HHS-OCR Announces Proposed Modifications to the HIPAA Security Rule

By Tracy Shapiro, Haley Bavasi, Demian Ahn & Colin Black on January 14, 2025
Overview

The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) has announced proposed modifications to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the Proposed Rule). The Proposed Rule was published in the Federal Register for comment on January 6, 2025. It aims to strengthen the security and privacy of electronic protected health information (ePHI) in response to the evolving threat landscape and emerging technological challenges. If finalized as proposed, the Proposed Rule will have significant implications for healthcare organizations, their business associates, and other entities subject to HIPAA compliance requirements (the “regulated entities”). This alert represents the first in a multipart series outlining the most pertinent of the proposed rules and the potential implications for regulated entities.

Background

While the Security Rule has been a frequent subject of published enforcement actions and regulatory guidance by HHS-OCR, the Rule itself has not been revised since 2013. The Proposed Rule aims to preserve some of the flexibility and scalability embodied by the existing Rule, while also providing more prescriptive requirements that reflect and clarify HHS-OCR’s expectations regarding the appropriate level of security of ePHI.

The Security Rule generally requires regulated entities to implement reasonable technical, physical, and administrative safeguards intended to mitigate the potential impermissible use or disclosure of PHI. However, in order to allow for flexibility and scalability across different regulated entities, the current formulation of the rule distinguishes between “required” implementation specifications and “addressable” implementation specifications. The Proposed Rule would eliminate the distinction between “required” and “addressable” specifications, to reflect HHS-OCR’s view that all specifications are effectively required. The currently “addressable” items, which are the subject of the proposed revisions, include measures such as multifactor authentication, network segmentation, and penetration testing.

The Proposed Rule also includes considerable enhancements to existing documentation requirements, including requirements that covered entities establish procedures to restore lost PHI within 72 hours, more robust incident response plan requirements, and annual compliance audits. Similarly, the Proposed Rule would require greater cooperation and reporting from business associates on issues of cybersecurity, compliance, and incident response.

If promulgated as drafted, these heightened requirements would present a significant burden for regulated entities with tighter resource and bandwidth constraints but may result in considerable security improvements for regulated entities nationwide.

Key Takeaways for Regulated Entities

At this stage, the Proposed Rule is tentative and subject to further review and comment from the public and regulators. However, regulated entities would be well-served to note HHS-OCR’s position that—even for the existing Security Rule—“addressable” does not necessarily mean “optional,” and that many of the key controls that are currently noted as “addressable” are, in fact, effectively required for overall compliance.

Further, HHS-OCR’s commentary surrounding the Proposed Rule indicates that a number of collateral cybersecurity frameworks, although not specifically required by the existing Security Rule, were strongly influential on the new requirements reflected in the Proposed Rule. Regulated entities should consider whether alignment with one of these collateral frameworks may help to mitigate the risk of sanction from HHS-OCR in the present regulatory environment, as well as to ease the transition to newly required controls in whichever form they may take.

The Wilson Sonsini team is continuing to closely monitor developments associated with data protection and cybersecurity regulations, including HIPAA. If you have any questions or need assistance with compliance planning or incident response preparations, please do not hesitate to contact Tracy Shapiro, Haley Bavasi, Demian Ahn, Colin Black, or any other member of our data, privacy, and cybersecurity practice.

  • Posted in:
    Health Care and Life Sciences, Privacy and Cybersecurity
  • Blog:
    The Data Advisor
  • Organization:
    Wilson Sonsini Goodrich & Rosati