Categories: Cybersecurity, Health Care, Privacy and Security Law
, ,

The HIPAA Security Rule was originally promulgated over 20 years ago.

While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and evolution of the cybersecurity landscape, increasingly indicate the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world.  On December 27, 2024, the HHS Office of Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”).  In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”  One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.

The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule.  While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework.  For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented.  Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management.  For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.

Proposed Key Changes to the HIPAA Security Rule

The following is a summary of the proposed key changes to the HIPAA Security Rule:

  • Removal of the distinction between “Addressable” and “Required” implementation specifications. Removal of the distinction is meant to clarify that the implementation of all the HIPAA Security Rule specifications is NOT optional.
  • Development of a technology asset inventory and network map. You cannot protect data unless you know where it resides, who has access to it, and how it flows within and through a network and information systems (including third party systems and applications used by the Covered Entity or Business Associate).
  • Enhancement of risk analysis requirements to provide more specificity regarding how to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Specifically, the risk analysis must consider and document the risks to systems identified in the technology asset inventory.
  • Mandated incident and disaster response plans. This will require organizations to have documented contingency plans in place, including a process to restore critical data within 72 hours of a loss.  This reflects a broader trend across the data protection landscape to ensure operational “resiliency”, recognizing that cyber attacks are routinely successful.
  • Updated access control requirements to better regulate which workforce members have access to certain data and address immediate termination of access when workforce members leave an organization.
  • Annual written verification that a Covered Entity’s Business Associates have implemented the HIPAA Security Rule.
  • Implementation of annual HIPAA Security Rule compliance audits.
  • Adoption of certain Security Controls:
    • Encryption of ePHI at rest and in transit;
    • Multi-factor authentication (i.e. requiring authentication of a user’s identity by at least two of three factors – e.g., password plus a smart identification card);
    • Patch management;
    • Penetration testing every 12 months;
    • Vulnerability scans every 6 months;
    • Network Segmentation;
    • Anti-malware protection; and
    • Back-up and recovery of ePHI.

Next Steps

The Proposed Rule was published in the Federal Register on January 6, 2025, and the 60-day comment period runs until March 7, 2025.  We encourage regulated organizations to consider the impact of the Proposed Rule on their own systems and/or submit comments as the Proposed Rule will likely have substantial implications on the people, processes, and technologies of organizations required to comply.  We also note that the Proposed Rule is only one of a number of a broad swath of ongoing cybersecurity related regulatory developments and you can learn about other similar developments which we discussed here by following our blog posts on Health Law Advisor.

Epstein Becker Green will be closely following this rulemaking process.  For additional information about the issues discussed above, or if you have other privacy, cybersecurity, or data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post.  Read more about our expansive capabilities and offerings here.

Tags: Data Asset Management, data protection, HHS
Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.