On January 6, the Department of Health and Human Services Office for Civil Rights (OCR) published a notice of proposed rulemaking (Proposed Rule) that would strengthen the requirements of the security rule promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA Security Rule).
The Proposed Rule would modify the HIPAA Security Rule’s standards for protecting electronic protected health information (ePHI) to address changes impacting cybersecurity since the rule’s initial publication in 2003, including the significant increases in ransomware and other threats to ePHI affecting the healthcare industry.
New Proposals and Clarifications that Seek to Strengthen the Security Rule
The HIPAA Security Rule historically has afforded covered entities and business associates (collectively, Regulated Entities) flexibility in meeting its requirements. The technical, administrative and physical safeguards of the HIPAA Security Rule contain both “required” and “addressable” implementation specifications. If the Regulated Entity determines that it is not reasonable and appropriate to implement an addressable specification, the Regulated Entity must document why and may implement an “equivalent alternative measure” to protect ePHI.
The Proposed Rule would eliminate addressable implementation specifications altogether, requiring Regulated Entities to comply with a more precise set of security standards and controls. The Proposed Rule would continue to allow Regulated Entities to consider the entity’s size, complexity, technical capabilities, and the cost of security measures when implementing the standards set forth in the HIPAA Security Rule. It would also permit Regulated Entities to consider the effectiveness of a security measure in “supporting the resiliency” of the Regulated Entity.
The Proposed Rule would significantly modify the current standards and affirmative obligations of the HIPAA Security Rule in other ways, including the following:
Elements and Frequency of Risk Analysis
OCR has consistently taken the position that conducting a thorough risk analysis is “foundational” to a Regulated Entity’s compliance with the HIPAA Security Rule. However, based on its audits and investigations of Regulated Entities, OCR has observed that many Regulated Entities have failed to meet all of the elements of a compliant risk analysis. OCR proposes to define risk, threat and vulnerability to codify the elements of a risk analysis that have previously been described in OCR guidance documents. Further, the Proposed Rule would specify all the required steps for conducting a risk analysis, beginning with an inventory of the Regulated Entity’s technology assets and creating a “network map” that illustrates the movement of ePHI throughout the Regulated Entity’s systems. Regulated Entities would also be required to do the following:
- Identify reasonably anticipated threats to ePHI.
- Identify potential vulnerabilities to the Regulated Entity’s electronic information systems.
- Assess and document security measures used to ensure the confidentiality, integrity, and availability of ePHI created, received, maintained or transmitted by the Regulated Entity.
- Determine the likelihood and potential impact of each threat identified by the Regulated Entity.
- Assess the risk level for each threat.
- Assess the risks to ePHI posed by entering or continuing to operate under a Business Associate Agreement (BAA) based on written verification from the business associate or subcontractor (as described below).
Regulated Entities would be required to review and update the elements of the risk analysis on at least an annual basis.
Risk Management
The Proposed Rule would modify the existing risk management standard to include more stringent implementation and review requirements for Regulated Entities. A Regulated Entity would be required to establish and implement a written plan for reducing the risks identified through its risk analysis activities and implement security measures that are sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. Whether a risk level is reasonable and appropriate would be a fact-specific inquiry, depending on the Regulated Entity’s complexity and risk profile. Regulated Entities would be required to review their risk management plans at least once every 12 months and as reasonable and appropriate in response to a risk analysis.
Encryption and Decryption
Under the HIPAA Security Rule, encryption of ePHI, both in transit and at rest, is an addressable implementation specification. In the preamble to the Proposed Rule, OCR cites its findings from several investigations that many Regulated Entities failed to employ technical controls sufficient to keep pace with the evolving digital environment of healthcare. OCR also observes that tools to encrypt ePHI have become generally more available, less costly, and more in line with industry standards. Accordingly, OCR proposes to require that Regulated Entities configure and implement tools to encrypt and decrypt ePHI in a manner that is consistent with prevailing cryptographic standards, subject to certain exceptions, such as when ePHI is stored or created on a medical device that is no longer supported by its manufacturer.
Multifactor Authentication
The Proposed Rule would require multifactor authentication (MFA) to be deployed on all technology assets within a Regulated Entity’s electronic information systems. The Proposed Rule outlines three exceptions to this rule. The first exception would apply to technology assets that are currently in use by a Regulated Entity but do not support MFA. The second exception would apply to an emergency or other occurrence that adversely affects a Regulated Entity’s relevant electronic information systems or the confidentiality, integrity, or availability of ePHI. The third such exception would apply to legacy devices authorized by the Food and Drug Administration (FDA) for marketing, so long as those devices are duly authorized by the FDA for marketing based on a submission received on or after March 29, . To rely on any of the above exceptions to the MFA requirement, a Regulated Entity must document the existence of the criteria demonstrating that a given exception would apply and the rationale for why the Regulated Entity believes such an exception would apply. The Regulated Entity would also be required to implement reasonable and appropriate compensating controls, in lieu of MFA.
Business Associate Verification Requirements
The Proposed Rule would require Regulated Entities to obtain written verification from their business associates documenting the business associates’ deployment of technical safeguards at least once every 12 months. As part of this written verification, a business associate would be required to conduct a comprehensive analysis of its compliance with each of the HIPAA Security Rule’s technical safeguards and verify that all such required items are in place.
Compliance Audits
Regulated Entities would be required to perform and document an audit to assess compliance with all standards and implementation specifications under the HIPAA Security Rule once every 12 months. OCR posits that the audit may be performed internally by the Regulated Entity or with the assistance of a third party.
Data Backup and Recovery
The Proposed Rule would require Regulated Entities to implement new technical controls that allow each such entity to create and maintain exact, retrievable copies of ePHI as part of the entity’s data backup and recovery system. OCR proposes four specific implementation specifications related to data backup and recovery, which would require that:
- The technical controls ensure each copy of ePHI is no more than 48 hours older than ePHI maintained in the entity’s information system.
- The technical controls include real-time alerts to workforce members on any failures or errors involving data backups.
- The technical controls record the success, failure, and error conditions of any backups.
- Regulated Entities test the effectiveness of data backups and document the results at least monthly.
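The four backup specifications above translate directly into a monitoring check. The following Python script is an added illustration and is not part of OCR’s Proposed Rule or any backup product; the log format it parses (one line per job run: timestamp, dataset, status, detail) and the sample records are constructed for the example. It evaluates the 48-hour freshness threshold for each dataset against a reference time, records the success, failure and error condition of every run, and produces the alert list that a real-time notification channel would consume.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real backup product). Fields:
# "<UTC timestamp> <dataset> <status> <detail>", status in {success, failure, error}.
SAMPLE_LOG = """\
2025-01-10T01:00:00Z ehr-db success 38.2GB
2025-01-10T01:05:00Z imaging-store success 412.0GB
2025-01-11T01:00:00Z ehr-db success 38.4GB
2025-01-11T01:05:00Z imaging-store error checksum_mismatch
2025-01-12T01:00:00Z ehr-db failure target_unreachable
2025-01-12T01:05:00Z imaging-store failure target_unreachable
2025-01-12T03:00:00Z ehr-db success 38.5GB
"""

# Freshness threshold stated in the Proposed Rule: no copy older than 48 hours.
MAX_AGE = timedelta(hours=48)

# Constructed reference time for the evaluation (a real check would use datetime.now(timezone.utc)).
REFERENCE_NOW = datetime(2025, 1, 13, 0, 0, 0, tzinfo=timezone.utc)


@dataclass
class BackupEvent:
    when: datetime
    dataset: str
    status: str  # success | failure | error
    detail: str


def parse_backup_log(text: str) -> list[BackupEvent]:
    """Parse the constructed log format into a list of events, keeping every run's outcome."""
    events: list[BackupEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dataset, status, detail = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(BackupEvent(when, dataset, status, detail))
    return events


def alerts_for(events: list[BackupEvent]) -> list[str]:
    """One alert message per failed or errored run, for delivery to on-call workforce members."""
    return [
        f"{e.when.isoformat()} {e.dataset}: {e.status} ({e.detail})"
        for e in events
        if e.status != "success"
    ]


def freshness_report(events: list[BackupEvent], now: datetime, max_age: timedelta = MAX_AGE) -> dict[str, dict]:
    """Per dataset: time of the last successful copy, its age in hours, and whether it exceeds max_age."""
    report: dict[str, dict] = {}
    for dataset in sorted({e.dataset for e in events}):
        successes = [e.when for e in events if e.dataset == dataset and e.status == "success"]
        last_ok = max(successes) if successes else None
        age = (now - last_ok) if last_ok is not None else None
        report[dataset] = {
            "last_success": last_ok,
            "age_hours": None if age is None else round(age.total_seconds() / 3600, 1),
            # A dataset with no successful copy at all is treated as stale.
            "stale": age is None or age > max_age,
        }
    return report


if __name__ == "__main__":
    evs = parse_backup_log(SAMPLE_LOG)
    for msg in alerts_for(evs):
        print("ALERT:", msg)
    for name, row in freshness_report(evs, REFERENCE_NOW).items():
        state = "STALE" if row["stale"] else "ok"
        print(f"{name}: last success {row['last_success']}, age {row['age_hours']}h -> {state}")
```

Run against the sample log, the check raises three alerts (one error, two failures) and flags imaging-store as stale because its last successful copy is about 71 hours old, while ehr-db recovered within the window. The monthly restore test the rule also requires is a separate exercise; this script only verifies that copies exist and are recent, not that they can be restored.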
What Practical Effects Would the Rule Have on Regulated Entities?
Compliance with the Proposed Rule, if finalized, would require Regulated Entities to take a number of proactive steps, including the following:
Revising Business Associate Agreements
Regulated Entities would need to revise their BAA forms to include a statement that the business associate will report to the covered entity without unreasonable delay and within 24 hours of activation of its contingency plan. The Proposed Rule would allow Regulated Entities additional time to update existing BAAs. Regulated Entities would be required to replace or amend their existing BAAs by the earlier of the contract renewal date or within one year of the Proposed Rule’s effective date.
Updating Security Safeguards to Meet Minimum Requirements
Many Regulated Entities would need to enhance their technical controls to comply with the Proposed Rule’s more detailed and precise safeguard requirements. For example, while the HIPAA Security Rule requires terminating workforce members’ access to ePHI when no longer necessary for their job functions, the Proposed Rule would require Regulated Entities to remove such access within one hour from the end of employment. The Proposed Rule also would require Regulated Entities to change default passwords and implement unique user passwords that are consistent with current recommendations of authoritative sources such as the National Institute of Standards and Technology.
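The one-hour deprovisioning window is the kind of obligation an entity will want to evidence with data rather than policy text. The script below is an added example, not from the Proposed Rule or any identity product: it joins a constructed HR separation feed with constructed IAM revocation audit events, computes the revocation latency per user, and flags both late revocations and separations with no revocation recorded at all. The record formats and user IDs are assumptions for the example.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Proposed Rule: access removed within one hour of the end of employment.
GRACE = timedelta(hours=1)

# Constructed sample records (no real HR or IAM system). Format: "<UTC timestamp> <user> <event>".
HR_SEPARATIONS = """\
2025-02-03T17:00:00Z u1001 terminated
2025-02-03T17:30:00Z u1002 terminated
2025-02-04T09:00:00Z u1003 terminated
"""

IAM_REVOCATIONS = """\
2025-02-03T17:20:00Z u1001 access_revoked
2025-02-03T19:05:00Z u1002 access_revoked
"""


def _parse_events(text: str) -> dict[str, datetime]:
    """Map each user ID to the timestamp of its event (first occurrence wins)."""
    out: dict[str, datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.setdefault(user, when)
    return out


def deprovisioning_findings(hr_text: str, iam_text: str, grace: timedelta = GRACE) -> dict[str, dict]:
    """For every separated user, report revocation latency in minutes and whether it met the grace window."""
    separations = _parse_events(hr_text)
    revocations = _parse_events(iam_text)
    findings: dict[str, dict] = {}
    for user, t_sep in separations.items():
        t_rev = revocations.get(user)
        if t_rev is None:
            findings[user] = {"latency_minutes": None, "compliant": False, "reason": "no revocation recorded"}
            continue
        latency = t_rev - t_sep
        findings[user] = {
            "latency_minutes": latency.total_seconds() / 60,
            "compliant": timedelta(0) <= latency <= grace,
            "reason": "within window" if latency <= grace else "revoked late",
        }
    return findings


def noncompliant_users(findings: dict[str, dict]) -> list[str]:
    """Sorted list of users whose access was not removed within the grace window."""
    return sorted(u for u, f in findings.items() if not f["compliant"])


if __name__ == "__main__":
    results = deprovisioning_findings(HR_SEPARATIONS, IAM_REVOCATIONS)
    for user, f in results.items():
        print(user, f)
    print("non-compliant:", noncompliant_users(results))
```

On the sample data u1001 is revoked after 20 minutes and passes, u1002 is revoked after 95 minutes and fails, and u1003 has no revocation event and fails. Running this join on a schedule, and keeping its output, gives the operational evidence the "put into effect and operationally functional" language elsewhere in the Proposed Rule points to.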
Enhancing the Risk Analysis Process with Additional, Specific Steps
The Proposed Rule’s detailed specifications for how to conduct an accurate and thorough risk analysis would require many Regulated Entities to refine or replace their current security risk analysis process. For example, Regulated Entities that have not historically maintained clear technology asset inventories will need to revise their process to meet new specifications. Additionally, compliance with the requirement to review, verify, and update security risk assessments on an annual basis could pose cost and resource challenges for Regulated Entities.
Reviewing Written Policies and Procedures
The Proposed Rule would require Regulated Entities to demonstrate that technical controls are not only documented but also put into effect and operationally functional as expected. The Proposed Rule also adds specificity to existing obligations regarding documentation and maintenance of written policies (e.g., requiring certain policy reviews on an annual basis). Updating written policies and procedures to reflect these revamped specifications can help an organization ensure compliance and also concretely demonstrate compliance efforts to regulatory authorities.
When Will the Proposed Rule’s Requirements Take Effect?
The Proposed Rule’s publication signals OCR’s determination to align HIPAA’s security requirements with modern-day technological considerations. OCR is accepting comments on the Proposed Rule through March 7, 2025. It is possible the transition to a new presidential administration will delay issuing a Final Rule, although many of the substantive considerations in the Proposed Rule carry bipartisan support. The Final Rule will become effective 60 days after its publication, with compliance dates at least 180 days after publication. The current Security Rule remains in effect while OCR further pursues this rulemaking process.
Our team is monitoring this regulation. If you have questions about the Proposed Rule or its potential impact on your organization, please contact the authors.