In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are exploring the justifications for the proposed updates to the Security Rule. Last week’s post on the updates related to Vulnerability Management, Incident Response & Contingency Plans can be found here.
Background
Throughout this series, we have discussed updates to various aspects of the Security Rule and explored how HHS seeks to implement new security requirements and implementation specifications for regulated entities. This week, we discuss the justifications behind HHS’s move and the challenges entities face in complying with the existing rule.
Justifications
HHS discussed multiple reasons for this Security Rule update, and a few are discussed below:
- Importance of Strong Security Posture of Regulated Entities – The preamble to the NPRM posits that the increase in use of certified electronic health records (80% of physicians’ offices and 96% of hospitals as of 2021) fundamentally shifted the landscape of healthcare delivery. As a result, the security posture of regulated entities must be updated to accommodate such advancement. As treatment is increasingly provided electronically, the additional volume of sensitive patient information to protect continues to grow.
- Increase Cybersecurity Incident Risks – HHS cites the heightened risk to patient safety during cybersecurity incidents and ransomware attacks as a key reason for these updates. The current state of the healthcare delivery system is propelled by deep digital connectivity as prompted by the HITECH and 21st Century Cures Act. If this system is connected but insecure, the connectivity could compromise patient safety, subjecting patients to unnecessary risk and forcing them to bear unaffordable personal costs. During a cybersecurity incident, patients’ health, and potentially their lives, may be at risk where such an incident creates impediments to the provision of healthcare. Serious consequences can result from interference with the operations of a critical medical device or obstructions to the administrative or clinical operations of a regulated entity, such as preventing the scheduling of appointments or viewing of an individual’s health history.
- The Healthcare Industry Could Benefit from Centralized Security Standards Due to Inconsistent Implementation of Current Voluntary Standards – Despite the proliferation of voluntary cybersecurity standards, industry guidelines, and best practices, HHS found that many regulated entities have been slow to strengthen their security measures to protect ePHI and their information systems. HHS also noted that recent case law, including University of Texas M.D. Anderson Cancer Center v. HHS, has not accurately set forth the steps regulated entities must take to adequately protect the confidentiality, integrity, and availability of ePHI, as required by the statute. In that case, the Fifth Circuit vacated HIPAA penalties against MD Anderson, ruling that HHS acted arbitrarily and capriciously under the Administrative Procedure Act. The court found that MD Anderson met its obligations by implementing an encryption mechanism for ePHI. HHS disagrees with whether the encryption mechanism was sufficient and asserted its authority under HIPAA to mandate strengthened security standards for ePHI. This ruling and lack of adoption of the voluntary cybersecurity standards by regulated entities has led to inconsistencies in the implementation of the Security Rule at regulated entities and providing clearer and mandatory standards were noted justifications for these revisions.
Takeaways
In 2021, Congress amended the HITECH Act, requiring HHS to assess whether an entity followed recognized cybersecurity practices in line with HHS guidance over the prior 12 months to qualify for HIPAA penalty reductions. In response to this requirement, HHS could have taken the approach of acknowledging recognized frameworks that offer robust safeguards to clarify expectations, enhance the overall security posture of covered entities, and reduce compliance gaps. While HHS refers to NIST frameworks in discussions on security, it has not formally recognized any specific frameworks to qualify for this so called “safe harbor” incentive. Instead, HHS uses this NPRM to embark on a more prescriptive approach to the substantive rule based on its evaluation of various frameworks.
HHS maintains that these Security Rule updates still allow for flexibility and scalability in its implementation. However, the revisions would limit the flexibility and raise the standards for protection beyond what was deemed acceptable in the past Security Rule iterations. Given that the Security Rule’s standard of “reasonable and appropriate” safeguards must account for cost, size, complexity, and capabilities, the more prescriptive proposals in the NPRM and lack of addressable requirements present a heavy burden — especially on smaller providers.
Whether these Security Rule revisions become finalized in the current form, a revised form, or at all remains an open item for the healthcare industry. Notably, the NPRM was published under the Xavier Becerra administration at HHS and prior to the confirmation of Robert F. Kennedy, Jr. as the new secretary of HHS. The current administration has not provided comment on its plans related to this NPRM, but we will continue to watch this as the March 7, 2025, deadline for public comment is inching closer.
Stay tuned to this series as our next and final blogpost on the NPRM will consider how HHS views the application of artificial intelligence and other emerging technologies under the HHS Security Rule.
Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.