
Notice of Proposed Rulemaking for Changes to the HIPAA Security Rule

  • May 19
  • 5 min read

UPDATE 05/05/26

Hi everyone,

This is the May update regarding the Final Rule for these changes. As of right now, there is no update. Rumors across the cybersecurity sites still have this rule finalizing sometime within the next month, with an estimated enforcement date of July/August 2026. I will update this further should that change.


I have finished the basics of a template for a policies and procedures manual regarding your cybersecurity procedures. You can view and purchase it here: https://www.floridatherapistnetwork.com/.../general...


It is a packet of 30+ pages of sample policies and procedures, editable in Microsoft Word to your own specific setup. You will notice several [INSERT] identifiers to let you know where to insert the relevant information asked per your setup. I hope this helps get you started!

Any purchases of this initial packet go toward further development of the website.


I am also working on 1) a free checklist companion to this, and 2) an actual training on the starting steps to implement this. I am hoping to get a couple of CEUs attached to it, too. Stay tuned on that one.


Hi everyone,


This is an update to this post from about a year ago. You will remember that back in December 2024, HHS held a series of meetings to begin looking at possible revisions to the HIPAA Security Rule. This was driven by the series of cyber attacks that took place over 2023-2024, which we all knew were major headaches and terrible to go through. The result of those meetings was the following proposed rulemaking changes:


We have been waiting a long while to see if this was going to come into effect, with the modmin advising that everyone begin preparing in the event that it is coming. Well, it IS. This thread will hopefully give you as much information as you need in order to make the necessary changes for these Security Rule updates, as well as for the Part 2 CFR Rule from the CARES Act that SAMHSA has also decided to enact (it will likely be folded into the Privacy Rule over time).

Let’s handle the Part 2 CFR Rule first, as it is easier.


Final Rule: Part 2 CFR Rule

Per the notice itself from HHS: “The Part 2 statute (42 U.S.C. 290dd-2) protects ‘[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.’ Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.” You will find the final fact sheet here: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html

The point of this rule change is to better protect substance use records from being used in potentially harmful ways in the court and legal systems, preserving patient privacy.

Now, to determine whether changes are required on your end:

  • Do you diagnose, treat, or refer for Substance Use Disorders (SUD)?

  • Do you advertise that you treat SUD, or have you received specialized training in SUD?

  • Have you ever requested records from a SUD program?

If the answer to ANY of these questions is YES, then you must make changes to your Informed Consent paperwork.


You will be required to cite 42 CFR Part 2 in your section about Records, including a statement that federal protection exists for the health information within substance use treatment. You will list out the legal protections and how redisclosure is handled. If your program or practice fundraises (common among SUD programs), then you must also add that to your Part 2 protections.


Person Centered Tech has a good fact sheet on this and some sample verbiage: https://personcenteredtech.com/.../42-CFR-Part-2-HIPAA...


This is required to be in your Informed Consents NOW. Also, now is a good time to review your Release of Information: remember, you MUST have a section to specifically consent to the disclosure of substance use history as well as HIV/AIDS history. This is a section I commonly see missed on ROIs.


Final Rule: Security Rule Changes 2026

Now for the bigger part: as was stated back in early 2025, several changes to the Security Rule were proposed and discussed, and it looks like they are going to go through in a Final Rule. NOW IS THE TIME TO PREPARE.

Most HIPAA tracking sites seem to indicate that the Final Rule will be completed in May 2026, with expected adherence being as soon as June/July or as late as the end of the year. You can find a few places discussing these changes here: https://www.healthcarelawinsights.com/.../major-hipaa.../ and here https://www.intech-hawaii.com/hipaa-2026-compliance.../ and here https://www.hipaajournal.com/hipaa-updates-hipaa-changes/

These rule changes will require us to implement the following:

  • All healthcare providers will be required to create and keep written documentation of Security Rule policies, procedures, plans, and analyses. Basically, you need a handbook on your policies and procedures for dealing with cybersecurity and cyber attacks. It will need to be reproducible if asked for, apply to your specific hardware and software setup, and have contingencies for nearly every possible problem or data leak that could occur.

  • You need a network map (essentially a diagram showing every device on your network) that shows the flow of ePHI through every single system that touches it, and you must update it at least once annually. This includes mobile devices, computers, printers, routers, servers, etc.

  • You will need to begin documenting and performing cybersecurity risk analyses. This includes things like reviewing your network map and tech assets, examining possible threats to the confidentiality and availability of ePHI, identifying possible vulnerabilities in your tech systems, and assigning a risk level to each vulnerability.

  • New reporting measures when a machine with ePHI is compromised.

  • A plan in place to restore access to ePHI within 72 hours should your EHR platform go down. This essentially means that “a cloud platform going down” is not an excuse you can use if your data is unavailable for more than 72 hours, so you will be required to create a backup system in some way. You will also need to compile the associated reports related to your platform going down and have policies on reporting security incidents.

  • A compliance audit covering all of this will be required once annually. It looks like mock cybersecurity attacks were removed from the most recent version, but there will be more on this should it be re-added to the final rule.

  • Require (and confirm) that your ePHI data is encrypted both at rest and in transit.

  • Create policies and rules around defensive measures that protect against security vulnerabilities (things like network routing, disabling unused ports, employing anti-malware measures, etc.).

  • Segment your network (meaning your network can be broken into parts that still function independently, allowing you to quarantine an infected part of the network to contain a virus, for example).

  • Require Multi-Factor Authentication (MFA) on all devices that handle ePHI.


Now, obviously, this is a lot. These specific measures are not new or cutting edge at all, and have likely (hopefully) been implemented in larger network systems (think hospitals, agencies, and bigger organizations with dedicated IT teams) for years. But for smaller organizations and private practices, most people don’t do all of this. The common assumption is that whoever you pay your EHR subscription to does all of this in the background. This rule will shift that liability to you. Get started on it NOW.


We hope to come out with examples of some of these different measures over the coming weeks and, if there is interest, have someone present on how best to prepare.


If anyone has any questions, I’ll do my best to answer.
