Proposed HIPAA Security Rule Updates — Implications for Covered Entities and Their Information Security Programs
At a Glance
- If finalized in its current form, the Proposed Rule would require covered entities — health plans, health care clearinghouses and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard — to take significantly more responsibility in establishing and maintaining robust defenses against security risks.
- We summarize the major changes in the Proposed Rule.
- The Proposed Rule is open for public comment, and covered entities have until March 7, 2025, to submit comments.
On January 6, 2025, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a notice of proposed rulemaking (Proposed Rule) updating the Health Insurance Portability and Accountability Act Security Rule (HIPAA Security Rule) for the first time since 2013. The Proposed Rule aims to enhance the protection of electronic protected health information (ePHI) by addressing emerging challenges such as increased cybersecurity threats, changes in health care environments and common compliance deficiencies. If finalized in its current form, the Proposed Rule would require covered entities — health plans, health care clearinghouses and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard — to take significantly more responsibility in establishing and maintaining robust defenses against security risks. Below is a summary of the major changes.
Elimination of Distinction Between “Required” & “Addressable” Implementation Specifications
Currently, the HIPAA Security Rule distinguishes between “required” and “addressable” implementation specifications, offering flexibility to covered entities based on their specific circumstances, such as their risk analyses and available resources, to determine whether certain implementation specifications are reasonable and appropriate safeguards. The Proposed Rule would remove this distinction entirely. OCR has found that many covered entities misinterpret “addressable” to mean optional, leading them to skip implementing certain safeguards even when they would be reasonable and appropriate. OCR found this to be particularly concerning in light of the ongoing shift to an interconnected and cloud-based environment, and the notable rise in breaches of unsecured ePHI from both internal and external sources. By eliminating the distinction between “required” and “addressable” implementation specifications, the Proposed Rule clarifies that all implementation specifications are mandatory, with limited exceptions, ensuring that there is a baseline level of protection for ePHI.
Risk Analysis
While the current HIPAA Security Rule requires covered entities to conduct risk analyses, it does not specify the frequency or timing of these assessments. The Proposed Rule would address this by requiring covered entities to review, verify and update their risk assessments on an ongoing basis, and at a minimum once every 12 months and in response to a change in the covered entity’s environment or operations that may affect ePHI. Additionally, the Proposed Rule establishes eight new requirements for what must be included in risk assessments conducted by covered entities.
Technology Asset Inventory & Network Map
The Proposed Rule would require covered entities to maintain a written inventory of their technology assets and a network map for their electronic information systems that may impact the confidentiality, integrity or availability of ePHI. The inventory must include all technology assets, such as hardware, software, electronic media and data, which handle ePHI, along with those that may affect it, detailing each asset’s identification, version, responsible person and location. Additionally, the Proposed Rule would require covered entities to develop a network map that illustrates how ePHI flows through the entities’ systems, including its entry, exit and remote access points. Covered entities would be required to review and update both the inventory and map at least annually, or when changes occur that affect ePHI, such as adopting new technology, system updates, security incidents, or changes in laws or operations.
Compliance Audits, Penetration Tests & Vulnerability Scans
The Proposed Rule would require covered entities to perform and document an audit of their compliance with each of the Security Rule’s standards and implementation specifications at least once every 12 months. Additionally, the Proposed Rule introduces a new standard requiring covered entities to conduct vulnerability scans of their electronic information systems at least once every six months, and in alignment with the covered entity’s risk analysis, to identify technical vulnerabilities such as outdated software and missing patches. Once vulnerabilities are identified, assessed and prioritized, appropriate corrective actions must be taken, such as applying patches, hardening systems or retiring outdated equipment. In addition, the Proposed Rule mandates that covered entities conduct a penetration test at least once every 12 months.
Contingency Planning and Incident & Disaster Response
The Proposed Rule seeks to enhance the HIPAA Security Rule’s contingency planning requirements to ensure that covered entities can quickly recover from unforeseen events, including disasters and cyberattacks. Specifically, it would require covered entities to establish a written contingency plan that contains procedures for responding to emergencies affecting electronic information systems, and to create and maintain retrievable copies of ePHI backups. The Proposed Rule also requires covered entities to perform a criticality analysis to assess and document the relative importance of their electronic information systems and technology assets, including those not directly involved with ePHI, in order to determine their restoration priority. The Proposed Rule mandates that covered entities test the contingency plan annually. It would also require covered entities to restore critical systems and data within 72 hours and to follow their criticality analysis when restoring other systems.
Security Awareness & Training
The Proposed Rule contains a new standard for security awareness and training that requires covered entities to establish and implement security awareness training for all workforce members on the following key areas:
- Written policies and procedures required by the HIPAA Security Rule and necessary for workforce members to fulfill their roles
- Guidance on identifying and reporting security incidents such as malicious software and social engineering
- Written policies and procedures for securely accessing electronic information systems
Covered entities would be required to provide these trainings by the compliance date of the final rule and at least once every 12 months thereafter. Additionally, the Proposed Rule would require covered entities to provide security awareness trainings to new hires within 30 days of their access to the covered entity’s electronic information systems.
Other Requirements
Other notable requirements under the Proposed Rule include:
- Requiring the use of multifactor authentication by those seeking access to electronic information systems
- Implementing network segmentation to limit access to ePHI to those who are authorized and to reduce the risk of phishing and other breaches
- Encrypting all ePHI the covered entity maintains, as well as all ePHI it transmits (with limited exceptions)
- Reviewing all software on the covered entity’s electronic information systems and removing extraneous software that poses risks and is not necessary to its operations
Comment Period, Effective Date & Compliance Date
The Proposed Rule is open for public comment, and covered entities have until March 7, 2025, to submit comments. Once the Proposed Rule is finalized, it will take effect 60 days after its publication in the Federal Register. OCR has proposed a standard compliance date of 180 days after the effective date of the final rule.