Bradley is launching a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to strengthen cybersecurity protections for electronic protected health information (ePHI) regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025 and applies to covered entities and their business associates under HIPAA. This proposal marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.

In this weekly series, we will explore the key changes and their implications and provide insights and takeaways on the following items:

  • Implementation Specifications and Compliance Grace Period
    • OCR has identified gaps and ambiguities in current law that require clarification or the introduction of new standards. OCR revises and adds definitions and implementation specifications to address these gaps and emerging challenges, and to reflect advancements in technology.
    • Implementation specifications would become required, not addressable, with limited exceptions.
    • OCR interprets security requirements for artificial intelligence (AI) and provides guidance to incorporate AI considerations into compliance and risk assessments.
    • Regulated entities would have a total time frame for compliance of 240 days from the date of publication of the final rule and would be provided deeming provisions for contracts that are not renewed or modified.
  • Administrative Safeguards
    • Annual and ongoing technology asset inventory and network mapping would become a discrete part of the administrative safeguards.
    • OCR leverages its informal guidance documents and tools on security risk analyses along with the NIST Cybersecurity Framework and recent guides for greater specificity in implementing the risk assessment standard.
    • Regulated entities would need to annually perform and document audits that cover compliance with each standard and implementation specification.
    • Workforce clearance, access management, and patch management processes would be specified.
  • Incident and Vulnerability Management 
    • Security incident procedures and response plans would be enhanced.
    • Contingency planning requirements would be strengthened to mandate system restoration within 72 hours and annual testing of the contingency plan for its effectiveness.
    • OCR provides specifics for the enhanced data backup and recovery requirement.
  • Technical Safeguards 
    • Encryption and MFA would become mandatory, with limited exceptions.
    • Annual penetration testing and semi-annual vulnerability scanning would be required.
    • Network segmentation protocols are specified.
  • Business Associate (BA) Issues 
    • Regulated entities must assess the risks of entering a downstream BA Agreement based on the written verifications from the BA. Entities also must obtain written verification of technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA. 
    • BAs and their subcontractors must notify clients within 24 hours when activating contingency plans.
    • OCR would maintain a grace period allowing entities to update their BA Agreements while remaining compliant with previous requirements, similar to the transitional process implemented after the HITECH Rule was finalized in 2013.
  • Group Health Plan Compliance
    • Group health plans and sponsors would have expanded compliance obligations.
    • OCR is considering transition provisions for compliance.

Stay tuned as Bradley’s Health Information Technology, Privacy & Security team dives into the implications of these proposals for the healthcare industry as interested stakeholders submit comments to HHS during the comment period that ends on March 7, 2025. We will provide summaries and analyses of these significant regulatory changes, offer insights and perspectives, and consider broader industry implications. Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

Amy Leopard

Amy Leopard advises clients on complex health matters, including health IT and privacy and security issues. Amy brings practical insights and knowledge from over 25 years in healthcare, including serving as a vice president in both academic medical center and community hospital settings with responsibilities for medical staff, clinical departments, quality improvements and medical records. She structures and negotiates technology contracts, licenses, joint ventures, data use, sharing and transfer agreements at the intersection of healthcare and technology. Amy has served as counsel on health information exchange (HIE) projects and has worked with electronic health record (EHR) and personal health record (PHR) vendors on privacy and security, fraud and abuse, and other regulatory issues. She taught advanced courses on Legal Issues in Health Information for the Kent State University M.S. in Health Informatics program. Amy has been listed in The Best Lawyers in America® for Health Care Law since 2006.

Eric Setterlund

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.