Material updates to the HIPAA Security Rule could be on the way — affecting all HIPAA-regulated entities — for the first time in two decades. The Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (Proposed Rule) aiming to strengthen cybersecurity protections and better defend against cyber threats targeting the U.S. health care system. The comment period will close on March 7, 2025 (60 days after the Proposed Rule was published in the Federal Register).
This proposal to strengthen the security safeguards required under the HIPAA Security Rule is HHS’ response to the significant increase in cyber attacks in the health care sector. Specifically, HHS stated that from 2018 to 2023, reports of large breaches resulting from hacker and ransomware attacks increased by 102 percent, and the number of individuals affected by these breaches increased by 1,002 percent.
Summary of the Proposed Rule
The Proposed Rule attempts to strengthen the requirements of the Security Rule by clarifying and revising definitions and removing the distinction between “required” and “addressable” implementation specifications. The Proposed Rule adds new implementation requirements to help ensure that HIPAA-regulated entities carry out compliance activities consistent with industry standard best practices, such as the NIST Cybersecurity Framework.
Regulated entities would be required to document, in writing, all Security Rule policies and procedures, which include:
- The creation and maintenance of a written inventory of technology assets and a network map. Regulated entities will need to review and update their asset inventory and network map on an ongoing basis, but at least once every 12 months and when there is a change in the environment or operations that may affect electronic protected health information (ePHI).
- Annual risk analyses with more specificity. Risk analyses will consist of a written assessment that includes, among other things:
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  - Identification of potential and existing vulnerabilities to relevant IT systems.
  - Assessment and documentation of the security measures used to protect ePHI.
  - A reasonable determination of the likelihood that each identified threat would exploit the identified vulnerabilities.
  - An assessment of risks to ePHI posed by current or prospective business associates.
- Establishment of change management controls. The Proposed Rule contains requirements for technical and nontechnical evaluations prior to changes in the entity’s environment.
- Patch management policies and procedures. HIPAA-regulated entities would be required to review patch management processes at least once every 12 months and modify the processes as reasonable and appropriate. A “reasonable and appropriate” time period to patch critical vulnerabilities would be within 15 calendar days of identification.
- Robust risk management planning. The Proposed Rule contains more robust requirements for the establishment and implementation of a risk management plan for reducing the risks identified by the required risk analysis.
- Stringent requirements for monitoring and incident response policies and procedures. The Proposed Rule would require:
  - A review of activity on the relevant IT systems, customized to the entity’s risk management strategy, that promotes awareness of any activity that could indicate a security incident.
  - An incident response plan that includes disaster recovery procedures capable of restoring lost IT systems within 72 hours.
  - An annual compliance audit to confirm compliance with the Security Rule requirements.
Beyond written policies and procedures, the Proposed Rule attempts to expand the Security Rule’s technical safeguards, which would require regulated entities to:
- Encrypt ePHI at rest and in motion, subject to limited exceptions.
- Use multi-factor authentication, subject to limited exceptions.
- Establish and deploy technical controls for configuring relevant IT systems in a consistent manner.
- Implement required configuration management controls, including deploying anti-malware protection, removing extraneous software, and disabling ports in accordance with the risk analysis.
- Conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Use network segmentation.
- Deploy technical controls to create and maintain backups of relevant IT systems and to review and test the effectiveness of such controls once every six months.
In addition, the Proposed Rule adds requirements for business associate agreements (meaning business associate agreements will need to be updated if the Proposed Rule is enacted into law). Specifically, a business associate agreement must include a provision that requires a business associate to notify covered entities (and subcontractors to notify business associates) upon activation of its contingency plan, without unreasonable delay, but no later than 24 hours after activation. Further, the Proposed Rule places additional requirements on engagement with business associates, including requiring covered entities to obtain from business associates annually a written analysis and certification of compliance with the Security Rule’s technical safeguards. The analysis would need to be performed by “a person with appropriate knowledge of and experience with” ePHI cybersecurity principles. The Proposed Rule makes clear that a HIPAA-regulated entity that delegates compliance activities required by the Security Rule to a business associate remains liable for compliance with the Security Rule.
New and Emerging Technologies Request for Information
Through the Proposed Rule, HHS is seeking comments related to emerging technologies, such as artificial intelligence, quantum computing, and virtual and augmented reality, and HIPAA’s role in regulating these emerging technologies. The Proposed Rule notes that before HIPAA-regulated entities implement these new and emerging technologies, an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI should occur.
What’s Next for HIPAA-Regulated Entities
At this point, the future of the Proposed Rule is unclear, as the newly elected administration will likely determine whether to move forward with the rulemaking process. Although cybersecurity protections have received bipartisan support, and during the first Trump administration there was a focus on information security, the Trump administration is expected to take a stance against increased regulations. As such, HIPAA-regulated entities should continue to monitor these developments. Given the short turnaround, however, entities should also review the Proposed Rule to determine if they wish to submit comments in case the Proposed Rule moves forward in its current state.
Health care data privacy continues to evolve rapidly, and thus HIPAA-regulated entities should closely monitor any new developments and continue to take the necessary steps toward compliance. If you have any questions on compliance with HIPAA or the ramifications of the Proposed Rule and other recent changes to health care data privacy laws — or would like assistance submitting comments regarding the Proposed Rule — please contact any of the authors or any of the Partners or Senior Counsel in Foley’s Cybersecurity and Data Privacy Group or Health Care Practice Group.