Understanding the HHS’s proposed modifications to HIPAA's Security Rule
Farah Amod January 02, 2025
On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposed updates to the HIPAA Security Rule to improve cybersecurity protections in the U.S. healthcare system. It marked the first revision of the Security Rule since 2013. The updates aim to address the increasing frequency and sophistication of cyberattacks, which have jeopardized patient safety.
How the changes impact the HIPAA Security Rule
The recent notice of proposed rulemaking (NPRM) by the Department of Health and Human Services (HHS) seeks to modify the HIPAA Security Rule to improve the cybersecurity of electronic protected health information (ePHI). The initiative arises from the increasing frequency and severity of cyberattacks on healthcare systems.
The proposed changes aim to address the growing number of breaches impacting large populations and the deficiencies observed in compliance investigations conducted by the Office for Civil Rights (OCR). The updates would introduce more in-depth requirements for risk management, including regular vulnerability assessments and adherence to best practices in cybersecurity.
The main changes
- The distinction between "required" and "addressable" implementation specifications will be eliminated, making all specifications mandatory with limited exceptions.
- Encryption of electronic protected health information (ePHI) at rest and in transit will be classified as a required specification, reinforcing its importance in cybersecurity.
- Organizations will need to maintain a detailed inventory of technology assets interacting with ePHI and map how ePHI flows within their systems, ensuring better visibility and risk management.
- Covered entities must develop comprehensive written plans for detecting, containing, and recovering from cyberattacks or breaches, with regular updates to align with threats.
- Training requirements will be broadened to include role-specific education on vulnerabilities relevant to particular job functions, focusing on combating threats like phishing.
- Organizations will need to implement advanced physical access controls, such as biometric authentication and video surveillance, as well as technical safeguards like multi-factor authentication.
- Business associates will be required to verify their technical safeguards annually through a written analysis by a subject matter expert.
- The NPRM promotes the use of tools such as intrusion detection systems and AI-powered anomaly detection to proactively address security risks.
How it impacts healthcare organizations
One of the most impactful aspects of the NPRM is the removal of the “addressable” specification category, which means all security measures will now be mandatory. Organizations are compelled to adopt comprehensive cybersecurity practices without exception. The shift places a greater responsibility on healthcare providers to implement security measures like mandatory encryption, which may require an increased investment in technology and training.
The NPRM also discusses the need for thorough risk assessments, including maintaining a detailed inventory of technology assets and mapping how ePHI flows in their systems. For smaller healthcare providers, particularly those in rural areas with limited resources, these changes could present challenges. The HHS has indicated that it will provide tailored guidance to help these entities comply effectively.
How healthcare organizations can ensure compliance
- Regularly assess risks to ePHI and maintain a detailed inventory of technology assets.
- Ensure that encryption for ePHI at rest and in transit is utilized and that multi-factor authentication is adopted for accessing sensitive systems.
- Create and regularly update written plans for detecting, containing, and recovering from cyber incidents or breaches.
- Provide role-specific training on cybersecurity best practices and vulnerabilities relevant to employees' job functions.
- Utilize tools such as intrusion detection systems and AI-driven analytics to monitor for potential security threats.
- Regularly evaluate and revise security policies and procedures to ensure they align with the updated regulations.
- Work with other healthcare providers to share resources and knowledge about cybersecurity practices, especially for smaller organizations.
- Actively monitor updates from the HHS regarding the finalization of the NPRM and participate in public comment periods to provide input.
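The inventory, ePHI flow map, and required controls described above, as an added example that is not part of the original article or any HHS material: a constructed asset inventory and flow map for a hypothetical clinic is checked for gaps against the three controls the NPRM would make mandatory (encryption at rest, encryption in transit, MFA for access to ePHI) and for assets that appear on an ePHI flow but are missing from, or mislabelled in, the inventory. All asset names and flows are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    handles_ephi: bool        # asset stores or processes ePHI
    encrypted_at_rest: bool
    mfa_required: bool


@dataclass
class Flow:
    src: str
    dst: str
    carries_ephi: bool
    encrypted_in_transit: bool


# Constructed sample inventory and flow map for a hypothetical clinic.
INVENTORY = {a.name: a for a in [
    Asset("ehr-db", True, True, True),
    Asset("billing-app", True, False, True),
    Asset("backup-nas", True, True, False),
    Asset("intranet-wiki", False, False, False),
]}
FLOWS = [
    Flow("ehr-db", "billing-app", True, True),
    Flow("ehr-db", "backup-nas", True, False),
    Flow("billing-app", "intranet-wiki", True, True),
    Flow("billing-app", "legacy-fax-gw", True, False),   # not in inventory
]


def find_gaps(inventory, flows):
    """Return human-readable findings; an empty list means no gaps found."""
    gaps = []
    for a in inventory.values():
        if a.handles_ephi and not a.encrypted_at_rest:
            gaps.append(f"{a.name}: ePHI not encrypted at rest")
        if a.handles_ephi and not a.mfa_required:
            gaps.append(f"{a.name}: ePHI reachable without MFA")
    for f in flows:
        if not f.carries_ephi:
            continue
        for end in (f.src, f.dst):
            if end not in inventory:
                gaps.append(f"{f.src}->{f.dst}: {end} missing from asset inventory")
            elif not inventory[end].handles_ephi:
                gaps.append(f"{f.src}->{f.dst}: {end} is on an ePHI flow but not inventoried as handling ePHI")
        if not f.encrypted_in_transit:
            gaps.append(f"{f.src}->{f.dst}: ePHI not encrypted in transit")
    return gaps


if __name__ == "__main__":
    for g in find_gaps(INVENTORY, FLOWS):
        print("GAP:", g)
```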
FAQs
What is the process of vulnerability assessment?
- The identification of assets
- Threat identification
- Vulnerability scanning
- Risk evaluation
- Prioritization
How do healthcare organizations approach addressable requirements?
Healthcare organizations approach addressable requirements by evaluating each specification's relevance to their specific circumstances.
How does an NPRM come into effect as part of legislation?
After publication, there is a period during which the public can submit comments on the NPRM. Once that step is complete, the final rule is issued and implemented.