HHS OCR Proposes Updates to the HIPAA Security Rule to Respond to Emerging Threats

December 30, 2024

On Dec. 27, the Department of Health and Human Services (HHS) issued proposed updates to the HIPAA Security Rule to address evolving cybersecurity threats in healthcare. Introduced through a Notice of Proposed Rulemaking (NPRM) by the Office for Civil Rights (OCR), the substantial updates aim to enhance the protection of electronic protected health information (ePHI) while aligning the two-decade-old regulations with current technological advancements. These changes are especially crucial in a healthcare environment increasingly reliant on electronic health records (EHRs), online patient portals, telehealth platforms, and interconnected medical devices.

Since its adoption in 2003, the HIPAA Security Rule has served as the foundation for safeguarding ePHI. However, the healthcare landscape has changed dramatically with the rise of cyber threats like ransomware, phishing attacks, and hacking incidents that result in data breaches. OCR’s investigations into HIPAA compliance across the healthcare industry have also revealed significant inconsistencies, underscoring the need for updated regulations that provide clarity and enforceability.

Revisiting “Addressable” vs. “Required” Specifications

Among the most significant aspects of the proposed changes in the NPRM is the reconsideration of the distinction between “required” and “addressable” implementation specifications, a hallmark of the original Security Rule that has often caused confusion. Required specifications must be implemented as outlined, with no exceptions. Addressable specifications, on the other hand, give entities the flexibility to evaluate their feasibility and adopt alternative measures if implementing the original specification is deemed unreasonable or inappropriate. Mid-sized and small HIPAA-covered entities have often relied on this flexibility in their compliance efforts.

The NPRM proposes eliminating the concept of “addressable” implementation specifications and making all implementation specifications required, with limited exceptions. This includes reclassifying encryption of ePHI at rest and in transit as a required specification, reflecting its essential role in mitigating cyber risks and its widespread availability. Previously, entities could justify not using encryption if they documented their rationale and implemented alternative measures. The proposed change eliminates this flexibility, simplifying compliance expectations and reinforcing encryption as a baseline safeguard for ePHI. This same change would follow for other specifications under the rule, highlighting OCR’s desire to strengthen and simplify the Security Rule.

Strengthened Administrative Safeguards

The NPRM introduces several enhancements to administrative safeguards to address modern security risks. Comprehensive risk analysis remains a cornerstone of HIPAA compliance, but the proposed updates add specificity to these requirements. Entities will be required to maintain a detailed inventory of all technology assets that interact with ePHI and map how ePHI flows within their systems. This mapping ensures visibility into where sensitive data resides and how it is accessed, helping organizations proactively identify and address vulnerabilities. The inventory and map would then be required to be reviewed every 12 months as part of an entity’s risk assessment and risk management processes.

Incident response planning is also emphasized. Entities must develop robust written plans that include protocols for detecting, containing, and recovering from cyberattacks or breaches. These plans should be regularly updated to align with emerging threats and best practices. Workforce training requirements are also expanded under the NPRM, with a focus on providing comprehensive and role-specific education. These programs must address unique vulnerabilities tied to specific job functions and be updated regularly to combat threats like phishing and social engineering.

Strengthened Physical and Technical Safeguards

Physical and technical safeguards also receive significant attention in the NPRM. To secure ePHI, physical access to facilities and devices must be tightly controlled through advanced measures such as biometric authentication, badge systems, and video surveillance. These controls aim to protect ePHI from unauthorized access, theft, or tampering.

The NPRM proposes a definition of the term “multi-factor authentication” (MFA) that entities would be required to apply when implementing the proposed rule’s specific requirements for authenticating users’ identities. Under that definition, authentication must verify at least two of three categories of factors of information about the user (for example, a password combined with a biometric) to secure access to systems containing ePHI. Additionally, the NPRM encourages using advanced threat detection tools like intrusion detection systems, AI-powered anomaly detection, and real-time breach alerts to proactively address security risks.

Addressing Challenges for Small and Rural Providers

HHS recognizes the unique challenges faced by smaller healthcare providers, particularly those in rural and tribal areas, where resources for implementing complex security measures are often limited. The NPRM seeks to provide scalability, allowing entities to implement solutions proportional to their size and complexity. Tailored guidance and tools are expected to support these providers, and regional collaborations are encouraged to pool resources and expertise for improved cybersecurity.

Implications for Stakeholders

For healthcare providers and business associates, the proposed updates necessitate significant investment in technology, training, and compliance infrastructure. Allocating budgets for tools like encryption and MFA, revising and drafting policies and procedures, and updating vendor contracts to ensure alignment with new standards are critical steps. Failure to comply with these updated requirements could lead to stricter enforcement actions and penalties. Fortunately, the proposed changes also remove some of the guesswork needed to comply with the Security Rule, making the areas where investment is needed easier to identify.

Patients stand to benefit significantly from the proposed changes, as stronger protections for sensitive health information can help rebuild trust in healthcare systems. By reducing the frequency and severity of breaches, the NPRM supports greater patient engagement and the adoption of digital health technologies. Regulators, equipped with clearer enforcement guidelines, will be better positioned to ensure compliance and address violations effectively.

Alignment with Broader Cybersecurity Efforts

The proposed updates align with national and international cybersecurity frameworks, including the NIST Cybersecurity Framework and the General Data Protection Regulation (GDPR). These alignments position the U.S. healthcare sector as a global leader in data security while promoting best practices like continuous monitoring, risk management, and strong encryption.

Implementation Timeline and Next Steps

The NPRM is to be published in the Federal Register on Jan. 6, 2025, after which a 60-day public comment period will follow. The final rule will take effect 60 days post-publication. Entities will have 180 days to achieve compliance, with additional time provided to update business associate agreements. The NPRM encourages stakeholders to provide feedback on the practicality and cost-effectiveness of the proposed changes during the comment period.

Conclusion: A Necessary Evolution in Cybersecurity

The proposed updates to the HIPAA Security Rule represent a critical step forward in securing ePHI against today’s sophisticated cyber threats. By reclassifying key specifications, enhancing safeguards, and providing greater clarity for compliance, the NPRM builds a robust framework for protecting both patients and providers. While these changes may pose challenges for some organizations, they are an essential evolution in safeguarding sensitive data in an increasingly digital world. As healthcare continues its digital transformation, these updates underscore the importance of cybersecurity as a cornerstone of quality care and public trust. Investment in a strong cybersecurity posture up front will prove valuable and ultimately save the entire healthcare industry in the long run.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.