
The U.S. Department of Health and Human Services (HHS) does not often amend the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Security Rule). HHS issued a Notice of Proposed Rulemaking (NPRM) to amend the Security Rule, titled “The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.” This advisory highlights salient provisions of the proposed rule.

On January 6, 2025, the NPRM was published in the Federal Register, initiating a 60-day public comment period. On January 20, 2025, President Trump signed an Executive Order (Regulatory Freeze Pending Review), requiring all executive departments and federal agencies to stop all pending rulemaking activity. The proposed Security Rule amendments are paused until President Trump’s HHS Secretary has been confirmed and reviews the proposed rule.

In the wake of major cybersecurity breaches plaguing the healthcare industry, data protection initiatives are seemingly becoming a bipartisan matter. While it is expected that Congress will continue to examine legislative solutions to cybersecurity threats to the healthcare industry, HHS finalizing the Security Rule changes would provide for a more immediate solution.

NPRM Context

The Proposed Rule aims to enhance cybersecurity measures for electronic protected health information (ePHI). The NPRM is an outflow of the Biden Administration’s framework document Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services. This framework document relied on voluntary compliance of healthcare entities to beef up their cybersecurity practices. Adoption of the framework document was slow. The NPRM was intended to put some teeth behind HHS’ goals, as non-compliance could lead to significant monetary and regulatory consequences.

The current Security Rule is flexible in its security requirements in order to account for different types of healthcare entities, their cybersecurity sophistication, and available resources. As such, the current Security Rule does not specify technical cybersecurity requirements organizations have to adhere to. Technical advancements and ever-evolving threat actor activities now require minimum standards for the healthcare industry as a whole.

Key NPRM Changes

  • Uniform Implementation Specifications: The NPRM suggests eliminating the current distinction between “required” and “addressable” implementation specifications, making all specifications mandatory with specific, limited exceptions.
  • Comprehensive Documentation: Regulated entities would be required to maintain written documentation for all Security Rule policies, procedures, plans, and analyses.
  • Updated Definitions and Specifications: The proposed rule includes updates to definitions and revisions to implementation specifications to reflect technological advancements and evolving cybersecurity practices.
  • Enhanced Security Measures: The NPRM mandates the adoption of advanced security measures, including:
    • Multifactor Authentication: Implementing multifactor authentication in most situations to strengthen access controls.
    • Network Segmentation: Segmenting networks to prevent the spread of intrusions across systems.
    • Data Encryption: Encrypting patient data to ensure that, even if stolen, it remains inaccessible.
  • Regular Policy Reviews: Entities would be required to conduct regular reviews, testing, and updates of their security policies and procedures to ensure ongoing effectiveness.

Implications for Covered Entities and Business Associates

Healthcare providers, health plans, healthcare clearinghouses, and their business associates should prepare for potential updates to the HIPAA Security Rule by:

  • Assessing Current Security Measures: Evaluate existing cybersecurity protocols to identify areas requiring enhancement in line with the proposed requirements.
  • Planning for Implementation Costs: Consider the financial implications of adopting the proposed security measures and allocate resources accordingly.
  • Engaging in the Comment Process: Participate in the public comment period to provide input on the proposed changes and their potential impact on operations.

The NPRM would change the Security Rule by modernizing its requirements and making them more specific. If the Proposed Rule is reissued or the pause is lifted, it is possible that it will come with some revisions. Staying informed and proactive in this space will be essential for compliance and for safeguarding ePHI against evolving cyber threats.

Buchanan can assist with drafting and finalizing comments should the pause on the proposed rule be lifted, triggering a new comment period.

For more information on managing ransomware risks and understanding your legal obligations, please contact Buchanan’s Cybersecurity and Data Privacy team at cyber@bipc.com. Our team includes experienced healthcare attorneys who are well-versed in the unique regulatory and compliance requirements specific to the healthcare sector.