
Changes to HIPAA on the Horizon?  

January 16, 2025

Legal, Legal Risk Mitigation, Operations, Patients, Providers, Risk Management

HHS-OCR Issues a Notice of Proposed Rulemaking for the HIPAA Security Rule

As we welcome in and gear up for 2025, here is a privacy topic that all providers should have on their radar.  On January 6, 2025, the U.S. Department of Health and Human Services (HHS) published through its Office for Civil Rights (OCR) a new proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (Proposed Rule) for the first time since 2013 (the original rule was published in 2003). The Proposed Rule would require health plans, healthcare clearinghouses, most healthcare providers, and business associates to strengthen cybersecurity protections for electronic protected health information (ePHI). 

A Need for Better Protection

The Proposed Rule was a critical action referenced in HHS’ Healthcare Sector Cybersecurity Concept Paper and supports the strategic objectives outlined in the 2023 National Cybersecurity Strategy issued by the Biden-Harris Administration. HHS Deputy Secretary Andrea Palm explained that a key driver for the Proposed Rule was to address evolving cybersecurity incidents, noting: 

“[T]he increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety. These attacks endanger patients by exposing vulnerabilities in our healthcare system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”

The statistics cited by OCR illustrate the need for the Proposed Rule and are decidedly concerning. For example, in the last five years, reports of large breaches increased by 102%, and the number of individuals affected by such breaches increased by 1002%. OCR noted that these increases are caused primarily by hacking and ransomware attacks. Further, in 2023, over 167 million individuals were affected by significant breaches—a new record. In addition to changes in breach trends and cyberattacks, OCR highlighted significant changes in technology and how healthcare operates since the introduction of the Security Rule, a recognition of the healthcare sector’s importance to the economic and security interests of the U.S., and problems resulting from a patchwork quilt of state regulation as rationales for the Proposed Rule. In sum, the table was well set for HHS OCR to embark on an update to the Security Rule.

The Specifics

The nearly 400-page notice is jam-packed with specifics to strengthen the Security Rule standards and implementation specifications. We summarize the key requirements of the Proposed Rule below:

  • Removing the distinction between “required” and “addressable” implementation specifications and making all implementation specifications required with specific, limited exceptions.
    • Recall, HHS distinguished between “required” and “addressable” implementation specifications in 2003 to provide regulated entities with flexibility in approach. Based on OCR’s enforcement experience, HHS believes that regulated entities have interpreted “addressable” as optional, leading regulated entities to not adopt implementation specifications when it would be reasonable and appropriate to do so. The move to “required” would eliminate this problem and create a clear expectation for regulated entities.
  • Requiring written documentation of all Security Rule policies, procedures, plans and analyses.
  • Updating definitions and revising implementation specifications to reflect changes in technology and terminology.
  • A number of key defined terms would be revised. For example, the definition of “access” would be clarified to better reflect how a user can interact with information, adding, among other changes, the activities of “deleting” and “transmitting.” 
  • Adding specific compliance time periods for many existing requirements.
  • Requiring the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Requiring greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map.
    • Identification of all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthening requirements for contingency planning and responding to security incidents. For example, regulated entities would be required to:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Requiring regulated entities to conduct a compliance audit at least once every 12 months to ensure compliance with Security Rule requirements.
  • Requiring business associates to verify to covered entities at least once every 12 months (and subcontractors to verify to business associates at least once every 12 months) that they have deployed the technical safeguards the Security Rule requires to protect ePHI. The verification would consist of a written analysis of the business associate’s relevant electronic information systems by a subject matter expert, plus a written certification that the analysis has been performed and is accurate.
  • Requiring encryption of ePHI at rest and in transit, with limited exceptions.
  • Requiring regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Requiring the use of multi-factor authentication, with limited exceptions.
    • A new definition of “multi-factor authentication” is proposed. Regulated entities would be required to use this definition when implementing the Proposed Rule’s requirements for authenticating user identity, which would mean verifying at least two of the following three categories:
      • Information known by the user, including but not limited to a password or personal identification number (PIN). 
      • Item possessed by the user, including but not limited to a token or a smart identification card. 
      • Personal characteristics of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.
  • Requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Requiring network segmentation.
  • Requiring separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Requiring regulated entities to review and test the effectiveness of certain security measures at least once every 12 months in place of the current general requirement to maintain security measures.
  • Requiring business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay but no later than 24 hours after activation.
  • Requiring group health plans to include in their plan documents requirements for their group health plan sponsors to:
    • Comply with the administrative, physical, and technical safeguards of the Security Rule; 
    • Ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and 
    • Notify the group health plans upon activation of their contingency plans without unreasonable delay but no later than 24 hours after activation.

Despite significant revisions to the regulations, OCR commented that it does not believe that the changes will substantially modify most of a regulated entity’s obligations under the existing Security Rule or pose implementation challenges. Rather, according to HHS OCR, the proposed changes will simply “explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements. . . .” 

OCR offered the proposed requirement mandating encryption of ePHI at rest and in transit (with limited exceptions) to illustrate the impact the Proposed Rule would have on the industry. Under the current Security Rule, encryption of ePHI is an addressable implementation specification: a regulated entity must assess whether encryption is a reasonable and appropriate safeguard in its environment. From OCR’s perspective, that analysis should already have led regulated entities to implement encryption of ePHI in most instances. OCR therefore believes that making encryption mandatory would simply remove the need to perform the reasonable-and-appropriate analysis and add little additional burden. Notwithstanding this overall position, the Proposed Rule includes an extended transition period beyond the general 180-day compliance deadline in 45 CFR 160.105 for requirements that apply to business associate agreements and other written arrangements, provided certain conditions are met, to ease the administrative burden on regulated entities (and OCR is considering a similar extension for plan documents). 

Also of note, the Proposed Rule is consistent with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals (CPGs). The CPGs are voluntary goals created by HHS to help healthcare stakeholders prioritize the implementation of strategies to mitigate cybersecurity risk. Those familiar with the CPGs will see the same flavors echoed in the Proposed Rule. 

What You Can Do Now to Prepare 

We remind readers that this is a proposed rule and is not final. To best position your enterprise for compliance with a final rule, regulated entities should:

  • Digest the content of the Proposed Rule. Now is the time to review the content of the Proposed Rule and supply feedback for the development of the final rule. Interested parties may submit public comments until March 7, 2025.
  • Evaluate Your Position. While not final, we expect that the majority of changes in the Proposed Rule will be adopted. As such, conducting an initial high-level assessment of any gaps in your existing compliance profile, should the rule become final, is prudent, including identifying potential impacts on budget and resources. Engage key stakeholders, including technology, legal, and compliance personnel, in this assessment. 
  • Policy and Technical Updates. These are not easy to complete, and compliance with security safeguards, particularly ones as prescriptive as these, tends to be judged as pass or fail in a compliance audit. Key stakeholders therefore should not wait for the effective date of a final rule to begin planning for implementation.
  • Focus on Vendor Diligence. It is explicitly clear that vendor diligence is required for a HIPAA compliance program. Building strong vendor diligence standards and ongoing monitoring of your organization’s compliance program can take some time. We recommend you start strengthening your process in advance of a final rule.
  • Consider HIPAA in a Larger Context. HIPAA-regulated entities already subject to state comprehensive privacy laws may find that several explicit requirements in the Proposed Rule follow expectations under state law (and certainly international standards). For example, IT systems with ePHI can be added to existing data maps. If the Proposed Rule is adopted with little modification, HIPAA will become one of the more prescriptive regulatory standards – a significant shift from the current flexibility and scalability framework.
  • Continue to Comply with the Existing Security Rule Requirements. While the HHS OCR is undertaking this rulemaking, the current Security Rule remains in effect. 
  • Watch for State Actions. Remember that state attorneys general are empowered to bring HIPAA enforcement actions, and some states are quite active in this space. Prepare for state regulators to look to the Proposed Rule to inform state-level investigations even before a final rule is implemented.
  • Watch for IT Vendor Service Offerings. A clear winner with the Proposed Rule is the IT industry. We will undoubtedly see new and existing vendors begin to tailor service offerings to these new standards. Be careful to select strong, reputable IT partners as your organization explores options. Remember, there is no “HIPAA-certified” vendor.

Staying Up-To-Date

We will continue to monitor developments of the Proposed Rule and will be there to update you when the final rule is issued. You can stay updated on progress with our Health & Life Sciences HIPAA, Information Technology, Privacy & Security email list. For questions about this update or inquiries related to HIPAA compliance generally or health care privacy specifically, please contact Wakaba Tessier via phone (314) 696-5124 or email [email protected].

About the Author

Since 1892, Quarles has provided legal solutions to a wide range of clients on a national stage. Led today by a dynamic and diverse team of lawyers and business professionals, Quarles is a multidisciplinary Am Law 200 firm with approximately 550 attorneys practicing at the top of the profession in Chicago, Denver, Indianapolis, Madison, Milwaukee, Minneapolis, Naples, Phoenix, St. Louis, San Diego, Tampa, Tucson, and Washington, D.C. The authors of this article are:

Learn more about Quarles at www.quarles.com

About the National Infusion Center Association

NICA is dedicated to ensuring that the nation’s infusion centers remain a safe, more efficient, and more cost-effective alternative to hospital settings for consistent, high-quality care.

Infusion providers have a vested interest in the sustainability of the infusion delivery channel and its ability to serve vulnerable patient populations. NICA Provider Members have a voice and a seat at the table to inform NICA’s activities and the opportunity to remain highly engaged in the expansion and optimization of the infusion industry. Learn more about becoming a NICA member here: https://infusioncenter.org/join-nica/
