On January 6, 2025 the U.S. Department of Health and Human Services published a Proposed Rule (90 FR 898) to strengthen the HIPAA Security Rule and afford greater cybersecurity protections for electronic protected health information (ePHI). The Proposed Rule is in response to increasing reliance on health IT (including electronic health records) since publication of the Security Rule in 2003 and its last revision in 2013, “alarming” increases in security breaches and “rampant escalation” of cyberattacks, common deficiencies in Security Rule compliance by regulated entities, and cybersecurity guidelines and best practices.
As noted in HHS’s Fact Sheet, proposals to strengthen and clarify Security Rule standards and implementation specifications include:
- Making most implementation specifications “required.”
- Adding specific compliance time periods for many existing requirements.
- Strengthening requirements for contingency planning and incident response. For example, regulated entities would be required to: establish written procedures to restore loss of certain electronic information systems (IS) and data within 72 hours; analyze the relative criticality of IS and technology assets to determine restoration priority; and establish how workforce members report security incidents and how the regulated entity will respond.
- Implementing written procedures for testing and revising incident response plans.
- Requiring of regulated entities:
  - A technology asset inventory and network map showing movement of ePHI throughout the entity’s IS, with ongoing and event-triggered updates.
  - Greater specificity for conducting a risk analysis, including: a written assessment that contains a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities and predisposing conditions to relevant IS; and assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  - Notification of certain regulated entities within 24 hours of a change to or termination of a workforce member’s access to ePHI or certain IS.
  - An internal Security Rule compliance audit at least yearly.
  - Business associates (BAs) to verify to their covered entities (CEs) (and subcontractors to their BAs) at least yearly that they have deployed the required technical safeguards. This will require analysis of relevant IS by a subject matter expert, and certification that an accurate analysis was performed.
  - Encryption of ePHI at rest and in transit, with limited exceptions.
  - Technical controls for consistently configuring relevant IS, including workstations: deploying anti-malware protection; removing extraneous software; and disabling network ports in accordance with the entity’s risk analysis.
  - Multi-factor authentication, with limited exceptions.
  - Vulnerability scanning at least every six months, and penetration testing at least yearly.
  - Network segmentation.
  - Separate technical controls for backup and recovery of ePHI and relevant IS.
  - Review and testing of certain security measures at least yearly.
  - BAs to notify their CEs (and subcontractors to notify their BAs) upon activation of their contingency plans.
  - Group health plans to include in their plan documents requirements for their sponsors to comply with Security Rule safeguards, ensure that agents to whom they provide ePHI agree to implement Security Rule safeguards, and notify their plans upon activation of their contingency plans.
While the Proposed Rule significantly revises the text of the Security Rule, HHS anticipates that regulated entities with robust Security Rule compliance will not experience a substantial change to their current obligations: “[i]nstead, the proposed modifications would explicitly codify those activities that are [already] critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text.” For CEs and BAs with compliance gaps, the Proposed Rule is a reminder that cybersecurity is top-of-mind at HHS’s Office for Civil Rights (OCR), which enforces HIPAA.
The 60-day public comment period has begun, with comments due by March 7, 2025. Ultimately, any Final Rule would become effective 60 days after its publication, with a compliance date 180 days later; until then, the Security Rule in its current form remains in effect.
Although the Proposed Rule is in its early stages, it telegraphs regulators’ view of what effective Security Rule compliance looks like. Leadership, directors, and Security Officials: it is not too soon to assess how your covered entity or business associate measures up. We can help.