Paragon Partners Blog | April 2025

Cybersecurity is no longer just an IT issue; it is a compliance imperative. In January 2025, the Department of Health and Human Services (HHS) published a proposed rule (a Notice of Proposed Rulemaking) with significant updates to the HIPAA Security Rule to strengthen protections for electronic protected health information (ePHI). For brokers, employers, and benefit administrators, these changes are a wake-up call to reassess how sensitive health data is handled, shared, and secured.

At Paragon Partners, we’re here to help our broker network and their clients stay ahead of the curve. Let’s walk through what’s changing, what it means for your clients, and how we can support smarter, safer compliance strategies.

What’s Changing in the HIPAA Security Rule?

HHS's proposed updates reflect a shift toward modern, proactive cybersecurity practices. While not yet finalized, the proposals signal clear expectations for how organizations should protect ePHI, and they would remove the long-standing distinction between "required" and "addressable" safeguards, making every specification mandatory.

Here are the key proposed requirements:

  • Mandatory multifactor authentication for systems that access ePHI, and mandatory encryption of ePHI at rest and in transit, each with only limited exceptions.
  • A written technology asset inventory and network map, reviewed and updated at least every 12 months, alongside a detailed security risk assessment and regular vulnerability scanning and penetration testing.
  • Stronger oversight of business associates, including annual written verification that their technical safeguards are in place and a requirement that they notify the covered entity within 24 hours of activating a contingency plan.
  • Written incident response plans and contingency (disaster recovery) plans, with the ability to restore critical systems within 72 hours and testing of those plans at least annually.

Together, these updates aim to improve transparency, reduce vulnerability, and hold all parties handling PHI to a higher standard.

What’s Already in Effect: Privacy Rule Updates

A separate update to the HIPAA Privacy Rule, finalized in April 2024, reached its compliance deadline in December 2024. It specifically addresses reproductive health information, and covered entities and their business associates are now required to:

  • Limit disclosures of reproductive health data, including a prohibition on using or disclosing PHI to investigate or impose liability on anyone for seeking, obtaining, providing, or facilitating lawful reproductive health care, and a requirement to obtain a signed attestation before releasing such PHI for certain purposes (health oversight, judicial or administrative proceedings, law enforcement, or coroners and medical examiners).
  • Ensure policies and procedures reflect this sensitive category of PHI.
  • Update workforce training and maintain the documentation and audit trails needed to demonstrate compliance.

For employers offering self-insured plans or brokers managing groups in healthcare-related fields, this is a critical change that requires both attention and documentation.

What This Means for Brokers and Employers

These HIPAA updates may feel far removed from day-to-day benefits conversations, but they are not.

Many employers, especially those sponsoring self-funded group health plans or using benefits platforms that store health data, fall under these rules: the group health plan is itself a covered entity, and the platforms, TPAs, and other vendors that handle its data are business associates. Brokers are often the first line of communication when it comes to helping those clients understand their compliance responsibilities.

Here’s how you can help your clients stay prepared:

  • Review vendor agreements: Are business associate agreements (BAAs) up to date, enforceable, and ready to accommodate the proposed obligations, such as business associate notification and annual verification of safeguards?
  • Ask about incident response plans: Do benefit admin platforms or TPAs have written incident response and contingency plans, and do they test them at least annually?
  • Evaluate MFA and encryption: Confirm that multifactor authentication is enforced and that ePHI is encrypted at rest and in transit, especially for HR systems or platforms that house eligibility and enrollment data.
  • Support privacy audits: Encourage clients to review their disclosures and attestation procedures, especially those touching reproductive health or other sensitive categories.

How Paragon Partners Supports You

Compliance shouldn't feel overwhelming. That's why Paragon is committed to keeping you informed and equipped to respond, not just to what is happening now but to what is on the horizon.

Here’s how we help:

  • Carrier & vendor vetting: We work with trusted partners who are proactive about cybersecurity and HIPAA compliance.
  • Field underwriting & group assessments: We help identify potential compliance risks during onboarding.
  • Education & updates: We share timely, digestible updates so you can keep your clients confident and compliant.

Cybersecurity and data protection are more than regulatory checkboxes; they are part of the trust your clients place in you. As HIPAA evolves, the brokers and partners who understand the risks and prepare early will stand out as true leaders in the field.

Have questions about how these updates might impact your clients or your business? Reach out to your Paragon rep for insights, support, or a compliance check-in.

Paragon Partners: Supporting broker success with integrity, innovation, and the human connection that makes all the difference.