Earlier this year, the U.S. Department of Health & Human Services (HHS) published a proposed update to the HIPAA Security Rule — the first major revision in more than a decade. The update aims to modernize data protection standards in light of today’s cybersecurity threats.
Read the official HHS summary here.
Where Things Stand
As of now, no final rule has been issued, and the existing HIPAA Security Rule remains in effect. The proposed changes are not yet enforceable, and HHS has not announced a publication or compliance date.
If finalized, organizations would likely have 12–24 months to comply after publication — giving time to review, budget, and implement the new safeguards.
What’s Changing
The proposed updates emphasize stronger protections for electronic protected health information (ePHI), including:
- Encryption of data
- Multi-factor authentication (MFA) for system access
- Asset inventories and network mapping to track where data lives
- Regular testing of incident response and contingency plans
These updates reflect cybersecurity best practices that many organizations — including those outside healthcare — can adopt today to strengthen their overall security posture.
How American PCS Helps
At American PCS, we’re closely monitoring these developments and aligning our cybersecurity services with the proposed requirements.
Through our Freedom Defense Cybersecurity Plans, we already meet or exceed the requirements of the current and proposed HIPAA Security Rule. We also provide the following:
- 24/7 threat monitoring and managed detection & response
- Annual penetration testing
- Business continuity and disaster recovery solutions
- HIPAA compliance support for covered entities and business associates
We’ll continue to provide updates as these rules move toward finalization.
If your organization handles sensitive or health-related data and wants to assess readiness, contact us anytime to start the conversation.

