Proposed Changes from the HHS to HIPAA Security Rule
Posted by: Dan Mengel
Author’s Note: This article discusses proposed changes to existing regulations. These changes are not in effect as of the date of this article and may themselves change significantly before inclusion in an interim or final rule. Monitor the official HHS and OCR websites for the latest information on publication specifics.
On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (45 CFR Parts 160 and 164). HHS has published a useful fact sheet summarizing the proposed changes (referred to as the Proposed Rule herein), but you are going to want to read the entire NPRM carefully. In it, HHS explains in depth its view of the current state of healthcare security, the patterns it has observed in healthcare cybersecurity incidents, and why it is proposing the changes described. HHS is accepting comments on the Proposed Rule through March 7, 2025.
The Proposed Rule represents a long-needed update to the Security Rule to align it with modern cyber security threats and remove loopholes. As all compliance standards should, it represents a reasonable minimum baseline, or starting point, for cyber security. Compliance does not equal security; it is a subset of security, a starting point, and a tool to move organizations toward a secure state commensurate with the risk appetite of their stakeholders, including the regulatory or contractual bodies issuing the standards.
Most of the proposed changes align the Security Rule with other common cyber security frameworks, which improves its effectiveness and should make it a little easier for organizations to fully comply. Indeed, NIST sources are cited frequently throughout the Proposed Rule. Key proposed changes are as follows.
- Ten new terms have been defined, and fifteen terms have been updated, to better align with modern technology and controls. Many of those terms have significant impact on the meaning and scope of the Rule components. For example, the new term “relevant electronic information system” explicitly and significantly extends the scope of the Rule to include not just those “technology assets” storing, processing, or transmitting ePHI, but those that “affect the confidentiality, integrity, or availability of ePHI.”
- The concept of “addressable” versus “required” has been removed. These terms have historically caused confusion: all components of the Rule have always been mandatory, but the means by which they were to be implemented could vary for “addressable” specifications. Several proposed specifications detail where alternative measures or compensating controls can be used and the conditions and requirements that apply to them.
- Technical controls must actually be implemented. Simply having policies and procedures in place is not sufficient.
- All actions, activities, and assessments required by the Security Rule must be documented.
- A technology asset inventory (with specific required data points) and a “network map” (network diagrams and ePHI data flow diagrams) must be documented, reviewed, and updated every 12 months and after any significant change.
- All controls must be reviewed and regularly tested at least every 12 months. A couple of controls mandate more frequent testing. Annual compliance audits and risk analyses are required.
- Multiple mainstream cyber security controls have been added, including vulnerability and patch management, multi-factor authentication (MFA), and continuous monitoring. Applicability of controls to “medical devices” is addressed.
- Annual verification of business associate compliance with the Security Rule and business associate agreements is required.
- Business resilience and incident management requirements are more specific and detailed.
- Several requirements include specific time periods within which certain activities must be completed under certain conditions. Examples include:
  - A terminated workforce member’s access to in-scope systems must be revoked within one hour after access authorization (employment, contract term, etc.) ends. (Yes, one hour.)
  - Patches deemed critical must be applied within fifteen (15) calendar days. Patches deemed high must be applied within thirty (30) calendar days.
  - In a disaster recovery scenario, systems deemed critical must be restored within 72 hours.
  - Copies of ePHI (made for BC/DR purposes) must not be more than 48 hours older than the corresponding live data.
It is very likely that you already have many of these controls in place for other compliance or risk reasons. All of these controls can materially contribute to mitigating unacceptable risk. Keep an eye on the rulemaking process as it unfolds and participate in the comment period if you can. GuidePoint Security can provide expert guidance with your HIPAA compliance efforts. GuidePoint offers HIPAA gap assessment, OCR-compliant risk assessment, and advisory services, delivered by consultants with operations backgrounds who understand how to apply the HIPAA requirements to your environment.
Dan Mengel
Practice Director, Compliance,
GuidePoint Security
Dan Mengel, Practice Director at GuidePoint Security, began his career in the security industry in 2000. He has delivered high-quality consulting services, directly and by leading others, in the areas of information security program architecture, security policy development, and security vulnerability, risk, and compliance assessments. He has developed sales and delivery processes and documentation templates for all of these engagement types. Dan is currently leading GuidePoint’s Compliance team in delivering assessment and advisory services for multiple information security standards. He also has significant prior experience designing and integrating security technology solutions from Cisco, Check Point, Websense, RSA, and others.
Dan earned a Bachelor of Science degree in Computer Information Systems from Goldey-Beacom College and holds several recognized information security industry certifications.