HIPAA Security Rule Overhaul: Start Planning Now
Significant changes are being proposed to the HIPAA Security Rule that will require Covered Entities and Business Associates to reevaluate their current HIPAA compliance practices. On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published a Notice of Proposed Rulemaking (“NPRM”) to modify the HIPAA Security Rule (45 C.F.R. § 164.302 et seq.). To combat growing and persistent cybersecurity threats, the NPRM aims to strengthen cybersecurity protections for electronic Protected Health Information (“ePHI”).
HIPAA Security Rule Background and Purpose of NPRM
The Security Rule established national standards governing the protection of ePHI. Covered Entities and Business Associates are required to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule applies to ePHI as opposed to physical (e.g., paper) PHI. The original Security Rule and its standards were released in 2003 and then modified in 2013. Up until this NPRM, the Security Rule standards have not changed, even with the proliferation of cyber attacks targeting the health care sector.
Since 2013, OCR has published additional Security Rule guidance through other means, often relying upon national cybersecurity frameworks and publications from the National Institute of Standards and Technology, the Federal Trade Commission, and Department of Health and Human Services initiatives. It now appears that OCR is taking a more direct approach. Specifically, OCR states in the NPRM that it does “not believe that these [guidance documents] are sufficiently instructive for regulated entities to help improve their compliance with the Security Rule.”[1] OCR cites a variety of factors that require the Security Rule to be modified, including significant changes in technology, changes in breach trends, and OCR’s enforcement experience, among other things.
No More Addressable Specifications; Only Required Ones
Under the current Security Rule regulations, implementation specifications for specific safeguards are either “required” or “addressable.” If an implementation specification is “addressable,” a regulated entity can assess whether the specification is a reasonable and appropriate safeguard as applied to its ePHI and network environment, and can ultimately decide not to implement the specification, provided that it implements an equivalent alternative measure and documents its rationale for departing from the specification.
Under the NPRM, there are no more “addressable” specifications. Regulated entities would be required to comply with every applicable standard and its implementation specifications. This change is notable because the NPRM also requires Covered Entities and Business Associates to perform and document a compliance audit at least once every 12 months against each standard and implementation specification.
Highlighted Safeguard Changes
Given that all implementation specifications would be mandatory, each regulated entity will need to consult the NPRM requirements to determine how it must modify its physical, administrative, and/or technical safeguards to come into compliance. Some of the major changes that Covered Entities and Business Associates would be required to address include:
- Develop and maintain a technology asset inventory and a network map identifying the movement of ePHI into, through, and out of electronic information systems. The inventory and map would need to be reviewed and updated at least once every 12 months and whenever there is a change in the environment or operations that may affect ePHI.
- Conduct more comprehensive annual risk analyses that identify reasonably anticipated threats to ePHI and potential and existing vulnerabilities in relevant information systems, assess and document existing security measures, estimate the likelihood that each identified threat will exploit a vulnerability, and account for the risks to ePHI posed by Business Associates.
- Review patch management processes at least once every 12 months and apply identified patches to relevant information systems. Critical vulnerabilities identified through patch management would need to be remediated within fifteen days of identification.
- Meet more stringent requirements for workforce training and for managing workforce members’ access to ePHI.
- Develop comprehensive incident response, disaster recovery, and contingency plans that, among other things, restore lost relevant information systems and data within 72 hours.
- Encrypt ePHI at rest and in transit, with limited exceptions.
- Use multi-factor authentication when accessing ePHI, with limited exceptions.
- Implement configuration management controls such as deploying anti-malware protection, removing extraneous software, and disabling network ports in accordance with the entity’s risk analysis.
- Conduct vulnerability scanning at least once every six months.
- Conduct penetration testing at least once every twelve months.
- Maintain backups so that retrievable copies of ePHI are no more than 48 hours older than the ePHI maintained in the relevant information systems. Restoration from those backups would need to be tested at least once every six months and in response to environmental or operational changes.
OCR has published a fact sheet that summarizes the most substantive changes, including several not discussed above.
Business Associate Relationships
The NPRM also creates new oversight requirements for Business Associates that will affect the relationship between Covered Entities and Business Associates. Notably, Covered Entities would be required to obtain written verification from each of their Business Associates, at least once every 12 months, that the Business Associate has deployed the technical safeguards required by the NPRM. The Business Associate can provide this verification only through a written analysis of the relevant electronic information systems performed by a person with appropriate knowledge and experience, accompanied by a written certification from a person with authority that the analysis has been performed and is accurate.
That said, the NPRM would allow a Covered Entity or Business Associate to appoint a Business Associate to serve as its designated security official. So, although there are added oversight and compliance requirements between each regulated entity, it appears that OCR is also creating flexibility and recognizing that some Business Associates (such as managed IT vendors) already functionally serve as security officials for their Covered Entity customers.
What’s Next?
The bottom line is that complying with the updated Security Rule requirements will be a considerable undertaking for any Covered Entity or Business Associate. As a practical matter, it will make it a HIPAA requirement for health care providers, and the Business Associates that support them, to have dedicated (and qualified) IT and cybersecurity staff or an on-call IT and cybersecurity support vendor. To be clear, the NPRM is not effective law yet; it is subject to review and comment and will almost certainly be revised before it is finalized and takes effect. We should nevertheless anticipate that the final rule will result in substantial changes to the HIPAA Security Rule landscape.
With a new presidential administration taking office after publication of this NPRM, it is unclear what the future of these rules is. However, the Trump administration showed interest in heightened cybersecurity protections during its first term, so these heightened standards may carry over from one administration to the next.
The public commenting period for the NPRM runs until March 7, 2025. The effective date of any final rule after receipt of public comments would be sixty (60) days after the final rule’s publication in the Federal Register. Further, the date to comply with such final rule regulations would be one hundred eighty (180) days after the effective date of the final rule.
In summary, Covered Entities and Business Associates should start evaluating their current Security Rule compliance strategies now. Measuring existing safeguards against the proposed requirements will identify the adjustments that future rulemaking is likely to demand and allow those changes to be made in a timely manner. Doing so will not only ease the transition to new regulations but also strengthen the entity’s overall security posture.
Koley Jessen will continue to monitor further developments regarding the NPRM. If you have questions about the impact these rules may have on your organization or current HIPAA obligations, please contact a member of Koley Jessen’s Health Law practice group.
[1] 90 Fed. Reg. 898 at 900 (Jan. 6, 2025).
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.