OCR Proposes Sweeping Changes to the HIPAA Security Rule
On January 6, 2025, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the HIPAA Security Rule. Health care organizations, including covered entities and business associates, continue to be a primary target for cyberattacks, and in the past few years the number of data breaches reported to OCR has continued to grow. The HIPAA Security Rule was last updated over a decade ago, and much has changed in the world of health care and technology. To address this, OCR has proposed significant changes to the HIPAA Security Rule.
The changes are only proposed at this time, and OCR is seeking comments until March 7, 2025. Overall, the proposed updates largely reflect the shift from local servers and workstations to cloud-based health care records systems, the availability of information such as usernames and passwords on the Dark Web, and the increase in the sophistication of cyberattacks against health care organizations.
Highlights of the proposed rule include the following requirements:
- Removing “addressable” implementation specifications from the HIPAA Security Rule, and requiring organizations to implement minimum specification standards unless a specific, limited exception applies;
- Minimum cybersecurity hygiene requirements that are reflective of modern industry best practices;
- Encryption of ePHI at rest and in-transit;
- Multi-factor authentication (“MFA”);
- Vulnerability scanning at least once every six (6) months and penetration testing once every twelve (12) months;
- Compliance audits at least once every twelve (12) months;
- Written procedures to restore the loss of certain electronic information systems within 72 hours;
- Anti-malware protection;
- Strong password policies to include letters, numbers and spaces;
- Backup and recovery of ePHI;
- A requirement that organizations implement a comprehensive security program with minimum standards of security controls; and
- Additional requirements for conducting risk assessments.
Below are some additional notable proposed changes.
Technology Asset Inventory and Network Map
The proposed rule requires organizations to create an inventory and network map, which allows organizations to focus security efforts and budgets on those assets and network segments that house sensitive information and ePHI. The creation of the inventory and network map initially will be a large undertaking – as ePHI likely resides on many devices and platforms throughout most health care organizations. However, the ongoing or annual updates to such documents should be an easier task.
Business Associates
Another significant proposal concerns business associates and the time frame for reporting incidents to a covered entity. OCR noted that delayed notification has exposed covered entities to potential cyberattacks by allowing attackers to move from one entity to another while an investigation at the business associate (or subcontractor) is taking place. The proposed rule would require a business associate to report to a covered entity no later than 24 hours after it has activated its contingency plan – allowing a covered entity to promptly begin investigating any impact on its own systems and ePHI. This requirement is in addition to the existing obligation to report security incidents and/or breaches to the covered entity.
The proposed rule would also require covered entities to obtain a written verification, at least once every twelve (12) months, that a business associate has implemented technical safeguards required by the HIPAA Security Rule. The same requirement would apply to business associates with respect to subcontractor business associates.
These changes, if finalized, will require that all business associate agreements (“BAAs”) be amended or renegotiated. For most organizations this will mean renegotiating hundreds, if not thousands, of BAAs.
Risk Assessments and Audits
Risk assessments have been a requirement of the HIPAA Security Rule since its inception. However, there has not been a one-size-fits-all approach. The proposed rule includes new directives for conducting written assessments, including gap assessments and risk analyses (assessing the potential risks and vulnerabilities to ePHI) and assigning categories of potential impact to each identified risk. Under the proposed rule, organizations will be required to conduct risk analyses at least once every twelve (12) months or whenever there is a change in the environment or operations that may affect ePHI.
Definitions
OCR proposes to include definitions, or expanded definitions, for terms such as:
- Risk – OCR believes that defining the term would clarify several existing and proposed provisions of the HIPAA Security Rule, such as the factors regulated entities must consider when determining the security measures they will implement and the importance and purpose of conducting the required risk analysis.
- Vulnerability (not defined in the Security Rule) – OCR has explained that although some cyberattacks may be sophisticated and exploit previously unknown vulnerabilities (i.e., zero-day attacks), most can be prevented or mitigated by addressing known vulnerabilities.
- Threat – OCR proposes to define “threat” as meaning any circumstance or event with the potential to adversely affect the confidentiality, integrity, or availability of ePHI. This would apply broadly to include threats caused by, or existing because of, a variety of circumstances that specifically could affect the security of ePHI. Hackers, malicious insiders, and malicious software are examples of threat sources.
- Technological Safeguard – OCR proposes to clarify that the technology, technical controls, and related policies and procedures in this category govern the use of the technology to protect and control access to ePHI.
- Security or Security Measures – OCR believes that it is necessary that organizations implement and deploy safeguards that address two types of threats: (i) threats related to attempted or successful but unauthorized access, use, disclosure, modification, or destruction of information in an information system, and (ii) threats related to the attempted or successful unauthorized interference with system operations.
Conclusion
The proposed changes would result in a large undertaking by most covered entities and business associates, and would require additional personnel and budgetary resources. Administrators, HIPAA Security Officers, Privacy Officers, and information security teams should carefully review the proposed rule and its potential impact on their organization. OCR is seeking comments until March 7, 2025. We will continue to monitor the status of the proposed rule and release updates as they are available.