Privacy & Information Security Law Blog

On December 27, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking (“NPRM”) to update the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The NPRM is intended to strengthen cybersecurity protections for electronic protected health information (“ePHI”) in light of increasing cybersecurity threats to the health care sector.

The NPRM, among other items, proposes requiring covered entities and business associates to  implement the following security measures:

• Encrypt ePHI at rest and in transit, with limited exceptions;
• Use multi-factor authentication (MFA), with limited exceptions;
• Implement network segmentation;
• Create written documentation of all Security Rule policies, procedures, plans, and analyses;
• Within 24 hours of a workforce member’s termination of or change in access to ePHI, notify other covered entities or business associates where the workforce member is or was authorized to access such ePHI;
• Develop (and update at least once annually) technology asset inventories and network maps illustrating the movement of ePHI through electronic information systems;
• Conduct more detailed risk analyses, including the (a) review of required technology asset inventories and network maps, (b) identification of threats to the confidentiality, integrity and availability of ePHI, (c) identification of potential vulnerabilities to electronic information systems, and (d) assessment of risk level for each identified threat and vulnerability;
• Strengthen security incident response plans and procedures, including by (a) implementing procedures to restore the loss of certain electronic information systems and data within 72 hours following an incident, (b) conducting an analysis of criticality of electronic information systems and technology assets to determine priorities for system and data restoration, (c) documenting how workforce members must report incidents to the covered entity or business associate, and (d) implementing written procedures to test and revise written security incident response plans;
• Conduct a compliance audit against the Security Rule’s requirements at least once annually;
• Implement technical controls for electronic information systems processing ePHI, including (a) the deployment of anti-malware protection, (b) the removal of extraneous software, and (c) the disablement of network posts in accordance with risk analysis results.
• Conduct vulnerability scans at least once every six months and penetration testing at least once annually;
• Review and test the effectiveness of certain security measures at least annually;
• Create separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
• For business associates:
  • Notify covered entities within 24 hours of activation of the business associate’s contingency plan in the event of an emergency or other occurrence that adversely affects electronic information systems that contain ePHI (including but not limited to security incidents); and
  • At least once annually, provide to covered entities a written certification by a subject matter expert that that the business associate has deployed technical safeguards required by the Security Rule to protect ePHI; and
• For group health plans: (a) include in plan documents requirements for plan sponsors to comply with the Security Rule, (b) require agents to comply with the Security Rule, and (c) require plan sponsors to report to group health plans within 24 hours after activation of their contingency plan.

The NPRM also proposes revising the Security Rule by:

• Creating specific compliance deadlines for certain existing requirements;
• Removing the distinction between “required” and “addressable” implementation specifications, to make all implementation specifications required with specific, limited exceptions; and
• Updating definitions and revising implementation specifications to reflect changes in technology and terminology (including the definition of “access” and “security incident”).

The unpublished version of the NPRM currently is available on the Federal Register website. The official NPRM is scheduled to be published on January 6, 2025. Once published, the public will have 60 days to comment on the NPRM.