HHS OCR Proposes Significant Modifications To HIPAA Security Rule

HIGHLIGHTS

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on December 27, 2024, and published in the Federal Register on January 6, 2025, a Notice of Proposed Rulemaking (NPRM) proposing extensive modifications to the HIPAA Security Rule. If finalized, these would be the first modifications of the Security Rule since 2013 and could entail significant additional compliance obligations and costs for HIPAA covered entities and business associates (collectively, regulated entities). For reference, a redline of the existing language of the Security Rule with the NPRM's proposed modifications is available here.

Among other new obligations, the NPRM would require regulated entities to:

• Comply with all standards and implementation specifications by eliminating the distinction between "addressable" and "required" implementation specifications
• Encrypt all electronic protected health information (ePHI) at rest and in transit, with limited exceptions, removing some flexibility that regulated entities presently have with respect to implementation of encryption
• Deploy multi-factor authentication (MFA) for all technology assets in relevant electronic information systems to verify that a person seeking access to the relevant electronic information system(s) is the user that the person claims to be, and for any action that would change a user's privileges in a manner that would alter the user's ability to affect the confidentiality, integrity, or availability of ePHI
• Develop and maintain an information technology asset inventory and a network map of information technology systems and assets that may affect the confidentiality, integrity, or availability of ePHI
• Obtain on an annual basis from their business associates or subcontractors written verifications that the business associates or subcontractors have implemented technical safeguards
• Ensure that new business associate contracts include, and that existing business associate contracts are modified to include, a provision requiring the business associate or subcontractor to report to the covered entity or business associate activation of the business associate's or subcontractor's contingency plan, without unreasonable delay but no later than 24 hours after activation
• Perform and document in writing certain assessments as a component of their risk analyses and update the written assessments on an ongoing basis, but no less frequently than once every 12 months and in response to any change in the regulated entity's environment or operations that may affect ePHI
• Establish and implement a written risk management plan for reducing the risks identified through risk analysis activities and review the plan at least once every 12 months
• Perform and document an audit of their compliance with each standard and implementation specification of the Security Rule at least once every 12 months
• Assess the effectiveness of security measures in supporting the resiliency of the regulated entity when deciding whether a particular security measure is "reasonable and appropriate"
• Conduct automated vulnerability scans to identify technical vulnerabilities in the regulated entity's relevant electronic information systems in accordance with the regulated entity's risk analysis or at least once every six months, whichever is more frequent
• Perform penetration testing of the regulated entity's relevant electronic information systems by a qualified person at least once every 12 months or in accordance with the regulated entity's risk analysis, whichever is more frequent
• Create backups of ePHI with such frequency to ensure retrievable copies of ePHI are no more than 48 hours older than the ePHI maintained in the regulated entity's relevant electronic information systems and restore a representative sample of such backed-up ePHI at least monthly.

The NPRM would also "clarify" certain existing compliance obligations under the Security Rule, including, for example, that:

• Regulated entities must not only establish policies and procedures about technical requirements but also must actually apply effective technical policies and procedures to all ePHI throughout the entity's enterprise
• Regulated entities must implement reasonable and appropriate security measures to implement the standards and implementation specifications of the Security Rule, and regulated entities may not determine that implementation itself is unreasonable or inappropriate in some circumstances
• Group health plans must require that plan sponsors meet certain Security Rule requirements, including requirements to implement administrative, physical, and technical safeguards and to perform an annual risk analysis.

HHS states that the NPRM is intended to address changes in the environment in which healthcare is provided; significant increases in breaches and cyberattacks; common deficiencies OCR has observed in investigations into Security Rule compliance; other cybersecurity guidelines, best practice, methodologies, procedures, and processes; and court decisions that affect the enforcement of the Security Rule.

Stakeholders may submit comments within 60 days from the NPRM's date of publication in the Federal Register (i.e., by March 7, 2025). The NPRM may be modified in light of comments submitted and/or otherwise by the incoming administration. A final rule would be effective 60 days after publication in the Federal Register. Regulated entities would have until a subsequent "compliance date" to establish and implement policies, procedures, and practices to achieve compliance with any new or modified standards. HHS proposes here that the compliance date would generally be 180 days after the effective date of a final rule – or a total of 240 days following publication of a final rule.

IN DEPTH

BACKGROUND

The Security Rule, first published in 2003, established a national set of security standards for the protection of ePHI. The Security Rule set forth certain administrative, physical, and technical safeguards that covered entities must put in place to protect ePHI. In the preamble to the Security Rule, HHS noted the previous absence of "standard measures" in the healthcare industry to "address all aspects of the security of [ePHI]." HHS sought to establish a standard that was "comprehensive and coordinated" as well as "scalable," and that was flexible enough "to make use of future technology advancements." The Security Rule was last modified in 2013 to directly extend its provisions to business associates and implement other changes required by the HITECH Act enacted in 2009.

HHS acknowledges that the NPRM proposes considerable revisions to the text of the Security Rule. However, HHS states that it is reasonable and appropriate to strengthen the Security Rule to address changes in the healthcare environment and to clarify the compliance obligations of regulated entities. HHS expresses concerns that regulated entities are not consistently complying with the Security Rule's requirements, as demonstrated by OCR's experience investigating allegations of Security Rule violations, reports received by OCR of breaches of unsecured PHI, and the results of the audits conducted by OCR in 2016 – 2017. HHS is also concerned that regulated entities may not have updated their security measures to adjust to changes in the healthcare environment and their operations, including new and emerging threats to the confidentiality, integrity, and availability of ePHI. HHS seeks to resolve these concerns with the modifications to the Security Rule proposed in the NPRM.

NPRM DETAIL

This section summarizes some but not all of the changes proposed by the NPRM. For reference, a redline of the existing language of the Security Rule with the NPRM's proposed modifications is available here.

Modifications to the Definition of Electronic Media

The NPRM proposes modifications to the definition of "electronic media" at 45 C.F.R. 160.103 to clarify that electronic media includes not only media on which data may be "recorded" but also any media on which data may be "maintained" or "processed." The NPRM proposes to add to the non-exhaustive list of examples of electronic media "any other form of digital memory or storage." Additionally, the NPRM proposes to add "public networks" to the list of examples of "transmission media." According to HHS, these modifications are intended to respond to changes in the role technology plays in the storage and transmission of information and in the types of media used to store and transmit such information.

The Addition of 10 New Definitions and the Modification of 15 Existing Definitions

The NPRM proposes to add 10 new definitions and modify 15 existing definitions (including the definition of "electronic media," as discussed above) at 45 C.F.R. 164.304. According to HHS, these new and modified definitions are intended to clarify how regulated entities should apply the Security Rule standards and implementation specifications while modernizing the Security Rule to the current healthcare environment.

The NPRM proposes to add the following 10 new definitions:

• Deploy.
• Electronic information system.
• Implement.
• Multi-factor authentication.
• Relevant electronic information system.
• Risk.
• Technical controls.
• Technology asset.
• Threat.
• Vulnerability.

The NPRM proposes to modify the following 15 existing definitions:

• Access.
• Administrative safeguards.
• Authentication.
• Availability.
• Confidentiality.
• Electronic media.
• Information system.
• Malicious software.
• Password.
• Physical safeguards.
• Security incident.
• Security or security measures.
• Technical safeguards.
• User.
• Workstation.

Modifications to the Security Standards: General Rules

The NPRM proposes modifications to the general requirements provision at 45 C.F.R. 164.306(a) that:

• Are intended to clarify that the general requirements apply to "all" ePHI at "each" regulated entity
• Would require each regulated entity to protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, or availability of all ePHI instead of to the security or integrity of ePHI
• Would require each regulated entity to ensure that its workforce complies not only with the Security Rule but also with all administrative, physical, and technical safeguards implemented in accordance with the Security Rule (i.e., the specific safeguards adopted by the regulated entity).

The NPRM would require regulated entities to comply with all standards and implementation specifications¹ by eliminating the distinction between "addressable" and "required" implementation specifications at 45 C.F.R. 164.306(c).²

The NPRM proposes modifications to 45 C.F.R. 164.306(b) that are intended to clarify that regulated entities must apply reasonable and appropriate security measures to implement the standards and 1 The Security Rule "standards" are mandatory requirements that regulated entities must follow to protect ePHI. They outline at a high level what must be done to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule "implementation specifications" provide more detailed instructions on how to meet the "standards." 2 The Security Rule presently distinguishes between "required" and "addressable" implementation specifications. Summarized at a high level, regulated entities must implement "required" implementation specifications but have some flexibility in how to address "addressable" implementation specifications. If a regulated entity determines that an addressable implementation specification is reasonable and appropriate in regulated entity's environment with respect to its likely contribution to protecting ePHI, the regulated implementation specifications of the Security Rule. The proposed modifications would clarify that implementation is not optional based on whether a regulated entity believes it is reasonable and appropriate; to the contrary, a regulated entity is required to implement the standards and implementation specifications and must adopt reasonable and appropriate security measures that allow the entity to achieve such implementation. According to HHS, the proposed clarification would comport more precisely with the statute.

The NPRM also would require regulated entities to consider the effectiveness of a security measure in supporting the resiliency of the regulated entity when deciding whether a particular security measure (e.g., a technical control) is reasonable and appropriate for implementing a standard and its associated implementation specification. For example, a regulated entity would be required to consider this factor, in addition to the existing factors, when choosing a specific encryption solution that allows the entity to meet the proposed requirement to encrypt ePHI, which will help prevent an unauthorized user from accessing the entity's ePHI, or when developing its security incident plan or disaster recovery plan, which will help ensure that the regulated entity can recover data or reestablish data integrity after a security incident or disaster.

The NPRM proposes to delete the current maintenance requirement at 45 C.F.R. 164.306(e) and instead delineate maintenance implementation specifications for specific standards, when applicable. For example, such maintenance requirements would remove any ambiguity about the need for regulated entities to regularly review, test, and modify for each standard.

Footnotes

1 The Security Rule "standards" are mandatory requirements that regulated entities must follow to protect ePHI. They outline at a high level what must be done to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule "implementation specifications" provide more detailed instructions on how to meet the "standards."

2 The Security Rule presently distinguishes between "required" and "addressable" implementation specifications. Summarized at a high level, regulated entities must implement "required" implementation specifications but have some flexibility in how to address "addressable" implementation specifications. If a regulated entity determines that an addressable implementation specification is reasonable and appropriate in regulated entity's environment with respect to its likely contribution to protecting ePHI, the regulated entity must implement it. If the regulated entity determines that an addressable implementation specification is not reasonable and appropriate, the regulated entity must document why the implementation specification is not reasonable and appropriate for the regulated entity (e.g., technically infeasible, cost prohibitive, low probability of threat materializing, and/or low criticality of system or data), consider compensating security controls, document why any compensating controls are reasonable and appropriate based on a cost-benefit analysis and other factors, and implement the reasonable compensating controls. The regulated entity must maintain written security policies and procedures that document how it complies with each of the required and addressable implementation specifications.

To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.