HHS Proposes Rule to Bolster Cybersecurity Standards for Electronic Patient Data
On December 27, 2024, for the first time in over a decade, the United States Department of Health and Human Services (HHS) issued a notice of proposed rulemaking to modify the HIPAA Security Rule (the NPRM) to bolster cybersecurity protections for electronic protected health information (ePHI). The HIPAA Security Rule, which establishes standards for the security of ePHI, was last updated in 2013. The NPRM generally applies to HIPAA-covered entities, including health plans, healthcare clearinghouses and most healthcare providers, as well as the business associates of covered entities (together, referred to as regulated entities). HHS states that the purpose of the NPRM is to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”
The Office for Civil Rights (OCR) has seen a substantial increase in reports of large data breaches over the last five years. According to the OCR, from 2018 to 2023, reports of large data breaches increased by 102% and the number of individuals affected by such data breaches increased by more than 1,000%, primarily due to increases in hacking and ransomware attacks. The OCR further advises that in 2023, over 167 million individuals were affected by large data breaches.
According to HHS, the provisions in the NPRM would increase the cybersecurity for ePHI by revising the Security Rule to address the following:
- Changes in the environment in which health care is provided.
- Significant increases in data breaches and cyberattacks.
- Common deficiencies the OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
- Other cybersecurity guidelines, best practices, methodologies, procedures and processes.
- Court decisions that affect enforcement of the Security Rule.
Some of the more significant provisions of the NPRM to strengthen the Security Rule’s standards and implementation specifications include:
- Require written documentation of all Security Rule policies, procedures, plans, and analyses.
- Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
- Require greater specificity for conducting a risk analysis.
- Strengthen requirements for planning for contingencies and responding to security incidents.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- Require business associates to verify to covered entities, at least once every 12 months, that they have deployed the technical safeguards the Security Rule requires to protect ePHI. The verification consists of a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- Require encryption of ePHI at rest and in transit, with limited exceptions.
- Require the use of multi-factor authentication, with limited exceptions.
- Require vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.
- Require business associates to notify covered entities upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
HHS states that the modifications set forth in the NPRM generally provide regulated entities with greater clarity and specificity regarding how to fulfill their obligations under the Security Rule. HHS also states that the proposed changes are not a significant departure from the Security Rule currently in effect. Therefore, HHS proposes to apply the standard regulatory compliance date of 180 days after the effective date of a final rule for regulated entities to come into compliance with the updated cybersecurity standards.
However, HHS states that it would afford regulated entities a transition period beyond the 180-day compliance period for modifying business associate agreements or other written arrangements that qualify for the longer transition period.
Significantly, HHS emphasizes that while pursuing this rulemaking, the current HIPAA Security Rule remains in effect and enforceable against regulated entities.
Stakeholders may file public comments on the NPRM within 60 days after its publication in the Federal Register. Currently, the NPRM is scheduled to be published in the Federal Register on or about January 6, which would make comments due on March 6.
Regulated entities would be well served to monitor the progress of this NPRM through the rulemaking process. If significant portions of this NPRM are finalized in a final rule, including the 180-day compliance requirement, regulated entities will likely be scrambling to meet the deadline for coming into compliance with the revisions or additions set forth in the updated cybersecurity standards. This would include not only updating your organization’s policies and procedures, but also amending all business associate contracts to comply with the new standards.
View a copy of the NPRM here. Check out HHS’s Fact Sheet on the NPRM.
Please contact Jeffrey S. Moore, Blake Adams, or any member of Phelps Health Care or Cybersecurity, Privacy and Data Protection teams if you have any questions or need advice or guidance.