HHS’s Proposed Revisions to Strengthen the HIPAA Security Rule
Ian M. Stanford, Esq. and Miranda A. Preston, Esq.
Milligan Lawless, P.C.
For the first time in over a decade, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed an update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the “Security Rule”). OCR stated that the goal of the proposed rule[1] (the “Proposed Rule”) is to strengthen cybersecurity protections for electronic protected health information (ePHI) in light of changes in the healthcare environment, a significant increase in breaches and cyberattacks, common deficiencies observed by OCR, and cybersecurity best practices.[2] OCR is concerned about the “rampant escalation” in the number of cybersecurity breaches, which continues to climb each year.[3] For example, in 2024, a ransomware attack against Change Healthcare is estimated to have affected approximately 190 million people. If the Proposed Rule becomes effective, OCR estimates it will cost regulated entities $9 billion in the first year to implement, and $6 billion per year for years two through five for ongoing compliance activities. The public comment period closed on March 7, 2025, and OCR received around 4,745 comments.
Brief Background on the Security Rule
HIPAA is a federal statute enacted in 1996 and amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. To implement HIPAA and HITECH, HHS issued a set of federal regulations comprising three separate rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. This article focuses on the Security Rule. The Security Rule was first published in 2003 and revised in 2013. It establishes a national set of security standards to protect ePHI and is meant to serve as a floor for the security measures that regulated entities (i.e., “covered entities” and “business associates”) must implement. The Security Rule does so by specifying administrative, physical, and technical security requirements. Administrative safeguards are the policies and procedures that regulated entities must implement to prevent, detect, contain, and correct security violations. Technical safeguards relate to access controls, audit controls, software, and other technology measures that protect ePHI. Physical safeguards relate to the physical measures, policies, and procedures that protect the premises where ePHI is stored.
Broad Changes in the Proposed Rule
The Proposed Rule maintains the previous framework of administrative, physical, and technical safeguards. However, it makes sweeping changes to the requirements imposed upon regulated entities. HHS published a fact sheet[4] that breaks down some of the sizeable changes proposed in the update to the Security Rule. Below are a few of the key changes in the Proposed Rule:
- Remove the distinction between “required” and “addressable” implementation specifications, so that all implementation specifications would be required, with limited exceptions.
- Require the development of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis. The inventory and map must be reviewed and updated at least annually and in response to a change in the regulated entity’s environment or operations that affects ePHI.
- Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
  - A review of the technology asset inventory and network map (see Section 1);
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
  - Identification of potential vulnerabilities and predisposing conditions in the regulated entity’s relevant IT systems;
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
  - An assessment of the risks to ePHI posed by current and prospective business associate relationships.
- Require regulated entities to establish and implement written policies and procedures for patch management[5] and for updating the configuration of relevant information systems. These policies and procedures would require regulated entities to patch critical risks within 15 calendar days and high risks within 30 calendar days, and to review the policies and procedures at least once every 12 months.
- Require regulated entities to establish and implement written policies and procedures ensuring that: (1) workforce members’ access to ePHI is terminated as soon as possible, but no later than one hour after the workforce member’s employment or other arrangement ends; and (2) other covered entities or business associates are notified after a change in or termination of a workforce member’s access to ePHI. This notice would be required to be provided as soon as possible, but no later than 24 hours after the workforce member’s authorization to access ePHI or relevant electronic information systems is changed or terminated.
- Regarding business associates: (1) require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plan without unreasonable delay but no later than 24 hours after its activation; and (2) require covered entities to obtain from business associates (and business associates from their subcontractors) an annual written analysis and certification of compliance with the Security Rule’s technical safeguards. To the extent this requirement is finalized, all business associate agreements would need to be updated.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- Expand the Security Rule’s technical safeguards, including requiring regulated entities to: (1) encrypt ePHI at rest and in transit, with limited exceptions; (2) use multi-factor authentication for all technology assets, with limited exceptions; (3) create and maintain backups of relevant IT systems and review and test the effectiveness of such controls at least once every six months; and (4) conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
Looking Forward
The future of the Proposed Rule is unclear, and the Trump administration will likely decide whether it moves forward. The Trump administration has already begun to act on its initiative to reduce federal regulations,[6] which may mean the Proposed Rule will never be finalized. In the meantime, regulated entities should familiarize themselves with the key components of the Proposed Rule and monitor any developments concerning it.
[1] 90 Fed. Reg. 898 (Jan. 6, 2025).
[2] Id.
[3] Id. at 900.
[4] Health and Human Services, Office for Civil Rights, “HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information,” (2024) available at https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.
[5] Patch management involves identifying, testing, applying, and verifying patches (or software updates) to improve security and performance.
[6] See Presidential Memorandum, Regulatory Freeze Pending Review, 90 Fed. Reg. 8249 (Jan. 28, 2025); Exec. Order 14192, “Unleashing Prosperity Through Deregulation,” 90 Fed. Reg. 9065 (Feb. 6, 2025); and Exec. Order 14215, Ensuring Lawful Governance and Implementing the President’s “Department of Government Efficiency” Deregulatory Initiative, 90 Fed. Reg. 10583 (Feb. 25, 2025).
