What better way to welcome the new year than with proposed new HIPAA Security Rules? 

As 2024 came to an end, the U.S. Department of Health and Human Services (HHS) announced proposed regulations to strengthen cybersecurity and protection measures for electronic protected health information (ePHI).  If adopted, this would be the first update to the Security Rule since 2013.  HHS states that the updates are necessary to address changes in how health care is provided (including via artificial intelligence and virtual and augmented reality) and in how ePHI is used and disclosed; the alarming rise in cyberattacks and HIPAA breaches involving ePHI; consistent failures by covered entities and business associates to implement certain Security Rule requirements; and misunderstandings of the intent of certain Security Rule requirements expressed in court decisions.

The Proposed Rule was published in the Federal Register on January 6, 2025, for public comment.  A copy of the Proposed Rule is available here.

Sampling of key proposed modifications to the HIPAA Security Rule requirements (special thanks to Fox Partner Matt Redding for his contributions to this list):

  • Covered entities/business associates must review, test, and update HIPAA Security policies and procedures on a regular basis.
  • All Security Rule implementation specifications will be “required” and no longer “addressable” with specific, limited exceptions.
  • Covered entities/business associates must meet new Security Rule compliance time frames (e.g., patch critical-risk vulnerabilities within 15 days of identification).
  • Covered entities/business associates must develop and maintain a technology asset inventory and a network map illustrating the movement of ePHI through the regulated entity’s electronic information system(s), updating both on an ongoing basis, but at least once every 12 months and whenever a change in the regulated entity’s environment or operations may affect ePHI.
  • The Security Risk Assessment that covered entities/business associates are required to perform must include, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s “relevant electronic information systems” (defined as those that handle ePHI as well as those that otherwise affect the confidentiality, integrity, or availability of ePHI);
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • An assessment of risks to ePHI posed by entering a business associate agreement, based on a written verification obtained from the business associate.
  • Business associates must notify covered entities (and subcontractors must notify business associates) within 24 hours of (i) a change in or termination of a workforce member’s access to ePHI or relevant electronic information systems maintained by the covered entity (or business associate); and (ii) activation of a contingency plan.  
  • Covered entities/business associates must implement new/strengthened requirements for planning for contingencies and responding to security incidents:
    • Establish written procedures to restore certain relevant electronic information systems and data within 72 hours of a loss;
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents; and
    • Implement written procedures for testing and revising written security incident response plans.
  • Business associates must verify in writing, at least once every 12 months, that they have deployed the technical safeguards required by the Security Rule to protect ePHI.  The verification consists of a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • ePHI must be encrypted at rest and in transit, with limited exceptions.
  • Covered entities/business associates must employ multi-factor authentication (MFA) to access ePHI.
  • Covered entities/business associates must segment electronic information systems to limit access to ePHI to authorized workstations.