On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). If finalized, the proposed HIPAA changes would significantly change how MSPs and IT teams keep regulated entities, and themselves as business associates, compliant.
The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:
- Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required.
- Require written documentation of all Security Rule policies, procedures, plans and analyses.
- Add specific compliance time periods for many existing requirements, including a compliance audit at least once every 12 months to verify that the Security Rule's requirements are actually being met.
- Require the development of a technology asset inventory and a network map, and their review and update at least once every 12 months and whenever the entity's environment or operations change.
- Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Require greater specificity in conducting a risk analysis, including an express requirement for a written risk assessment.
Why upcoming HIPAA policy changes matter to MSPs:
If you support healthcare companies, you will need to help them meet the new list of security, compliance and audit controls once the rule is finalized; the NPRM proposes a compliance deadline tied to the final rule's effective date, so the exact timeline depends on when and in what form the rule is adopted. Note that an MSP which creates, receives, maintains or transmits ePHI on a client's behalf is itself a business associate and is directly subject to the Security Rule, not just a contractor helping someone else comply. Healthcare companies that historically have not seen an ROI on security or compliance will face growing pressure to comply with the new HIPAA requirements from regulators, cyber-insurers, payers and partners. Healthcare buyers are going to start asking about HIPAA, compliance services and security upgrades such as vulnerability scanning and penetration testing.
What should MSPs be doing to prepare:
This is the time to design and market a healthcare-specific offering to meet your clients' needs, expand your business and manage risk. Evaluate your ability to properly assess network compliance and provide risk management solutions to your clients. Consider implementing solutions like Compliance Manager GRC to automate key components of compliance. Explore new security tools to help you design HIPAA-compliant solutions for your customers, and get ahead of the trend before your competitors sell into your book of business.
Kaseya works hard to stay ahead of these changing regulations to make sure you can deliver automated and integrated solutions to meet these standards. Discover how you can master infrastructure audits, compliance and risk management with Kaseya’s Audit & Compliance Solutions.