In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is an important component of HHS’ ongoing effort to enhance cybersecurity requirements, many of the proposals raise new questions regarding HHS’ expectations. If adopted, the sweeping changes could have a major impact on the way covered entities and business associates conduct business, including with each other.

Read on for further details on the proposed rule and its implications for regulated entities.