Summary
The U.S. Department of Health and Human Services (HHS) has proposed changes to its Health Insurance Portability and Accountability Act (HIPAA) Security Rule designed to enhance the cybersecurity of health care providers, health plans, and related entities.
The Upshot
- If finalized, the changes would represent the first update to the HIPAA Security Rule in more than a decade.
- Finding health information to be an increasingly frequent target for cyberattacks, the proposed rules would require individuals and entities subject to HIPAA’s requirements to strengthen their security requirements in a manner that keeps pace with technological advancements; address their technological assets, processes, risks, vulnerabilities, and plans for improvement with greater specificity; and take certain corrective actions within specified periods.
- Reviews of compliance, including monitoring of business associates, would need to take place no less frequently than annually.
The Bottom Line
Public comments on the proposed rule are due on or before March 7, 2025, although the change in administrations next week could affect how quickly this and other proposed rules proceed. We will continue to track and report on developments.
On January 6, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) to amend the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The proposed changes, if enacted, would represent the first update to the HIPAA Security Rule since 2013.
The proposed updates, which apply to covered entities and business associates (collectively, Regulated Entities), aim to enhance cybersecurity measures within the health care sector, addressing the increasing frequency and sophistication of cyberattacks that threaten patient safety and the confidentiality of electronic protected health information (ePHI).
Below are some of the key proposals in the NPRM:
1. Strengthened Security Requirements: HHS proposes eliminating the current distinction between “required” and “addressable” provisions of the Security Rule, thereby requiring compliance with all implementation specifications in the future. For example, with certain exceptions, ePHI would now be required to be encrypted at rest and in transit. Regulated Entities would no longer be permitted to merely document rationale for noncompliance with “addressable” implementation specifications. HHS also proposes new implementation specifications. As such, Regulated Entities would be required to strengthen and adopt security standards to ensure robust cybersecurity practices that keep pace with technological advancements and emerging threats, including by deploying anti-malware solutions, removing unnecessary software, disabling unused network ports, implementing multifactor authentication for systems that handle ePHI, and conducting vulnerability scans every six months and annual penetration tests.
2. Technology Asset Inventory and Network Map: Regulated Entities would be required to develop and maintain an inventory of their technology assets and create a network map illustrating the movement of ePHI within the Regulated Entities’ systems, which must be updated annually or when significant changes in the organizations’ operations or environment occur.
3. Enhanced Risk Analyses: Regulated Entities would be required to include greater specificity when conducting a risk analysis, including, among other specifics:
- “A review of the technology asset inventory and network map.
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
- Identification of potential vulnerabilities and predisposing conditions to the Regulated Entity’s relevant electronic information systems; [and]
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.”
The written risk assessment would need to be reviewed, verified, and updated at least every 12 months, with evaluations conducted when there are changes in the environment or operations. A written risk management plan must be maintained and reviewed annually.
4. Access Changes: Access to ePHI would need to be terminated as soon as possible, and within one hour after a workforce member’s employment (or other relationship) ends. Regulated Entities would be required to notify certain other Regulated Entities within 24 hours when a workforce member’s access to ePHI or related systems is terminated or modified.
5. Contingency and Incident Response Plans With Notification Procedures: Regulated Entities would be required to implement detailed plans for restoring systems within 72 hours, prioritizing critical systems and establishing and testing written security incident response plans regularly. Business associates and subcontractors would be required to notify covered entities within 24 hours of activating their contingency plans.
6. Verification of Business Associates’ Safeguards: Business associates would be required to verify at least once every 12 months that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. Based on these written verifications, Regulated Entities would be required to conduct an assessment of the risks posed by new and existing business associate arrangements.
Along with the NPRM, OCR published a fact sheet that provides additional details on the proposed updates.
Public comments to the proposed rule are due on or before March 7, 2025, although it is possible that the change in administrations later this month could affect the progress of this and other proposed rules. While HHS undertakes the rulemaking, the current Security Rule remains in effect.
Copyright © 2025 by Ballard Spahr LLP.
www.ballardspahr.com
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.