HIPAA Security Rule Update: Strengthening Cybersecurity for Electronic Protected Health Information (ePHI)

Feb 5, 2025

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to strengthen cybersecurity protections under the HIPAA Security Rule. This move comes in response to rising cyber threats targeting healthcare systems and aims to improve safeguards for electronic protected health information (ePHI).

The proposed updates align with the Biden-Harris Administration’s National Cybersecurity Strategy, which prioritizes protecting critical infrastructure. Given the increasing frequency and sophistication of cyberattacks on healthcare providers, the proposed changes would impose stricter security measures on regulated entities: covered entities (health plans, healthcare clearinghouses, and healthcare providers) and their business associates.

Key Changes Proposed in the HIPAA Security Rule

The NPRM introduces several modifications to existing regulations, focusing on standardizing security measures, improving compliance requirements, and strengthening cybersecurity defenses. Some of the most significant updates include:

  • Mandatory Implementation of Security Measures: The distinction between “required” and “addressable” implementation specifications would be removed, making all specifications mandatory with limited exceptions.
  • Enhanced Documentation Requirements: All security policies, procedures, plans, and risk analyses must be documented in writing to ensure compliance and accountability.
  • Updated Definitions and Standards: The rule would introduce new terminology and updated security standards to align with modern technology and current cybersecurity threats.
  • Compliance Timeframes: Many requirements would carry specific timeframes for recurring and event-driven actions (for example, periodic reviews and notification deadlines) rather than leaving the cadence to each entity.
  • Technology Asset Inventory and Network Mapping: Regulated entities must maintain a written inventory of technology assets and a network map showing how ePHI moves through their electronic information systems. Both must be reviewed and updated at least once every 12 months and whenever a change in the environment or operations could affect ePHI.

Strengthening Risk Analysis and Access Controls

The proposed HIPAA Security Rule emphasizes proactive risk management by mandating a more structured and detailed risk analysis process. Covered entities must conduct thorough assessments that include:

  • Reviewing technology assets and network maps to identify potential vulnerabilities.
  • Evaluating anticipated threats to the confidentiality, integrity, and availability of ePHI.
  • Identifying weaknesses in their electronic systems that could be exploited by cyber threats.
  • Assigning risk levels to identified threats based on their likelihood and potential impact.

Additionally, access controls are being strengthened to prevent unauthorized access to sensitive health information. Some of the key changes include:

  • Mandatory Multi-Factor Authentication (MFA): With limited exceptions, all regulated entities must implement MFA for access to ePHI and the systems that hold it.
  • 24-Hour Notification for Workforce Access Changes: When a workforce member’s authorization to access ePHI is changed or terminated, the entity must notify any other regulated entity whose ePHI that person could access within 24 hours.

Incident Response, Encryption, and Security Testing

To enhance cyber resilience, the rule mandates robust incident response planning, encryption requirements, and regular security testing:

Incident Response Plans: Organizations must establish written security incident response plans that outline reporting procedures, response strategies, and steps for handling cyber incidents.

Encryption Requirements: All ePHI must be encrypted at rest and in transit, with very limited exceptions.

Technical Security Controls: Covered entities must implement specific technical safeguards, such as:

  • Deploying anti-malware protection to mitigate cyber threats.
  • Removing unnecessary software to reduce vulnerabilities.
  • Disabling unused network ports, consistent with the entity’s risk analysis.

Routine Security Testing: The rule requires:

  • Vulnerability scanning at least every six months.
  • Penetration testing at least once every 12 months.
  • Network segmentation to limit damage from cyber intrusions.
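As an added example (not part of the OCR notice or this article), here is a small Python risk register that ties together the technology asset inventory and network map, the structured risk analysis (threats, vulnerabilities, likelihood and impact), the MFA and encryption expectations, and the scanning and penetration-testing cadence described above. Every asset name, date, data flow and likelihood/impact rating is constructed for illustration; the 1-5 scales, the score thresholds, and the approximation of six months as 183 days are assumptions, not values taken from the NPRM.

```python
"""Added example: a toy risk register that joins a technology asset inventory and a
network map, finds every asset that handles ePHI, and rates its control gaps.
Not from HHS/OCR or this article; every name, date and rating below is constructed."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed cadence limits from the proposed rule: vulnerability scans at least every
# 6 months (approximated here as 183 days) and penetration tests at least every 12 months.
VULN_SCAN_MAX = timedelta(days=183)
PENTEST_MAX = timedelta(days=365)

# Constructed "as of" date for the assessment below.
AS_OF = date(2025, 2, 5)


@dataclass(frozen=True)
class Asset:
    name: str
    stores_ephi: bool            # creates or stores ePHI itself
    mfa_enforced: bool           # MFA required for every interactive login
    encrypted_at_rest: bool
    last_vuln_scan: date | None  # None = never scanned
    last_pentest: date | None    # None = never tested


# Constructed inventory for a hypothetical clinic (hypothetical host names).
INVENTORY = [
    Asset("ehr-db",      True,  True,  True,  date(2025, 1, 10), date(2024, 9, 1)),
    Asset("ehr-app",     False, True,  True,  date(2025, 1, 10), date(2024, 9, 1)),
    Asset("billing-srv", False, False, False, date(2024, 6, 1),  None),
    Asset("hr-portal",   False, True,  True,  date(2025, 1, 10), date(2024, 9, 1)),
]

# Constructed network map as (sender, receiver) edges: the direction data moves.
FLOWS = [("ehr-db", "ehr-app"), ("ehr-app", "billing-srv"), ("hr-portal", "ehr-app")]


def ephi_handling_assets(inventory: list[Asset], flows: list[tuple[str, str]]) -> set[str]:
    """Assets that store ePHI plus everything downstream of them on the network map.
    hr-portal only sends data into ehr-app, so it never receives ePHI and stays out of scope."""
    outgoing: dict[str, list[str]] = {}
    for src, dst in flows:
        outgoing.setdefault(src, []).append(dst)
    in_scope = {a.name for a in inventory if a.stores_ephi}
    queue = deque(in_scope)
    while queue:
        node = queue.popleft()
        for nxt in outgoing.get(node, []):
            if nxt not in in_scope:
                in_scope.add(nxt)
                queue.append(nxt)
    return in_scope


def risk_level(likelihood: int, impact: int) -> str:
    """Assumed 5x5 matrix: likelihood and impact each 1..5, banded on their product."""
    score = likelihood * impact
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def overdue(last: date | None, max_age: timedelta, today: date) -> bool:
    """True when the activity never happened or happened longer ago than max_age."""
    return last is None or today - last > max_age


def assess(inventory: list[Asset], flows: list[tuple[str, str]], today: date) -> list[dict]:
    """Rate each control gap on an ePHI-handling asset; highest score first."""
    in_scope = ephi_handling_assets(inventory, flows)
    findings = []
    for a in inventory:
        if a.name not in in_scope:
            continue
        # (threat, gap present?, likelihood, impact): ratings are the analyst's
        # constructed judgement for this example, not figures from the NPRM.
        checks = [
            ("MFA not enforced", not a.mfa_enforced, 4, 5),
            ("ePHI not encrypted at rest", not a.encrypted_at_rest, 3, 5),
            ("vulnerability scan older than 6 months",
             overdue(a.last_vuln_scan, VULN_SCAN_MAX, today), 3, 4),
            ("penetration test older than 12 months",
             overdue(a.last_pentest, PENTEST_MAX, today), 3, 4),
        ]
        for threat, gap, likelihood, impact in checks:
            if gap:
                findings.append({"asset": a.name, "threat": threat, "likelihood": likelihood,
                                 "impact": impact, "risk": risk_level(likelihood, impact)})
    return sorted(findings, key=lambda f: -(f["likelihood"] * f["impact"]))


if __name__ == "__main__":
    for f in assess(INVENTORY, FLOWS, AS_OF):
        print(f"{f['risk']:<8} {f['asset']:<12} {f['threat']}")
```

The point of walking the network map rather than just the inventory is that billing-srv never stores ePHI itself, yet it receives ePHI from ehr-app, so its missing MFA, missing encryption and stale testing all become findings; hr-portal, which only sends data toward the EHR, is correctly left out of scope. Rerunning the assessment whenever the inventory or map changes is what keeps the written risk analysis current.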

Annual Compliance Audits and Business Associate Accountability

To ensure continuous compliance, covered entities and their business associates must verify their security posture at least once every 12 months:

  • Self-Audits: Regulated entities must perform a compliance audit at least once every 12 months to verify adherence to the Security Rule.
  • Business Associate Verification: Business associates must verify at least once every 12 months that they have deployed the required technical safeguards, and provide the covered entity with:
    • A written analysis of their relevant electronic information systems by a subject matter expert.
    • A written certification that the analysis is accurate and the safeguards are in place.
  • Backup and Recovery Enhancements: The rule mandates separate technical controls for data backup and recovery, ensuring rapid restoration in case of cyber incidents.

New Contingency Planning and Group Health Plan Responsibilities

Recognizing the criticality of healthcare data, the new rule enhances contingency planning requirements:

  • Restoration Timeline: Regulated entities must be able to restore the loss of critical relevant electronic information systems and data within 72 hours.
  • Contingency Plan Activation Notice: Business associates must notify the covered entity within 24 hours of activating their contingency plans.
  • Group Health Plans: Must update plan documents to require:
    • Adherence to administrative, physical, and technical safeguards.
    • Compliance confirmation from third-party vendors handling ePHI.
    • Immediate notification (within 24 hours) upon contingency plan activation.

Key security enhancements in the proposed HIPAA Security Rule update

Here’s a table summarizing the key security enhancements in the proposed HIPAA Security Rule update:

| Category | Enhancement | Requirement Details |
|---|---|---|
| Mandatory Security Measures | Removal of “addressable” vs. “required” distinction | All security measures are mandatory with few exceptions |
| Documentation Requirements | Written policies and risk analysis | Entities must document all security-related procedures |
| Risk Analysis & Management | Structured and detailed risk assessments | Review assets, threats, vulnerabilities, and assign risk levels |
| Technology Asset Inventory | Annual updates of technology assets and network maps | Maintain and update records at least every 12 months and whenever changes occur |
| Access Controls | Mandatory Multi-Factor Authentication (MFA) | Required for all regulated entities with limited exceptions |
| Workforce Access Updates | 24-hour notification for access changes | Reporting of access modifications or terminations within 24 hours |
| Incident Response Plans | Written security incident response plans | Clear procedures for identifying, responding to, and mitigating cyber incidents |
| Encryption Standards | Encryption of ePHI at rest and in transit | Few exceptions allowed |
| Technical Security Controls | Anti-malware, software minimization, port disabling | Required to reduce cyber vulnerabilities |
| Security Testing | Regular vulnerability scans and penetration testing | Scanning every 6 months, penetration testing yearly |
| Annual Compliance Audits | Self-audits for Security Rule adherence | Covered entities and business associates must audit yearly |
| Business Associate Accountability | Annual security verification for business associates | Written analysis and certification confirming security measures |


Public Feedback and Next Steps

While these proposed regulations aim to strengthen cybersecurity, the existing HIPAA Security Rule remains in effect until a final rule is issued and takes effect. HHS encourages stakeholders, including patients, healthcare providers, insurers, and advocacy groups, to submit feedback via regulations.gov.

The public comment period runs for 60 days after the NPRM’s publication in the Federal Register; the NPRM was published on January 6, 2025, so comments are due by March 7, 2025. A Tribal consultation meeting is also planned, and HHS will announce further details on participation.

Conclusion

The proposed HIPAA Security Rule updates represent a significant step toward fortifying cybersecurity in the healthcare industry. By mandating stronger protections, stricter compliance measures, and enhanced incident response protocols, HHS aims to mitigate the growing threats targeting electronic protected health information (ePHI).

Healthcare providers, insurers, and business associates must prepare for these upcoming changes by assessing their current security measures and enhancing their cybersecurity infrastructure to ensure compliance and safeguard patient data effectively.