Proposed Rule to Strengthen Cybersecurity

In an effort to address the increasing breaches of electronic protected health information (ePHI), the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) have issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule. The proposed changes, set to be published in the Federal Register on January 6, 2025, aim to address concerns related to technological advancements, breaches, enforcement, best practices, and methods for safeguarding ePHI. The NPRM seeks to enhance the Security Rule's standards and implementation guidelines, adding several new proposals and clarifications, including removing the distinction between "required" and "addressable" specifications and making all of them mandatory, with few exceptions; requiring written documentation of all Security Rule policies; updating definitions and implementation standards; and adding compliance time periods for requirements already in existence. Additional details on other proposals and clarifications included in the NPRM are listed on the Fact Sheet released on December 27, 2024.

These additional safeguards are being proposed at least in part as a result of recent breaches such as the Change Healthcare cybersecurity incident that occurred in February 2024 and the HealthEquity breach that occurred in March 2024. They are also intended to address the ever-changing cyber landscape. Until these rules are finalized, the current rules continue to apply.

The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. This information is provided as general guidance and may be affected by changes in law or regulation. This information is not intended to replace or substitute for accounting or other professional advice. You must consult your own attorney or tax advisor for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.


© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization. 

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.

Date: 2025-01-09. Categories: Regulatory, Compliance, & Legislative; Employee Benefits Compliance.