On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to enhance cybersecurity protections under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The proposed updates address growing cyber threats and ensure better protection of electronic protected health information (ePHI) managed by covered entities and their business associates.
Background on the HIPAA Security Rule
The HIPAA Security Rule establishes national standards for safeguarding ePHI. The NPRM builds on existing frameworks by integrating updates aligned with evolving cybersecurity challenges and supports President Biden’s National Cybersecurity Strategy to enhance the resilience of critical infrastructure sectors, including healthcare.
Key Proposed Changes
The NPRM includes several significant updates aimed at strengthening cybersecurity practices:
- Uniform Implementation Standards
  - Eliminates the “required” vs. “addressable” distinction for implementation specifications, making all specifications mandatory with limited exceptions.
- Comprehensive Documentation
  - Mandates written policies, procedures, plans, and analyses for Security Rule compliance.
- Enhanced Risk Analysis Requirements
  - Requires detailed written assessments that include asset inventories, network maps, identified threats, vulnerabilities, and risk levels.
- Incident Response and Contingency Planning
  - Establishes a 72-hour recovery period for electronic systems following incidents.
  - Introduces written incident response plans with ongoing testing and revision requirements.
- Annual Compliance Audits
  - Requires regulated entities to conduct annual audits to ensure Security Rule compliance.
- Specific Technical Controls
  - Encryption of ePHI in transit and at rest (limited exceptions).
  - Deployment of anti-malware, multi-factor authentication, and network segmentation.
  - Regular vulnerability scanning and penetration testing.
- Increased Accountability for Business Associates
  - Mandates annual certifications by business associates and subcontractors to verify technical safeguards.
  - Requires notification of covered entities within 24 hours of contingency plan activation.
- Health Plan-Specific Measures
  - Group health plans must align their documents with the Security Rule’s safeguards and promptly notify plans of contingency plan activations.
Call for Stakeholder Engagement
OCR emphasizes the importance of public participation in shaping the proposed updates. Stakeholders, including healthcare providers, patients, advocacy groups, and government entities, are encouraged to submit comments via regulations.gov.
The NPRM’s comment period is open for 60 days following its publication in the Federal Register. Additionally, HHS plans to host a Tribal consultation meeting to gather input. View the NPRM below to submit a formal comment.
Why This Matters
The proposed updates reflect a robust effort to address escalating cybersecurity risks in the healthcare sector. By mandating more specific and comprehensive safeguards, the rule aims to fortify the confidentiality, integrity, and availability of ePHI in an increasingly digital world.
For more details on the proposed rule and to submit comments, visit the Federal Register site.