Client Alert: HIPAA Happenings: U.S. Department of Health and Human Services Proposes Updated HIPAA Cybersecurity Rules

Date: January 9, 2025
On January 6, 2025, the U.S. Department of Health and Human Services (“DHHS”) Office of Civil Rights (“OCR”) published a proposed rule entitled, “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Health Regulation” (the “Proposed Rule”). The Proposed Rule aims to address extensive developments in the management, transmission, and protection of electronic protected health information (“ePHI”) that have arisen since the latest revisions to applicable HIPAA regulations in 2013. Such developments include the expansion of threats to the confidentiality, accessibility, and integrity of ePHI, including evolutions in malware, ransomware, social engineering scams, and other threats, as well as the increase in mobile devices that access and store ePHI, expanded use of remote/mobile workstations, and greater reliance on electronic and cloud-based data systems. 

Among other updates, the Proposed Rule seeks to eliminate the current distinction between “required” versus “addressable” implementation specifications and standards under HIPAA. With the elimination of this distinction, applicable specifications and standards under HIPAA will not be regarded as “optional.” Instead, covered entities/business associates will be required to adhere to applicable specifications/standards requirements or document why such adherence is not reasonable and necessary. The Proposed Rule is also aimed at resolving inconsistencies in regulatory language and misinterpretations of the intended meanings of regulations by healthcare providers, courts, and others. In proposing these updates, DHHS expresses its belief that new/modified requirements should not significantly impact regulated entities that have remained current on maintaining and protecting ePHI and other sensitive data consistent with industry standards, as such requirements are intended to reflect the evolution of such standards since the most recent updates to HIPAA regulations in 2013. Beyond the updates above, other key proposals include updates to:
1. Administrative Safeguards (45 C.F.R. § 164.308)

   Covered entities are to:

   a. Develop a written inventory of systems and technology that may affect the confidentiality, integrity, and availability of ePHI, as well as a network map covering the movement of ePHI through applicable systems, both to be reviewed and updated (as appropriate) once every 12 months or when there are operational changes.
   b. Conduct an analysis relating to risks, vulnerabilities, and potential threats affecting ePHI, to be reviewed and updated (as appropriate) once every 12 months or when there are operational changes. This includes the development of a written assessment of risks and vulnerabilities, an assessment of applicable/available security measures, and an assessment of the likelihood and impact of potential threats. Beyond such analyses, additional requirements reference the need to review broader policies (e.g., with respect to organizational risk management, sanctions of noncompliant workforce members, system activity/audits, workforce security, access management, security incident response, and contingency plans) at least every 12 months as well, with modifications as necessary.
   c. Identify, prioritize, install, and evaluate “patches,” updates, and upgrades to address known vulnerabilities in electronic systems, to be reviewed at least every 12 months. Further, patches are to be implemented within 15 days of identifying the need for a “critical” update or within 30 days of identifying an update necessary to address a “high risk.”
   d. Train and educate workforce members on security policies and procedures, with ongoing reminders and training to ensure awareness of emerging malware, social engineering, and other threats.

2. Physical Safeguards (45 C.F.R. § 164.310)

   Covered entities are to:

   a. Develop written policies and procedures on physical access to and safeguards of ePHI and enterprise electronic information systems, facilities, workstations (including those that are mobile), and devices (for all technology assets that maintain ePHI), to be reviewed and tested at least every 12 months.
   b. Test facility access controls at least every 12 months.

3. Technical Safeguards (45 C.F.R. § 164.312)

   Covered entities are to:

   a. Implement and maintain secure baselines for electronic information systems/technology assets, including by appropriately updating software to resist malware/cyber threats. Covered entities must also remove software that is extraneous/no longer in use and disable network ports as appropriate to resist threats/address vulnerabilities.
   b. Implement technical controls to verify the identity of applicable users and technology assets before providing access to electronic information systems, including ensuring unique passwords and multi-factor authentication among users.
   c. Implement automated vulnerability scans and penetration testing of electronic information systems.
   d. Ensure that backups of ePHI are no more than 48 hours older than current ePHI data and that technical controls are implemented to monitor and alert workforce members of applicable system failures in real time.
   e. Observe and adhere to broader requirements in connection with data access control, encryption/decryption, audit trail/system log controls, data integrity, and transmission security.

4. Organizational Requirements (45 C.F.R. § 164.314)

   Covered entities are to:

   a. Include within applicable business associate agreements a requirement that the business associate notify the covered entity of the activation of a contingency plan within 24 hours (this requirement is to be distinct from breach reporting requirements). This requirement is in addition to further proposed updates under 45 C.F.R. § 164.308 (Administrative Safeguards) that business associates be required to provide written verification of having implemented applicable technical safeguards at least every 12 months, such verification to include analysis of business associate information systems.

What this Means for Healthcare Providers

The above points do not include all updates noted under the Proposed Rule. Healthcare providers are encouraged to review the Proposed Rule, in particular Sections IV.D.3., IV.E.3, IV.F.3, and IV.G., which outline the updates noted above. Additional information regarding the Proposed Rule is available on the DHHS website at: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html. Providers may also find it helpful to consult the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0, which includes comprehensive information and resources relating to industry best practices for protecting sensitive electronic data and is available here: https://www.nist.gov/cyberframework (note that DHHS used the NIST Framework as a significant reference in developing requirements outlined under the Proposed Rule).

If you have questions about the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Health Regulation or ensuring compliance with applicable HIPAA regulations, please contact krene@whitefordlaw.com.

The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.