On January 6, 2025, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule. The proposed changes, if enacted, would represent the first update to the HIPAA Security Rule since 2013.
The proposed updates, which apply to covered entities and business associates (collectively, “Regulated Entities”), aim to enhance cybersecurity measures within the healthcare sector, addressing the increasing frequency and sophistication of cyberattacks that threaten patient safety and the confidentiality of electronic protected health information (“ePHI”).
Below are some of the key proposals set forth in the NPRM:
- Strengthened Security Requirements: HHS proposes eliminating the current distinction between “required” and “addressable” provisions of the Security Rule, thereby requiring compliance with all implementation specifications in the future. For example, with certain exceptions, ePHI would now be required to be encrypted at rest and in transit. Regulated Entities would no longer be permitted to merely document rationale for noncompliance with “addressable” implementation specifications. HHS also proposes new implementation specifications. As such, Regulated Entities would be required to strengthen and adopt security standards to ensure robust cybersecurity practices that keep pace with technological advancements and emerging threats, including by deploying anti-malware solutions, removing unnecessary software, disabling unused network ports, implementing multi-factor authentication for systems that handle ePHI, and conducting vulnerability scans every six months and annual penetration tests.
- Technology Asset Inventory and Network Map: Regulated Entities would be required to develop and maintain an inventory of their technology assets and create a network map illustrating the movement of ePHI within the Regulated Entities’ systems, which must be updated annually or when significant changes in the organizations’ operations or environment occur.
- Enhanced Risk Analyses: Regulated Entities would be required to include greater specificity when conducting a risk analysis, including, among other things:
  - “A review of the technology asset inventory and network map.
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  - Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; [and]
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.”
  - The written risk assessment would need to be reviewed, verified, and updated at least every 12 months, with evaluations conducted when there are changes in the environment or operations. A written risk management plan must be maintained and reviewed annually.
- Contingency and Incident Response Plans with Notification Procedures: Regulated Entities would be required to implement detailed plans for restoring systems within 72 hours, prioritize critical systems, and establish and regularly test written security incident response plans; business associates and subcontractors would be required to notify covered entities within 24 hours of activating their contingency plans.
- Verification of Business Associates’ Safeguards: Business associates would be required to verify at least once every 12 months that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. Based on these written verifications, Regulated Entities would be required to conduct an assessment of the risks posed by new and existing business associate arrangements.
Along with the NPRM, OCR published a fact sheet that provides additional details on the proposed updates.
Public comments to the proposed rule are due on or before March 7, 2025, although it is possible that the change in Administrations later this month could affect the progress of this and other proposed rules. While HHS undertakes the rulemaking, the current Security Rule remains in effect.