Submit a Service Request
Open Menu

Cybersecurity threats in healthcare are increasing, and regulatory bodies are taking action. On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. These proposed updates aim to improve cybersecurity protections for electronic protected health information (ePHI) and impose stricter compliance requirements on healthcare organizations and their IT partners—including Managed Service Providers (MSPs).

With major changes expected in 2025, now is the time for healthcare IT teams to prepare. Here’s what you need to know about the proposed HIPAA changes, why they matter, and how your organization can get ahead of the curve.

Key Proposed Changes to the HIPAA Security Rule

The NPRM introduces several significant modifications, including:

  • Mandatory Implementation of Security Measures: The distinction between “required” and “addressable” security standards will be removed, making all implementation specifications required.
  • Annual Compliance Audits: Organizations must conduct a compliance audit at least once every 12 months.
  • Written Documentation Requirements: Organizations must document all security policies, procedures, plans, and risk assessments in writing.
  • Regular Risk Analysis & Vulnerability Assessments: Organizations must conduct a written risk assessment, including an inventory of technology assets and a network map, at least once every 12 months.
  • Penetration Testing & Vulnerability Scanning: MSPs must conduct vulnerability scans at least every six months and penetration testing at least once a year.
  • Stronger Incident Response Requirements: Organizations must establish written security incident response plans and procedures, with defined roles and reporting structures.
  • Multi-Factor Authentication & Encryption: Encryption of ePHI at rest and in transit will be required, along with mandatory multi-factor authentication.
  • Stricter Access Controls & Termination Policies: Healthcare providers must notify certain entities within 24 hours when a workforce member’s access to ePHI is changed or terminated.
  • Backup & Recovery Enhancements: Organizations must implement separate technical controls for ePHI backups and recovery processes.

Why These Changes Matter to MSPs & IT Teams

For IT professionals supporting healthcare organizations, these changes bring new challenges and opportunities:

  1. Increased Demand for Compliance Support: Many healthcare providers lack the internal resources to manage compliance effectively. They will rely on MSPs and IT consultants for guidance.
  2. Healthcare Clients Will Be Forced to Comply: Organizations that previously overlooked security due to cost concerns will now be required to implement these changes to maintain licensing, obtain insurance, and receive payments from Medicare and Medicaid.

How We Can Help You Prepare

At Bent Ear, we specialize in helping healthcare organizations navigate cybersecurity compliance. Here’s how we can support you before these changes take effect:

  • HIPAA Compliance Audits & Risk Assessments: We’ll conduct in-depth security audits and risk assessments tailored to your organization.
  • Network & Asset Mapping: Our team will help you develop a comprehensive technology asset inventory and network map.
  • Vulnerability Scanning & Penetration Testing: We offer regular testing services to identify and mitigate security weaknesses.
  • Implementation of Security Controls: From encryption solutions to multi-factor authentication, we’ll help you deploy the necessary safeguards.
  • Automated Compliance Solutions: We leverage tools like Compliance Manager GRC to simplify and automate compliance tracking.
  • Ongoing Security Training & Incident Response Planning: We’ll ensure your team is equipped with the knowledge and protocols needed to meet HIPAA’s updated security standards.

Act Now—Don’t Wait Until It’s Too Late

The proposed HIPAA Security Rule changes are expected to be finalized in 2025, and compliance deadlines will follow soon after. Waiting until the last minute could leave your organization vulnerable to penalties, breaches, and operational disruptions.

Take proactive steps now to ensure a smooth transition. Contact Bent Ear today to schedule a consultation and start preparing for the future of healthcare cybersecurity.

We're With You Every Step of the Way

Keeping you up and running is our number one priority.

Connect With Us