Newest HIPAA Rules
What is HIPAA & What Does it Have to do with Me?
Before we take a look at the new proposed HIPAA rules, let's cover what HIPAA actually is. The well-known acronym stands for Health Insurance Portability and Accountability Act of 1996. This act included many things when it first came into effect and over the years, as you may expect, there have been plenty of adjustments made to the rules surrounding HIPAA. HIPAA’s goal is to protect protected health information (PHI) as well as establish benchmarks for the electronic exchange of health information.
So, shouldn’t this just apply to hospitals and doctors' offices? Chances are you have given your PHI to more institutions than you may realize. HIPAA applies to all organizations that handle PHI, which, for you, could include healthcare providers, billing services, academic institutions, employers, legal counsel, and even IT support. Any organization that has information about your identity and medical records is required to follow HIPAA guidelines. So, when new rules arise, they affect a lot of people, and most of the time they require affected businesses to make adjustments to their practices.
New Rules?
This particular proposal, which first appeared January 6th, 2025, aims to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). As you can tell by the titles of the acts, they deal with the electronic information exchanges of PHI.
These ‘new rules’ aren’t really new; they are just slight modifications to old rules that set the standards for confidentiality and availability of ePHI (electronic PHI). Here is the proposed update from the Federal Register:
“The proposals in this NPRM would increase the cybersecurity for ePHI by revising the Security Rule to address: changes in the environment in which health care is provided; significant increases in breaches and cyberattacks; common deficiencies the Office for Civil Rights has observed in investigations into Security Rule compliance by covered entities and their business associates (collectively, “regulated entities”); other cybersecurity guidelines, best practices, methodologies, procedures, and processes; and court decisions that affect enforcement of the Security Rule.”
So, in short, they want to increase cybersecurity for ePHI. This is good news as the world of cybersecurity is always changing and it is one aspect of HIPAA that requires constant monitoring to keep up with current risks and threats.
The last time this rule was updated was in 2013, and since then there have been a lot of changes to healthcare, including an increased dependency on technology. To put it into perspective, here is a list of some ePHI that the Federal Register included: “appointment scheduling, prescription orders, telehealth visits, medical devices, patient records, medical and pharmacy claims submissions and billing, insurance coverage verifications, payroll, facilities access and management, internal and external communications, and clinician resources.”
Our modern healthcare systems are not the same as they were in 2013, and new HIPAA rules and adjustments are an integral part of adapting to this dynamic environment. As technology, data sharing, and patient expectations continue to transform healthcare, regulatory updates like this help ensure that privacy and security standards adapt accordingly. The new rules not only reinforce the protection of sensitive health information but also pave the way for more responsive, transparent, and patient-centered care.