Changes to the HIPAA Security Rule Could be on the Way
In December 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule. The rule modifications are designed to better protect electronic protected health information (ePHI) and support the Biden Administration’s National Cybersecurity Strategy. The HIPAA Security Rule has not been updated since 2013.
The proposed changes to the HIPAA Security Rule come at a time of increased scrutiny over cybersecurity in the healthcare sector. OCR has seen a substantial increase in reports of large breaches over the last five years. From 2018 to 2023, the number of large data breaches reported to OCR increased by 102%. In the same period, the number of individuals affected by breaches increased by more than 1000%. Hacking and ransomware attacks are largely to blame for the data breaches. In 2023, more than 167 million people were impacted by data breaches, the largest number on record.
What’s Included in the Proposed HIPAA Security Rule Update
Proposed updates to the HIPAA Security Rule would require:
- The use of multi-factor authentication.
- Vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Encryption of ePHI at rest and in transit, with limited exceptions.
- A technology asset inventory and a network map that illustrates the movement of ePHI.
- More specific risk assessments that contain:
  - A review of the technology asset inventory and network map.
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  - Identification of potential vulnerabilities and predisposing conditions to electronic information systems.
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- Written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
- A compliance audit to be conducted at least once a year.
- Business associates to verify at least once a year for covered entities that they have deployed the technical safeguards required by the Security Rule to protect ePHI.
- Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
Here is a complete list of the proposed rule changes.
A public comment period for the proposed Security Rule changes will be open until early March 2025. OCR will assess the comments and decide how to move forward with a final rule. The incoming Trump administration and the accompanying new HHS leadership do add uncertainty to the future of the rule changes.
The Impact on Covered Entities
Ideally, most covered entities and their business associates will already have many of the new requirements in place as part of their ongoing cybersecurity practices. For example, while encryption was cumbersome and expensive when the Security Rule was first introduced, it is now much easier to accomplish and is normally an expected practice when protecting PHI.
However, HHS’s estimate that covered entity implementation will cost $34 million over five years indicates that its research found significant work still to be done to implement these requirements.
The proposed changes to the HIPAA Security Rule will require new policies and procedures, tracking of PHI, annual verification of business associates, and annual compliance audits. Additionally, as we have consistently seen from OCR enforcement actions, covered entities and their business associates have not consistently complied with the current HIPAA regulations, which is one reason for significant breaches. In this proposal, OCR continues to stress the importance of risk assessments, and of responding to identified risks, in the protection of protected health information.
CompliancePoint has a team of professionals dedicated to helping healthcare organizations achieve their cybersecurity and privacy goals, including HIPAA compliance and HITRUST certification. Reach out to us at connect@compliancepoint.com to learn more about our healthcare services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.