HHS Issues Proposed Rule Aimed at Strengthening HIPAA Security Compliance

On Dec. 27, 2024, the U.S. Department of Health and Human Services (HHS) released a proposed rule that would modify the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). Although the changes are substantial, they are only in proposed form at this point. Employers with self-insured health plans and those with fully insured health plans with access to ePHI should monitor developments and plan to improve safeguards for ePHI if the changes are finalized.

The HIPAA Security Rule establishes a legal framework for protecting individuals’ ePHI by covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates (collectively, regulated entities). These standards require regulated entities to analyze the risks and vulnerabilities of their ePHI. The risk assessment process helps regulated entities implement reasonable and appropriate safety measures to protect their ePHI.

According to HHS, the proposed rule would update the Security Rule’s standards to better address modern cybersecurity threats in the healthcare sector. HHS’ proposal to strengthen the Security Rule includes the following changes for regulated entities:

• Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
• Require written documentation of all Security Rule policies, procedures, plans, and analyses.
• Update definitions and revise implementation specifications to reflect changes in technology and terminology.
• Add specific compliance time periods for many existing requirements.
• Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
• Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
  • Required notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
• Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
  • Conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.
  • Business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
• Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months in place of the current general requirement to maintain security measures.
• Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay but no later than 24 hours after activation.
• Require group health plans to include in their plan documents requirements for their group health plan sponsors to comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

If the proposed rule is finalized, regulated entities will be required to comply with it 180 days after its effective date. The change in presidential administration could impact the implementation of the final rule, so we will continue to monitor this story as it moves through the rulemaking process. To read the fact sheet issued by HHS, click here.