
Alert for HIPAA Covered Entities and Business Associates: HHS Releases Proposed Amendments to HIPAA Security Rule

Client Updates / January 21, 2025

Written By: Guy Milhalter and Riya Anchi

On December 27, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking that, for the first time in over 10 years, would modify the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The proposed changes to the HIPAA Security Rule aim to strengthen cybersecurity protections for the U.S. healthcare system.

Rationale for Amending the Security Rule

A significant increase in cyberattacks and breaches of healthcare infrastructure led OCR to propose modifications to the Security Rule for the first time in over a decade. Based on findings from the HHS Breach Portal, between 2018 and 2023 the number of reported breaches of unsecured protected health information (PHI) increased by 100%, and the number of individuals affected by such breaches increased by a staggering 950%. Over the same period, cyberattacks using hacking and ransomware increased by 260% and 264%, respectively. Per OCR’s 2022 annual report, approximately three-fourths of the large data breaches of unsecured PHI in 2022 (breaches affecting 500 or more individuals per incident) resulted from hacking of electronic equipment or network servers. In 2023, a record-breaking 160 million individuals were affected by large breaches involving PHI, and OCR expects the 2024 number to be higher.

In recognition of the significant threat to patients posed by the substantial increase in the frequency and sophistication of attacks on healthcare entities, OCR has issued a notice of proposed rulemaking to enhance the protections the Security Rule provides to patients. Among other measures, the modifications include: updated definitions and revised implementation specifications; new and more specific requirements for conducting risk analysis; enhanced requirements for contingency plans and incident response; annual compliance audits for “covered entities” and “business associates”, which are the regulated entities under HIPAA; new notification requirements for changes in workforce members’ access to electronic PHI; encryption requirements for electronic PHI; required use of multi-factor authentication, vulnerability scans every six months and annual penetration tests; and deployment of technical controls for configuring relevant electronic information systems and for backup and recovery of those systems.

Summary of Modifications to the Security Rule

1. No Distinction between “Required” and “Addressable” Implementation Specifications

Currently, the Security Rule requires regulated entities to comply with certain administrative, physical and technical safeguard standards, and with certain implementation specifications, some of which are deemed “required” while others are deemed “addressable”. Regulated entities must implement required specifications, whereas addressable specifications need be implemented only if it is “reasonable and appropriate” for the regulated entity to do so. If it is not reasonable and appropriate, the regulated entity must document the reason and implement an equivalent alternative measure that is reasonable and appropriate.

OCR concluded that regulated entities often misinterpret the “addressable” implementation specifications as optional, which leads them not to adopt implementation specifications where it would have been reasonable and appropriate for them to do so. In order to eliminate such misunderstandings and to increase protection of electronic PHI, OCR has proposed removing the distinction between “required” and “addressable” implementation specifications.

Therefore, under the new proposed rule, all implementation specifications would be required, subject to certain exceptions. Regulated entities would no longer need to analyze whether an addressable specification is reasonable and appropriate before implementing the specification. Instead, all implementation specifications would be mandatory. However, OCR clarified that while implementation would be mandatory, the manner in which regulated entities implement the measures is left to the entities’ discretion. Accordingly, regulated entities would still have the flexibility to choose how they implement solutions based on their particular circumstances and needs.

2. Technology Asset Inventory and Network Maps

The existing security management process at 45 CFR 164.308(a)(1) would be modified to require regulated entities to maintain an inventory of all their technology assets that may affect the confidentiality, integrity, or availability of electronic PHI. This includes technology infrastructure that creates, receives, maintains or transmits electronic PHI.

Further, regulated entities would be required to create a network map that would reflect the flow of electronic PHI through their technology assets. A network map would show where each of the technology assets that affect electronic PHI is located.

Regulated entities would also be required to review and update the inventory and network map at least once every 12 months and whenever there is a change in the regulated entity’s operations, such as the adoption of new assets or the upgrade of existing assets, a merger or consolidation involving the regulated entity, bankruptcy, or a security incident affecting electronic PHI.

3. Notification of Activation of Contingency Plans

Under 45 CFR 164.308(a)(7) (Administrative Safeguards – Contingency Plan), regulated entities are currently required to maintain a contingency plan that includes procedures for responding to an incident that damages infrastructure containing electronic PHI. The proposed 45 CFR 164.314(a)(2)(i)(D) would require a business associate to notify the covered entity, or a subcontractor to notify the business associate, of activation of its contingency plan without unreasonable delay, but in no event later than 24 hours after activation. This does not alter a regulated entity’s obligations under the Breach Notification Rule. It must be noted that the covered entity, or business associate, does not need to be notified of the cause of the contingency plan activation, only that the contingency plan has been activated. Similarly, plan sponsors would be required to provide group health plans notice of activation of their contingency plan within 24 hours of the activation.

4. Documentation Requirements

45 CFR 164.316 requires regulated entities to maintain written policies and procedures with respect to the administrative, physical and technical safeguards of their information systems. The proposed modifications would require regulated entities to explain how they considered the relevant factors in developing such policies and procedures. Relatedly, regulated entities would also be required to document all of the actions, activities and assessments they have undertaken to comply with the Security Rule.

HHS has also proposed time limits for the documentation requirements. Under the proposed rule, regulated entities would be required to update their documentation at least annually and within a reasonable time after a security measure is modified.

Applicability

The proposed rule is open for public comment until March 7, 2025. Following the public comment period, HHS will issue a final rule, which will then become effective. Regulated entities will have 180 days from the effective date to comply with the modified standards unless a later compliance date is specified.

The proposed rule, if finalized, would initially require significant operational adjustments and potential cost increases for business associates and covered entities. However, HHS believes that these measures would ultimately lead to enhanced information protection in the healthcare industry and a reduction in data breaches over time.
