Organizations in the health care sector should be aware that changes to the HIPAA Security Rule may be on the horizon. Recently, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule focused on improving cybersecurity and protecting the health care system from the rapidly increasing number of cyberattacks.
The proposed rule would completely overhaul the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule for covered entities and business associates (together referred to as “regulated entities”). The proposed regulations eliminate much of the flexibility offered by the current rules and would involve a multitude of new regulatory requirements for entities dealing with electronic protected health information (ePHI).
A summary of the proposed rules is below. The public may submit comments on the proposed regulations until March 7, 2025. Importantly, the upcoming change in administration may impact the viability of the proposed regulations.
Background / OCR’s Justifications
The HIPAA Security Rule was enacted in 2003 and last amended in 2013. OCR pointed to this passage of time and the significant changes in technology as justification for revisiting the Security Rule. OCR cited changes in cyberbreach trends and the staggering number of cyberattacks in the health care industry as necessitating stricter rules and regulations for protecting the confidentiality, integrity, and availability of ePHI. OCR states that the proposed regulations will “enable regulated entities to identify, mitigate, and remediate the damage more quickly if there is a breach or other security incident, thereby reducing harm to individuals and the overall costs of such occurrences to regulated entities and to the U.S. health care system.”
Change in Standard: Required vs. Addressable
The proposed rules remove certain flexibility and discretion offered by the current Security Rule. Under the current rules, there is a distinction between “required” and “addressable” implementation specifications. For specifications that are “addressable,” regulated entities are permitted some degree of flexibility in determining the reasonableness and appropriateness of implementing safeguards based on their unique circumstances. This flexibility would largely be eliminated if the proposed rules are adopted as currently drafted, and instead, all implementation specifications would become required, subject to very limited exceptions.
Written Documentation Requirements
- Technology asset inventory and network map. All regulated entities would be required to maintain an accurate and thorough written inventory and a network map of their electronic information systems and technology assets that may affect the confidentiality, integrity, or availability of ePHI. The network map would need to track the movement of ePHI through the entity’s electronic information systems. Both the asset inventory and network map would need to be updated regularly (at least every 12 months and in response to certain changes).
- Risk Analysis. Regulated entities would be required to conduct a more detailed written assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted. The proposed rule points to eight specific factors that must be addressed in the risk analysis. The risk analysis would need to be revisited at least annually and following environmental or operational changes that impact ePHI. In addition, regulated entities would need to have a separate written plan that addresses how they plan to reduce the risks and vulnerabilities identified in the risk analysis.
- Compliance Audit. Separate from the risk analysis described above, all regulated entities would need to conduct an annual audit of their compliance with the standards and implementation specifications of the Security Rule.
- Contingency/Security Incident Response Plans. All regulated entities would need to adopt and implement robust contingency and security incident response plans. Specifically, regulated entities would need to have written procedures to restore certain electronic information systems and data that are lost, within 72 hours of a breach. A separate analysis would also need to be conducted and documented that evaluates the criticality of information systems and assets.
Technical Requirements – Regulated entities would be required to:
- Deploy multi-factor authentication, subject to limited exceptions.
- Encrypt ePHI at rest and in transit, except in limited situations.
- Conduct vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.
- Implement required configuration management controls (including deploying anti-malware protection, removing extraneous software, and disabling ports in accordance with a risk analysis).
- Use network segmentation.
- Establish new technical controls for maintaining backups of certain IT systems and reviewing/testing the effectiveness of these controls every 6 months.
Business Associates
- Business associates would be subject to a new requirement whereby they must notify covered entities within 24 hours upon activating a contingency plan. As such, all Business Associate Agreements (BAAs) currently in effect would need to be revised to include this requirement.
- Business associates would be required to provide annual written compliance reports, verifying compliance with the Security Rule, to each covered entity with which they have a BAA. The same requirement would apply to subcontractors. The reports would need to be prepared by a subject matter expert and include a written analysis of the relevant electronic information systems that meets certain criteria described in the proposed rules.
Organizational/Workforce
- Covered entities would need to adopt and implement a process to notify other regulated entities within 24 hours of when a workforce member's access to ePHI is terminated or changed.
- All regulated entities would need to implement sanctions policies.
- Regulated entities would need to incorporate new content into existing HIPAA/Security Rule training programs.
Health Plans
The proposed rules would require health care insurers and third-party administrators to revise health plan documents to require that health plan sponsors that receive ePHI (other than summary health information or disenrollment information) protect that ePHI with the administrative, physical, and technical safeguards detailed in the Security Rule, and that they notify their group health plans upon activation of the plan sponsors’ contingency plan.
If you have questions regarding HIPAA compliance or how these proposed regulations may impact your health care organization, please reach out to a member of the Michael Best health care team.