Bradley is launching a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to strengthen cybersecurity protections for electronic protected health information (ePHI) regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025 and applies to covered entities and their business associates under HIPAA. This proposal is the first proposed update to the HIPAA Security Rule since its last revision in 2013; the rule was originally published in 2003. The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.
In this weekly series, we will explore the key changes and their implications and provide insights and takeaways on the following items:
- Implementation Specifications and Compliance Grace Period
  - OCR has identified gaps and ambiguities in current law that require clarification or the introduction of new standards. OCR revises and adds definitions and implementation specifications to address these gaps and emerging challenges, as well as to reflect advancements in technology.
  - Implementation specifications would become required rather than addressable, with limited exceptions.
  - OCR interprets security requirements for artificial intelligence (AI) and provides guidance on incorporating AI considerations into compliance and risk assessments.
  - Regulated entities would have a total time frame for compliance of 240 days from the date of publication of the final rule and would be provided deeming provisions for contracts that are not renewed or modified.
- Administrative Safeguards
  - Annual and ongoing technology asset inventory and network mapping would become a discrete part of the administrative safeguards.
  - OCR leverages its informal guidance documents and tools on security risk analyses, along with the NIST Cybersecurity Framework and recent guides, for greater specificity in implementing the risk assessment standard.
  - Regulated entities would need to annually perform and document audits that cover compliance with each standard and implementation specification.
  - Workforce clearance, access management, and patch management processes would be specified.
- Incident and Vulnerability Management
  - Security incident procedures and response plans would be enhanced.
  - Contingency planning requirements would be strengthened to mandate system restoration within 72 hours and annual testing of the contingency plan for its effectiveness.
  - OCR provides specifics for the enhanced data backup and recovery requirement.
- Technical Safeguards
  - Encryption and multifactor authentication (MFA) would become mandatory, with limited exceptions.
  - Annual penetration testing and semi-annual vulnerability scanning would be required.
  - Network segmentation protocols would be specified.
- Business Associate (BA) Issues
  - Regulated entities must assess the risks of entering a downstream BA Agreement based on the written verifications from the BA. Entities also must obtain written verification of technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA.
  - BAs and their subcontractors must notify clients within 24 hours when activating contingency plans.
  - OCR would maintain a grace period allowing entities to update their BA Agreements while remaining compliant with previous requirements, similar to the transitional process implemented after the HITECH Rule was finalized in 2013.
- Group Health Plan Compliance
  - Group health plans and sponsors would have expanded compliance obligations.
  - OCR is considering transition provisions for compliance.
Stay tuned as Bradley’s Health Information Technology, Privacy & Security team dives into the implications of these proposals for the healthcare industry as interested stakeholders submit comments to HHS during the comment period that ends on March 7, 2025. We will provide summaries and analyses of these significant regulatory changes, offer insights and perspectives, and consider broader industry implications. Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.