Whitepaper

Guide to Understanding the Proposed HIPAA Security Rule Change

Noggin

Security Management Software

Updated January 23, 2025

On January 6, 2025, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) to modify the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The notice opened a 60-day public comment period, during which healthcare industry stakeholders can submit feedback before the HHS proposals are finalized.

For those new to the process: what HHS wants to do is substantially strengthen HIPAA’s Security Rule. The Security Rule is one of the constituent parts of HIPAA, the statute that protects the privacy and security of individuals’ protected health information (PHI).

What is the Security Rule?

First published in 2003, the Security Rule applies only to electronic PHI (ePHI), i.e., individually identifiable health information (IIHI) that is transmitted by or maintained in electronic media.

The Security Rule was initially published in 2003, more than twenty years ago, and was most recently revised in 2013, over a decade ago.

The purpose of the Rule is to better protect the confidentiality, integrity, and availability of ePHI. However, much has changed since the Security Rule was last revised; specifically, as HHS argues, “the environment in which health care is provided.”

Deterioration in the cyber environment affecting healthcare

Cyber security, for one, has become a singular factor in the provision of health care, as recent cyber incidents – some of which have halted care altogether – have demonstrated.

These incidents aren’t one-offs, either. They’re part of a pattern. And the trend lines are only getting worse, according to data from HHS’ Office for Civil Rights (OCR).

From 2018 to 2023, OCR reported that large breaches resulting from hacker and ransomware attacks increased by 102 percent. And it’s not just the number of attacks, it’s the number of individuals affected by those attacks that’s increasing, as well. That figure has skyrocketed by a staggering 1,002 percent over the same period.

As a result of this marked deterioration in the security environment, state regulators and policymakers have intervened in their respective markets. However, the welter of state action, notes HHS, might have the unintended effect of creating “difficulties” for entities that work across state lines.

Instead, what HHS wants to do with this recent Security Rule change is establish a federal baseline for cybersecurity protection, one informed by the most recent guidelines, best practices, methodologies, procedures, and processes for protecting ePHI.

So, what are the new rules being proposed? We summarize the most important below.

What’s the actual Rule Change?

An overarching change proposed, based on a recommendation from the National Committee on Vital and Health Statistics (NCVHS), is removing the distinction between “required” and “addressable” implementation specifications.

What’s the difference between the two? Simply put, if an implementation specification is described as required, it must be implemented.

Addressable implementation specifications, on the other hand, are intended to provide entities additional flexibility in complying with security standards. Oftentimes, entities, instead of complying, can just document a reason for their noncompliance with addressable implementation specifications.

HHS wants to do away with that wiggle room. Going forward, then, entities will have to tackle compliance with the following proposals head-on.

Technology asset inventory and network map

The first such meaningful proposal is a new requirement to conduct and maintain an accurate and thorough written technology asset inventory and a network map of an entity’s electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. Such an inventory is believed to form the foundation of a “fulsome and accurate” risk analysis, changes to which are also addressed in the NPRM.

To comply, an entity must identify the information systems that create, receive, maintain, or transmit ePHI and all technology assets that may affect ePHI in those information systems in order to secure them.

The standard also requires each regulated entity to determine the movement of ePHI (a) through, (b) into, and (c) out of its information systems, and to describe such movement in a network map.

To more rapidly detect and respond to potential risks and vulnerabilities, the regulated entity’s network map should reflect where its technology assets are, e.g., physically located at a worksite, accessed through the cloud, etc.

Enhanced risk analysis standard

As noted, these changes have much to do with raising the basic level of cyber security risk management in the industry. And so, the regulated entity will compile a written inventory of its technology assets and create its network map, then identify the potential risks and vulnerabilities to its ePHI. This forms the basis of the second major proposal: the enhanced risk analysis.

Risk analysis recommendations aren’t new to the industry, as OCR notes. In fact, the NPRM addresses the fact that regulators have “made available an abundance of free and widely publicized guidance tools.”

However, regulated entities still haven’t complied. The main points of contention are a systematic inability to:

  • Identify and assess the risks to all of the ePHI in their possession, or even develop and implement policies and procedures for conducting a risk analysis.
  • Identify threats and vulnerabilities, consider their potential likelihoods and effects, and rate the resulting risk to ePHI.
  • Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or the occurrence of a significant event.
  • Conduct risk analyses consistent with their own policies and procedures.

As a result, HHS’ Rule change cites the following eight implementation specifications for the risk analysis standard:

  1. Review the technology asset inventory and the network map to identify where ePHI may be created, received, maintained, or transmitted within its information systems.
  2. Identify all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits.
  3. Identify potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
  4. Create an assessment and documentation of the security measures it uses to ensure that the measures protect the confidentiality, integrity, and availability of the ePHI created, received, maintained, or transmitted by the regulated entity.
  5. Make a reasonable determination of the likelihood that each identified threat would exploit the identified vulnerabilities.
  6. Make a reasonable determination of the potential impact of each identified threat should it successfully exploit the identified vulnerabilities.
  7. Create an assessment of risk level for each identified threat and vulnerability.
  8. Create an assessment of risks to ePHI posed by entering into or continuing a business associate agreement or other written arrangement with any prospective or current business associate, respectively, based on the written verification obtained from the prospective or current business associate.

In addition, a regulated entity will be required to review, verify, and update the written assessment on an ongoing basis, i.e., at least once every 12 months and in response to any change in the regulated entity’s environment or operations that may affect ePHI.

Evaluation standard

What about other means of analyzing risk? The proposed changes also address evaluation criteria, with the evaluation itself examining a specific change that a regulated entity intends to make before the change is made.

Here, HHS proposes to require technical and nontechnical evaluation(s) to be in writing and performed to determine whether a change in the regulated entity’s environment or operations may affect the confidentiality, integrity, or availability of ePHI.

Beyond that, HHS also proposes the following two implementation specifications:

  • Requiring a regulated entity to conduct the evaluation within a reasonable period of time before making a change to its environment or operations
  • Requiring a regulated entity to respond to the evaluation in accordance with its risk management plan

What would a change in the regulated entity’s environment or operations look like? According to HHS, such changes would include any of the following:

  • The adoption of new technology assets
  • The upgrading, updating, or patching of technology assets
  • Newly recognized threats to the confidentiality, integrity, or availability of ePHI
  • A sale, transfer, merger, or consolidation of all or part of the regulated entity with another person
  • A security incident that affects the confidentiality, integrity, or availability of ePHI
  • Relevant changes in Federal, State, Tribal, and territorial law

Risk management

In keeping with the concern for risk management, HHS is also proposing to require regulated entities to establish and implement a plan for reducing the risks identified through risk analysis activities. Specifically, the proposed Rule would require a regulated entity to implement security measures that are sufficient to reduce risks and vulnerabilities to all ePHI to a reasonable and appropriate level.

Alongside that proposal come four implementation specifications that HHS believes are consistent with previously issued guidance. Those implementation specifications would:

  • Require a regulated entity to establish and implement a written risk management plan for reducing risks to all ePHI, including, but not limited to, those risks identified by the regulated entity’s risk analysis, to a reasonable and appropriate level.
  • Require a regulated entity to review the written risk management plan at least once every 12 months, and as reasonable and appropriate in response to changes in its risk analysis.
  • Require a regulated entity’s written risk management plan to prioritize the risks identified in the regulated entity’s risk analysis based on the risk levels determined by that analysis.
  • Require a regulated entity to implement security measures in a timely manner to address the risks identified in the regulated entity’s risk analysis.

Security incident procedures and contingency planning

Beyond enhanced risk analysis and planning, HHS is also interested in increasing the level of incident readiness. That clear preoccupation colors proposed changes to security incident procedures and contingency plans.

With regard to the former, HHS is requiring the regulated entity to implement written procedures for testing and revising the security incident response plan(s). And then, using those written procedures, the entity will have to review and test security incident response plans at least once every 12 months as well as document the results of such tests.

Per the Rule change, the regulated entity will also be required to modify the plan(s) and procedures as reasonable and appropriate, based on the results of such tests and the regulated entity’s circumstances.

As part of contingency planning, HHS is proposing a new requirement to establish (and implement as needed) written procedures to restore critical relevant electronic information systems and data within 72 hours of the loss, and to restore other relevant electronic information systems and data in accordance with the regulated entity’s criticality analysis.

Increased incident preparedness

There are a few more broad changes under the banner of increased incident preparedness that are worth commenting on. The first is the requirement to implement a security awareness and training program for all workforce members, including management. This proposed change comes with four associated implementation specifications including:

  • Periodic security updates
  • Procedures for guarding against, detecting, and reporting malicious software
  • Procedures for monitoring log-in attempts and reporting discrepancies
  • Procedures for creating, changing, and safeguarding passwords

The next change concerns security incident procedures to address security incidents. The one implementation specification associated with this standard requires regulated entities to identify and respond to suspected or known security incidents; to mitigate, to the extent practicable, harmful effects of security incidents that are known to the regulated entity; and to document security incidents and their outcomes.

To plan for such incidents, HHS proposes that regulated entities establish, and implement as needed, policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI. That Rule change includes the following five implementation specifications:

  • Requires a regulated entity to establish and implement procedures to create and maintain exact copies of ePHI that are retrievable
  • Requires a regulated entity to establish, and implement as needed, procedures to restore any lost data
  • Requires a regulated entity to establish, and implement as needed, procedures to enable continuation of critical business processes for protecting the security of ePHI while the regulated entity is operating in emergency mode
  • Addresses the implementation of procedures for periodic testing and revision of contingency plans
  • Addresses the assessment of the relative criticality of specific applications and data in support of other contingency plan components

Next steps

The proposed Rule changes are all being made in advance of the incoming Trump Administration, which as of this writing has not yet commented in detail on the NPRM.

Whether the new Administration intends to administer the changes as written is open to question. What isn’t open to question, though, is the growing bipartisan consensus on the need to better secure ePHI against cyber criminals.

Indeed, the Health Care Cybersecurity and Resiliency Act, proposed by a group of bipartisan senators in late 2024, is evidence of that trend.

That proposed legislation would require hospitals and other healthcare organizations to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards, and would mandate more effective coordination between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) on cybersecurity in the healthcare and public health sector.

Other important measures include providing federal training for health-sector owners and operators on cybersecurity best practices, grants to help providers improve their security posture, and additional support for rural clinics on breach prevention, resilience, and coordination with federal agencies.

In other words, the direction of traffic is toward increased regulation. Nor is increased regulatory scrutiny (or sanction) the only threat facing providers.

Cyberattacks themselves are penalty enough, given the monetary stakes. Healthcare, according to the Ponemon Institute, remains the most expensive industry for responding to and recovering from data breaches. Indeed, the average cost of a data breach in healthcare in 2024 was nearly $10 million.

Providers, therefore, have the stark choice to sit back and invite attacks or take action and get ahead of regulations by enhancing their cyber security risk and incident management programs.

If they are looking to do the latter, they will find a partner in Noggin. Our integrated resilience management workspace manages events and risk from the smallest incident to a major crisis or emergency.

Don't just take our word for it, though: request a demo to find out how.
