The U.S. Department of Health and Human Services (HHS) has proposed updates to the HIPAA Security Rule that add new cybersecurity requirements for healthcare organizations and the health tech companies that serve them. The changes respond to growing cyber threats and aim to improve the protection of electronic protected health information (ePHI).

Health tech firms, including EHR providers, telehealth platforms, and AI-driven health apps, face new compliance challenges. The updates demand stronger risk management, stricter cybersecurity, and greater vendor accountability, requiring firms to revise security strategies.

Compliance will be expensive: HHS estimates $9 billion in the first year and $6 billion annually thereafter, a burden that falls harder on startups and mid-sized firms than on large organizations. With the public comment period open until March 7, 2025, companies should identify security gaps now, strengthen protections, and prepare for compliance to avoid fines and reputational damage.

Key Takeaways

Health tech companies face new HIPAA Security Rule updates that introduce stricter cybersecurity requirements, impacting their risk management, finances, and compliance strategies.

  • Health tech firms must adopt more rigorous cybersecurity frameworks, including annual risk assessments, multifactor authentication, and stronger encryption protocols.
  • Compliance costs are projected at $9 billion in the first year and $6 billion annually, with smaller companies facing greater financial challenges.
  • Companies need to enhance employee training, invest in scalable security solutions, and actively participate in regulatory discussions to adapt to these changes.

Compliance challenges for health tech

The Notice of Proposed Rulemaking (NPRM) introduces several major security updates, requiring health tech companies to adopt more rigorous cybersecurity frameworks and strengthen their ability to detect, prevent, and respond to cyber threats.

Stricter risk management and security assessments

One of the most significant changes in the proposed rule is a more structured and prescriptive risk management process. The risk analysis that HIPAA already requires would become an explicit annual exercise following eight specific implementation steps. The rule also mandates multifactor authentication (MFA) for system access involving ePHI to strengthen access control, and requires that ePHI be encrypted both in transit and at rest.

Regular vulnerability scans every six months and penetration testing once a year will be required to identify potential security weaknesses. Moreover, the proposed rule introduces network segmentation policies to limit exposure to cyberattacks by restricting access between different parts of a system.

For health tech vendors handling patient data, these updates mean upgrading existing security measures and integrating the tooling needed to meet the new standards. Because covered entities must verify their vendors' safeguards, vendors should also expect to document their own compliance and to confirm that the way clients deploy their platforms does not undermine it.

Enhanced technology asset management

Health tech companies must track all technology assets handling ePHI, ensuring software and hardware stay updated with security patches. They must also map networks for vulnerabilities and enforce strict access controls. For cloud-based platforms, compliance is tougher due to numerous devices and third-party integrations. Robust asset management systems are needed for real-time visibility and security compliance.

New incident response and recovery mandates

The proposed rule introduces stricter incident response and recovery requirements, particularly to address the growing threat of ransomware attacks that have severely impacted hospitals and healthcare systems.

Under the proposed rule, health tech companies must be able to restore critical systems and data within 72 hours of a loss, such as a ransomware attack, to keep disruption to a minimum. They must also maintain contingency plans and perform frequent automated backups so that ePHI can be recovered quickly. Telehealth and cloud-based platforms should review their disaster recovery plans against the 72-hour target, and close collaboration with covered entities is essential to minimize downtime and prevent data loss.

Greater accountability for business associates

Many health tech vendors operate as business associates, meaning they handle electronic protected health information (ePHI) on behalf of covered entities such as hospitals and insurance providers. Under the proposed rule updates, business associates will face stricter compliance requirements and greater accountability in protecting sensitive patient data.

They must notify the covered entities they serve within 24 hours of activating their contingency plans, and they must verify their security controls at least annually. The rule also strengthens business associate agreements, increasing vendors' legal and financial responsibility for meeting the stricter security standards.

Impact on health tech entities

Enhancing cybersecurity protections comes with financial and operational challenges for health tech companies of all sizes.

Rising compliance costs

HHS projects that compliance with the proposed rule will cost healthcare organizations and their business associates $9 billion in the first year, followed by $6 billion in each subsequent year. For health tech firms, the biggest expenses will be investments in cybersecurity infrastructure such as MFA, encryption, and network monitoring; hiring or training IT security personnel to oversee compliance; and legal fees for updating contracts and conducting security audits.

While larger health tech firms can absorb these costs, smaller companies and startups may need to secure additional funding or adjust their pricing models to remain financially sustainable.

Increased administrative burden

The proposed rule expands documentation requirements, adding to the administrative burden for health tech firms. Companies will need to audit their security policies and risk assessments more frequently and keep detailed written records of their cybersecurity measures, risk management efforts, and compliance verification, which must be available to regulators on request.

Vendors will also be expected, through their business associate agreements, to confirm that clients deploy their platforms in line with HIPAA-mandated security standards, which adds oversight responsibilities. These obligations could slow software development cycles, since compliance teams will need to align new product features with the evolving requirements to avoid potential penalties.

Uncertain regulatory landscape

With a new administration in office, the final version of the rule could see modifications, delays, or phased implementation. Possible changes include reducing financial burdens on small businesses by allowing exemptions or extensions, adjusting compliance deadlines to give companies more time to implement necessary security measures, and providing additional guidance on specific cybersecurity requirements.

Despite this uncertainty, health tech experts advise early preparation to avoid compliance risks and potential fines.

Preparing for Compliance

To ensure compliance with the proposed updates, health tech companies should take proactive steps to strengthen their security and compliance frameworks.

Conduct a comprehensive security gap analysis: Evaluate current security policies against the proposed requirements and identify the areas that need improvement. Key aspects to assess include access control measures, such as whether MFA is enforced on every path to ePHI, and whether ePHI is encrypted in transit and at rest. Organizations must also review their incident response planning, recovery capabilities, and breach notification protocols to ensure they can respond effectively to cyber threats and data breaches.

Another critical area is examining business associate agreements and vendor management policies to confirm that third-party partners comply with security requirements. By performing this analysis, companies can prioritize their security investments and allocate resources efficiently, reducing vulnerabilities and strengthening overall compliance.
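One way to make the gap analysis repeatable is to drive it from the technology asset inventory the proposal also calls for. The following is an added example, not code from the article or from HHS: it checks a constructed inventory of ePHI-handling assets against the control cadences summarized above (MFA, encryption in transit and at rest, vulnerability scans every six months, penetration tests every twelve months, a tested backup that supports a 72-hour restore target, and assignment to a restricted network segment). The field names, the sample assets, and the 182-day scan threshold are assumptions for illustration; the authoritative requirements are in the NPRM text, not in this script.

```python
"""Gap analysis of an ePHI asset inventory against the control cadences the
proposed HIPAA Security Rule update is summarized as requiring. Added example;
the inventory and field names below are constructed, not an HHS schema."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cadences as summarized in the article (assumed thresholds, not rule text).
SCAN_MAX_AGE = timedelta(days=182)        # vulnerability scan every six months
PENTEST_MAX_AGE = timedelta(days=365)     # penetration test once a year
RESTORE_TARGET_HOURS = 72                 # critical systems restored within 72h


@dataclass
class Asset:
    """One entry from a (hypothetical) technology asset inventory."""
    name: str
    handles_ephi: bool
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_vuln_scan: Optional[date]
    last_pentest: Optional[date]
    backup_tested: bool                   # a restore drill actually succeeded
    restore_estimate_hours: Optional[int]
    network_segment: Optional[str]        # None = flat network, no isolation


def assess(asset: Asset, today: date) -> List[str]:
    """Return the list of control gaps for one asset (empty if compliant)."""
    findings: List[str] = []
    if not asset.handles_ephi:
        return findings  # out of scope for the Security Rule
    if not asset.mfa_enforced:
        findings.append("MFA not enforced on ePHI access")
    if not asset.encrypted_at_rest:
        findings.append("ePHI not encrypted at rest")
    if not asset.encrypted_in_transit:
        findings.append("ePHI not encrypted in transit")
    if asset.last_vuln_scan is None or today - asset.last_vuln_scan > SCAN_MAX_AGE:
        findings.append("vulnerability scan missing or older than 6 months")
    if asset.last_pentest is None or today - asset.last_pentest > PENTEST_MAX_AGE:
        findings.append("penetration test missing or older than 12 months")
    if asset.restore_estimate_hours is None or asset.restore_estimate_hours > RESTORE_TARGET_HOURS:
        findings.append(f"restore estimate missing or exceeds {RESTORE_TARGET_HOURS}h target")
    if not asset.backup_tested:
        findings.append("backup restore never exercised")
    if asset.network_segment is None:
        findings.append("not placed in a restricted network segment")
    return findings


def gap_report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant in-scope asset to its findings, worst first."""
    report = {a.name: assess(a, today) for a in assets}
    report = {name: f for name, f in report.items() if f}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory; dates are relative to a fixed assessment day.
AS_OF = date(2025, 3, 1)
SAMPLE_ASSETS = [
    Asset("patient-portal-api", True, True, True, True,
          AS_OF - timedelta(days=30), AS_OF - timedelta(days=100),
          True, 12, "app-tier"),
    Asset("legacy-billing-db", True, False, False, True,
          AS_OF - timedelta(days=250), None,
          False, 120, None),
    Asset("marketing-site", False, False, False, True,
          None, None, False, None, None),   # no ePHI: ignored
]

if __name__ == "__main__":
    for name, findings in gap_report(SAMPLE_ASSETS, AS_OF).items():
        print(f"{name}: {len(findings)} gap(s)")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample inventory, only legacy-billing-db is reported, with seven gaps; the marketing site is skipped because it holds no ePHI. Feeding the same function the real inventory (from a CMDB export, for instance) turns the gap analysis into a check that can be re-run before each annual risk analysis rather than a one-off spreadsheet exercise.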

Strengthen employee cybersecurity training: Since human error is a major cause of data breaches, health tech firms should provide comprehensive cybersecurity training that covers recognizing phishing attacks and social engineering tactics, secure handling of ePHI and encryption best practices, and emergency response protocols for cyber incidents.

Regular security drills and training programs will help employees stay vigilant and respond effectively to threats.

Invest in scalable security solutions: Health tech companies should consider cost-effective, scalable security solutions, such as cloud-based security tools with automated compliance monitoring, managed security service providers (MSSPs) for threat detection and incident response, and AI-driven analytics to detect suspicious network activity.

Participate in policy discussions: Health tech companies should actively engage in regulatory discussions by providing feedback to HHS during the public comment period, collaborating with industry groups to advocate for balanced regulations, and staying informed on potential rule modifications.

By participating in these discussions, companies can help shape final regulations and ensure that industry concerns are addressed.

Adapting to HIPAA’s new security rules

The proposed HIPAA Security Rule updates introduce sweeping changes that will reshape compliance strategies for health tech entities. While the new regulations will enhance cybersecurity protections, they also bring significant financial, operational, and administrative challenges.

By proactively strengthening security frameworks, investing in compliance strategies, and staying informed about regulatory changes, health tech companies can navigate these challenges effectively while continuing to deliver secure and reliable digital healthcare solutions.