PH Privacy
HHS OCR Releases Proposed Updates to HIPAA Security Rule
January 22, 2025
By Michelle A. Reed, Rachel Kurzweil & Kimia Favagehi
On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), announced a Notice of Proposed Rulemaking (NPRM) to amend the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The NPRM was later published in the Federal Register on January 6, 2025 (full text here).
According to OCR, the proposed rule comes in response to growing cyber threats impacting regulated entities, with language noting, “[b]etween 2018 and 2023, the number of breaches of unsecured PHI reported to [HHS] grew at an alarming rate (100 percent increase), as did the number of individuals affected by such breaches (950 percent increase).” Not only do the proposed amendments take into account the rise of cybersecurity incidents and vulnerabilities experienced by regulated entities, but they also follow President Biden’s previously issued plan for improving the cybersecurity of critical infrastructure, as seen in the Biden-Harris Administration’s National Cybersecurity Strategy.
The proposed rule seeks to strengthen the Security Rule’s standards and implementation specifications for protecting electronic protected health information (ePHI) and “align[s] the Security Rule with modern best practices in cybersecurity” through clarifications of the rule and new proposals. For example, the proposed rule removes the distinction between “required” and “addressable” implementation specifications. Currently, the Security Rule contains “required” and “addressable” requirements for implementing the rule, referred to as “implementation specifications,” including specific administrative, technical, organizational and documentation standards. Implementation specifications deemed “required” must be implemented. “Addressable” implementation specifications require that the regulated entity assess whether the implementation specification is reasonable and appropriate in its environment, when analyzed with reference to its likely contribution to protecting ePHI, and, if the regulated entity determines such implementation is not reasonable and appropriate, document why and implement a reasonable and appropriate alternative measure.
The proposed rule also updates definitions and other implementation specifications to reflect changes in technology and adds specific compliance time periods for many requirements. The proposed rule also sets specific requirements for covered entities and Business Associates (as such terms are defined under HIPAA) to improve cybersecurity protections and safeguards for individuals’ ePHI by requiring certain measures of companies subject to the Security Rule, including:
- Maintain written documentation of all policies, procedures, plans and analyses in connection with the HIPAA Security Rule.
- Employ specified security measures, including encrypting ePHI at rest and in transit; multi-factor authentication (MFA); anti-malware protection; network segmentation; separate controls for backup and recovery of ePHI; vulnerability scanning at least every six months; penetration testing at least once every 12 months; and patch management.
- Conduct compliance audits every 12 months.
- Develop and maintain a technology asset inventory and network map illustrating the movement of ePHI (must be updated at least once every 12 months and in response to changes in environment or operations affecting ePHI).
Further, the proposed rule would require greater specificity for a regulated entity’s risk analysis. Currently, the Security Rule requires that regulated entities “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the Covered Entity or Business Associate.” (45 C.F.R. § 164.308(a)(1)(ii)(A)). The proposed rule builds on this and would require that a written risk assessment include, among other things:[1]
- A review of the technology asset inventory and network map.
- Identification of all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI.
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
The proposed rule also sets specific requirements for incident response. For example, it requires that regulated entities establish a written incident response plan that is tested and revised every 12 months and documents responses to known or suspected security incidents. The proposed rule also requires that entities establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours and perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
Finally, the proposed rule includes updated requirements for Business Associates, in particular. First, the proposed rule requires that covered entities obtain verification at least once every 12 months from Business Associates showing that they have employed technical safeguards required by the Security Rule to protect ePHI. This is done through a written analysis of the Business Associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. Second, the proposed rule would require Business Associates to notify covered entities upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation. These same requirements would apply to Business Associates that subcontract with other Business Associates.
Public comments to the proposed rule are due 60 days after publication in the Federal Register (on or before March 7, 2025), and the current HIPAA Security Rule will remain in effect during this rulemaking. HHS has asked for comments on a variety of topics around new and emerging technologies, including quantum computing and artificial intelligence.
The NPRM provides that the effective date of the final rule would be 60 days after publication and that a compliance date would then be set by the final rule. The NPRM proposes that the compliance date would be 180 days after the effective date of the final rule. As such, assuming many of the key provisions of the proposed rule would remain unchanged, entities subject to the Security Rule, including entities that may be subject to certain requirements through Business Associate agreements, should consider:
- Reviewing current practices around asset inventories and network maps.
- Evaluating security policies and procedures, including cadence for risk analyses, penetration tests and vulnerability scanning.
- Encrypting ePHI in transit and at rest and implementing MFA, if not already in place.
In anticipation of the forthcoming rule, Paul Hastings is working with clients to conduct gap assessments, contract analysis and policy playbooks to address and anticipate the risk of the likely coming changes. The Paul Hastings Data Privacy and Cybersecurity practice regularly advises on the HIPAA Privacy and Security rules. If you have any questions concerning how the proposed updates to the Security Rule may affect your organization, please do not hesitate to contact any members of our team.
[1] Note that this blog post includes just a sample of the proposed requirements. See the OCR’s Factsheet, which includes a more comprehensive list of the proposed requirements.