
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HHS Proposes Strengthened HIPAA Security Rule

The White House has cleared the HIPAA Security Rule update proposed by the U.S. Department of Health and Human Services. A draft version of the Notice of Proposed Rulemaking (NPRM) was published on Friday and is due to be added to the Federal Register on January 6, 2025. The HHS is seeking comments on the proposed rule from HIPAA-regulated entities, healthcare industry stakeholders, and the public. The comment period will be open for 60 days following the date of publication of the NPRM in the Federal Register.

This is the first major update to the HIPAA Security Rule in over a decade and follows the January 2023 publication of the HHS Healthcare and Public Health Sector Cybersecurity Performance Goals. The purpose of the voluntary goals is to encourage healthcare organizations to enhance cybersecurity, but as the HHS explained in its December 2023 Healthcare Sector Cybersecurity concept paper, voluntary goals alone would be unlikely to drive the behavioral changes needed across the sector.

The purpose of the original HIPAA Security Rule was to ensure that healthcare organizations implement security policies, procedures, and safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule was written to be technology agnostic so that it would remain relevant for years without requiring regular updates to account for technological advancements. The Security Rule was also written to be flexible so that it was applicable to organizations of different types and sizes. As such, the HIPAA Security Rule does not specify the technologies that should be used to secure ePHI, and many of the implementation specifications in the original Security Rule are addressable rather than required elements.

Since the HIPAA Security Rule was enacted, there have been considerable advances in technology and cybersecurity, and there is now a pressing need to improve cybersecurity due to the massive increase in cyberattacks on the healthcare and public health sector. “Cyberattacks continue to impact the health care sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected every year has skyrocketed exponentially, a number we expect to grow even bigger this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history,” said OCR Director Melanie Fontes Rainer. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation.”

In the past five years, OCR has seen a 102% increase in reports of large data breaches (500 or more records), while the number of individuals impacted by those data breaches has increased by a staggering 1002%. The massive increase in victims of data breaches is largely due to an 89% increase in hacking incidents and a 102% increase in ransomware incidents since 2019. In 2023, 167 million individuals were affected by healthcare data breaches and this year the total is higher still. As of 30 November 2024, more than 180 million individuals have had their personal and protected health information exposed or impermissibly disclosed in large healthcare data breaches.

The 393-page proposed HIPAA Security Rule update – The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information – includes specific measures that must be implemented by HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates to strengthen cybersecurity protection for individuals’ protected health information.

OCR investigates all large healthcare data breaches, and those investigations and past audits have highlighted common deficiencies in HIPAA Security Rule compliance, especially with the risk analysis requirement. The proposed rule addresses these common areas of noncompliance. It also accounts for changes to the environment in which healthcare is provided since the original Security Rule was published, for the latest cybersecurity guidelines, best practices, methodologies, procedures, and processes for improving protections against external and internal threats, and for court decisions that have affected enforcement of the HIPAA Security Rule.

Key Requirements of the Proposed HIPAA Security Rule Update

The proposed HIPAA Security Rule update revises definitions and implementation specifications to reflect changes in technology and terminology and removes the distinction between required and addressable implementation specifications, which will all be required, with limited exceptions. All Security Rule policies, procedures, plans, and analyses must be documented by HIPAA-regulated entities, and the update adds specific compliance time periods for many of the existing Security Rule requirements.

Technology asset inventory and network map – Develop and maintain a technology asset inventory and a network map illustrating the movement of ePHI throughout the regulated entity’s electronic information systems. Both must be revised on an ongoing basis, at least every 12 months, and following any change to the regulated entity’s environment or operations that may affect ePHI.

Risk analysis – Greater specificity for conducting a risk analysis, which must include a review of the technology asset inventory and network map; the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; the identification of potential vulnerabilities and predisposing conditions in the regulated entity’s relevant electronic information systems; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

Annual Security Rule compliance audits – HIPAA-regulated entities will be required to conduct a HIPAA Security Rule compliance audit at least every 12 months.

Contingency planning and security incident response – Establish written procedures for restoring electronic information systems and data within 72 hours; conduct an analysis of the relative criticality of electronic information systems and technology assets to establish the restoration priority; establish written security incident response plans and procedures describing how workforce members can report potential or known security incidents; establish written procedures on how the entity will respond; and implement written procedures for testing and revising incident response plans.

Enhanced security measures – With limited exceptions, HIPAA-regulated entities would be required to implement the following security measures:

  • Encryption of all ePHI at rest and in transit
  • Multi-factor authentication
  • Network segmentation
  • Vulnerability scanning at least every 6 months
  • Penetration tests at least every 12 months
  • Anti-malware protection
  • Removal of extraneous software from relevant electronic information systems
  • Disabling of network ports in accordance with the regulated entity’s risk analysis
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems
  • Review and testing of the effectiveness of certain security measures at least once every 12 months

Notification requirements – Certain regulated entities must be notified within 24 hours when a workforce member’s access to ePHI or to certain electronic information systems is changed or terminated. Business associates must notify covered entities when they have activated their contingency plans without unnecessary delay and no later than 24 hours after activation.

Annual verification of business associates’ and contractors’ technical safeguards – At least every 12 months, business associates must have a subject matter expert verify that they have deployed the technical safeguards required by the Security Rule to protect ePHI. The same applies to business associates’ subcontractors, who must provide that verification to the business associates they work for.

Group health plans must stipulate that plan sponsors implement Security Rule safeguards – Group health plans must include in their plan documents requirements that their plan sponsors comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agents provided with ePHI implement the administrative, physical, and technical safeguards of the Security Rule; and notify the group health plan upon activation of their contingency plans without unreasonable delay, and no later than 24 hours after activation.

The proposed Security Rule update will be added to the Federal Register before President Trump is inaugurated; however, it will be up to the Trump-Vance administration to decide whether or not to move forward with the Security Rule update. There is bipartisan support for increased cybersecurity requirements for the healthcare sector, although progress may be slow. President Trump is keen to eliminate rather than introduce new regulations and recently stated that ten old regulations will need to be removed for every new one implemented. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, said the estimated cost of implementing the Security Rule update will be $9 billion in the first year, plus $6 billion over the following four years.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
