Notice of Proposed Rule Making HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information

On January 5, 2025, the Department of Health and Human Services (HHS) published a Notice of Proposed Rule Making (NPRM), HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information (ePHI). The rule is the first meaningful update to HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009. HHS stated in its announcement that the proposed rule is intended to improve cybersecurity in light of the growing number of cyber-attacks, and to better align the rule’s provisions with modern practices in cybersecurity and technology. HHS is accepting comments from stakeholders through March 7, 2025.


HHS included significant background to provide context for the proposed updates. HHS stated that many of the proposed provisions result from common findings in its breach investigations and reviews following cyberattacks. HHS stated that it believes many covered entities either misinterpreted existing Security Rule requirements for ePHI, or drafted the required administrative, technical, and physical policies and procedures but then failed to actually perform or implement the underlying safeguards those policies describe.


In drafting the proposed rule, HHS sought to define and update the Security Rule’s terms more precisely, remove vagueness, and eliminate the distinction between “required” and “addressable” implementation specifications found in the existing Security Rule language, so that all specifications listed in the Security Rule would be required for covered entities. The NPRM is broken down into several segments, including Definitions, Security Standards, Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Documentation Requirements.


Definitions

In the NPRM, HHS proposes adding ten new terms and modifying the definitions of fifteen existing terms. The proposed new regulatory terms would be: Deploy, Implement, Electronic information system, Multi-Factor Authentication (MFA), Electronic Information System, Risk, Technical Controls, Technology Asset, Threat, and Vulnerability. The definitions HHS proposes to modify are Access, Administrative Safeguards, Authentication, Availability, Confidentiality, Information System, Malicious software, Password, Physical Safeguards, Security or Security Measures, Security Incident, Technical Safeguards, User, and Workstation.


In proposing and modifying these terms, HHS is seeking to address the rapidly changing technology landscape and to ensure that covered entities understand their obligations under the Security Rule. For example, HHS proposed a definition for Multi-Factor Authentication (MFA) because the original requirements for user access contemplated only a combination of usernames and passwords. MFA is currently the best practice for user identification and authentication, which HHS believes is essential to data security.


Security Standards

In the NPRM, HHS restates that covered entities and business associates must do the following with respect to all ePHI they create, receive, maintain, or transmit:

  1. Ensure the confidentiality, integrity, and availability of the electronic protected health information.
  2. Protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, or availability of the electronic protected health information.
  3. Protect against any reasonably anticipated uses or disclosures of the electronic protected health information that are not permitted or required.
  4. Ensure compliance by its workforce with this subpart and all administrative, physical, and technical safeguards implemented in accordance with this subpart.


In deciding which security measures to use, covered entities must take into account the size and complexity of the organization and/or its business associates. They must also consider the cost of the security measures, the probability and criticality of risks to ePHI, and the effectiveness of the measures for the resiliency of the organization. However, HHS is essentially stating that it believes covered entities and business associates must make every effort to ensure the confidentiality, integrity, and resiliency of their electronic information systems.


Administrative Safeguards

Administratively, covered entities must create and maintain a written Technology Asset Inventory and Network Map of the covered entity’s or business associate’s electronic information systems and of all other assets that may affect the confidentiality and integrity of ePHI. The Technology Asset Inventory and Network Map must be maintained, reviewed, and updated on an ongoing basis, and not less than annually or whenever the covered entity adopts, upgrades, or patches technology.


Covered entities and business associates must conduct a comprehensive written assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that is created, received, maintained, or transmitted. This written assessment must include a review of the technology asset inventory, identification of all reasonably anticipated threats, identification of all reasonably anticipated vulnerabilities, an assessment and documentation of the security measures, a reasonable determination of the likelihood of each identified threat, and the potential impact of the threat. This written assessment must be reviewed and updated not less than annually.


The rule includes relatively extensive requirements regarding patch management. A patch, in this context, is a fix for a software or system vulnerability that must be installed to maintain compliance with HIPAA. The proposed rule requires that covered entities develop and maintain policies and procedures for applying patches and updating the configurations of their information systems. These policies must be reviewed and updated annually. Covered entities must implement a patch within 15 days of identifying the need for a patch that addresses a critical risk, and within 30 days for a patch that addresses a high risk. The written risk management plan must prioritize the risks identified in the risk analysis.


The covered entity must provide workforce security awareness training at the time of hiring and annually thereafter. Additionally, the rule requires policies and procedures governing a workforce member’s access to the covered entity’s information systems containing ePHI. The covered entity must establish written policies and procedures for terminating a workforce member’s access to ePHI, including terminating an employee’s access no later than one (1) hour after the employee’s termination. In addition, the covered entity must notify any business associate whose ePHI the terminated workforce member could access within 24 hours of any change in or termination of that access.


Another requirement of the proposed rule is that the covered entity must establish policies and procedures to restore critical electronic information systems within 72 hours of their loss. The covered entity must include an emergency mode operations plan and must test and revise this contingency plan as necessary.


Physical Safeguards

The proposed rule highlights many of the current physical safeguards required under HIPAA. Specifically, covered entities are reminded to establish and implement policies and procedures and a facility security plan to safeguard all facilities and equipment. This includes all covered entity workstations and the removal or destruction of technology assets. These must be reviewed and updated annually.


Technical Safeguards

The proposed rule requires that covered entities develop and implement technical safeguards to protect the confidentiality, integrity, and availability of all ePHI. This includes access control, unique user identification, emergency access procedures, automatic logoff, protections for multiple unsuccessful log-in attempts, and network segmentation to protect electronic information systems. Under the new rules, covered entities must ensure that all ePHI is encrypted, both at rest and during transit. These policies must be maintained and reviewed annually.


Additionally, a significant proposed requirement is that covered entities must conduct automated vulnerability scans to identify vulnerabilities in electronic information systems at least every six (6) months. These vulnerability scans must be reviewed for effectiveness annually. Also, covered entities must conduct penetration testing every twelve (12) months.


Organizational Requirements

The proposed rule requires that a covered entity identify an individual who will serve as the HIPAA Security Officer. This individual will be responsible for ensuring compliance with the HIPAA Security Rule and must be identified in Security Rule documentation. The proposed rule also requires that covered entities and business associates report any security incident of which they become aware. Finally, the covered entity must report any activation of its contingency plan without unreasonable delay, and in no case later than 24 hours after activation.


Documentation Requirements

Covered entities must maintain, in written or electronic form, all documentation they create in response to the proposed rule. These documents must be retained for a minimum of six years from the date of creation or the date on which the document was last in effect, whichever is later.


Conclusion

In the proposed rule, HHS estimates the cost of compliance at roughly $9 billion in the first year and $6 billion per year for years two through five of ongoing compliance. If finalized, the proposed rule will significantly increase a covered entity’s or business associate’s ePHI and technology security requirements. Stakeholders are encouraged to submit comments by March 7, 2025. Provisions, once made final, will be effective 60 days from publication of the Final Rule, and compliance with most of those provisions will not be enforced until 180 days after the effective date, giving covered entities most of 2025 to take the steps necessary to implement the policies and practices required by the Final Rule. The American Ambulance Association will continue to assess the impact of the rule and will submit comment. If you have any questions regarding the proposed rule, please contact us at questions@wmklawgroup.com.

Werfel, Moore, & Kelly Law Group

100 South Main Street

Suite 100J

Middleton, MA 01949

Brian Werfel

c: 917-582-3282

e: bwerfel@wmklawgroup.com

Scott Moore

c: 781-771-9914

o: 781-242-2111

e: smoore@wmklawgroup.com

e: questions@wmklawgroup.com

Chris Kelly

c: 404-934-8999

e: ckelly@wmklawgroup.com

Admin

e: awilliams@wmklawgroup.com

e: dkelly@wmklawgroup.com
