The HIPAA Security Rule was originally promulgated over 20 years ago.
While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and evolution of the cybersecurity landscape, increasingly indicate the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world. On December 27, 2024, the HHS Office of Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”). In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.” One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.
The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule. While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework. For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented. Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management. For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.
Proposed Key Changes to the HIPAA Security Rule
The following is a summary of the proposed key changes to the HIPAA Security Rule:
- Removal of the distinction between “Addressable” and “Required” implementation specifications. Removal of the distinction is meant to clarify that the implementation of all the HIPAA Security Rule specifications is NOT optional.
- Development of a technology asset inventory and network map. You cannot protect data unless you know where it resides, who has access to it, and how it flows within and through a network and information systems (including third party systems and applications used by the Covered Entity or Business Associate).
- Enhancement of risk analysis requirements to provide more specificity regarding how to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Specifically, the risk analysis must consider and document the risks to systems identified in the technology asset inventory.
- Mandated incident and disaster response plans. This will require organizations to have documented contingency plans in place, including a process to restore critical data within 72 hours of a loss. This reflects a broader trend across the data protection landscape to ensure operational “resiliency”, recognizing that cyber attacks are routinely successful.
- Updated access control requirements to better regulate which workforce members have access to certain data and address immediate termination of access when workforce members leave an organization.
- Annual written verification that a Covered Entity’s Business Associates have implemented the HIPAA Security Rule.
- Implementation of annual HIPAA Security Rule compliance audits.
- Adoption of certain Security Controls:
- Encryption of ePHI at rest and in transit;
- Multi-factor authentication (i.e. requiring authentication of a user’s identity by at least two of three factors – e.g., password plus a smart identification card);
- Patch management;
- Penetration testing every 12 months;
- Vulnerability scans every 6 months;
- Network Segmentation;
- Anti-malware protection; and
- Back-up and recovery of ePHI.
Next Steps
The Proposed Rule was published in the Federal Register on January 6, 2025, and the 60-day comment period runs until March 7, 2025. We encourage regulated organizations to consider the impact of the Proposed Rule on their own systems and/or submit comments as the Proposed Rule will likely have substantial implications on the people, processes, and technologies of organizations required to comply.