The U.S. Department of Health and Human Services (HHS) has proposed updates to the HIPAA Security Rule through a Notice of Proposed Rulemaking (NPRM). While these updates are not yet final, they signal the continued evolution of cybersecurity expectations for protecting electronic Protected Health Information (ePHI).
Importantly, HIPAA is not limited to healthcare providers. Organizations such as law firms, personal injury practices, workers’ compensation firms, disability claims processors, and other professional services that handle Protected Health Information (PHI) may also be subject to these requirements.
The proposed updates focus on stronger cybersecurity controls, including encryption, multi-factor authentication, risk assessments, incident response planning, and vendor oversight.
Across healthcare and related industries, the direction is clear: expectations for protecting sensitive data continue to increase, and organizations are expected to demonstrate stronger security practices over time.
At Atech, we help organizations stay ahead of evolving cybersecurity and compliance requirements so they don’t have to interpret regulatory changes or manage them alone.
