The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) that aims to bolster cybersecurity protections within the healthcare sector under the Health Insurance Portability and Accountability Act (HIPAA). This proposed rule, issued on December 27, 2024, and published in the Federal Register on January 6, responds to changes in the environment in which healthcare is provided; significant increases in breaches, cyber threats and attacks; common deficiencies OCR has observed in Security Rule compliance by Covered Entities and their Business Associates; and other cybersecurity guidelines, best practices, methodologies, procedures and processes. The aim of the NPRM is to better safeguard the privacy and security of sensitive health data.
Key Changes in the Proposed Rule
The NPRM proposes several important modifications to existing HIPAA regulations that could have significant impacts on healthcare entities’ cybersecurity practices. Some major changes include:
- Expanded Requirements for Risk Assessments and Cybersecurity Measures
  - Old Rule: Covered entities (CEs) and business associates are required to conduct risk assessments under the Security Rule, but there is no defined temporal requirement, and no explicit focus on cybersecurity controls or procedures for data protection against evolving cyber threats.
  - New Rule: The proposal introduces specific requirements for entities to adopt proactive cybersecurity measures, including stronger and more frequent risk assessments, bi-annual vulnerability scanning and annual penetration testing, more detailed documentation of cybersecurity practices, and the adoption of industry-recognized security frameworks. The new rule will also remove the distinction between “addressable” and “required” standards; all implementation specifications will be required, with specific limited exceptions. For example, encryption will no longer be addressable; it will be mandatory. Additionally, multi-factor authentication for access to systems will be required, with limited exceptions.
- Contingency Plan Activation Requirements
  - Old Rule: Breach notifications under HIPAA are required for incidents involving unauthorized access to protected health information (PHI), but there is no clear mandate for business associates to notify covered entities regarding cybersecurity-related vulnerabilities that do not result in a technical breach.
  - New Rule: Under the NPRM, business associates would be required to notify covered entities within twenty-four (24) hours if the business associate activates its contingency plan in response to an emergency or other occurrence that may adversely affect relevant electronic information systems. The purpose of this notice is to flag for the covered entity that there is a vulnerability within its business associate’s operation, and to enable the covered entity to take the necessary steps to protect its own relevant electronic information systems and implement its own contingency plans if necessary and appropriate.
- Increased Accountability for Business Associates (BAs)
  - Old Rule: BAs are responsible for protecting PHI, but some of their obligations were unclear in relation to specific cybersecurity measures.
  - New Rule: The proposed changes clarify that BAs must be held accountable for their own cybersecurity practices. BAs will now be required to verify, at least once every 12 months, to covered entities (and subcontractors must verify at least once every 12 months to business associates) that they have deployed the technical safeguards required by the Security Rule to protect electronic PHI (ePHI). This must be verified through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert, and a written certification that the analysis has been performed and is accurate.
These proposed changes would shift the current paradigm of HIPAA compliance and impose requirements that are potentially burdensome and challenging for organizations to strictly adhere to. The current Security Rule primarily focuses on safeguarding ePHI through administrative, physical, and technical safeguards, but does not specifically address contemporary cybersecurity risks such as ransomware, phishing, or data breaches arising from cyberattacks. The proposed amendments emphasize cybersecurity resilience and proactive measures, including requirements to implement frameworks that address these specific risks, which represent major exposures for healthcare organizations and their technology vendors.
Next Steps for Healthcare Entities
The proposed rule significantly strengthens cybersecurity protections in healthcare, expanding obligations for risk assessments, reporting, and vendor accountability. However, these changes will require a potentially significant and dedicated overhaul of HIPAA-governed entities’ existing policies and procedures. Stakeholders are advised to audit their existing cybersecurity practices, risk assessments, and breach notification procedures to identify gaps between current practices and the proposed regulatory requirements. Once the rule is finalized, it will be imperative for all HIPAA-covered entities and their business associates to revisit these compliance policies and procedures to ensure alignment with the new cybersecurity regulations.
How Frier Levitt Can Help
Frier Levitt can assist covered entities and their business associates in updating or drafting new policies that align with the new rule, ensuring that they meet all requirements for cybersecurity, incident reporting, and breach notifications. Regular risk assessments, adoption of security frameworks, and enhanced breach reporting protocols will be essential for continued compliance.
If your organization is interested in submitting comments to HHS regarding the new proposed rules, Frier Levitt can help. The public comment period is open until March 7, 2025, and submissions are an important way for stakeholders to express concerns, suggest improvements, or provide feedback on the rule’s impact.
For more detailed information, or to discuss how Frier Levitt can assist your organization to navigate these regulatory changes, contact us today.