On December 27, 2024, the Department of Health and Human Services (“HHS”) proposed substantial revisions to the 20-year-old HIPAA Security Rule. Comments on the proposal will be due within sixty days of its publication in the Federal Register. In justifying its modifications, HHS notes that the changes are motivated in part by an increase in large breaches (from 2018-2023, the number of individuals affected by large breaches increased by 1002%) and in particular by the impact of hacking and ransomware. HHS also notes that, based on reported breaches and the agency’s audits, it does not believe the regulated community has implemented the current Security Rule effectively.
Unsurprisingly, the proposed changes to the rule therefore include many risk mitigation measures, such as vulnerability scans, penetration testing, and multifactor authentication (“MFA”), as well as enhancements to existing requirements, including incident detection and response, system logging and monitoring, and contingency planning.
Highlights of the Proposal
The proposal is substantial, including multiple new requirements and modifications to almost every current requirement. The changes also significantly expand the scope of the rule. Some highlights:
- Detailed new requirements to create and maintain system inventories and network maps.
- New and expanded assessment requirements, including a new annual compliance audit requirement and enhanced evaluation and risk analysis requirements.
- Significant expansion of technical safeguards including new patch management, MFA, vulnerability scanning, penetration testing, malware controls, and network segmentation, with enhancements to audit logging and encryption. New requirements to remove “extraneous” software and disable network ports.
- More robust requirements related to training, incident response, and contingency planning, including specific timing related to each.
- Significantly more engagement on risk posed by business associates, including adding a new business associate verification process that will require submission of documentation, explicitly including this verification in the regulated entity’s risk analysis, and adding a new requirement for business associate agreements regarding contingency planning. This modification requires amendments to all business associate agreements.
A more detailed list of new or modified requirements is included at the end of this post.
Will this Proposal Ever Become Effective?
This proposal was made by the outgoing Biden Administration so there is some doubt about whether the incoming Trump 2.0 Administration will prioritize it or retain all of these modifications. However, it would be appropriate to take the proposal seriously for two key reasons:
First, during the Trump 1.0 Administration, security-related enforcement by HHS continued in earnest and was similar in nature to the security priorities (Risk analysis! Risk mitigation! Repeat!) of both the prior and subsequent Democratic administrations. (Refer to HHS actions from 2017-2020 for Trump 1.0 enforcement priorities.) Notably, each of these administrations focused on lack of effective risk analyses and responsive risk management activities. This consistency implies that the Trump 2.0 Administration may continue on this path. Even if HHS does not adopt the rule as proposed, the measures indicate the type of risk mitigation activities that HHS expects to be effective, and many have already been featured in HHS guidance and enforcement under the current rule.
Second, the Security Rule has always incorporated a “flexibility of approach” that is intended to require security measures that may not appear explicitly in the rule but which are necessary to effectively protect ePHI. HHS has taken the position that the existing risk mitigation requirement essentially requires measures that do not appear in the rule, such as maintaining a complete inventory of assets storing ePHI. In its proposal, HHS reiterates this point of view, claiming that the proposed changes are not significant because many organizations would already have fulfilled these requirements. In fact, HHS asserts that all larger regulated entities would already have taken the step of closing network ports and removing extraneous software. That sentiment is important to note for current compliance efforts, whether or not these measures are implemented.
What Now?
Comments on the proposal are due within sixty days of the rule’s publication, which is anticipated to be January 6, 2025. If that date holds, comments would be due on or about March 7, 2025. If you would like to discuss the implications of this proposal, potential comments, or parallels to other data security requirements in current federal and state regulations, please contact a member of our team.
Details of the Proposal
The proposal intentionally does not adopt or endorse any current certification, but it does adopt concepts from the National Institute of Standards and Technology (“NIST”). Among other things, the proposal:
- Retains the “flexibility of approach” but removes the “addressable” concept, because HHS believes some in the regulated community treated addressable obligations as optional. Instead, the proposal applies explicit, narrow exceptions to some requirements. These exceptions are much more limited than the prior addressability approach.
- Introduces the concept “relevant electronic information systems,” defined as any system that “creates, receives, maintains, or transmits” ePHI or that “otherwise affects the confidentiality, integrity, or availability” of ePHI. This scope is significantly broader than the current rule, which primarily focuses on media storing ePHI and direct access to ePHI. HHS states this change is due in part to an outdated concept of “electronic materials” in the current rule, which essentially excepted certain aspects of telecommunications, including VoIP. If these changes are adopted, these aspects of information systems will fall within the scope of the Security Rule.
- Includes a new standard to maintain a “thorough written inventory” and “network map” of all information systems and technology assets that “may affect” the confidentiality, integrity, or availability of ePHI. The inventory should include the “identification, version, person accountable, and location of each technology asset.” The network map must “illustrate[] the movement of ePHI throughout” the environment. Updates are required at least every 12 months and when any new technology is adopted, following upgrades or patching, in response to new threats, in response to a sale or merger, and in response to a security incident.
- Adds a corresponding physical safeguard to address receipt and removal of assets storing ePHI from facilities.
- Expands the risk analysis standard to require an “assessment” as a prerequisite. The “assessment” embodies HHS guidance and enforcement patterns by explicitly requiring identification of threats, vulnerabilities, and applicable security measures and a determination of the likelihood, impact, and risk level of each threat.
- Introduces a requirement to verify that business associates have deployed technical safeguards in compliance with the technical safeguards section of the rule. This includes a specification to obtain a written verification from each business associate every 12 months that includes a written analysis by a person “with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods” and a written certification by a person with authorization to act for the business associate.
- Adds a new specification within the risk analysis requirement to assess the risks to ePHI of entering into or continuing a business associate contract with any business associate. The risk analysis would be based on a required, written verification from the business associate described above.
- Enhances required risk management documentation and processes, including an implication that proactive business associate mitigation is required due to the new verification and risk analysis requirements (i.e., if the business associate poses risk that remains unresolved by the verification process, mitigation will be required).
- Includes more detailed requirements related to sanctions, including review of the policy every 12 months.
- Includes a new “patch management” standard that requires evaluation of the criticality of patches, documentation of that determination, and mandates that critical patches be applied within 15 days and high-risk patches be applied within 30 days.
- Introduces a requirement to notify external parties within 24 hours of changes to workforce members’ access (relevant to remote access).
- Adds a network segmentation requirement to limit ePHI access to authorized workstations (both administrative and technical measures).
- Enhances training requirements with timing added (i.e., every 12 months, within 30 days of access to PHI, 30 days after material change to roles or policies).
- Enhances security incident testing and response processes.
- Introduces a new standard permitting external security officers. (Cue the sales pitches from assessors.)
- In addition to the “evaluation” standard, adds a new “compliance audit” standard that requires an audit to be conducted every 12 months.
- Requires more specific documentation of workstation use and attributes.
- Adds a new “authentication” standard that requires MFA for tech assets in the “relevant electronic information systems.” MFA would be required for ePHI access and also to change user privileges with respect to ePHI access. Some exceptions are provided for emergencies, medical devices authorized by the FDA for marketing, or technology that does not support MFA (but the proposal requires a written plan to migrate to technology that does support MFA). All the exceptions require documentation and compensating controls. MFA is defined in the proposal but, in short, seems to use the “something you know, something you have, something you are” standard.
- Includes a new “vulnerability management” standard that requires vulnerability scanning every 6 months and a penetration test every 12 months.
- In addition to current access controls and new measures summarized above, implements a mysterious “data controls” specification that requires “Deploy[ment of] technical controls to allow access to electronic protected health information only to those users and technology assets that have been granted access rights to the covered entity’s or business associate’s relevant electronic information systems.” HHS does not provide much insight on its expectations for this new requirement, but states that regulated entities would need to distinguish between users and technology assets that are permitted to access the “relevant electronic information systems” and those that are not permitted to do so.
- Confirms that encryption of data in transit and at rest is no longer “addressable,” in keeping with the removal of that concept, but a series of exceptions is provided, similar to those noted above for MFA. In addition, the exception for individuals receiving PHI in response to an access request would be codified but, importantly, regulated entities are not in compliance if they do not also advise the individual of the security risks. Currently, this concept operates more as a safe harbor.
- Includes a new standard for “configuration management” that includes technical malware protection, removal of “extraneous” software, and disabling network ports and configuring assets in keeping with the risk analysis findings.
- Adds more robust and detailed audit log requirements that are reminiscent of NIST’s Cybersecurity Framework.
- Mandates an amendment to business associate contracts that requires notice to covered entities within 24 hours of activating their contingency plan. Get ready to update every BAA. Again.
- Introduces a new specification requiring safeguards to separate the plan sponsor (employer) from workforce engaged in plan administration and requires fairly substantial revisions to plan documents.