The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on December 27, 2024, and published in the Federal Register on January 6, 2025, a Notice of Proposed Rulemaking (NPRM) proposing extensive modifications to the HIPAA Security Rule. If finalized, these would be the first modifications of the Security Rule since 2013 and could entail significant additional compliance obligations and costs for HIPAA covered entities and business associates (collectively, regulated entities). For reference, a redline of the existing language of the Security Rule with the NPRM’s proposed modifications is available here.
