The U.S. Department of Health and Human Services (HHS) recently released a proposed rule to better protect electronic health data from cybersecurity threats. The proposed rule would apply to health plans, healthcare providers, healthcare clearinghouses, and their business associates, such as billing companies, third-party administrators, and pharmacy benefit managers.
Quick Hits
- HHS has proposed a rule to shore up cybersecurity protections for electronic health records under the Health Insurance Portability and Accountability Act (HIPAA).
- The new rules would apply to HIPAA-regulated entities, such as healthcare providers, hospitals, and others that handle electronic medical data.
- The public can submit comments on the proposed rule until March 7, 2025.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has not undergone a major overhaul since 2013. However, in response to rising cybersecurity threats across the healthcare industry, on January 6, 2025, HHS published a proposed rule that would update and bolster cybersecurity protections for personal health information that’s collected by healthcare providers, hospitals, insurers, and other companies. The public has until March 7, 2025, to submit comments on the proposal.
If finalized, these changes would apply to all HIPAA-covered entities and their business associates, imposing stricter requirements around risk assessments, data encryption, multifactor authentication, and more. Importantly, the proposed rule would eliminate the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required. This shift would remove much of the discretion that HIPAA-regulated entities presently have in determining whether to implement “addressable” measures, instead introducing more granular, prescriptive requirements to ensure compliance with all security standards.
The proposed rule also would require:
- written documentation of policies, procedures, plans, and analyses related to complying with the HIPAA Security Rule;
- covered entities to develop and update a technology asset inventory and a network map that illustrates the movement of electronic health information throughout the electronic information system;
- covered entities to conduct a more robust risk analysis than under the current rule, including incorporation of the entity’s technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic health information; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit vulnerabilities;
- encryption of electronic health information at rest and in transit;
- the use of multifactor authentication;
- covered entities to use anti-malware protections and remove extraneous software from electronic information systems;
- an audit at least once per year to confirm compliance with the HIPAA Security Rule;
- covered entities at least once per year to obtain written certification from business associates that they have deployed the technical safeguards required by the HIPAA Security Rule;
- covered entities to review and test the effectiveness of certain security measures at least once every twelve months;
- vulnerability scanning at least every six months and penetration testing at least once every twelve months;
- network segmentation and separate technical controls for backup and recovery of electronic health information and electronic information systems;
- covered entities to establish written procedures to restore certain electronic information systems and data within seventy-two hours of a loss, and to document how employees should report security incidents and how the regulated entity will respond to them. Business associates would have to notify covered entities no later than twenty-four hours after activating their security contingency plans;
- covered entities to cut off a former employee’s access to personal health information no later than one hour after employment has been terminated; and
- group health plans to include in their plan documents requirements for their plan sponsors to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.
Next Steps
Employers and the public have until March 7, 2025, to submit comments about the proposed rule. The final rule would take effect sixty days after being published in the Federal Register. The existing HIPAA Security Rule remains in effect while the rulemaking is underway.
HIPAA-covered entities (and employers that sponsor them) may wish to review their cybersecurity practices and policies as they relate to electronic health information and evaluate the gaps between their existing practices and documentation and the rules as proposed. While some of the proposed changes reflect common security measures already implemented by many HIPAA-covered entities, if the proposed rule takes effect, employers can expect to incur extra costs to align their practices with those outlined in the proposed rule. This is especially true for large employers that offer self-insured health plans to their workers, since employers are generally responsible for HIPAA compliance for the self-insured health plans they sponsor.