In our last blog post, we discussed important cybersecurity rule updates to HIPAA. To help you get started, we’ve put together a checklist of changes the proposed rule imposes on organizations handling Electronic Protected Health Information (ePHI), which we show below, as well as in a handy pdf you can download here.

Please note that each of the “safeguard” sections below corresponds to the respective section within the proposed rule; the changes outlined are part of that section in the original document.

New HIPAA Regulations Checklist

Scope Changes

  • Expand controls protecting information systems to cover software applications and firmware.
  • Expand audit controls on information systems to include input, output, and access.
  • Expand transmission security controls to cover cryptography, protocols, and data integrity mechanisms.
  • Expand information system activity review controls to cover security incidents and policy violations.
  • Expand incident response plan controls to include security incident response and breach notifications.
  • Expand workstation controls to include servers, virtual devices, and mobile devices which function as workstations.
  • Implement administrative and technical safeguards currently listed as “addressable.”
  • Meet or exceed all standards and implementation specifications for technical safeguards currently listed as recommendations.
  • Expand security awareness training to include:
    • Role-based training
    • Guarding against incidents
    • Password best practices
    • Implemented physical safeguards, especially for mobile devices
    • Security policies
    • Procedures for secure handling of PHI
    • Recognizing and reporting possible security incidents
    • Understanding the importance of protecting PHI
  • Expand controls over security assets to cover all assets that may affect ePHI confidentiality.
  • Expand physical safeguard requirements to cover all ePHI in an organization’s possession across its facilities.
  • Expand maintenance record requirement to include security cameras.
  • Expand ePHI protection to all electronic information systems that affect ePHI.

Administrative Safeguard Changes

  • Implement modern security technologies and best practices.
  • Certify that business associates handling ePHI meet requirements.
  • Create a technology asset inventory and network map.
  • Create a prioritized risk management plan.
  • Create and maintain risk registers of threats to ePHI for your organization, for each vendor, and for each business
    • Assign each threat a probability and impact level to more accurately assess prioritization on the risk management plan.
  • Create a document detailing security controls used to protect ePHI and the rationale for those controls.
  • Create the following policies:
    • That evaluations must be conducted before implementing any changes to the environment which may impact ePHI, including:
      • Adding new technology assets
      • Upgrading systems
      • Mergers/consolidations
      • Legal changes
    • That if risks are identified in an evaluation, the risks should be addressed according to the risk management plan.
    • That the security control documentation, risk management plan, and risk registers should be reviewed and assessed on a regular basis.
    • That workforce members who fail to comply with security policies and procedures are sanctioned in an effective, appropriate, and proportional way.
    • That sanction events are documented.
    • That all policies are reviewed annually and modified as needed to remain relevant and effective.
    • That the security awareness training curriculum is reviewed annually.
    • That compliance with all HIPAA Security Rule standards and implementation specifications will be audited at least annually.
  • Document the following procedures:
    • For reviewing system activity records, including audit trails, event logs, firewall logs, system logs, backup logs, access reports, anti-malware logs, and security incident tracking reports.
      • Review should occur regularly, as appropriate for the type of log or report, and reviews must be documented.
    • For providing authorized access to ePHI to workforce members that require it to accomplish their roles.
      • Access must be documented and periodically reviewed.
    • For authenticating, authorizing, and supervising workforce members with ePHI access.
    • For terminating workforce members’ access to ePHI when they change roles or leave the organization.
    • For segmenting a network such that only appropriate workstations can access ePHI.
    • For preparing for and responding to security incidents (an Incident Response Plan), including:
      • What the response goals are
      • Who the response team is
      • How to report incidents
      • How to respond to incidents
      • The following policies related to the incident response plan:
        • Integration of post-incident analysis into updates to other policies and procedures
        • Annual tests and revisions of the plan
        • Documentation of all stages of incidents, which must be retained for no less than six years
    • For preparing for and responding to emergencies (a Contingency Plan), including:
      • What systems and assets are critical
      • How data backups are created, maintained, and verified
      • How critical systems and data will be restored within 72 hours of loss
      • How the organization will operate in emergency mode to ensure the continued functioning of ePHI systems under critical conditions
      • How the plan will be tested and revised annually
  • Designate a Security Official responsible for ensuring HIPAA compliance.

Physical Safeguard Changes

  • Create written policies and procedures for all operational physical safeguards throughout the organization.
  • Create a policy to test, review, and – as necessary – update security measures at least annually.
  • Create procedures for authorizing and managing role-based access to facilities.
  • Create written policies and procedures governing the use of all workstations with access to ePHI.
  • Implement physical safeguards for all workstations with access to ePHI.

Technical Safeguard Changes

  • Document all technical safeguards, including all measures taken to assure the confidentiality, integrity, and availability of ePHI.
  • Test, review, and revise technical controls at least annually.
  • Implement controls to separate duties for accessing PHI such that no single individual has complete control over the process.
  • Monitor user ePHI activity, including tracking of who accesses what information, when, and from where.
  • Create a policy to review this data regularly.
  • Implement access controls to ensure only authorized users can access PHI.
  • Implement automatic logoffs.
  • Implement at-rest and in-transit encryption for PHI.
  • Implement secure encryption key management.
  • Implement PHI integrity controls that prevent unauthorized alteration or destruction.
  • Create a policy to notify individuals affected by unauthorized access to PHI as soon as reasonable, not to exceed 60 days; notifications must be easy to understand and include guidance individuals can take to protect themselves.
  • For systems that can’t be updated or replaced to add encryption in a reasonable timeframe, implement compensating controls to protect ePHI.
  • Create a policy stating that compensating controls must be reviewed and approved by the organization’s designated Security Official.
  • Create a policy stating that compensating controls must be reviewed at least annually and any time a change is made to the system in question.
  • Implement anti-malware protection across all technology assets.
  • Remove unnecessary software from all PHI-affecting systems.
  • Configure all operating systems and software to minimize exploitable vulnerabilities.
  • Disable unsecured network ports.
  • Implement real-time monitoring and recording of all activities in PHI-affecting systems.
  • Implement unauthorized access alerting for those systems.
  • Implement record retention for these systems.
  • Implement multi-factor authentication. Compensating controls – tested and reviewed annually – may be used instead in the following situations:
    • Emergencies where MFA isn’t feasible
    • FDA-authorized devices
  • Create policies and procedures for vulnerability management, including ongoing monitoring to identify known vulnerabilities, risk assessment, and mitigation/remediation controls.
  • Create policies and procedures for patch management.
  • Create policies and procedures for regular penetration testing by qualified personnel.

Organizational Requirements

  • Create a policy that only business associates which commit to notifying the organization within 24 hours when they activate their contingency plans due to an emergency or other adverse event which impacts an ePHI-handling system may maintain a relationship with the organization.
  • If the organization is a health plan sponsor, update plan documents to obligate the organization or its ePHI-handling agents to implement HIPAA Security Rule administrative, physical, and technical safeguards.

Documentation Requirements

  • Document how the organization considered factors from 45 CFR 164.306(b) in developing written policies and procedures.
  • Create a policy that documentation must be updated at least annually, and within a reasonable time after modifying a security measure.

New/Emerging Technologies

  • Create a policy mandating risk analysis on any AI applications involving PHI.
  • Create a policy mandating the monitoring of authoritative sources for known vulnerabilities and for prompt application of patches, updates, and upgrades addressing critical and high risks in AI applications.
  • Create a policy requiring that any business associate developing VR/AR applications which will be used by the organization provide written verification they have implemented HIPAA Security Rule-required technical safeguards.

Tangible Computing can help you get up to speed with your HIPAA obligations. Our compliance gap assessment service evaluates your current compliance posture. We identify gaps, assess risks, and provide recommendations for remediation to ensure alignment with compliance requirements.

Learn More at https://tangiblesecurity.com/healthcare/