Your IT Security Budget May Need to Increase: Proposed Updates to the HIPAA Security Rule

Health Highlights
Key Takeaways:

Over the past five years, documented large-scale data breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1,002 percent.

The Office of Civil Rights (OCR) recently issued a proposed rule that would substantially modify the Health Insurance Portability and Accountability Act (HIPAA) security rule and require significant investment in information technology (IT) security from providers and payors (the Proposed Rule). The proposed changes include much more prescriptive timeframes for regulated entities to take action and maintain compliance through regular reviews, monitoring, and testing, all of which must be documented.

If finalized as proposed, regulated entities will need to comply with most new requirements within 240 days of publication of the final rule. A major unknown is how the Trump administration will react to the Proposed Rule. Because cybersecurity is a bipartisan issue, this Proposed Rule may be more likely to survive in some form than other Biden administration rules, such as the recent HIPAA Privacy Rule amendments specific to reproductive health, which we expect to be rescinded or abandoned.


The OCR at the U.S. Department of Health and Human Services issued a proposed rule which, if enacted, would substantially modify the HIPAA Security Rule (the Security Rule) governing electronic protected health information (ePHI) (the Proposed Rule). The updates, the first proposed since 2013, would require health care providers and plans to significantly invest in IT security.

The Proposed Rule attempts to modernize HIPAA in light of the challenging cybersecurity environment for covered entities and their business associates (collectively referred to in the Proposed Rule as “regulated entities”), which have increasingly been the targets of damaging security breaches.

The Proposed Rule comes in the waning days of the Biden administration and will only be finalized if the Trump administration agrees to its issuance. Public comments on the Proposed Rule are due March 7.


Rationale

In explaining the proposed overhaul of the Security Rule, OCR repeatedly describes a cybersecurity environment that has fundamentally changed since the issuance of the Security Rule in 2003, noting that health care records and treatment are increasingly maintained and delivered electronically. Breach reports and audits, however, have revealed that regulated entities have not implemented robust security measures in response to these new realities.

OCR paints a dark picture of the current state of health sector cybersecurity and criminals’ desire for health care data, noting, for example, that health care data is more valuable than credit card data on the dark web. OCR reports that, over the past five years, documented large-scale data breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1,002 percent. In 2023, over 167 million individuals were affected by large breaches, the highest on record. The agency points in the Proposed Rule to a recent survey finding that 92 percent of health care organizations responded that they had experienced a cyberattack in the past year alone; OCR further cites numerous examples of such attacks harming patients and, in some cases, potentially causing patient deaths.

OCR also notes concerns regarding recent court decisions—most notably the U.S. Court of Appeals for the Fifth Circuit decision in University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services (M.D. Anderson)—that may undermine enforcement of the Security Rule by interpreting it to merely require that a particular standard be adopted “without regard for the effectiveness of the implementation.”

High-Level Summary

The Proposed Rule contains numerous proposals to strengthen and clarify almost every standard of the existing Security Rule.

The proposed changes include much more prescriptive timeframes for regulated entities to take action and maintain compliance through regular reviews, monitoring, and testing, all of which must be documented.

Under the Proposed Rule, each regulated entity, including government entities that meet the definition of a covered entity under HIPAA (e.g., state Medicaid agencies), would be required to conduct a Security Rule compliance audit, report to covered entities or business associates, as applicable, upon activation of their contingency plan, deploy multi-factor authentication (MFA) in, and conduct penetration testing of, relevant electronic information systems, complete network segmentation, disable unused ports and remove extraneous software, update cybersecurity policies and procedures, revise business associate agreements, and update their workforce training programs and materials.

Business associates would be required to conduct an analysis and provide verification of their compliance with technical safeguards, and covered entities would be required to obtain this verification from business associates (and business associates from their subcontractors). Additionally, group health plans would need to revise plan documents to require plan sponsors to comply with administrative, physical, and technical safeguards according to the Security Rule standards. Finally, through contractual language, health plan sponsors would need to enhance safeguards for ePHI according to the Security Rule standards.

OCR notes that compliance with the Proposed Rule will be a costly undertaking and identifies the ten proposed requirements that are likely to be the most expensive to implement. It also provides detailed justification for these costs.

The Details

The most significant changes include OCR’s proposals to:

  • Add and clarify numerous definitions, which expand the scope of the systems and activities that must be considered when complying with the Security Rule. For instance, OCR proposes to modify the definition of “workstations” to expressly include servers, mobile devices, and virtual devices.
  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions. By making all Security Rule specifications required, rather than addressable, OCR seeks to adopt uniform industry standards and eliminate the misinterpretation that “addressable” means “optional.”
  • Implement MFA using two of the three categories of authentication factors about the user.
  • Require regulated entities to consider the effectiveness of a security measure (and to document that consideration) when determining whether the measure is reasonable and appropriate.
  • Require review and testing of security measures on a specified cadence, and to modify the measures as reasonable and appropriate, generally, and at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Notably, OCR considers a transaction involving all or part of a regulated entity with another person one of the operational changes that would trigger review and testing (as would many of the proposed requirements below).
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Develop and regularly review and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI (a Change). A regulated entity’s network map would reflect where its technology assets are—for example, physically located at the regulated entity’s worksite or accessed through the cloud—in addition to the version and person accountable for the asset. OCR notes that the technology assets used by a business associate to create, receive, maintain, or transmit ePHI, even if not a part of the covered entity’s electronic information system, would be required to be included in the network map of the covered entity.
  • Require greater specificity, with new express requirements, for conducting a risk analysis. OCR proposes eight implementation specifications for the risk assessment, one of which is a review of the technology asset inventory and network map, and another that requires assessing risks of ePHI posed by entering into or continuing a business associate agreement based on the written verification obtained from the business associate. In proposing enhancements to this requirement, OCR highlights that health care providers’ reliance on security activities performed by third-party vendors, without any risk analysis, is insufficient to have met the requirements of the current Security Rule. The risk assessment must be reviewed and revised at least once every 12 months and in response to a Change.
  • Disable terminated workforce members’ access as soon as possible, and no later than one hour after termination, and require notification of other regulated entities to whose systems the workforce member had authorized access within 24 hours of when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen workforce training requirements, including requiring that role-based training be provided within 30 days of a workforce member’s access to the regulated entities’ systems. OCR notes, for example, that, under this requirement, “if the entity implements a new EHR system, it would be required to also train its workforce, as appropriate, on measures to guard against security incidents related to the installation, maintenance and/or use of the system.”
  • Strengthen requirements for planning for contingencies and responding to security incidents, including that the contingency plan must set forth procedures to create and maintain exact retrievable copies of ePHI, and require such procedures to include verifying that the ePHI has been copied accurately. The Proposed Rule requires regulated entities to review and implement their procedures for testing contingency plans at least once every 12 months and to document the results of such tests.
  • Require regulated entities to conduct a newly required Security Rule compliance audit at least once every 12 months. OCR notes that audits are typically conducted independently from information security management, and the function typically reports to the governing body of the regulated entity.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate subcontractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI. This verification must be documented in a written analysis by a subject matter expert and must be accompanied by a written certification that the analysis has been performed and is accurate.
  • Encrypt ePHI at rest and in transit, with limited exceptions. OCR notes numerous times that the cost and burden of encryption have dramatically decreased since 2003 and that regulated entities, with limited exceptions, should be encrypting their ePHI at all times, including when communicating with patients via regulated entities’ technology platforms, unless otherwise directed by the patient.
  • Implement technical controls (not merely policies and procedures) for access control to their systems. Furthermore, OCR proposes to add increased access privilege requirements. OCR provides the example “that a workforce member who has certain role-based administrative access privileges should have separate user identities for non-administrative access privileges and administrative access privileges.”
  • Perform a vulnerability scan at least every six months and penetration testing at least once every 12 months.
  • Deploy technical controls for securing electronic information systems and technology assets and remove extraneous software. These controls must be reviewed and tested at least every 12 months or in response to a Change.
  • Deploy technology assets, technical controls, or both, to record and identify activity in the regulated entity’s electronic information system, with that activity, among other things, monitored in real time. These assets and/or controls would need to be tested at least every 12 months or in response to a Change.
  • Create exact copies of ePHI that would be no more than 48 hours older than the ePHI maintained in the regular electronic information systems. Under the proposal, a regulated entity would be required to restore a representative sample of backed-up ePHI (and document the results of such test restorations at least monthly).
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) on activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation. The business associate would not, however, be required to notify the covered entity of the cause of the activation. OCR nonetheless believes that receiving this notice would enable the covered entity to take the necessary steps to “protect its own relevant electronic information systems, as well as to implement its own contingency plan if necessary and appropriate (e.g., enable the covered entity to access a remote or offline backup of its ePHI if necessary to ensure that patient care is unaffected—or to reduce the effect on patient care as much as possible).”

OCR also discusses how the updated Security Rule would apply to newer technologies, including augmented reality and artificial intelligence (AI). With regard to AI, OCR specifically notes that a regulated entity “interested in using AI would include the use of such tools in its risk analyses and associated risk management activities. The regulated entity’s risk analysis must include consideration of, among other things, the type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided.” OCR refers to the NIST Framework as a helpful resource. Consistent with OCR’s discussion throughout the Proposed Rule that the risk assessment is not a one-time process, OCR underscores the need for regulated entities to perform the risk assessment throughout the life cycle of the AI and not just prior to implementation.

Compliance Deadline

If finalized as proposed, regulated entities will need to comply with most new requirements within 240 days of publication of the final rule.

However, OCR is explicit that it understands the administrative burden of revising business associate and other written agreements. As a result, OCR proposes a transition period in which regulated entities can modify business associate agreements and other written arrangements to comply with the rule, if finalized.

Specifically, the Department proposes to add new transition provisions to allow regulated entities to continue to operate under certain existing business associate agreements or other written arrangements until the earlier of (1) the date such contract or other arrangement either is renewed on or after the compliance date of the final rule or (2) a year after the effective date of the final rule. The additional transition period would be available to regulated entities if both of the following conditions are met: (1) prior to the publication date of the final rule, the covered entity or business associate had an existing business associate agreement or other written arrangement with a business associate or subcontractor that complied with the Security Rule prior to the effective date of a final rule revising the Security Rule and (2) such contract or arrangement would not be renewed or modified between the effective date and the compliance date of the final rule.

Implications

A major unknown is how the Trump administration will react to the Proposed Rule, especially because President-elect Trump and his health care team have shown evidence of hostility towards many Biden administration health care rules issued by various health care agencies, including OCR. Nevertheless, cybersecurity is a bipartisan issue and, as a result, this Proposed Rule may be more likely to survive in some form than other Biden administration proposed rules, such as the recent HIPAA Privacy Rule amendments specific to reproductive health, which we expect to be rescinded or abandoned.

If this Proposed Rule were to be finalized in a form substantially similar to its current state, it would have major implications for the entire health care industry and would require a dedication of resources and leadership’s attention to improving the security of ePHI and all technology infrastructure around it.

The Proposed Rule, if finalized, will have a particularly significant impact on small and rural health care providers, who have historically been less aggressive in adopting addressable HIPAA security requirements than better resourced entities. OCR acknowledges the potential impact on these groups, but emphasizes the need for change, pointing out that the status quo of some small health care providers lacking even a designated security officer cannot continue.

In addition, the Proposed Rule, if finalized, would be an important change for larger providers and health plans. Many larger organizations will need to sunset legacy technology that is no longer supported, further deploy encryption technologies, implement new requirements so that workforce members’ access to administrative technologies involves logins and passwords different from those that allow access to ePHI, perform more detailed and frequent risk analyses to meet the new implementation specifications, undertake (often expensive) penetration testing, and take further steps to meet new documentation requirements and those related to technology asset inventories and network maps.

Policies for responding to security incidents will need to be strengthened for many larger organizations, including the need to have procedures to restore certain electronic information systems and data within 72 hours of their loss. Internal processes related to sanctions and access termination will need to be strengthened as well.

Further, as noted above, business associate agreements will need to be updated with additional requirements, such as the addition of a provision specifying that the business associate will report to the covered entity that it activated its contingency plan no later than 24 hours after activation of such plan.

ATTORNEY ADVERTISING pursuant to New York DR 2-101(f)

© 2025 Manatt, Phelps & Phillips, LLP. All rights reserved.