| Update Applicable to: | Comments Due Date |
|---|---|
| All Covered Employers | March 7, 2025 |
What happened?
On January 6, the Department of Health and Human Services (HHS) published a proposed rule to enhance the security of electronic protected health information (ePHI) due to increasing cyberattacks on healthcare organizations. HIPAA-regulated entities have until March 7 to submit public comments.
Overview
The U.S. Department of Health and Human Services (HHS) has proposed updates to the HIPAA Security Rule to enhance cybersecurity protections for electronic protected health information (ePHI) in response to increasing cyberattacks.
- If adopted, this would be the first update to the Security Rule since 2013.
- The proposed rule aims to better protect individuals’ ePHI against both external and internal threats by clarifying what covered entities and their business associates must do and giving specific instructions for doing it, bringing the Security Rule in line with modern cybersecurity best practices.
- Entities will have 180 days to comply with the revised Security Rule once it is finalized. HIPAA-regulated entities are encouraged to engage in the rulemaking process by submitting comments by March 7.
- The current Security Rule remains in effect while the Department undertakes this rulemaking.
- Employers can leave comments until March 7, 2025. Fact sheets and other resources are available to help them make an informed decision.
Additional Details:
Key Proposed Changes:
General Updates
- Removal of Distinction: The distinction between required and addressable implementation specifications is removed; all implementation specifications will be required, with limited exceptions.
- Documentation Requirements: Entities must maintain written documentation of all Security Rule policies, procedures, plans, and analyses.
- Technology and Terminology Updates: Definitions and implementation specifications will be updated to reflect changes in technology and terminology.
- Compliance Time Periods: Specific compliance time periods will be added for many existing requirements.
- Asset Inventory and Network Mapping: Entities must develop and maintain a technology asset inventory and a network map illustrating the movement of ePHI, updated annually or when significant changes occur.
- Risk Analysis Specificity: Greater specificity will be required in conducting risk analyses.
Security Standards: General Rules (45 C.F.R. Sec. 164.306)
- Apply HIPAA Security Rule to all ePHI.
- Eliminate the distinction between “required” and “addressable” specifications.
- Add a new element to consider: the effectiveness of security measures in supporting resiliency.
- Increase specificity in maintenance requirements to regularly review and update security measures.
Administrative Safeguards (45 C.F.R. Sec. 164.308)
- Technology Asset Inventory: Maintain an accurate inventory and network map of all technology assets affecting ePHI, updated every 12 months.
- Risk Assessment: Conduct comprehensive risk assessments with specific components, reviewed and updated annually.
- Patch Management: Implement policies for timely patch installation for critical and high risks.
- Activity Review: Elevate and specify requirements for reviewing information systems activity.
- Access Termination: Terminate access to ePHI within one hour of workforce termination, with notifications to relevant entities within 24 hours.
- Workforce Training: Annual training on detecting malicious software and social engineering.
- Incident Response: Establish and test incident response and contingency plans annually, with a 72-hour recovery timeline.
- Compliance Audits: Annual audits of HIPAA Security Rule compliance.
- Verification from Business Associates: Obtain annual verification of deployed technical safeguards from business associates and subcontractors.
Physical Safeguards (45 C.F.R. Sec. 164.310)
- Apply physical safeguards to all ePHI and technology assets within a facility.
- Require written plans for contingency operations, facility security, and access control.
- Address physical attributes and movement of workstations, especially in vulnerable areas.
- Expand “device and media” to “technology asset” controls.
- Review and test security measures annually.
Technical Safeguards (45 C.F.R. Sec. 164.312)
- Access Controls: Detailed procedures for identifying users and technology assets, and controls on login attempts and session inactivity.
- Network Segmentation: Dividing networks into segments to reduce risks.
- Encryption: Elevate encryption to a standard for all ePHI at rest and in transit.
- Anti-Malware: Deploy anti-malware software, remove extraneous software, and disable network ports.
- Audit Trails: Detailed logging and real-time monitoring of all activity in electronic information systems.
- Multi-Factor Authentication (MFA): MFA is required for all technology assets, with limited exceptions.
- Vulnerability Scanning: Vulnerability scans at least every six months, and penetration testing at least annually.
- Data Backups: Create and maintain retrievable copies of ePHI, with monthly restoration tests and backups every six months.
Organizational Requirements and Transition Provisions (45 C.F.R. Secs. 164.314 and 164.318)
- BAA Notifications: Business associates must notify covered entities of contingency plan activation within 24 hours. Similar requirements apply to subcontractors and group health plans.
- Transition Provisions: Allow regulated entities to operate under existing BAAs until the BAA is renewed or a year after the final rule’s effective date.
Documentation Requirements (45 C.F.R. Sec. 164.316)
- Strengthen documentation requirements, mandating that regulated entities maintain written documentation of all policies, procedures, actions, activities, and assessments related to HIPAA Security Rule compliance.
- Documentation must explain how factors in Section 164.306 were considered and be updated at least every 12 months.
New and Emerging Technologies
- The NPRM seeks comments on the security implications of new technologies like quantum computing, AI, and virtual/augmented reality.
- It highlights the benefits and stresses the need for regulated entities to address associated risks in their risk assessments.
Source References
- HHS Office for Civil Rights Proposed HIPAA Rule Amendment Press Release
- Federal Register: HIPAA Security Electronic Protected Health Information (ePHI) Proposed Rule.
- HIPAA Security Proposed Rule Fact Sheet