For the first time in 11 years, the US Department of Health and Human Services (HHS) has proposed updating the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Proposed Rule, to be published on January 6, 2025, aims to “increase the cybersecurity” for electronic protected health information (ePHI) by addressing the changing healthcare environment, increased frequency of breaches and cyberattacks, common compliance deficiencies observed by the HHS Office for Civil Rights, and other relevant changes to the legal landscape such as court decisions and best practices. Comments to the Proposed Rule are due March 7, 2025.
The Proposed Rule makes a number of significant changes to the Security Rule (Security Standard for the Protection of Electronic Protected Health Information), including the following:
- Revises and clarifies definitions
- Removes the distinction between “required” and “addressable” implementation specifications
- Adds compliance time periods and documentation requirements
- Includes specific details on risk analysis requirements
- Implements notice requirements for workforce access termination status changes
- Revises requirements for contingencies and security incident responses
- Mandates new security controls, including encryption of ePHI at rest and in transit and the required use of multi-factor authentication
For example, HHS observed that “some regulated entities proceed as if compliance with an addressable implementation specification is optional—and that where there is an addressable implementation specification, that compliance with the relevant standard is also option. This interpretation is incorrect.”
Indeed, as currently written, 45 CFR § 164.306(d) states that “addressable” implementation specifications must be implemented if doing so is “reasonable and appropriate,” or the entity must document why implementing an addressable specification is not reasonable and appropriate and “implement an equivalent alternative measure if reasonable and appropriate.”
The Proposed Rule aims to strengthen security standards by clarifying for regulated entities that all implementation specifications of the Security Rule are required unless an exception applies. As HHS writes:
We believe that compliance with the implementation specifications currently designated as addressable is not—and should not be—optional, particularly in light of the shift to an interconnected and cloud-based environment and a significant increase in the number of breaches of unsecured PHI from both internal and external actors, regardless of the regulated entity’s specific circumstances.
HHS has released a high-level fact sheet summarizing major proposed changes to the Proposed Rule in advance of its publication. Given the breadth of these proposed changes, covered entities, business associates, and HIPAA compliance professionals alike will need to familiarize themselves with the new rules and requirements.
HHS estimates that the first-year cost of the Proposed Rule will total approximately $9 billion, with annual costs of $6 billion for years two through five (rounded to $34 billion over five years). These costs are associated with compliance activities for regulated entities and health plan sponsors. Nonetheless, HHS explained that the changes in the Proposed Rule “would likely reduce the number of breaches of ePHI and mitigate the effects of breaches that nonetheless occur. The break-even analysis estimates that if the proposed changes in the NPRM reduce the number of individuals affected by breaches by 7 to 16 percent, the revised Security Rule would pay for itself.”
[View source.]
