Proposed Changes to the HIPAA Security Rule

On January 6, 2025, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) to make changes to the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). In response to the growing number of significant cybersecurity attacks and persistent non-compliance by HIPAA-regulated entities with the current Security Rule, these changes would strengthen the required protections and security protocols for electronic protected health information (ePHI) that HIPAA-regulated entities must implement.

The proposed updates to the Security Rule requirements loosely mirror those found in the DOL’s Cybersecurity Program Best Practices (not a requirement itself, but a standard for ERISA plans). More information can be found in the HHS Fact Sheet for the NPRM.

Timing

HHS previously cited updating the Security Rule as part of their strategy to enhance cybersecurity for the healthcare industry, and this NPRM is the first step in that endeavor. Comments on the proposed rules will be accepted by HHS until March 7, 2025. The next step in the rulemaking process would be the issuance and publication of a finalized version of the rules that may differ from the proposed rules based on the comments. However, with a new incoming administration, when and even if finalized rules would be issued is uncertain. The proposed rules indicate that once finalized rules are issued and published, HIPAA-regulated entities would have 240 days from the publication date to comply with the finalized rules.

Proposed Changes

The current Security Rule makes a distinction between “required” and “addressable” implementation specifications. HIPAA-regulated entities are generally meant to assess and document whether an addressable implementation specification is “reasonable and appropriate” for that entity, taking into consideration the entity’s size, complexity, and capabilities. This flexibility and scalability have been a hallmark of the Security Rule, in recognition of the diversity of HIPAA-regulated entities and the fast-paced advancement of technology.

HHS has identified HIPAA-regulated entities’ misinterpretation of “addressable” items as being “optional” items as a major contributing factor to widespread non-compliance. Therefore, the proposed rule would eliminate the distinction between “required” and “addressable” implementation specifications, instead designating all implementation specifications as “required”. This change, among updated definitions, aims to strengthen the Security Rule by clarifying and explicitly requiring certain security protocols that HHS indicates should technically already be implemented under the current Security Rule as “reasonable and appropriate” for virtually all HIPAA-regulated entities.

In addition, though the current Security Rule already requires that HIPAA-regulated entities conduct a security risk analysis, the proposed rule introduces more specifics around what a compliant security risk analysis must include and how it should be conducted (e.g., it must be reviewed at least annually and upon any changes in environment). The proposed rule also introduces additional documentation requirements such as a technology asset inventory and network map, among others (see below).

Consider the Proposal

Though a finalized rule could be months away (or potentially never materialize at all), HIPAA-regulated entities are encouraged to compare and contrast their current security protocols with the potential changes in the Security Rule and consider making updates where reasonable and appropriate. Below is a non-exhaustive outline of newly explicit requirements under the Security Rule that should be considered by HIPAA-regulated entities.

• Written documentation of all security policies, procedures, plans, and analyses.
• Written security risk analysis that must be reviewed and updated at least once every 12 months and should include the identification and risk assessment of all reasonably anticipated threats and potential vulnerabilities.
• Plan document must require the plan sponsor to:
  • Comply with administrative, physical, and technical safeguards;
  • Ensure that any agent that receives ePHI agrees to comply with the same; and
  • Notify plans within 24 hours upon activation of contingency plans.
• Technology asset inventory and network map (an illustration/description of the movement of ePHI through the entity’s electronic information systems).
• Risk management plan addressing risks identified during analysis.
• Procedures for incident response and disaster recovery for restoration of certain systems and data within 72 hours of a loss that must be tested and revised at least annually.
• Annual Security Rule compliance audit.
• Annual security awareness training for workforce members with access to or managing ePHI.
• Updates to business associate agreements, including requirements for business associates to:
  • Provide notification within 24 hours of activating contingency plans; and
  • Provide annual written analyses and certifications of compliance with required technical safeguards, conducted by a subject matter expert.
• Encryption of all ePHI, both at rest and in transit (limited exceptions apply).
• Use of anti-malware protection.
• Use of multi-factor authentication (limited exceptions apply).
• Vulnerability scanning every six months and penetration testing annually.
• Implementation of network segmentation.
• Separate technical controls for backup and recovery of ePHI.

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering any commitments.

Author