3 things to know about proposed HIPAA Security Rule updates
New processes, cost of implementation and whether the proposed updates to the HIPAA Security Rule will stick are top-of-mind for industry experts.
In December 2024, HHS proposed substantive modifications to the HIPAA Security Rule for the first time in over a decade. Significant changes in technology paired with increasing cyberthreats across the sector drove the department to propose new cybersecurity requirements and clarify existing ones.
The nearly 400-page notice of proposed rulemaking (NPRM) contains a multitude of provisions that could change a covered entity's obligations under HIPAA.
For example, the NPRM suggests requiring that covered entities conduct annual HIPAA Security Rule compliance audits, develop an asset inventory and network map that tracks the movement of electronic protected health information (ePHI) and strengthen risk analysis protocols.
Additionally, the NPRM adds specific compliance time periods for several existing HIPAA requirements, mandates the use of network segmentation and multifactor authentication, and requires business associates to verify their use of technical safeguards annually.
The NPRM will undergo a public comment period and revisions before the rule is finalized. In the meantime, healthcare cybersecurity leaders and compliance experts are busy deciphering the proposed rule's many provisions and what they might mean for security and compliance efforts in the future, if approved.
Here are three high-level takeaways that can help healthcare leaders digest the proposed HIPAA updates and prepare for what's to come.
HIPAA will become more prescriptive
The HIPAA Security Rule, as it stands today, is known for its flexibility. The rule contains "addressable" and "required" implementation specifications. With addressable implementation specifications, covered entities have the option of addressing certain controls in different ways depending on the nature of their data, the size of their organization and other limiting factors.
The NPRM signifies a departure from this flexibility toward a more prescriptive set of controls by eliminating the distinction between addressable and required implementation specifications.
"They basically get rid of the addressable component and say everything's required," said Michael Madderra, an associate at Morgan Lewis who counsels on HIPAA compliance.
"But when you look closer at today's rule as it sits now, an addressable component is still required. All it means is that an entity has some flexibility if they implement it in a slightly different way than the rule contemplates so that they can achieve the same security protections. So, some of what this proposed rule is doing is clarifying and simplifying what the rule is already intending to provide for."
Tara Cho, partner at Womble Bond Dickinson and chair of the firm's privacy and cybersecurity team, noted that the proposed changes would introduce more prescriptiveness to HIPAA by way of concrete timelines and designated frequency and specificity of select cybersecurity controls.
For example, the proposed rule calls for required vulnerability scanning at least every six months and penetration testing at least once every 12 months. No such timelines for these activities exist in the current iteration of the HIPAA Security Rule.
"However, the interesting result is that many organizations who have historically aligned with the existing Security Rule would likely already be maintaining these controls," Cho said.
"In other words, in today's digital healthcare infrastructure, most organizations already encrypt ePHI, deploy pen testing, vulnerability scans, disaster recovery testing, HIPAA training and other measures. However, the proposed rules take those industry norms and standards and turn the 'flexibility of approach' concept into concrete requirements."
Even though the exact specifications could change after the comment period, the proposed rule firmly established HHS' intention to clarify and strengthen the cybersecurity controls required to remain HIPAA compliant.
HIPAA compliance implementation costs are top-of-mind
HHS acknowledged that implementing the variety of new processes mentioned in the proposed rule will come with upfront costs for covered entities.
In the NPRM, HHS estimated that the first-year costs will total approximately $9 billion. Years two through five will cost the sector an estimated $6 billion per year.
"That's a large figure, but HHS has also said that they anticipate that the figure will be offset by the benefits of implementing the new Security Rule," Madderra said.
Specifically, the NPRM suggested that "if the proposed changes in the NPRM reduce the number of individuals affected by breaches by 7 to 16 percent, the revised Security Rule would pay for itself."
However, Madderra noted that cyberthreat actors have a history of adapting to the threat landscape and continuing to perpetrate cyberattacks, even as defense improves.
"The idea that a reduction in cyberattacks will actually offset that cost remains to be seen," Madderra said.
HHS said that it does not expect the cost of compliance to be significant for small entities, nor should these costs disproportionately affect small entities.
Beth Pitman, healthcare partner at Holland & Knight, suggested that the proposed safeguards, including updates to business associate agreements (BAAs) and business associate audits, will increase the administrative burden and costs for providers.
"Both the cost and implementation estimate by HHS are unrealistic. Implementation of the proposed requirements, such as revision and execution of BAAs and new auditing requirements, will require significantly more time and resources," Pitman said.
"For small organizations, such as critical access hospitals and rural providers, already resource-strained, additional time and assistance will be needed. It will be interesting to see how HHS steps up with meaningful assistance for these small providers."
While the exact number is uncertain and will vary greatly depending on entity type and existing security posture, covered entities can expect to take on some cost burden if the rule moves forward as written.
The future of the HIPAA proposed rule is uncertain
As stakeholders continue to dissect cost and implementation details, the future of the proposed rule itself remains uncertain.
HHS issued the NPRM in December 2024, toward the end of the Biden administration. Experts say that the new administration could choose not to continue pursuing HIPAA Security Rule updates, though the Trump administration has not made any formal statements on the matter.
"There's a lot of uncertainty right now as to whether the rule's going to stick," Madderra said.
"There's a new administration coming in, and so some of the major questions that I and others in the industry have are: Will the proposed rule continue and be implemented as it's currently written? Will it be modified? And if we do see modifications, are those going to be big or small, or are we going to see the rule scrapped entirely? Those are the big questions going forward."
Aside from the administration change, the 60-day public comment period will likely yield useful insight from the industry on how to improve the proposed rule.
"Given the complexity of the proposed rule and the great need for heightened security protections, the new administration should take time to give full consideration to comments from the healthcare industry," Pitman said.
With these comments in mind, the final rule could look different from the proposed one.
For now, HHS expects covered entities to comply with the HIPAA Security Rule as written. Madderra recommended that covered entities work to document existing processes and ensure compliance with HIPAA as it stands.
"Even looking further, conducting something that's not immediately required, like that data mapping, can provide downstream benefits," Madderra added. "Even if that does not become finalized in a rule, you can imagine having that system in place will promote trust in patients and the system, in that entity system as a whole."
The NPRM is open for public comments through March 7, 2025.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.