If your business handles sensitive health information — whether you're a healthcare provider, a human services organization, or any organization dealing with electronic protected health information (ePHI) — you should be aware of potential new cybersecurity rules. Nothing is set in stone yet, but the federal government is proposing significant updates to HIPAA’s Security Rule.
These changes, announced by the U.S. Department of Health and Human Services (HHS) early this year, are aimed at strengthening cybersecurity protections for patient data. That’s good news for anyone worried about cyber threats. But it also means businesses that handle ePHI may soon face new compliance requirements — some of which could be costly and time-consuming to implement.
So, what’s on the table? And, more importantly, what should you do now to prepare? Let’s break it down.
What’s Being Proposed?
Right now, HIPAA’s Security Rule sets baseline standards for protecting electronic health information. But cyber threats have evolved dramatically since these rules were first introduced. That’s why HHS is proposing the following key updates:
- Mandatory Data Encryption – All electronic protected health information (ePHI) would have to be encrypted, making it much harder for hackers to access sensitive data.
- Multi-Factor Authentication (MFA) – Businesses would be required to implement MFA to verify the identity of anyone accessing ePHI, reducing the risk of unauthorized access.
- Regular Security Audits – Organizations handling ePHI would need to conduct routine security assessments to identify vulnerabilities and ensure compliance.
- Incident Response & Recovery Plans – Companies would have to establish formal plans to respond to cyberattacks and restore systems within 72 hours.
What This Means for Your Business
If your organization deals with patient data, these changes to HIPAA could bring additional costs, administrative work, and compliance hurdles. Even businesses that already take cybersecurity seriously may need to invest in new technologies, upgrade internal processes, and train staff on new requirements.
For smaller businesses — such as non-profits, human services organizations, and independent medical practices — compliance could be particularly challenging.
Encryption, multi-factor authentication, and ongoing audits require resources that some organizations simply don’t have. And if your current cyber insurance policy isn’t built for these changes, you could be looking at significant financial exposure if a data breach occurs.
Nothing Is Final — But Don’t Wait Until It Is
As of now, these proposed changes are not law. The federal government is in the middle of a public comment period, meaning businesses, industry experts, and advocacy groups can weigh in before the rules are finalized. After that, HHS will review the feedback and make adjustments before issuing a final rule.
That process could take months or even longer. But waiting until the last minute to prepare isn’t a good strategy. The best approach? Start planning now.
How to Stay Ahead of the Curve
Even though these changes aren’t official yet, businesses can take steps to strengthen their cybersecurity posture now. Here’s how:
- Assess Your Current Cybersecurity Practices
Take a look at your existing data protection measures. Do you already use encryption? Is multi-factor authentication in place? Identifying gaps now can help you avoid scrambling later.
- Review Your Cyber Insurance Policy
Many businesses assume their cyber insurance will cover them in case of a data breach, but policies vary widely. Some don’t account for regulatory changes or new compliance requirements. Reviewing your coverage now could prevent costly surprises down the line.
- Stay Informed
The rules aren’t final, but we’ll be keeping a close eye on the process. Keeping up with regulatory updates ensures you’re not caught off guard when compliance deadlines are eventually set.
- Start Strengthening Your Security Now
Even if these exact rules don’t go into effect, the trend is clear: cybersecurity expectations are getting stricter. Implementing stronger security measures now — like employee cybersecurity training and stricter access controls — will benefit your business regardless of what happens with HIPAA.
The Bottom Line
Cyber threats aren’t waiting for regulators to make decisions. Taking proactive steps now — like evaluating your security measures, reviewing your cyber insurance, and staying informed — will put your business in a stronger position no matter what happens next.
If you’re unsure where to start, we’re here to help. Our team specializes in helping businesses navigate risk, compliance, and insurance solutions tailored to their needs. Have questions? Let’s talk.
The Mahoney Group, based in Mesa, Ariz., is one of the largest independent insurance and employee benefits brokerages in the U.S. For more information, visit our website or call 877-440-3304.
This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.