HHS proposes HIPAA Security Rule changes

The proposed HIPAA Security Rule updates provide specific instructions for safeguarding ePHI, preventing data breaches and maintaining compliance.

The HHS Office for Civil Rights proposed modifications to the HIPAA Security Rule to address the increasing frequency of cyberattacks in the sector and enhance security requirements for covered entities and their business associates. The proposal signifies the most substantive updates to the HIPAA Security Rule in over a decade.

In its unpublished notice of proposed rulemaking (NPRM), set to publish on Jan. 6, 2025, HHS noted that significant changes in technology paired with evolving data breach and cyberattack trends were among the reasons why it chose to pursue updates to the HIPAA Security Rule.

While voluntary guidance like the Health Industry Cybersecurity Practices publication and HHS' own cybersecurity performance goals (CPGs) has been helpful, HHS said it did not believe that those documents would remain "sufficiently instructive" for helping covered entities maintain Security Rule compliance. Even so, many of the proposals within the NPRM align with the CPGs, as experts predicted.

Among the proposed changes is a requirement that healthcare organizations develop and maintain, on an ongoing basis, a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the covered entity's information system.

Additionally, the proposed rule championed more specificity when it comes to conducting a risk analysis. As HIPAA stands now, there is no specific methodology that covered entities must use to conduct a risk analysis. The proposed changes would require a written assessment that specifically includes a review of the technology asset inventory and network map, identification of all anticipated threats to ePHI and an assessment of the risk level for each identified threat and vulnerability.

Notably, the NPRM also suggests removing the distinction between "required" and "addressable" implementation specifications in order to make all specifications required.

What's more, HHS proposed requiring the use of multifactor authentication, network segmentation, vulnerability scanning at least every six months and antimalware protection. Under the proposal, covered entities would have to conduct a compliance audit at least once every 12 months, and business associates would have to confirm in a written certification, at least once every 12 months, that they have implemented the required technical safeguards.

The proposed changes are more prescriptive than the current iteration of the HIPAA Security Rule, providing more direct instruction for how providers, health plans and business associates can better protect ePHI and ensure HIPAA compliance.

"The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety," Andrea Palm, HHS deputy secretary, said in an accompanying press release.

"These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient."

Once the NPRM is published in the Federal Register, stakeholders will have 60 days to submit comments on the nearly 400-page proposal, all of which will be considered before HHS issues its final rule. As rulemaking continues, covered entities are expected to continue complying with the current HIPAA Security Rule.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.