On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This would be the first update to the HIPAA Security Rule since 2013. The proposed updates are intended to modernize the existing framework to better address the evolving cybersecurity threats facing the healthcare sector.

Regulated entities (covered entities and their business associates) would have to significantly enhance their cybersecurity measures in response to the increase in cyberattacks, including ransomware, and the widespread use of cloud computing, mobile devices, and other technologies. The proposed rule requires more rigorous security standards, updated risk management practices, and enhanced patient rights. Healthcare organizations would also have to adopt more robust incident response plans and comprehensive training and awareness programs.

Some of the key proposed changes are as follows:

  1. Removal of the “Required” vs. “Addressable” Distinction: The NPRM proposes to eliminate the distinction between “required” and “addressable” implementation specifications. All implementation specifications would become mandatory, with very limited exceptions. For example, encryption of ePHI is an addressable implementation specification under the existing HIPAA Security Rule; under the NPRM, encryption of ePHI at rest and in transit would be required.
  2. Written Documentation: Healthcare entities will be required to maintain written documentation of all security rule policies, procedures, plans, and analyses. This ensures that there is a clear record of compliance efforts and security measures in place.
  3. Technology Asset Inventory and Network Mapping: Organizations would need to develop and maintain a technology asset inventory and a network map that illustrates the movement of ePHI through their electronic information systems. Both would have to be reviewed and updated at least once every 12 months and whenever a change in the environment or operations may affect ePHI.
  4. Specific Compliance Time Periods: The NPRM introduces specific compliance time periods for many existing requirements, ensuring that organizations adhere to a clear timeline for implementing necessary security measures.
  5. Updated Definitions and Terminology: The proposed rule updates definitions and revises implementation specifications to reflect changes in technology and terminology. For example, the definition of “electronic media” would be expanded to include technologies such as voice over internet protocol, telehealth recording technologies, and messaging services that store audio messages.
  6. Risk Analysis Specificity: The NPRM requires greater specificity in conducting risk analyses so that organizations thoroughly assess potential threats and vulnerabilities to ePHI. Vulnerability scanning would be required at least every six months and penetration testing at least every 12 months.
  7. Focus on Emerging Technologies: The proposed rule addresses new and emerging technologies, such as artificial intelligence, quantum computing, and virtual/augmented reality.

Deputy Secretary Andrea Palm commented that “[t]he increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety […][and] this proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.” The public has until March 7, 2025, to submit comments on the proposed rule. Healthcare professionals should analyze how these potential changes may impact their organizations and prepare accordingly.

The attorneys at Chilivis Grubman represent healthcare providers of all types and sizes in connection with cybersecurity matters, including ransomware incident response, investigations by HHS-OCR, and HIPAA-related litigation. If you need assistance with such a matter, please contact us today.