On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) issued a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed rule includes express requirements for Covered Entities when conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
- A review of the technology asset inventory and network map
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office of Civil Rights (HHS-OCR) has already begun to enforce these requirements on Covered Entities, including the imposition of fines and penalties against Covered Entities whose failure to implement the proposed requirements results in a data breach affecting their patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting an SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting an SRA, its product contains a disclaimer that use of the tool does not guarantee compliance with federal, state, or local laws.
Covered Entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting an SRA. At the same time, the methodology that an organization adopts may not be considered sufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event it is subject to a data breach and subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee this will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly what aspects of their SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.