New Year, New HIPAA Security Rule?

January 8, 2025Legal Alerts

Citing the “alarming growth” of cyberattacks in recent years, the U.S. Department of Health and Human Services (“HHS”) has issued a Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule to strengthen the cybersecurity of electronic protected health information (“ePHI”).

The proposed rule, if finalized, will require covered entities and their business associates (collectively, the “Regulated Entities”) to make substantial updates to their privacy policies and procedures, workforce trainings, information technology systems and business associate agreements.

In its Notice of Proposed Rulemaking, HHS noted that while the core requirements of the Security Rule “remain highly relevant and applicable, [it] has concerns regarding the sufficiency of the security measures implemented by regulated entities.” Further, audits conducted by the HHS Office of Civil Rights have shown that the Regulated Entities fail to consistently comply with the Security Rule. According to HHS, the rising costs of health care data breaches (on average almost $10.1 million), reputational harm to affected individuals and entities, and safety concerns necessitate a Security Rule update.

Some of the changes address: 

  • Vulnerability and Configuration Management: The proposed rule includes enhanced safeguards to require maintenance and testing of certain security measures. For example, Regulated Entities may be required to test written policies and procedures by simulating security events that mimic real-world cyberattacks. The proposed rule requires continuous monitoring of electronic information systems (“EIS”) and technology assets to ensure Regulated Entities maintain a baseline level of security, and Regulated Entities will be required to conduct vulnerability scans every six months. It also mandates removal of extraneous software from EIS.
  • Technology Asset Inventories: As proposed, the rule will update the standard for the security management process to require Regulated Entities to maintain technology asset inventories and network maps of their EIS and all technology assets that may affect the confidentiality, integrity or availability of ePHI.
  • Risk Evaluations: Under the proposed rule, Regulated Entities are required to perform written technical and nontechnical evaluations to determine whether any changes to their operations may affect the confidentiality, integrity or availability of ePHI. Changes in operations include an upgrade in the Regulated Entity’s technology, as well as a sale or merger of all, or part of, the Regulated Entity with another entity.
  • Risk Management: The proposal requires that Regulated Entities undertake risk management activities, such as the implementation of patches, updates and upgrades to technology to mitigate cyberattacks and address vulnerabilities.
  • Workforce Security: The proposed rule includes new notification requirements related to workforce member access to ePHI, and changes or termination of certain EIS. 
  • Security Incident Procedures and Compliance Audits: If finalized, Regulated Entities will be required to establish security incident response plans and test them annually. Annual compliance audits are also required under the proposed rule.
  • Business Associate Verification: In addition to obtaining satisfactory assurances that a business associate will comply with the Security Rule, the proposed rule requires annual written verification that business associates have deployed the requisite technical safeguards. 
  • Encryption/Decryption Standards and Authentication: The proposed rule requires encryption and decryption of all ePHI in a manner that is consistent with prevailing cryptographic standards, with limited exceptions. The proposed rule also requires using multi-factor authentication, with limited exceptions. 
  • Contingency Plan Notification: Under the proposed rule, business associates will be required to notify covered entities within 24 hours of activating their contingency plans. HHS notes that it believes Regulated Entities activate their contingency plans infrequently, likely no more than once per year.

HHS has solicited comments on the proposed rule, which are due by March 7, 2025. If you have questions related to how the proposed rule could impact your organization or would like assistance in submitting a comment, please contact the authors.