Module: 01i — HIPAA Security Rule Update: The 2025 Overhaul
Difficulty: Intermediate
Questions
Q1. The 2025 HIPAA Security Rule NPRM was published in the Federal Register on January 6, 2025. What is the citation for this publication?
- A) 89 Fed. Reg. 1024
- B) 90 Fed. Reg. 898
- C) 88 Fed. Reg. 23,506
- D) 91 Fed. Reg. 4,412
Correct answer: B
Explanation: The 2025 NPRM was published at 90 Fed. Reg. 898 on January 6, 2025. The comment period closed March 7, 2025, and as of April 2026 the final rule had not yet been published.
Q2. The original 2003 HIPAA Security Rule divided its safeguards into "required" and "addressable" categories. What does the 2025 NPRM propose to do with this distinction?
- A) Expand the list of addressable safeguards to give covered entities more flexibility
- B) Eliminate the required/addressable distinction entirely — all standards become mandatory
- C) Retain the distinction but add a new "conditional" category for AI-related controls
- D) Convert all currently-required controls to addressable to reduce compliance burden
Correct answer: B
Explanation: The 2025 NPRM eliminates the required/addressable distinction entirely. All Security Rule standards become mandatory — there is no longer any pathway to avoid a specific control by substituting an "equivalent alternative."
Q3. Under the 2025 NPRM, which of the following statements about multi-factor authentication is correct?
- A) MFA is recommended but covered entities may document an alternative
- B) MFA is required only for remote access, not on-premises ePHI access
- C) MFA is required for ALL electronic access to ePHI, with narrow emergency exceptions
- D) MFA is required only for business associates, not covered entities directly
Correct answer: C
Explanation: The 2025 NPRM proposes MFA as mandatory for ALL electronic access to ePHI. Narrow exceptions exist for clinical emergencies where MFA cannot be practically implemented in time, but these will be strictly defined in the final rule.
Q4. Under current HIPAA rules (pre-2025 NPRM), encryption of ePHI is classified as "addressable." What does the 2025 NPRM propose to change about encryption?
- A) Encryption remains addressable but documentation requirements become stricter
- B) Encryption becomes mandatory for data in transit only; at-rest encryption remains addressable
- C) Encryption becomes mandatory for both ePHI at rest AND in transit
- D) Encryption is required only for ePHI held by business associates, not covered entities
Correct answer: C
Explanation: The 2025 NPRM proposes mandatory encryption of all ePHI at rest AND in transit — no longer addressable. This closes the gap where covered entities could document an "alternative control" instead of encrypting unencrypted laptops, backup drives, or database storage.
Q5. The 2025 NPRM proposes two new mandatory annual documents. Which of the following correctly identifies both?
- A) A risk analysis and a disaster recovery plan
- B) A technology asset inventory and a network map showing ePHI flows
- C) A penetration test report and a vulnerability scan summary
- D) A business associate agreement audit and an incident response playbook
Correct answer: B
Explanation: The 2025 NPRM proposes two new mandatory annual documents: (1) a technology asset inventory — a written list of all electronic information systems that create, receive, maintain, or transmit ePHI; and (2) a network map — a visual representation of how ePHI moves through the entity's systems.
Q6. The 2025 NPRM proposes specific mandatory frequencies for vulnerability scanning and penetration testing. Which combination is correct?
- A) Vulnerability scanning every 3 months; penetration testing every 6 months
- B) Vulnerability scanning every 12 months; penetration testing every 24 months
- C) Vulnerability scanning every 6 months; penetration testing every 12 months
- D) Vulnerability scanning every month; penetration testing every 6 months
Correct answer: C
Explanation: The 2025 NPRM proposes vulnerability scanning at least every 6 months and penetration testing at least every 12 months. Currently, the risk analysis requirement mandates periodic assessment but does not specify frequency or require technical testing.
Q7. The 2025 NPRM proposes a 72-hour system restoration requirement for critical systems. How does this relate to CIRCIA's 72-hour requirement?
- A) They are identical obligations — one report satisfies both
- B) The HIPAA 72-hour requirement is a restoration capability requirement, while CIRCIA's is a reporting requirement — both can apply simultaneously to the same incident
- C) HIPAA's 72-hour requirement supersedes CIRCIA's for healthcare entities
- D) CIRCIA preempts HIPAA's restoration requirement for covered healthcare entities
Correct answer: B
Explanation: The HIPAA 72-hour restoration target is a capability requirement — covered entities must be able to restore critical systems within 72 hours after a security incident. CIRCIA's 72-hour clock is a reporting obligation to CISA. They are independent and can both apply simultaneously to the same healthcare ransomware incident.
Q8. Under the 2025 NPRM, business associate agreements must be updated to require notification of security incidents within what timeframe?
- A) Without unreasonable delay, not to exceed 60 days
- B) Within 72 hours of discovering a confirmed HIPAA breach
- C) Within 24 hours of discovering a security incident, regardless of whether it constitutes a HIPAA breach
- D) Within 30 days of discovering any unauthorized access to ePHI
Correct answer: C
Explanation: The 2025 NPRM proposes that BAAs must require business associates to notify covered entities within 24 hours of discovering a security incident — regardless of whether the incident constitutes a HIPAA breach. This is a tighter and broader obligation than current HITECH breach notification requirements.
Q9. The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) was NOT modified in the 2025 NPRM. For a large breach affecting 500 or more individuals, what is the current deadline for notifying HHS?
- A) Within 30 days of discovery
- B) Within 72 hours of discovery
- C) Within 60 days of discovery — published on the HHS "Wall of Shame" website
- D) Within 60 days of the end of the calendar year in which the breach occurred
Correct answer: C
Explanation: Under the unchanged Breach Notification Rule, large breaches (500 or more individuals) must be reported to HHS within 60 days of discovery, and these reports are published publicly on the HHS "Wall of Shame" website. Small breaches (fewer than 500) are reported to HHS within 60 days of year-end.
Q10. Which enforcement agency is the primary HIPAA enforcement authority, and what is the per-violation civil penalty range for willful neglect that is NOT corrected?
- A) FTC; $25,000 to $100,000 per violation
- B) HHS Office for Civil Rights (OCR); $50,000 per violation (annual cap $1.9M, inflation-adjusted)
- C) DOJ Criminal Division; criminal fines up to $250,000 per violation
- D) State attorneys general only; no federal civil penalty applies to willful neglect
Correct answer: B
Explanation: HHS Office for Civil Rights (OCR) is the primary HIPAA enforcement authority. For willful neglect that is not corrected, the civil penalty is $50,000 per violation with an annual cap of $1.9M (inflation-adjusted). State attorneys general may also bring enforcement actions under HITECH.