On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule. According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Key Provisions
- Removal of the Distinction Between “Addressable” and “Required” Implementation Specifications. For background, the Security Rule contains administrative, physical, technical, organizational, and documentation standards, each with associated implementation specifications. The current Security Rule contains both “required” and “addressable” implementation specifications. Required specifications must be implemented. For an addressable specification, the covered entity or business associate (either, a “regulated entity”) must assess whether the specification is reasonable and appropriate in its environment, with reference to the specification’s likely contribution to protecting electronic protected health information (ePHI); if it is not, the regulated entity must document why and implement an equivalent alternative measure that is reasonable and appropriate.
The proposed rule would remove the distinction between “required” and “addressable” implementation specifications and require all implementation specifications, except in limited circumstances. In the preamble, OCR states that it is concerned that some regulated entities misunderstand “addressable” specifications to be optional. While the preamble emphasizes that the proposed rule aims to preserve the Security Rule’s flexibility, the removal of this distinction is meant to clarify that implementation of the specifications is not optional: a regulated entity must implement the standards and associated specifications and adopt reasonable and appropriate security measures to achieve that implementation.
- Creation of Technology Asset Inventory and Network Map. The proposed rule would require regulated entities to conduct and document an accurate and thorough written technology asset inventory and network map of their electronic information systems and of all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory and network map would be required to account for the processes that move ePHI into and out of a regulated entity’s systems, including those that involve another entity (i.e., a covered entity’s network map would be required to account for technology assets used by its business associates to create, receive, maintain, or transmit ePHI).
- Greater Specificity for Risk Analyses. While the current Security Rule requires that a regulated entity conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it holds, the proposed rule would impose more specific requirements for such risk analyses. In particular, the proposed rule would require a written assessment that addresses and documents eight specified elements, including:
- a review of the regulated entity’s technology asset inventory and network map;
- identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; and
- a determination of the potential impact of each identified threat.
The preamble states that these risk analysis requirements would be distinct from the evaluation standard, which requires a regulated entity to consider, before the fact, whether any change to its environment or operations will introduce new risks or vulnerabilities.
- Incident and Disaster Response Requirements. The proposed rule would require that a regulated entity establish a security incident response plan and implement procedures for testing and revising that plan at least once every 12 months. A regulated entity would also be required to develop and maintain documentation of its investigation, analysis, mitigation, and remediation of suspected or known security incidents. Further, a regulated entity would be required to have contingency plans in place, including procedures to restore its critical electronic information systems and data within 72 hours of a loss and to restore other systems and data in accordance with the criticality analysis contained in its written contingency plan. A business associate would be required to notify covered entities (or, for a subcontractor business associate, the business associate it serves) upon activation of its contingency plan without unreasonable delay, and in no case later than 24 hours after activation.
- Verification of Business Associates’ Technical Safeguards. The proposed rule would require that a regulated entity verify that an entity that creates, receives, maintains, or transmits PHI on its behalf is in fact taking the necessary steps to protect ePHI. In particular, the proposed rule would require that a covered entity obtain written verification, at least once every 12 months, that a business associate has deployed the technical safeguards required by the Security Rule, including a written analysis of the business associate’s relevant electronic information systems. The same requirement would apply to business associates with respect to their subcontractor business associates.
- Patch Management. The proposed rule would add a new patch management standard, which would require that a regulated entity implement policies and procedures to identify, prioritize, and apply software patches throughout the electronic information systems that create, receive, maintain, or transmit ePHI or that otherwise affect the confidentiality, integrity, or availability of ePHI. The proposed rule would impose specific deadlines for patching, updating, or upgrading the relevant electronic information system: (i) 15 calendar days for a critical risk patch; (ii) 30 calendar days for a high risk patch; and (iii) a reasonable and appropriate period of time, based on the entity’s policies and procedures, for all other patches.
- Strengthened Access Control Requirements. The proposed rule would require that a regulated entity implement written policies and procedures governing its workforce members’ access to ePHI and relevant electronic information systems, including termination of that access where appropriate, such as upon termination of employment or a change in a workforce member’s role. The proposed rule would also require that a regulated entity notify another regulated entity when a workforce member’s authorization to access that other entity’s ePHI changes or is terminated, as soon as possible but no later than 24 hours after the change or termination.
- Compliance Audits. The proposed rule would require a regulated entity to perform and document an audit of its compliance with each standard and implementation specification of the Security Rule at least once every 12 months.
- Documentation Requirements. The proposed rule would require that a regulated entity document in writing all policies, procedures, plans, and analyses required by the Security Rule, and review that documentation at least annually and in response to changes in its security environment or operations. This would include (but not be limited to) the requirements related to the technology asset inventory, network map, and risk analysis discussed above.
- Workforce Sanctions. The proposed rule would add specifications on sanctioning workforce members who fail to comply with a regulated entity’s security policies and procedures, including a requirement to establish and maintain written sanctions policies and procedures and to document each instance in which a sanction is imposed on a workforce member, along with the circumstances leading to it.
- Additional Security Measures. The proposed rule would require a number of additional security controls, each with limited exceptions, related to:
- encryption of ePHI at rest and in transit;
- multi-factor authentication;
- network segmentation;
- vulnerability scanning at least once every six months and penetration testing at least once every 12 months;
- deployment of anti-malware protection;
- removal of extraneous software from electronic information systems;
- disablement of network ports in accordance with a regulated entity’s risk analysis; and
- backup and recovery of ePHI.