Navigating the New HIPAA Security Rule: Key Provisions, Deadlines, and Employer Implications

  • Michelle Wilson Reynolds
  • Mar 10

HIPAA Security Rule Update

A new proposed rule from the Department of Health and Human Services (HHS) is set to bring significant changes to HIPAA’s Security Rule, particularly affecting business associates, covered entities, and employer-managed benefits programs. These revisions are designed to strengthen cybersecurity protections for electronic protected health information (ePHI) and increase accountability across the healthcare and benefits landscape. Employers and HR professionals must be prepared for new compliance requirements, tighter security standards, and potential penalties for non-compliance.


Key Changes and Compliance Requirements

One of the most critical updates under the proposed rule is the strengthening of business associate agreements (BAAs). Employers and other covered entities must ensure that their business associates, including third-party benefits administrators and IT service providers, comply with HIPAA’s updated Security Rule. These agreements must now include provisions requiring written verification of compliance at least once every 12 months. Additionally, business associates must report security incidents and the activation of contingency plans within 24 hours, increasing the urgency of breach response and mitigation.


Another significant change is the requirement for annual security audits. Employers handling ePHI must conduct internal compliance reviews every 12 months and ensure that all policies and procedures are documented, reviewed, and updated on the same timeline. Records of these audits must be retained for six years to meet federal requirements. Additionally, the rule imposes new technical safeguard mandates, meaning employers and business associates may need to invest in cybersecurity measures to prevent breaches.


Deadlines and Transition Periods

Employers and business associates will have a limited window to ensure compliance with the revised regulations. Once the final rule is published, businesses will have 60 days to implement new policies. However, for contracts signed before the rule’s publication, a transition period applies: existing BAAs remain valid for either 240 days or up to one year and 60 days, depending on the circumstances. Notably, "evergreen contracts" (those that automatically renew) are also subject to compliance updates within this timeframe. Failing to meet these deadlines could result in non-compliance penalties under 45 CFR 160.104(c).


Penalties and Enforcement Actions

The penalties for non-compliance are substantial. Employers and business associates that fail to report security breaches within 24 hours could face federal enforcement actions. Additionally, the requirement for annual security audits means that violations could be detected and penalized retroactively. Organizations must ensure that all their contracts, security protocols, and employee training programs align with the new requirements.


What This Means for Employers

For employers, particularly those in healthcare, insurance, and HR benefits administration, these changes present both challenges and opportunities. The increased compliance requirements mean that organizations must revisit their security policies, update contracts with vendors, and establish stronger cybersecurity practices. Those who rely on third-party HR and benefits platforms must work proactively to ensure vendor compliance before the transition deadline.


Failure to meet these requirements could result in fines, legal liabilities, and reputational damage. The rule also emphasizes encryption, risk assessments, and contingency planning, requiring employers to invest in stronger security frameworks. This could mean upgrading IT systems, implementing stricter access controls, and enhancing employee cybersecurity training.


Preparing for Compliance: Next Steps

To stay ahead of these changes, employers should begin by conducting a gap analysis to determine their current level of HIPAA Security Rule compliance. Next, they should review and update all BAAs, policies, and security protocols, ensuring alignment with the new regulations. Organizations should also engage their IT teams or external cybersecurity consultants to implement the necessary safeguards.


The upcoming compliance deadlines and reporting obligations will require ongoing attention. Employers must stay informed, collaborate with vendors, and allocate resources for cybersecurity improvements to ensure they meet federal requirements. By taking proactive steps now, businesses can avoid penalties, strengthen data security, and protect sensitive employee health information in an increasingly digital and interconnected healthcare environment.



Deadlines & Compliance Timeline

  • Final Rule Publication Date: TBD

  • Compliance Date: 60 days after publication

  • End of Transition Period:

    • 240 days for renewing contracts

    • 1 year and 60 days for full compliance
