THALES BLOG

What 2025 HIPAA Changes Mean to You

February 3, 2025

Doug Bies | Product Marketing Manager

Thales' comprehensive Data Security Platform helps you comply with the 2025 HIPAA changes.

You are going about your normal day at your healthcare organization, following the same routine business process you have followed for the last twelve years. You expect Personal Health Information (PHI) to be protected, and thanks to HIPAA compliance, it is.

HIPAA forces organizations to build a security system for personal health information. You certainly wouldn't print your personal health information and pass it out to anyone. HIPAA ensures that businesses treat your personal health information with extra care, encrypting it, restricting who can access it, and ensuring systems that store it are secure and continuously tested. Every time you receive medical care, HIPAA is working behind the scenes to keep your PHI safe from cybercriminals.

According to the 2023 Thales Data Threat Report, Healthcare and Life Sciences Edition, human error (76%) is the leading reported cause of cloud data breaches among healthcare and life sciences respondents, well ahead of the second-highest cause, a lack of MFA, at 11%. Compounding the problem, identity and encryption management complexity is a serious issue: 60% of healthcare respondents have five or more key management systems in use.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that, when first published, created the national standards for protecting sensitive patient health information (PHI) from being disclosed without the patient's consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule.

Who does it apply to?

Covered Entities: All entities accessing protected personal health information (PHI), including health plans, health insurance organizations, hospitals, clinics, pharmacies, physicians, and dentists, among others.

Business Associates: Third-party service providers that create, receive, maintain, or transmit ePHI on behalf of covered entities. Examples include IT contractors or cloud storage vendors.

Key Dates

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and strengthen cybersecurity protections for electronic protected health information (ePHI). The rule is expected to go into effect on March 7, 2025, following a comment period. HIPAA is not a static regulation: since its original publication, it has been periodically updated to remain relevant.

What Changed?

The changes are extensive. They focus on new written policies and procedures, technical safeguards, and updated business associate agreements, which are summarized below.

  • Elimination of "Addressable" Standards: The distinction between "required" and "addressable" implementation specifications has been removed. This means that HIPAA-regulated entities are now required to comply with all security standards, with specific, limited exceptions.
  • Strengthened Security Measures:
    • Mandatory Encryption: Encryption is now a mandatory requirement for all ePHI, both at rest and in transit, with limited exceptions.
    • Multi-factor Authentication: Clear definitions to enhance security when accessing sensitive systems.
    • Enhanced Risk Analysis: More stringent requirements for conducting and documenting risk analyses.
    • Vulnerability Scanning and Penetration Testing: Regular vulnerability scanning and penetration testing are now mandatory.
    • Improved Incident Response: Clearer guidelines and expectations for responding to security incidents.
    • Alignment with NIST Guidelines: Incorporates well-recognized cybersecurity best practices.
    • Stronger Penalties: Increased consequences for negligence and repeated breaches.

Failure to be HIPAA Compliant

The penalties for non-compliance with HIPAA vary based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.9 million per calendar year. Violations can also result in jail time of 1–10 years for the individuals responsible.

Thales Solution for HIPAA Compliance

No single tool makes an organization 100% compliant, but Thales offers comprehensive data security solutions that align with HIPAA requirements. Thales is driven by a vision to protect data and all paths to it, enabling you to become more compliant and more secure. Thales helps organizations address the PHI safeguarding requirements of HIPAA by analyzing risk, reducing risk from third parties, controlling access and authenticating users, encrypting PHI at rest and in transit, protecting encryption keys, and de-identifying PHI in databases.

How Thales Helps with HIPAA Compliance

It's been one year since Thales and Imperva joined as two data security leaders. Although there is no silver bullet for improving your data security posture, Thales's comprehensive data protection and monitoring strategy is now a clear solution to assist with HIPAA compliance. It offers encryption, multi-factor authentication, and cybersecurity solutions that give healthcare organizations industry-leading options for their data security, monitoring, and compliance needs.

With Thales's solution depth, you can now become HIPAA compliant without investing in a confusing set of tools from multiple vendors. Thales's Application Security, Data Security, and Identity and Access Management solutions have the advanced security and compliance features you need to address the new HIPAA requirements.

Summary

Thales is a major solution provider for organizations that want to achieve HIPAA compliance, remain HIPAA compliant, or adhere to the new HIPAA requirements published in January 2025. HIPAA requirements are complex and have changed for the first time in 12 years, prompting organizations to look to Thales for application security, data security, and identity and access management solutions to help with HIPAA compliance.

Download our Thales Data Threat Report, Healthcare and Life Sciences Edition, to learn more about data protection solutions and shorten your time to becoming HIPAA compliant.