
By: Ian M. Stanford, Esq. and Miranda A. Preston, Esq.
For the first time in over a decade, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed an update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the “Security Rule”). OCR stated that the goal of the proposed rule[1] (the “Proposed Rule”) is to strengthen cybersecurity protections for electronic protected health information (ePHI) in light of changes in the healthcare environment, a significant increase in breaches and cyberattacks, common deficiencies observed by OCR, and cybersecurity best practices. OCR is concerned about the “rampant escalation” in the number of cybersecurity breaches, which continues to climb each year. For example, in 2024, a ransomware attack against Change Healthcare is estimated to have affected approximately 190 million people. If the Proposed Rule becomes effective, OCR estimates it will cost regulated entities $9 billion in the first year to implement the Proposed Rule, and $6 billion per year for years two through five for ongoing compliance activities. The public comment period closed on March 7, 2025, and OCR received around 4,745 comments.
Brief Background on the Security Rule
HIPAA is a set of federal regulations composed of three separate rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. This article focuses on the Security Rule. The Security Rule was first published in 2003 and revised in 2013. It establishes a national set of security standards to protect ePHI and is meant to serve as a floor for the security measures that regulated entities (i.e., “covered entities” and “business associates”) must implement. The Security Rule does so by specifying administrative, physical, and technical security requirements. Administrative safeguards are the policies and procedures that regulated entities must implement to prevent, detect, contain, and correct security violations. Technical safeguards relate to the access controls, audit controls, software, and other technology measures that protect ePHI. Physical safeguards relate to the physical measures, policies, and procedures that protect the physical premises where ePHI is stored.
Broad Changes in the Proposed Rule
The Proposed Rule maintains the previous framework of administrative, physical, and technical safeguards. However, it makes sweeping changes to the requirements imposed upon regulated entities. HHS published a fact sheet[2] that breaks down some of the sizeable changes proposed in the update to the Security Rule. Below are a few of the key changes in the Proposed Rule:
- Require the development of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s). This must be revised on an ongoing basis, but at least once every 12 months.
- Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
- A review of the technology asset inventory and network map (See Section 1).
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant IT systems.
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- A risk assessment of current and future business associates.
- Require regulated entities to establish and implement new patch management[3] policies and procedures that would require regulated entities to patch critical risks within 15 calendar days, patch high risks within 30 calendar days, and review such policies and procedures at least once every 12 months.
- Remove the distinction between “required” and “addressable” implementation specifications, so that all implementation specifications would be required, with limited exceptions.
- Require regulated entities to establish and implement written policies and procedures ensuring that: (1) a workforce member’s access to ePHI is terminated as soon as possible, but no later than one hour after the workforce member’s employment or other arrangement ends; and (2) other covered entities or business associates are notified after a change in or termination of a workforce member’s authorization to access ePHI maintained by that other regulated entity, where the workforce member is or was authorized to access such ePHI by the regulated entity making the notification. This notice would be required as soon as possible, but no later than 24 hours after the workforce member’s authorization to access ePHI or relevant electronic information systems is changed or terminated.
- Add the following new requirements for business associates: (1) business associate agreements must include terms requiring business associates to notify covered entities (and subcontractors to notify business associates) within 24 hours of activating their contingency plan; and (2) covered entities must obtain from business associates (and business associates from their subcontractors) an annual written analysis and certification of compliance with the Security Rule’s technical safeguards. To the extent this aspect of the Proposed Rule is finalized, all business associate agreements would need to be updated.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- Expand the Security Rule’s technical safeguards, requiring regulated entities to do the following, among other things: (1) encrypt ePHI at rest and in transit, with limited exceptions; (2) use multi-factor authentication for all technology assets, with limited exceptions; (3) create and maintain backups of relevant IT systems and review and test the effectiveness of such controls once every six months; and (4) conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
Looking Forward
The future of the Proposed Rule is unclear, and the Trump administration will likely decide whether the Proposed Rule moves forward. The Trump administration has already begun to act on its initiative to reduce federal regulations[4], which may mean the Proposed Rule will not be enacted into law. In the meantime, regulated entities should make themselves aware of the key components of the Proposed Rule and monitor any developments concerning the Proposed Rule. If you have any questions about the Proposed Rule, please contact Ian Stanford or Miranda Preston.
[1] https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information#citation-223-p913
[2] https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
[3] Patch management involves identifying, testing, applying, and verifying patches (or software updates) to improve security and performance.
[4] https://www.whitehouse.gov/presidential-actions/2025/01/regulatory-freeze-pending-review/; https://www.whitehouse.gov/presidential-actions/2025/01/unleashing-prosperity-through-deregulation/; https://www.whitehouse.gov/presidential-actions/2025/02/ensuring-lawful-governance-and-implementing-the-presidents-department-of-government-efficiency-regulatory-initiative/