

https://www.onetrust.com/blog/10-grc-trends/

https://www.navex.com/en-us/blog/article/the-state-of-cybersecurity-for-small-and-medium-businesses/

https://blog.procircular.com/how-the-new-hipaa-security-rule-changes-will-affect-healthcare

https://www.brightdefense.com/resources/cybersecurity-compliance-statistics/

https://www.barradvisory.com/resource/hipaa-security-rule-changing/

https://blog.rsisecurity.com/understanding-hipaa-violations-and-their-consequences/

https://www.frazierdeeter.com/insights/article/understanding-the-proposed-changes-to-hipaas-security-rule/

https://www.brightdefense.com/resources/hipaa-compliance-for-startups/

https://hallboothsmith.com/hipaa-2024-and-beyond/

https://www.sai360.com/resources/grc/hipaa-cybersecurity-updates-coming-soon-8-things-to-know-blog

https://www.cybernetman.com/blog/hipaa-compliant-technology-the-ultimate-guide/

https://www.compliancemanagergrc.com/blog/

https://blog.cspire.com/outsourced-it-can-improve-hipaa-compliance.-heres-how

https://clearwatersecurity.com/blog/ocrs-proposed-hipaa-security-rule-notice-of-proposed-rulemaking/

https://thoropass.com/blog/compliance/hipaa-requirements-healthcare-smb/

https://sprinto.com/blog/hipaa-security-rule-update/

https://www.brightdefense.com/resources/what-is-grc-in-cybersecurity-2/

https://www.fepbl.com/index.php/csitrj/article/view/1277/1509

https://www.metricstream.com/insights/utilizing-HIPAA-as-the-starting-point-for-comprehensive-cyber-risk-and-compliance.html

https://www.healthcarecompliancepros.com/blog/top-5-hipaa-challenges-for-small-health-practices