On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule.  According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.

Key Provisions

  • Removal of the Distinction Between “Addressable” and “Required” Implementation Specifications. For background, the Security Rule contains specific administrative, physical, technical, organizational, and documentation standards and associated implementation specifications. The current Security Rule contains both “required” and “addressable” implementation specifications. Required specifications must be implemented. Addressable specifications require that the covered entity or business associate (either, a “regulated entity”) assess whether the specification is reasonable and appropriate in the regulated entity’s environment with reference to the likely contribution to protecting electronic protected health information (ePHI) and, if the specification is not reasonable and appropriate, document why and implement an equivalent alternative measure that is reasonable and appropriate. The proposed rule would remove the distinction between “required” and “addressable” implementation specifications and require all implementation specifications, except in limited circumstances. In the preamble, OCR states that it is concerned that some regulated entities misunderstand “addressable” specifications to be optional. While the preamble emphasizes that the proposed rule aims to maintain flexibility in the Security Rule, the removal of this distinction is meant to clarify that implementation of the specifications is not optional; a regulated entity must implement the standards and associated specifications and adopt reasonable and appropriate security measures to achieve such implementation.
  • Creation of Technology Asset Inventory and Network Map. The proposed rule would require regulated entities to conduct and document an accurate and thorough written technology asset inventory and network map of their electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. Any technology asset inventory and network map would be required to take into account the processes that involve movement of ePHI into and outside of a regulated entity’s systems, including those that may involve another entity (i.e., a covered entity’s network map would be required to account for technology assets used by its business associates to create, receive, maintain, or transmit ePHI).
  • Greater Specificity for Risk Analyses. While the current Security Rule requires that a regulated entity conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the regulated entity, the proposed rule would impose more specific requirements for such risk analyses. In particular, the proposed rule would require a written assessment that takes into account and documents details related to eight specifications, including, among other requirements:
    • a review of the regulated entity’s technology asset inventory and network map;
    • identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; and
    • a determination of the potential impact of each identified threat.
    The preamble states that these requirements for risk analyses would be distinct from the evaluation standard, which requires a regulated entity to proactively consider whether risks or vulnerabilities will be introduced by any changes to the regulated entity’s environment or operations.
  • Incident and Disaster Response Requirements. The proposed rule would require that a regulated entity establish a security incident response plan and implement procedures for testing and revising those plans at least once every 12 months. A regulated entity would also be required to develop and maintain documentation of investigations, analyses, mitigation, and remediation for suspected or known security incidents. Further, a regulated entity would be required to have contingency plans in place, including procedures to restore its critical electronic information systems and data within 72 hours of a loss and restore other systems and data in accordance with the criticality analysis contained in the regulated entity’s written contingency plan. A business associate would be required to notify covered entities (or a subcontractor business associate to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Verification of Business Associates’ Technical Safeguards. The proposed rule would require that a regulated entity verify that an entity that creates, receives, maintains, or transmits PHI on its behalf is in fact taking necessary steps to protect ePHI. In particular, the proposed rule would require that a covered entity obtain a written verification, at least once every 12 months, that a business associate has deployed the technical safeguards required by the Security Rule, including a written analysis of the business associate’s relevant electronic information systems. The same requirement would apply to business associates with respect to their subcontractor business associates.
  • Patch Management. The proposed rule would include a new standard for patch management, which would require that a regulated entity implement policies and procedures to identify, prioritize, and apply software patches throughout its electronic information systems that create, receive, maintain, or transmit ePHI or otherwise affect the confidentiality, integrity, or availability of ePHI. The proposed rule would impose specific timing requirements for patching, updating, or upgrading the relevant electronic information system: (i) 15 calendar days for a critical risk patch; (ii) 30 calendar days for a high risk patch; and (iii) a reasonable and appropriate period of time based on the entity’s policies and procedures for all other patches.
  • Strengthened Access Control Requirements. The proposed rule would require that a regulated entity implement written policies and procedures related to its workforce members’ access to ePHI and relevant electronic information systems, including termination of such access where appropriate, such as upon termination or a change in an employee’s role. The proposed rule would also require that a regulated entity notify other regulated entities after a change in or termination of a workforce member’s authorization to access ePHI of those other regulated entities as soon as possible but no later than 24 hours after the change or termination.
  • Compliance Audits. The proposed rule would require a regulated entity to perform and document an audit of its compliance with each standard and implementation specification of the Security Rule at least once every 12 months.
  • Documentation Requirements. The proposed rule would require that a regulated entity document in writing all policies, procedures, plans, and analyses required by the Security Rule, and review that documentation at least annually and in response to changes in its security environment or operations. This would include (but not be limited to) the requirements related to the technology asset inventory, network map, and risk analysis discussed above.
  • Workforce Sanctions. The proposed rule would include additional specifications related to the sanctioning of workforce members who fail to comply with a regulated entity’s security policies and procedures, including the requirement to establish and maintain written policies and procedures related to workforce sanctions and to document instances of, and the circumstances leading to, a regulated entity imposing sanctions on a workforce member.
  • Additional Security Measures. The proposed rule would require a number of additional security controls, each with limited exceptions, related to:
    • encryption of ePHI at rest and in transit;
    • multi-factor authentication;
    • network segmentation;
    • vulnerability scanning at least once every six months and penetration testing at least once every 12 months;
    • deployment of anti-malware protection;
    • removal of extraneous software from electronic information systems;
    • disablement of network ports in accordance with a regulated entity’s risk analysis; and
    • backup and recovery of ePHI.
Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.