HHS’ Last-Minute Holiday Gift: Proposed Changes to the HIPAA Security Rule

By Sara Shanti, Carolyn Metnick & Michael Sutton on January 6, 2025

The U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (the “Proposed Rule”) on December 27, 2024, to significantly amend HIPAA’s Security Rule, which sets forth the security standards for the protection of protected health information by covered entities and their business associates. The Proposed Rule’s issuance was expected, especially in light of the growing number of health data breaches and disclosures of large scale foreign cyberattacks.

The Proposed Rule takes aim at several key areas of the Security Rule, including updates to:

  • Standards for Assessing Adequacy of Safeguards – The Proposed Rule seeks to remove the distinction between “required” and “addressable” safeguards, which has the practical effect of rendering essentially all implementation specifications required. The Proposed Rule would eliminate this distinction by requiring regulated parties to implement all of the standards and specifications, but would continue to afford regulated parties a measure of flexibility in how they go about satisfying those standards and specifications.
  • Administrative Safeguard Requirements – The Security Rule requires regulated parties to implement a number of written policies and procedures that are tailored to protecting ePHI. The Proposed Rule requires adoption of several new policies and procedures, and further requires that those policies and procedures be tested on a yearly basis as well as after certain operational changes.
  • Technical Safeguard Requirements – The Proposed Rule seeks to add a significant number of new standard requirements, such as multi-factor authentication, contingency planning, vulnerability scans, and numerous others.
  • Standards for Business Associate Agreements – The Proposed Rule makes a number of revisions to the requirements applicable to Business Associate Agreements, including: (1) requiring business associates to notify covered entities of the activation of their contingency plans (which the Proposed Rule would require them to prepare) no later than 24 hours after activation; and (2) requiring that covered entities obtain written verification from their business associates, at least once every 12 months, that such business associates have deployed the technical safeguards required by the Security Rule.
  • Encryption – The Proposed Rule clarifies that regulated parties must encrypt ePHI both in transit and at rest, subject to certain exceptions. This requirement could have a tremendous impact to the extent that regulated parties have relied on unencrypted channels of communication (e.g., text messaging) to facilitate care.

It is important to note that the current Security Rule remains in effect until HHS publishes a Final Rule. Following publication in the Federal Register, a 60-day window for submission of public comments ensues. We anticipate that HHS will receive many comments to work through given the potential impact of the Proposed Rule. Due to the change in administration, the Proposed Rule will likely receive increased scrutiny and, therefore, it may be some time before a Final Rule is published. However, given the importance of mitigating cybersecurity risks in the healthcare industry, we expect the Proposed Rule will be finalized in some form.

In addition to federal developments such as the Proposed Rule, the state landscape continues to evolve with states passing consumer health information laws. We will continue to monitor these developments.

Sara Shanti

Sara Helene Shanti is a partner in the Corporate Practice Group in the firm’s Chicago office.

Carolyn Metnick

Carolyn Metnick is a partner in the Corporate Practice Group in the firm’s Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams.

Michael Sutton

Michael Sutton is an associate in the Corporate Practice Group in the firm’s Dallas office.

  • Posted in:
    Health Care
  • Blog:
    Healthcare Law Blog
  • Organization:
    Sheppard, Mullin, Richter & Hampton LLP