Last fall at the Safeguarding Health Information: Building Assurance Through HIPAA Security 2024 conference, U.S. Department of Health & Human Services Office for Civil Rights (OCR) promised that before year’s end, it would publish amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. On December 27, 2024, OCR made good on that promise and released an unpublished version of the Security Rule amendments proposal.
OCR’s proposed Security Rule amendments are, among other things, in response to a substantial increase in large-scale data breaches over the past five years. According to OCR, between 2018 and 2023, large-scale data breaches, or breaches affecting 500 or more individuals, have increased by 100% and the number of affected individuals has increased by 950%. In 2023, OCR noted in the proposal, more than 160 million individuals were affected by large-scale data breaches, a new and alarming record. During this same time frame, breaches caused by hacking and ransomware have increased by 260% and 264% respectively.
The proposal aims to strengthen the Security Rule in order to combat this trend. New requirements will apply to covered entities and their business associates alike, as the Security Rule applies equally to covered entities and business associates. Highlights include the following:
Removing the Security Rule’s Distinction Between “Required” and “Addressable” Implementation Specifications. Under the proposed rule, all implementation specifications would be required, with limited exceptions. For example, encryption under the current Security Rule is “addressable,” which means that a regulated entity may opt to forgo encryption if it has implemented and documented some other compensating security control. Under the proposed rule, encryption of data in motion and at rest would be mandatory, subject to limited exceptions such as when an individual requests to receive their ePHI in an unencrypted manner, when encryption is infeasible, or for ePHI that is created, received, maintained, or transmitted by certain Food & Drug Administration (FDA)-authorized medical devices.
Specifying Requirements For Conducting a Security Risk Analysis. The proposal expands on the existing, general requirement for conducting a security risk analysis by including specific, required steps, such as the review of a technology asset inventory and network map, identification of all reasonably anticipated threats to ePHI, identification of potential vulnerabilities to the regulated entity’s relevant electronic information systems, and assessment of the risk level for each identified threat and vulnerability. These proposed requirements are already a normal part of a security risk analysis. However, because compliance with this standard has historically been lacking, as OCR has repeatedly noted in recent investigations finding that regulated entities failed to develop and implement holistic risk analysis programs, OCR is adding detail regarding what it expects to see in a security risk analysis rather than generally requiring one and leaving the details to regulated entities. It proposed eight implementation specifications for the risk analysis standard and noted that a regulated entity’s risk analysis must include repeated consideration of, among other things, the type and amount of ePHI accessed by artificial intelligence tools, to whom the data is disclosed, and to whom the output is provided.
Imposition of New Timing Requirements for Various Security Standards. The proposal imposes a number of strict timing requirements, including a requirement for written policies to restore the loss of relevant information systems and data within 72 hours of an incident; a requirement for notification of certain regulated entities within 24 hours following termination of a workforce member’s access to ePHI or certain electronic information systems; and a requirement that business associates notify covered entities (and subcontractors to notify business associates) within 24 hours upon activation of contingency plans. Other requirements in the proposal include:
- Requiring both covered entities and business associates to conduct a compliance audit at least once every 12 months to ensure ongoing Security Rule compliance
- Requiring business associates and business associate subcontractors to verify to their upstream entities at least once every 12 months that they have deployed the technical safeguards required by the Security Rule. A subject matter expert must complete this certification and confirm that it is complete and accurate.
- Requiring the use of multi-factor authentication
- Requiring network segmentation
- Requiring group health plans’ plan documents to obligate group health plan sponsors or any agents to whom it provides ePHI to implement the Security Rule’s administrative, physical, and technical safeguards. Group health plan sponsors must also notify their group health plans within 24 hours upon activation of contingency plans
OCR’s view of the proposal is that it primarily adds detail to existing requirements under the HIPAA Security Rule. While these details will bring HIPAA into better alignment with other information security frameworks, they will require a significant compliance effort by both covered entities and business associates, including the revision of existing business associate agreements.
The comment period runs for 60 days following publication of the rule, which is expected on January 6, 2025, making the potential effective date March 7, 2025. OCR also proposed a standard compliance date of 180 days after the effective date of a final rule. These timelines, however, are subject to change because the incoming Trump Administration will have the opportunity to determine how it would like to proceed, if at all, with possible finalization, including pausing the process for review of and accounting for public comments or modifying the proposal.