On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule.  According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.

Key Provisions

  • Removal of the Distinction Between “Addressable” and “Required” Implementation Specifications. For background, the Security Rule contains specific administrative, physical, technical, organizational, and documentation standards and associated implementation specifications. The current Security Rule contains both “required” and “addressable” implementation specifications. Required specifications must be implemented. Addressable specifications require that the covered entity or business associate (either, a “regulated entity”) assess whether the specification is reasonable and appropriate in the regulated entity’s environment with reference to the likely contribution to protecting electronic protected health information (ePHI) and, if the specification is not reasonable and appropriate, document why and implement an equivalent alternative measure that is reasonable and appropriate.
    The proposed rule would remove the distinction between “required” and “addressable” implementation specifications and require all implementation specifications, except in limited circumstances.  In the preamble, OCR states that it is concerned that some regulated entities misunderstand “addressable” specifications to be optional.  While the preamble emphasizes that the proposed rule aims to maintain flexibility in the Security Rule, the removal of this distinction is meant to clarify that implementation of the specifications is not optional; a regulated entity must implement the standards and associated specifications and adopt reasonable and appropriate security measures to achieve such implementation.
  • Creation of Technology Asset Inventory and Network Map. The proposed rule would require regulated entities to conduct and document an accurate and thorough written technology asset inventory and network map of their electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. Any technology asset inventory and network map would be required to take into account the processes that involve movement of ePHI into and outside of a regulated entity’s systems, including those that may involve another entity (i.e., a covered entity’s network map would be required to account for technology assets used by its business associates to create, receive, maintain, or transmit ePHI).
  • Greater Specificity for Risk Analyses. While the current Security Rule requires that a regulated entity conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the regulated entity, the proposed rule would impose more specific requirements for such risk analyses. In particular, the proposed rule would require a written assessment that takes into account and documents details related to eight specifications, including:
    • a review of the regulated entity’s technology asset inventory and network map;
    • identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; and
    • a determination of the potential impact of each identified threat.

    The preamble states that these requirements for risk analyses would be distinct from the evaluation standard, which requires a regulated entity to proactively consider whether risks or vulnerabilities will be introduced by any changes to the regulated entity’s environment or operations.

  • Incident and Disaster Response Requirements. The proposed rule would require that a regulated entity establish a security incident response plan and implement procedures for testing and revising that plan at least once every 12 months. A regulated entity would also be required to develop and maintain documentation of investigations, analyses, mitigation, and remediation for suspected or known security incidents. Further, a regulated entity would be required to have contingency plans in place, including procedures to restore its critical electronic information systems and data within 72 hours of a loss and to restore other systems and data in accordance with the criticality analysis contained in the regulated entity’s written contingency plan. A business associate would be required to notify covered entities (or a subcontractor business associate to notify business associates) upon activation of its contingency plan without unreasonable delay, but no later than 24 hours after activation.
  • Verification of Business Associates’ Technical Safeguards. The proposed rule would require that a regulated entity verify that an entity that creates, receives, maintains, or transmits PHI on its behalf is in fact taking the necessary steps to protect ePHI. In particular, the proposed rule would require that a covered entity obtain a written verification, at least once every 12 months, that a business associate has deployed the technical safeguards required by the Security Rule, including a written analysis of the business associate’s relevant electronic information systems. The same requirement would apply to business associates with respect to their subcontractor business associates.
  • Patch Management. The proposed rule would include a new standard for patch management, which would require that a regulated entity implement policies and procedures to identify, prioritize, and apply software patches throughout its electronic information systems that create, receive, maintain, or transmit ePHI or otherwise affect the confidentiality, integrity, or availability of ePHI. The proposed rule would impose specific timing requirements for patching, updating, or upgrading the relevant electronic information system: (i) 15 calendar days for a critical risk patch; (ii) 30 calendar days for a high risk patch; and (iii) a reasonable and appropriate period of time based on the entity’s policies and procedures for all other patches.
  • Strengthened Access Control Requirements. The proposed rule would require that a regulated entity implement written policies and procedures related to its workforce members’ access to ePHI and relevant electronic information systems, including termination of such access where appropriate, such as upon termination or a change in an employee’s role. The proposed rule would also require that a regulated entity notify other regulated entities after a change in or termination of a workforce member’s authorization to access ePHI of those other regulated entities as soon as possible but no later than 24 hours after the change or termination.
  • Compliance Audits. The proposed rule would require a regulated entity to perform and document an audit of its compliance with each standard and implementation specification of the Security Rule at least once every 12 months.
  • Documentation Requirements. The proposed rule would require that a regulated entity document in writing all policies, procedures, plans, and analyses required by the Security Rule, and review that documentation at least annually and in response to changes in its security environment or operations. This would include (but not be limited to) the requirements related to the technology asset inventory, network map, and risk analysis discussed above.
  • Workforce Sanctions. The proposed rule would include additional specifications related to the sanctioning of workforce members who fail to comply with a regulated entity’s security policies and procedures, including the requirement to establish and maintain written policies and procedures related to workforce sanctions and to document instances of, and the circumstances leading to, a regulated entity imposing sanctions on a workforce member.
  • Additional Security Measures. The proposed rule would require a number of additional security controls, each with limited exceptions, related to:
    • encryption of ePHI at rest and in transit;
    • multi-factor authentication;
    • network segmentation;
    • vulnerability scanning at least once every six months and penetration testing at least once every 12 months;
    • deployment of anti-malware protection;
    • removal of extraneous software from electronic information systems;
    • disablement of network ports in accordance with a regulated entity’s risk analysis; and
    • backup and recovery of ePHI.
Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.