Changes Proposed by HHS to Strengthen HIPAA Security Rule

PDF

On January 6, 2025, the US Department of Health and Human Services Office for Civil Rights (“OCR”) issued a notice of proposed rulemaking (“Proposed Rule”) containing significant updates to the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Proposed Rule is the first round of significant updates in more than ten years since the HIPAA Omnibus Rule of 2013. According to OCR, the rule is intended to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” Importantly, the Proposed Rule directly addresses common areas of non-compliance with the Security Rule that OCR has identified in the past ten years, and at the same time, makes the Security Rule more consistent with the National Institute of Standards and Technology (“NIST”) cybersecurity framework and HHS’s Cybersecurity Performance Goals, which were published in 2024.

The Security Rule, finalized by HHS over 20 years ago, applies to electronic protected health information (ePHI) held by “covered entities” and “business associates.” As HHS noted, “[a]lmost every stage of modern health care relies on stable and secure computer and network technologies.”

Below is a brief summary of some of the proposed changes.

• Removal of distinctions between “required” and “addressable” implementation specifications. Most implementation specifications would now be “required” with very few exceptions, signaling that all organizations should be undertaking the requirements of the Security Rule. “Addressable” specifications, on the other hand, require that the covered entity or business associate address whether the specification is reasonable and appropriate in the entity’s environment. HHS recognized that while the Security Rule was meant to be flexible along with rapidly changing technology, this change is meant to clarify that the implementation of specifications is not optional.
• Technology Asset Inventory. The OCR will require covered entities to develop and annually revise an accurate and thorough written asset inventory and network map of electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. This map would include processes that involve movement of ePHI into and out of the entity’s systems.
• More Particularity for Risk Analyses. The Security Rule already requires that regulated entities conduct accurate and thorough assessments of the potential risks and vulnerabilities to ePHI; however, the Proposed Rule imposes more specific requirements in a written assessment taking into account certain specifications.
• Compliance Audits. This new standard requires regulated entities to perform and document an audit of their compliance with each standard and implementation specification of the Security Rule at least annually. This audit is in addition to the risk assessment required by the Security Rule.
• Patch Management. If enacted, the Proposed Rule would require a regulated entity to implement written policies and procedures for applying patches and updating the configuration of its relevant information systems. The OCR opined that this proposed standard would ensure that a regulated entity is aware of its liability for appropriately safeguarding ePHI by installing patches, updates, and upgrades throughout its relevant electronic information systems. It would also require specific timing requirements for patching, updating, or upgrading the electronic information system.
• Access Control Requirements. The Proposed Rule requires a regulated entity implement written policies and procedures addressing workforce members’ access to ePHI, including terminating access when appropriate and notification of such termination in access to other regulated authorities.
• Workforce Sanctions. The Proposed Rule includes new specifications requiring written policies and procedures related to sanctioning workforce members who fail to comply with a regulated entity’s security policies and procedures and documentation of such sanctions.
• Specificity to Contingency Planning Requirements. The Proposed Rule adds specific requirements to a regulated entity’s written policies as to contingencies and responding to security incidents – for example, the entity should maintain written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
• Additional Business Associate Requirements. Under the Proposed Rule, business associates would be required to verify at least once every twelve months that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis and certification. Additionally, all downstream entities would be required to notify upstream entities upon activation of their contingency plans without unreasonable delay but no later than 24 hours after activation.
• Additional security measures the Proposed Rule would require include:
  • Encryption and description of ePHI, at rest and in transit;
  • Multi-factor authentication;
  • Vulnerability scanning at least once every six months and penetration testing at least once every twelve months;
  • Network segmentation;
  • Configuration management;
  • Deployment of anti-malware protection;
  • Removal of extraneous software from electronic information systems; and
  • Backup and recovery of exact retrievable copies of ePHI.

The Proposed Rule also includes provisions addressing new and emerging technologies, including not only artificial intelligence (AI) but also quantum computing and virtual and augmented reality. OCR wants to ensure that all organizations with compliance obligations devote time and resources to the appropriate understanding of how emerging technologies will affect the privacy and security programming of the organization. Even if an organization does not anticipate the affirmative using artificial intelligence in the near future, the strategic and cyber considerations must be addressed.

If finalized, the Proposed Rule will mean significant changes for covered entities and their business associates.  Comments are due by March 7, 2025, but with the new administration in Washington D.C., it remains to be seen whether all or any of this rule will be made final. The Centers for Medicare and Medicaid Services (“CMS”) is also due to propose new cybersecurity requirements for hospitals as requirements for participation in Medicare and Medicaid, though no timeframe has been published as of yet. It will also be important to watch for changes to the HIPAA Privacy Rule, which were initiated by the former Trump administration and may be dusted off in the coming months or years. Lastly, it remains to be seen what will happen with the Health Infrastructure Security and Accountability Act, which was proposed in September 2024.