Summary
On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.
Two weeks after the NPRM was published in the Federal Register, President Trump issued an Executive Order requiring a “Regulatory Freeze Pending Review.” The regulatory freeze makes the fate of the proposed Security Rule amendments unclear. If the proposed Security Rule amendments proceed unchanged, regulated entities and health plan sponsors could incur significant combined costs, which HHS estimates at approximately $9.3 billion in the first year of implementation.[5]
HIPAA Framework
The statutory and regulatory framework that governs the privacy and security of (most) health information in the United States is codified under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, enacted on August 21, 1996 (“HIPAA”). Changes and additional requirements to this statutory and regulatory framework were included in the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, signed into law on February 17, 2009. Additionally, the Genetic Information and Nondiscrimination Act of 2008 (“GINA”), Public Law 110-233, signed into law on May 21, 2008, included provisions governing the use of genetic data.
In addition to the Security Rule, HHS issued regulations under HIPAA on Standards for Privacy of Individually Identifiable Health Information comprising 45 C.F.R. Parts 160 and 164, Subparts A and E (“Privacy Rule”), Standards for Notification in the Case of Breach of Unsecured Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart D (“Breach Notification Rule”), and Rules for Compliance and Investigations, Impositions of Civil Monetary Penalties, and Procedures for Hearings comprising 45 C.F.R. Part 160, Subparts C, D, and E (”Enforcement Rule”). These rules, developed through successive waves of the administrative rulemaking process, are extensive and complex.
Summary of the NPRM and Specific Requests for Comment
The Security Rule applies only to ePHI transmitted by or maintained in electronic media by covered entities and business associates (“regulated entities”). The NPRM proposes several modifications to the Security Rule in recognition of the “significant changes in which health care is provided and how the health care industry operates”[6] since the Security Rule was last revised in 2013. As is common for significant rulemaking, HHS often requests comments on its proposed rule changes, including perceived benefits, drawbacks, unintended consequences, and specific considerations for each proposal.
- Security Rule Requirements Are Not Optional. The Security Rule currently distinguishes between “addressable” and “required” implementation specifications to provide regulated entities with flexibility to implement administrative, physical, and technical safeguards that are reasonable and appropriate based on their risk analysis, risk mitigation strategies, existing security measures, and implementation costs. HHS has observed that, despite extensive guidance and regulation, some regulated entities have incorrectly interpreted “addressable” implementation specifications to be “optional” requirements, resulting in compliance gaps and increased risks to ePHI.[7] HHS proposes to eliminate the distinction between “addressable” and “required” implementation specifications to simplify and clarify the baseline mandatory security measures that regulated entities must meet in order to demonstrate they are reasonably and appropriately safeguarding ePHI.[8] With respect to this proposed modification, HHS requests comment on whether removing the distinction between required and addressable implementation specifications would result in unintended negative consequences for regulated entities and recommendations for how HHS may clarify that regulated entities are required to implement the security measures proposed in the NPRM.[9]
- Routine Review and Testing of Security Measures. The proposed amendments to the Security Rule would require regulated entities to review and test the effectiveness of their required security measures “on a specified cadence” and to modify them as reasonable and appropriate.[10] Some of the proposed measures for reviewing and testing measures are undertaking tabletop exercises to assess how effectively personnel follow incident response and security procedures, conducting knowledge assessments after training on policies and procedures, and reviewing system logs and access records to evaluate whether personnel are properly complying with policies and procedures governing access to ePHI.[11]
- Data Inventory, Network Map, and Risk Analysis.[12] The proposed Security Rule amendments include replacing the existing standard for security management process (45 C.F.R. 164.308(a)(1)) with a new requirement that a regulated entity conduct and maintain a written technology asset inventory. This inventory would demonstrate the regulated entity’s awareness of the location of ePHI it records, maintains, or processes. Additionally, regulated entities would be required to maintain a network map of their “electronic information systems”, including all technology assets that may impact the confidentiality, integrity, or availability of ePHI. The network map must detail the movement of ePHI within the regulated entity’s electronic information systems, showing how ePHI enters, exits, and is accessed from outside the electronic information systems. HHS also proposes to require a regulated entity to use information from the data inventory and network map to conduct a risk analysis to identify the potential risks and vulnerabilities to ePHI and related electronic information systems.[13] These proposed changes to the administrative safeguard requirements align with HHS’s objective of harmonizing HIPAA standards with familiar concepts from other data privacy and security frameworks and laws[14] that require organizations to understand the flow of the data they process. The changes also aim to enhance a regulated entity’s ability to identify and manage risks to the confidentiality, integrity, and availability of ePHI.
- Encryption as a Standard.[15]HHS proposes to redesignate encryption and decryption from an implementation specification for access control (45 C.F.R. 164.312(a)) and transmission security (45 C.F.R. 164.312(e)) to a standalone standard for technical safeguards in order “to increase its visibility and prominence.” The proposed amendments would require a regulated entity to use widely accepted encryption standards to protect ePHI at rest and in transit, update encryption methods as standards evolve, and maintain up-to-date risk analyses and security plans, subject to limited exceptions. For example, if a regulated entity is currently using a technology asset that does not support prevailing encryption standards, the regulated entity may still be in compliance with the encryption requirement provided that it “establish[es] a written plan to migrate ePHI to technology assets that support encryption consistent with prevailing [encryption] standards and to implement such a plan… within a reasonable and appropriate period of time.”[16] Another proposed exception would be when a regulated entity is transmitting unencrypted ePHI in response to an individual’s request pursuant to 45 CFR 164.524 (HIPAA Right of Access), wherein the individual instructs the regulated entity to submit responsive data in an unencrypted format (e.g., some types of text messaging instant messaging, or via an unencrypted app).[17]
- Authentication. HHS also proposes amendments to the existing standard for authentication by requiring a regulated entity to implement procedures that include technical controls for verifying the identity of those accessing a regulated entity’s electronic information system. HHS also proposes four new implementation specifications under this standard: (i) eliminate the use of default passwords, such as by requiring personnel to change any default passwords to unique passwords that are consistent with current authoritative source recommendations for unique passwords;[18] (ii) require regulated entities to use multi-factor authentication (“MFA”) to all technology assets in its relevant electronic information systems to verify that the person seeking access is the one claimed;[19] (iii) specific exceptions to MFA, including for currently-used technology assets that do not support MFA, when MFA is infeasible during an emergency, and for a technology asset that is a “device” defined under section 201(h) of the Federal Food, Drug, and Cosmetic Act;[20] and (iv) require a regulated entity to review and test the effectiveness of technical controls required by the authentications standard at least once every 12 months or in response to environmental or operational changes, whichever is more frequent, and modifying as reasonable appropriate.[21]
- Contingency Planning and Response.[22] The proposed Security Rule amendments would require a regulated entity to establish and implement, as needed, a written contingency plan that includes policies and procedures for responding to emergencies, such as fire, system failure, natural disaster, or security incident that adversely impacts the confidentiality, integrity, and availability of ePHI. The proposed standard for contingency planning would require regulated entities to, among other things, perform and document an assessment of the criticality of relevant electronic information systems that create, receive, maintain, or transmit ePHI or that are otherwise crucial to ensuring the confidentiality, integrity, or availability of ePHI, providing patient care, and supporting other business needs. Additionally, regulated entities would be required to establish and implement a written data backup plan that includes procedures for creating and maintaining exact retrievable copies of ePHI; to restore critical relevant electronic information systems and data within 72 hours of loss; and to review and implement procedures for testing contingency plans at least once every 12 months and to document and modify as appropriate the results of such tests.
- Compliance Audits.[23]The proposed Security Rule amendments require that a regulated entity conduct and document an audit of compliance with each standard and implementation specification of the Security Rule, either via an internal or third-party compliance audit, at least once every 12 months.
- Business Associate Management.[24] HHS proposes to require regulated entities to verify that their business associates have implemented required technical safeguards and to obtain satisfactory assurances of compliance with the Security Rule. To support compliance with this new standard, regulated entities will be required to obtain written verification from their business associates at least once every 12 months. The verification must include a written analysis of the business associate’s electronic information systems conducted by a qualified individual with expertise in cybersecurity principles, and must be accompanied by a written certification from an authorized representative of the business associate, affirming that the analysis has been completed and is accurate. The proposed Security Rule amendment allows flexibility in selecting the individual to perform the analysis, permitting a regulated entity to select either an internal or third party to conduct the required analyses. This proposed requirement aligns with HHS’s Cybersecurity Performance Goals for Vendor/Supplier Cybersecurity,[25] which emphasizes identifying, assessing, and mitigating risks to ePHI shared with business associates.
- Updated and New Definitions. HHS proposes to update 15 existing definitions in the Security Rule: access, administrative safeguards, authentication, availability, confidentiality, information system and electronic information system, malicious software, password, physical safeguards, security or security measures, security incident, technical safeguards, user, and workstation, primarily to clarify inconsistencies within the Security Rule.[26] For example, the proposed Security Rule amendments seek to modify the definitions for “administrative safeguards,” “physical safeguards,” and “technical safeguards”[27] to clarify that requirements also apply to actions to the policies and procedures addressing the activities covered by each definition. The proposed Security Rule amendments also seek to update the definition of “electronic media”[28] to include not only media on which data is or may be recorded electronically, but also media on which data may be maintained or processed. The proposed update expands the definition, capturing potential vectors for accessing or transmitting ePHI under the Security Rule’s requirements, thus reducing gaps in compliance. The proposed Security Rule amendments also propose to add 10 new defined terms to the Security Rule including: deploy, implement, electronic information system, multi-factor authentication, relevant electronic information system, risk, technical controls, technology asset, threat, and vulnerability[29] to clarify the scope of the Security Rule’s requirements and to further align the Security Rule with NIST CSF and other common security frameworks. HHS requests comments on whether the proposed updated definitions “would be problematic for regulated entities or result in unintended adverse consequences.” HHS also requests specific comments on some of the proposed definitions, including whether the proposed definition for “electronic media” accurately captures current uses and allows for future technological innovation, and whether additions to the non-exhaustive list of examples of electronic media are needed.
Impact on Regulated Entities
President Trump’s “Regulatory Freeze Pending Review” Executive Order directed federal agencies to “not propose or issue any rule in any manner… until a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.” While hearings for confirmation of the President’s nominee for Secretary of Health and Human Services are in process, the proposed amendments to the Security Rule face an uncertain future: they could move ahead as proposed in the NPRM, the proposed amendments could be revised and reissued, or the NPRM could be withdrawn entirely.
If, however, the proposed Security Rule amendments move forward in their current form, the impact on regulated entities and health plan sponsors would be substantial. HHS estimated that in the first year of implementing the proposed regulatory changes, regulated entities would incur approximately $4.655 billion in costs, while plan sponsors would incur about $4.659 billion.[30] HHS attributes these estimated costs to the following activities: conducting a Security Rule compliance audit; obtaining verification of business associates’ and subcontractors’ compliance with technical safeguards; providing verification of business associates’ compliance with technical safeguards; providing notification of termination or change of workforce members’ access to ePHI; deploying MFA and penetration testing; segmenting networks; disabling unused ports; removing extraneous software; notifying covered entities or business associates, as applicable, upon activation of a contingency plan; and updating health plan documents, policies and procedures, workforce training, and business associate agreements. These costs also include deployment of safeguards by health plan sponsors for their relevant electronic information systems to meet the new Security Rule standards and notifying group health plans upon activation of a plan sponsor’s contingency plan.
For more information, please contact the authors or your Squire Patton Boggs relationship attorney.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.
[1] 45 CFR 160.103.
[2] See, e.g., NIST Cybersecurity Framework (“NIST CSF”), HHS’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, the HHS Cybersecurity Performance Goals, the Federal Trade Commission’s (“FTC”) ‘‘Start with Security: A Guide for Business.” U.S. Department of Health and Human Services, 90 Fed. Reg. 900 (January 6, 2025).
[3] See, e.g., University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, 985 F.3d 472, 478 (5th Cir. 2021). 90 Fed. Reg. 916.
[4] 90 Fed. Reg. 898.
[5] 90 Fed. Reg. 1010.
[6] 90 Fed. Reg. 899.
[7] 90 Fed. Reg. 917.
[8] 90 Fed. Reg. 933.
[9] 90 Fed. Reg. 934.
[10] 90 Fed. Reg. 936.
[11] Id.
[12] 90 Fed. Reg. 937.
[13] 90 Fed. Reg. 940.
[14] National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), EU General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), Brazilian General Personal Data Protection Law (“LGPD”), and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
[15] 90 Fed. Reg. 968.
[16] 90 Fed. Reg. 968-969.
[17] 90 Fed. Reg. 969.
[18] 90 Fed. Reg. 974.
[19] 90 Fed. Reg. 974-976.
[20] 90 Fed. Reg. 975.
[21] 90 Fed. Reg. 976-977.
[22] 90 Fed. Reg. 955.
[23] Id.
[24] 90 Fed. Reg. 924.
[25] https://hhscyber.hhs.gov/performance-goals.html.
[26] 90 Fed. Reg. 922.
[27] 45 C.F.R. 164.304
[28] 45 C.F.R. 160.103
[29] 90 Fed. Reg. 922.
[30] 90 Fed. Reg. 1010.