New HIPAA Rules Mandate MFA and Encryption for ePHI—Is Your Organization Ready?

The HIPAA Security Rule is getting a major update—one of the biggest in years. On December 27, 2024, the Office for Civil Rights (OCR) proposed new cybersecurity requirements designed to protect electronic protected health information (ePHI) from the growing wave of cyber threats.
These updates were published on January 6, 2025, kicking off a 60-day public comment period. After the comment period closes, the OCR will review feedback, revise the proposed rule if necessary, and finalize it for regulatory approval. If there are no major delays, the final rule could arrive in late 2025 or early 2026. Once approved and published, it will include an effective date and a compliance deadline (often 6–24 months after publication).
The changes aim to establish greater data protection and clearer compliance expectations. This is in addition to mandatory enforcement of critical security measures.
These measures include:
- Multi-factor authentication (MFA) for all systems accessing ePHI
- Encryption for ePHI at rest and in transit
- Technology asset inventories and network mapping to track ePHI movement
- More rigorous and detailed risk analysis requirements
As a data security leader, you’ll need to prove that ePHI is properly protected—everywhere it exists, at all times. However, many organizations lack visibility into where their data is and who is accessing it.
So the question becomes: How do you protect and demonstrate compliance if you don’t know where your ePHI is? You can’t protect what you don’t know exists and you can’t enforce MFA if you don’t know who’s accessing ePHI.
Breaking Down the New HIPAA Security Requirements
1. Multi-Factor Authentication (MFA) Is Now Required
MFA is no longer a recommendation—it’s a mandate for any system that grants access to ePHI. This applies to on-prem, cloud, and third-party systems used by covered entities and business associates.
What you need to do:
- Implement MFA across all accounts accessing ePHI
- Monitor access for suspicious activity
- Enforce role-based access control to limit unnecessary access
How Cyera helps: To enforce MFA, you must first discover and classify your data to understand where your ePHI resides. Cyera’s discovery and classification capabilities, together with our Identity module, provide that knowledge: where your ePHI resides and who, or what, has access to it.
2. Encryption Must Be Enforced at Rest and In Transit
Encryption is an industry best practice, but now it’s explicitly required under HIPAA. ePHI must be encrypted by default—whether it is structured, semi-structured, or unstructured.
While the type of encryption is not explicitly stated, it must be reasonable and appropriate, such as:
- Applying AES-256 encryption for data at rest
- Using TLS 1.2+ encryption for data in transit
- Ensuring cloud and third parties comply with encryption policies
The final point mentioned above means increased due diligence when working with third parties. This will result in changes to processes, including third-party risk assessments, as well as updated contractual language to ensure proper data handling.
How Cyera Helps: Understanding where your ePHI resides is the first step in verifying encryption. Cyera’s DSPM solution provides deep visibility into your data stores, delivering detailed metadata to help you assess critical security measures, including encryption.
Encryption visibility may vary by storage system. For on-premises data, encryption can be nuanced—while a storage array may encrypt the disk, this doesn’t necessarily mean the data itself is encrypted. Disk-level encryption primarily protects against physical theft rather than securing the data at rest. Cyera helps you navigate these complexities, ensuring your encryption measures meet security and compliance standards.
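The following is an added illustration, not code from the original post or from Cyera: a small check that applies the expectations above (AES-256 at rest, TLS 1.2+ in transit, and disk-level encryption not counting as data-at-rest encryption) to a constructed inventory of data stores. The inventory records, the accepted cipher names and the protocol labels are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AT_REST_OK = {"AES-256", "AES-256-GCM", "AES-256-XTS"}  # assumed acceptable ciphers
MIN_TLS = (1, 2)                                       # TLS 1.2+ for data in transit

@dataclass
class DataStore:
    name: str
    holds_ephi: bool
    data_encryption: Optional[str]   # cipher applied to the data/objects, or None
    disk_encryption: bool            # array/full-disk encryption only
    transit_protocols: List[str] = field(default_factory=list)  # e.g. "TLSv1.2"

def tls_version(proto: str) -> Optional[Tuple[int, int]]:
    """'TLSv1.2' -> (1, 2); anything else (plaintext, SSLv3) -> None."""
    if not proto.startswith("TLSv"):
        return None
    major, minor = proto[4:].split(".")
    return int(major), int(minor)

def evaluate(store: DataStore) -> List[str]:
    """Findings for one store; an empty list means it meets the stated expectations."""
    findings: List[str] = []
    if not store.holds_ephi:
        return findings  # only stores holding ePHI are in scope of this check
    if store.data_encryption not in AT_REST_OK:
        if store.disk_encryption:
            # disk encryption protects the hardware, not the data at rest
            findings.append("at-rest: disk-level encryption only, data itself not encrypted")
        else:
            findings.append("at-rest: no encryption")
    for proto in store.transit_protocols:
        ver = tls_version(proto)
        if ver is None or ver < MIN_TLS:
            findings.append(f"in-transit: {proto} does not meet the TLS 1.2 minimum")
    return findings

def evaluate_all(stores: List[DataStore]) -> Dict[str, List[str]]:
    """Map each store name to its findings."""
    return {s.name: evaluate(s) for s in stores}

# Constructed sample inventory for illustration
SAMPLE = [
    DataStore("ehr-db", True, "AES-256", True, ["TLSv1.2"]),
    DataStore("nas-archive", True, None, True, ["TLSv1.0"]),
    DataStore("sftp-drop", True, "AES-256-GCM", False, ["TLSv1.3", "http"]),
    DataStore("marketing-bucket", False, None, False, ["TLSv1.0"]),
]
```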
3. Organizations Must Track All Technology Assets and Data Movement
The new rule brings another major new requirement: Every organization must maintain an updated inventory of all technology assets that process, store, or transmit ePHI. This includes creating a network map that tracks ePHI’s movement between internal systems and external partners.
This requirement is similar to PCI compliance, where organizations must clearly document the architecture and components of the cardholder data environment. Under the new HIPAA rules, covered entities must now establish a well-defined ePHI data holder/processor environment.
The key is ensuring that ePHI is only stored, processed, or transmitted within this designated, documented environment. If ePHI moves outside this controlled environment into an "out-of-scope" area within the enterprise, that environment must also meet the same minimum security requirements outlined in the rule and becomes subject to audit.
What you need to do:
- Identify and document all systems, devices, and applications that store or process ePHI
- Map how ePHI moves across internal and external environments
- Review and update this inventory at least annually—or after major changes
How Cyera helps: Over the years, many organizations have lost track of their most sensitive data, including ePHI. Cyera solves this. By connecting to your data sources, Cyera automatically discovers, inventories, and classifies data with high precision, at scale and with speed—even shadow data that you may not know exists. Through the use of AI, Cyera can even uncover ePHI data types that are unique to your business in ways that traditional methods, such as Regular Expression (RegEx) and pattern matching simply cannot.
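As an added example (not Cyera's code or the original post's), this script follows ePHI-carrying flows from a documented source across a network map and separates what it reaches into the documented environment, undocumented internal systems that have become subject to the same requirements, and external partners that need third-party due diligence. The asset names, the documented environment and the flow list are constructed for illustration.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, bool]  # (source asset, destination asset, carries_ephi)

def ephi_reach(sources: Iterable[str], flows: Iterable[Flow]) -> Set[str]:
    """Every asset ePHI can reach from `sources` by following ePHI-carrying flows."""
    adj: Dict[str, List[str]] = {}
    for src, dst, carries in flows:
        if carries:
            adj.setdefault(src, []).append(dst)
    seen: Set[str] = set(sources)
    queue = deque(seen)
    while queue:  # breadth-first walk of the ePHI-carrying edges
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def scope_report(documented: Set[str], external: Set[str],
                 sources: Iterable[str], flows: List[Flow]) -> Dict[str, list]:
    """Split what ePHI reaches into undocumented internal assets, external partners,
    and the flows that carry ePHI out of the documented environment."""
    reached = ephi_reach(sources, flows)
    undocumented = sorted(a for a in reached if a not in documented and a not in external)
    partners = sorted(a for a in reached if a in external)
    crossings = [(s, d) for s, d, c in flows if c and s in documented and d not in documented]
    return {"undocumented_internal": undocumented,
            "external_partners": partners,
            "boundary_crossings": sorted(crossings)}

# Constructed inventory and network map for illustration
DOCUMENTED = {"ehr-db", "ehr-app", "claims-svc"}
EXTERNAL = {"clearinghouse.example"}
FLOWS: List[Flow] = [
    ("ehr-db", "ehr-app", True),
    ("ehr-app", "claims-svc", True),
    ("claims-svc", "clearinghouse.example", True),  # business associate
    ("ehr-app", "analytics-lake", True),            # not in the documented env
    ("analytics-lake", "bi-dashboard", True),       # downstream of that flow
    ("ehr-app", "marketing-crm", False),            # no ePHI on this link
]

if __name__ == "__main__":
    for key, value in scope_report(DOCUMENTED, EXTERNAL, {"ehr-db"}, FLOWS).items():
        print(key, value)
```

Re-running this after every inventory update (the annual review or any major change) turns the "out-of-scope" rule in the text into a repeatable check rather than a one-time mapping exercise.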
4. Risk Analysis Must Be More Comprehensive
HIPAA has always required risk assessments, but the new rule means that a generic security risk assessment won’t cut it anymore. The new rule demands more detailed evaluations of cyber threats, vulnerabilities, and safeguards specific to protecting electronic protected health information (ePHI).
What you need to do:
- Review your technology asset inventory and network map
- Identify all realistic threats to ePHI’s confidentiality, integrity, and availability
- Assess vulnerabilities in electronic systems and networks
- Determine risk levels based on likelihood and potential impact
This isn’t a one-and-done audit either—it requires ongoing monitoring and risk mitigation to maintain compliance.
How Cyera helps: Cyera offers detailed data risk assessments by discovering, classifying, and evaluating your data security maturity against governance, privacy, security, and compliance controls. With the assessment, we identify risks, providing deeper insights into the effectiveness of critical data security controls. The assessment includes a virtual CISO-led maturity evaluation leveraging a Capability Maturity Model Integration (CMMI) to help you understand your data security posture as it relates to HIPAA and other regulatory frameworks.
5. Addressable Security Measures Must Be Justified
HIPAA allows some flexibility through "addressable" security measures (sometimes called compensating controls). This means that minimum control requirements can be met through various approaches, including design, architecture, or a combination of complementary controls working together to meet or exceed regulatory standards. The new rule makes it clear that organizations must fully document their reasoning for the alternative measure and provide a detailed justification.
What you need to do:
- Ensure any deviation from standard security controls is thoroughly documented
- Identify acceptable alternative security measures where needed
- Be prepared to defend your security choices in audits
How Cyera helps: Cyera offers detailed metadata about your datastores, including what security measures are—or are not—in place. This, alongside the data risk assessment service, brings clarity to your control implementation surrounding ePHI.
A Strong Data Security Posture Simplifies Compliance
The new HIPAA requirements reflect a shift—healthcare organizations must level up their data security program. Organizations that take a data-first approach will streamline HIPAA compliance while reducing exposure to breaches, fines, and reputational damage.
Is your organization ready for these HIPAA changes? Now is the time to evaluate how you track, secure, and enforce protections on ePHI. Request a demo today to see how Cyera can help.