
OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information

Client Alert | 11 min read | 01.10.25

On January 6, 2025, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a notice of proposed rulemaking (the “NPRM”) entitled HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. In light of evolving technologies and cybersecurity threats, the NPRM aims to modernize security regulations implementing the Health Insurance Portability and Accountability Act security standards (the “HIPAA Security Rule”) and strengthen protections for the confidentiality, integrity, and availability of electronic protected health information (“ePHI”). In particular, OCR is considering modifications to the HIPAA Security Rule to address:

  • Significant changes in technology;
  • Changes in breach trends and cyberattacks;
  • OCR’s enforcement experience;
  • Other guidelines, best practices, methodologies, procedures, and processes for protecting ePHI; and
  • Court decisions that affect enforcement of the HIPAA Security Rule.

The NPRM proposes sweeping revisions to the HIPAA Security Rule that all covered entities and business associates (collectively, “regulated entities”) should review closely. The changes proposed in the NPRM, if finalized, would require in-depth examination of, and potentially significant changes to, many regulated entities’ information security programs. Comments are due on or before March 7, 2025.

Key Proposals

The NPRM contains a myriad of changes to the HIPAA Security Rule. Some of the key changes are summarized below.

Removal of the Distinction Between “Addressable” and “Required” Implementation Specifications

One of the more important changes proposed in the NPRM is OCR’s proposal to remove the distinction between “addressable” and “required” implementation specifications. Currently, depending on various factors (e.g., the results of its risk analysis), a regulated entity may implement an addressable implementation specification, implement one or more alternative security measures that accomplish the same purpose, or document why neither the implementation specification nor an alternative is reasonable and appropriate and implement neither. However, as OCR notes in the NPRM, it has observed that many regulated entities misunderstand addressable implementation specifications to be optional.

The NPRM would eliminate this distinction altogether to clarify that the HIPAA Security Rule provides a floor of cybersecurity protections. This change would also clarify that regulated entities have flexibility in choosing the manner in which they meet the HIPAA Security Rule’s standards and implementation specifications, not whether they meet them at all. As a result, subject to limited exceptions, the NPRM would require compliance with all standards and implementation specifications.

Updated Risk Analysis Requirements

The NPRM proposes several revisions to the HIPAA Security Rule’s foundational risk analysis requirement. These changes are generally intended to impose more specific requirements on how regulated entities analyze the risks and vulnerabilities to ePHI in compliance with the HIPAA Security Rule. The NPRM would expressly require risk analyses to include the following:

  • A review of the technology asset inventory and network map;
  • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
  • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
  • An assessment and documentation of the security measures the regulated entity uses to ensure the confidentiality, integrity, and availability of ePHI;
  • A reasonable determination of the likelihood that each identified threat will exploit identified vulnerabilities;
  • A reasonable determination of the potential impact of each identified threat successfully exploiting identified vulnerabilities;
  • An assessment of the risk level for each identified threat and vulnerability; and
  • An assessment of the risks to ePHI posed by entering into or continuing a business associate agreement with any prospective or current business associate based on the written verification obtained from the prospective or current business associate.

Further, while the HIPAA Security Rule does not currently specify a frequency for risk assessments, the NPRM would require risk assessments to be reviewed, verified, and updated at least once every 12 months as well as in response to a change in the regulated entity’s environment or operations that may affect ePHI.

Technology Asset Inventory and Network Map

The NPRM would require a regulated entity to establish a written inventory that contains the regulated entity’s technology assets. This inventory would be required to cover technology assets that create, receive, maintain, or transmit ePHI as well as those that do not but may otherwise affect the confidentiality, integrity, or availability of ePHI. Such inventory would be required to include the identification, version, person accountable for, and location of each asset or information system component. OCR believes this inventory forms the basis for an accurate and thorough risk analysis since a regulated entity must have a complete understanding of its technology assets in order to appropriately assess the risks to its ePHI.

The NPRM would also require regulated entities to develop a network map illustrating the movement of ePHI through, into, and out of their information systems. This network map would detail where the regulated entity’s technology assets are (e.g., in the cloud) and consider all technology assets that affect the confidentiality, integrity, or availability of ePHI, regardless of whether they are part of the regulated entity’s electronic information systems (e.g., those used by offshore business associates).

Further, the NPRM would require a regulated entity to review and update its written inventory of technology assets and network map at least once every 12 months and when there is a change in the regulated entity’s environment or operations that may affect ePHI.

Audits and Tests

The NPRM proposes various revisions and new express requirements for regulated entities to audit their compliance or otherwise regularly test their security measures. For example, a regulated entity would be required to:

  • Review and test the effectiveness of certain security controls at least once every 12 months;
  • Audit its compliance with the HIPAA Security Rule at least once every 12 months;
  • Perform vulnerability scans at least once every six months; and
  • Perform penetration tests at least once every 12 months.

Relatedly, regulated entities would be required to obtain written verification from their business associates at least once every 12 months that such business associates have deployed technical safeguards in accordance with the HIPAA Security Rule. This verification would be required to include both an analysis of the business associate’s relevant electronic information systems by a “person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity, and availability of [ePHI]” and a written certification that the analysis has been performed and is accurate by a person who is authorized to act on behalf of the business associate.

Contingency Planning and Incident Response

The NPRM would strengthen the HIPAA Security Rule’s contingency planning and incident response requirements. For example, a regulated entity would be required to:

  • Establish written procedures to restore critical relevant electronic information systems and data within 72 hours of a loss;
  • Review and test contingency plans at least once every 12 months and modify such plans in accordance with test results;
  • Notify upstream entities within 24 hours after activating its contingency plan (i.e., a business associate would be required to notify covered entities, and a subcontractor would be required to notify upstream business associates);
  • Establish a written security incident response plan and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents; and
  • Implement written procedures for testing and revising written security incident response plans.

Relatedly, the NPRM also proposes specific requirements related to backup and recovery. For example, a regulated entity would be required to ensure that retrievable copies of ePHI are no more than 48 hours older than the ePHI maintained in its relevant electronic information systems. In addition, a regulated entity would be required to conduct test restorations at least monthly and test the effectiveness of its backup controls at least once every six months.

Review of Policies and Procedures

The NPRM would maintain the current regulations’ requirement to maintain the policies and procedures implemented to comply with the HIPAA Security Rule in written form, which may be electronic. However, the NPRM proposes to expressly require regulated entities to review and update their documented policies and procedures, as well as other documentation of required actions, activities, and assessments, at least once every 12 months and within a reasonable time after a security measure is modified.

Training

Currently, the HIPAA Security Rule does not expressly require a specific frequency for training workforce members. The NPRM would require workforce members to be trained by the compliance date of the final rule and at least once every 12 months thereafter. The NPRM also proposes to codify a requirement to train each new workforce member within 30 days after the person first has access to relevant electronic information systems. Further, workforce members whose functions are affected by a material change to policies and procedures would have to be trained no later than 30 days after the material change occurs.

The NPRM also imposes more detailed requirements related to training content. Specifically, a regulated entity would be required to train workforce members on:

  • The regulated entity’s written policies and procedures with respect to ePHI;
  • Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and
  • The regulated entity’s written policies and procedures for accessing relevant electronic information systems.

Further, regulated entities would be required to provide ongoing education on security responsibilities and relevant threats, such as new and emerging malicious software and social engineering.

Other Security Controls

The NPRM would require regulated entities to implement a number of other specific safeguards and processes. For example, a regulated entity would, with limited exceptions, be required to:

  • Encrypt ePHI at rest and in transit;
  • Implement multi-factor authentication;
  • Terminate a workforce member’s access rights within one hour after the workforce member’s employment is terminated;
  • Notify another regulated entity within 24 hours when a workforce member’s access to ePHI or relevant electronic information systems maintained by the other regulated entity is terminated;
  • Install patches, updates, and upgrades throughout the regulated entity’s relevant electronic information systems in a timely manner, including within 15 calendar days for critical risks and within 30 calendar days for high risks;
  • Segment relevant electronic information systems;
  • Deploy technology assets or technical controls to protect technology assets against malicious software;
  • Remove extraneous software (i.e., software that is unnecessary for the regulated entity’s operations) from relevant electronic information systems; and
  • Disable network ports in accordance with the regulated entity’s risk analysis.

Revised Definitions and New Defined Terms

The NPRM proposes revisions to various definitions, including those for the terms “access,” “administrative safeguards,” “authentication,” “availability,” “confidentiality,” “electronic media,” “information system,” “malicious software,” “password,” “physical safeguards,” “security or security measures,” “security incident,” “technical safeguards,” “user,” and “workstation.” In addition, the NPRM proposes ten new defined terms: “deploy,” “implement,” “electronic information system,” “multi-factor authentication,” “relevant electronic information system,” “risk,” “technical controls,” “technology asset,” “threat,” and “vulnerability.” These modifications and additions are generally intended to clarify how regulated entities should apply the HIPAA Security Rule’s standards and implementation specifications or to modernize the HIPAA Security Rule.

New and Emerging Technologies Request for Information

The NPRM includes a request for information (“RFI”) asking for public comment on how the HIPAA Security Rule protects ePHI used in new and developing technologies, namely quantum computing, artificial intelligence (AI) in health care, and virtual and augmented reality, including any benefits, drawbacks, or unintended consequences. Specifically, it requests comments on the following considerations:

  • Whether HHS’s understanding of how the Security Rule applies to new technologies involving ePHI is incomplete and, if so, what additional issues should be considered;
  • Whether there are technologies that currently or in the future may harm the security and privacy of ePHI in ways that the Security Rule could not mitigate without modification, and if so, what modifications would be required; and
  • Whether there are additional policy or technical tools that HHS may use to address the security of ePHI in new technologies.

Key Dates

Comments are due on or before March 7, 2025. The NPRM proposes that a final rule would take effect 60 days after its publication and the compliance date would be 180 days after such effective date. The NPRM also proposes a transition period beyond the 180-day compliance period to allow regulated entities to modify their business associate agreements in response to the changes.

Financial Impact

HHS estimates that the first-year costs attributable to this proposed rule total approximately $9 billion. For years two through five, the estimated annual costs for recurring compliance activities are estimated at approximately $6 billion. HHS asserts that the enhanced security posture of regulated entities would likely reduce the number of breaches of ePHI and mitigate the effects of breaches that nonetheless occur, and that if the proposed changes reduce the number of individuals affected by breaches by 7 to 16 percent, “the revised Security Rule would pay for itself.”

Takeaways

The HIPAA Security Rule was originally published in 2003 and was most recently revised in 2013, primarily to make the HIPAA Security Rule directly applicable to business associates. As such, much of the HIPAA Security Rule’s substance has remained unaltered for over two decades, during which time information technology and the health care industry have experienced drastic changes. Further, the NPRM includes an extensive discussion of the growing risks to ePHI, the significant costs associated with inadequate security in the health care sector, and the failure of many regulated entities to implement reasonable and appropriate safeguards. It is therefore little surprise that while the NPRM retains many of the HIPAA Security Rule’s fundamental tenets, it also proposes a bevy of revisions and additions that create requirements much more detailed than the fairly broad requirements in today’s HIPAA Security Rule. According to OCR, this added granularity is intended to strengthen protections and modernize the regulations, though it comes at the expense of regulated entities’ flexibility in complying with the HIPAA Security Rule. OCR intends for many of the changes proposed in the NPRM to expressly codify as requirements activities that are critical to protecting ePHI and provide greater detail for existing requirements in the regulatory text.

If the NPRM is finalized as proposed, most regulated entities will need to evaluate their security practices, policies, and procedures, and many will likely need to significantly modify their information security programs to comply with these changes to the HIPAA Security Rule. Regulated entities should therefore take the time to review the NPRM, including the various requests for comment, and submit comments to help shape the final rule.

We note that this NPRM was published just before the change in Administration. Given that protecting against cybersecurity threats is a bipartisan issue, we anticipate that the new Administration will be interested in the comments received, and we encourage regulated entities to comment on this NPRM. We also encourage regulated entities to treat the NPRM as guidance on how to protect against and mitigate risks from security incidents, and as support for a claim that the entity acted responsibly in the event of an enforcement action.

* * *

For more information on the NPRM and how it may impact your organization, or for assistance with submitting comments, please contact the professionals listed below or your regular Crowell & Moring contact.
