By Junichiro Nishimura, LL.M. Class of 2026
As part of the 2023 National Cybersecurity Strategy, on January 6, 2025, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed amendment aims to strengthen the cybersecurity protection of electronic protected health information (ePHI). Among other things, the NPRM would make encryption of ePHI mandatory and require multi-factor authentication (MFA), a significant change with substantial implications for the healthcare industry.
In October 2024, OCR reached a resolution with the Bryan County Ambulance Authority in Oklahoma requiring it to pay $90,000 specifically because it had failed to conduct an adequate HIPAA risk analysis; since then, OCR has imposed monetary penalties in other cases for deficiencies in risk assessment. In the context of HIPAA, “risk assessment” refers to the process by which healthcare organizations and related entities identify, analyze, and evaluate risks to the confidentiality, integrity, and availability of ePHI. It is a core requirement of the HIPAA Security Rule. Because monetary penalties for failing to conduct required risk assessments have increased significantly, this post explains the changes to risk assessment proposed in the NPRM.
Changes to Risk Assessment
Even before the NPRM, the HIPAA Security Rule required covered entities and business associates to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and to take measures appropriate to the level of risk they face. 45 C.F.R. §164.308(a)(1)(ii)(A). The NPRM goes further: HHS proposed to require continuous risk assessments based on NIST SP 800-66 Rev. 2, which sets the federal government’s minimum cybersecurity standards.
If the proposed amendments to the HIPAA Security Rule take effect, covered entities and business associates subject to HIPAA must establish a system for conducting continuous risk assessments. NPRM Section III. Notably, continuous risk assessment requires an organization to assess risks across its entire system, to use the results to prioritize and strengthen controls such as access controls, audit logging, and workforce training, and to repeat this cycle at least annually and whenever circumstances warrant.
Security Risk Assessment Tool
On September 9, 2025, HHS OCR released a new version (ver. 3.6) of the HIPAA Security Risk Assessment Tool (SRA Tool) as a recommended resource to help covered entities and business associates fulfill their risk analysis obligations. The tool is free and is designed to provide practical support for complying with the risk analysis requirements of the HIPAA Security Rule, particularly for small and medium-sized healthcare organizations, businesses, and business associates. Because covered entities and business associates are expected to use this tool in preparing for compliance with the proposed amendments to the HIPAA Security Rule, it is of particular practical importance.
The SRA Tool has been available for some time, but version 3.6 includes several major updates that align it with the NPRM:
- Terminology update to align with NIST standards: To make the risk scale consistent with NIST terminology, “medium” has been changed to “moderate.”
- “Reviewed By” function: A new “reviewed by” button and date stamp have been added to each section, making it easier for organizations to document internal review and approval.
- Enhanced reporting: Reports now include section-by-section approval details and user-input information.
- Refreshed library files: During installation, outdated library files are replaced, reducing potential vulnerabilities.
- Content updates: Some questions, responses, and educational materials have been clarified to reflect today’s cybersecurity environment.
The SRA Tool is available for free download, and using it is expected to help organizations prepare for compliance with the proposed amendments to the HIPAA Security Rule. It should be noted, however, that using the SRA Tool does not by itself ensure compliance with the risk analysis requirements of the HIPAA Security Rule, nor does it address every possible risk to ePHI. Each covered entity and business associate must take appropriate measures tailored to the specific risks it faces.
Conclusion
The amendments to the HIPAA Security Rule will require covered entities and business associates to take new measures in managing ePHI. In particular, given the increased enforcement focus on risk assessments, ensuring compliance in this area has become especially important. From a practical standpoint, effective use of the SRA Tool to implement a NIST-aligned risk assessment framework may reduce the likelihood of violating the amended HIPAA Security Rule and is therefore of substantial importance for compliance.