Proposed HIPAA Security Rule Updates: A Summary
On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a proposal to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Since the last update in 2013, the healthcare industry has become almost entirely dependent on technology for patient care, prompting the need for modernization. Key drivers for this update include:
- The rapid adoption of healthcare IoT and connected medical devices.
- The increasingly widespread use of artificial intelligence (AI) and machine learning (ML) tools to analyze the large volumes of data generated in healthcare environments.
Background
HIPAA, originally passed in 1996, predates the widespread adoption of digital health technologies. At that time, most hospitals had not transitioned to digital records, and high-speed internet was rare. Over time, updates like the HITECH Act in 2009 and the Omnibus Rule in 2013 addressed technological advances and gaps in security requirements. However, the Security Rule has consistently lagged behind the rapid evolution of technology.
Announcement of Proposed Changes
The Notice of Proposed Rulemaking (NPRM) aims to strengthen protections for electronic protected health information (ePHI) against increasing cybersecurity threats in the healthcare sector. The full list of proposed changes is available on the HHS website in its Fact Sheet.
Many of the proposed changes reflect practices already adopted by larger healthcare organizations but may not yet be in place across all entities. Notably, what was previously considered “addressable” is now categorized as mandatory.
Key Proposed Changes
- Terminology Updates:
  - “Covered Entity” (CE) and “Business Associate” (BA) are now collectively referred to as “Regulated Entities” (RE).
  - Terms like “electronic media” have been updated to reflect technologies such as VoIP, telehealth, cloud computing, and AI.
- Requirement Standardization:
  - The distinction between “required” and “addressable” safeguards has been removed; all are now mandatory, with specific compliance deadlines.
- Asset and Data Tracking:
  - REs must maintain an updated inventory of all network-connected devices and a network map illustrating the flow of ePHI. Updates must occur annually or when new devices are added.
  - Entities must know where all PHI resides within their systems, including third-party platforms.
- Network Security:
  - Network segmentation between operational and IT networks is now required.
- Enhanced Testing and Risk Analysis:
  - Regular testing of security measures is mandated, including asset inventories, network mapping, and improved threat, vulnerability, and risk identification.
  - Regulated entities are required to conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Access Control and Incident Response:
  - Improved auditing of PHI access is required.
  - Enhanced business continuity, contingency planning, and security incident response capabilities must be implemented.
  - Multi-factor authentication is mandatory.
- Notification Timeline:
  - Subcontractors must notify Business Associates within 24 hours of a security incident, and Business Associates must notify REs within the same timeframe.
  - The NPRM specifies that regulated entities must notify certain parties within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- Encryption Requirements:
  - The proposal requires encryption of ePHI at rest and in transit, with limited exceptions.
- Compliance Audits:
  - Regulated entities must conduct a compliance audit at least once every 12 months to ensure adherence to the Security Rule requirements.
Impact on Healthcare Entities
If regulated entities are already in compliance with current HIPAA rules, we expect that only minimal updates will be required. However, OCR found that 94% of entities fail to implement sufficient risk management practices, indicating that most organizations have significant work to do. (Source: OCR report published December 2020.) It is reasonable to assume that smaller entities will face a steeper path toward compliance.
Intent of the Changes
The proposed updates aim to eliminate inconsistencies in the application of the Security Rule. Key objectives include:
- Removing ambiguities around “reasonableness” and “addressable” specifications, which often led to lax implementation.
- Requiring evaluations of the effectiveness of security controls to improve resiliency against threats like ransomware and denial-of-service attacks.
- Promoting robust disaster recovery and business continuity practices to reduce system downtime.
Preparing for the Updates
Depending on your current state, it may be important to focus on:
- Identifying and securing connected IoT and medical devices.
- Mapping data flows and ensuring proper segmentation of IT and operational networks.
- Enhancing risk assessments, security testing, and vulnerability remediation.
These updates address the growing imbalance between increasingly sophisticated cyber threats and underfunded healthcare security measures. By improving cybersecurity, these changes aim to protect patient safety, ensure healthcare availability, and reduce the risks associated with prolonged system outages.
With technology now central to patient care, robust security controls are critical to safeguarding healthcare operations in an increasingly digital world.
How Magister Business Advisors can help
MBA personnel have extensive experience with HIPAA and information security. We have implemented these types of requirements in healthcare and other environments and can assist you in becoming compliant. Let's discuss your specific needs. Call us at 760-759-5900.
More Reading
- HHS NPRM
- Reuters: Biden administration proposes new cybersecurity rules to limit impact of healthcare data leaks
- WSJ: Healthcare Providers Face Stiffer Cyber Rules Even as They Cry for Help