The U.S. Department of Health and Human Services (HHS) published a Notice of Proposed Rule Making (NPRM) related to the HIPAA Security Rule, which went live on January 6, 2025, followed by a 60-day open comment period. The potential changes are the most significant to the HIPAA Security Rule in over a decade. The NPRM details some significant enhancements that covered entities and business associates, collectively “regulated entities,” should be aware of so they can begin evaluating how those enhancements may impact the organization and how best to address them if they become final.
Some of the most significant impacts include:
- All security specifications are required: There will no longer be a distinction between required or addressable.
- Definition changes: There are 22 definition changes, intended to clarify the expectations set forth in the regulation, that cast a wider net of what regulated entities will need to consider when implementing and deploying tools and/or protocols. An example of a definition change is the term “technology assets,” which will encompass all the components of electronic information systems rather than focusing only on certain components.
- Formal documentation: All Security Rule policies, procedures, plans, and analyses will be expected to be formally documented, whether in paper and/or electronic form. Furthermore, it may be required that all documentation be reviewed and updated at least every 12 months.
- Testing implemented security safeguards: Regulated entities will be required to test some safeguards every 12 months, while others may require more frequent testing. Below are examples of the testing frequencies being proposed:
- Penetration testing – at least every 12 months
- Vulnerability scanning – at least every six months
- Incident response plan testing – at least every 12 months
- Data backup and recovery testing – at least every six months
- Contingency plan testing – at least every 12 months
- Compliance audits – at least every 12 months
- Technology asset inventory and network map: Regulated entities will be required to document, review and update the inventory of all technology assets and not just those that create, receive, maintain or transmit electronic protected health information (ePHI). In addition to the inventory, data flow diagrams and network diagrams will need to be documented and reviewed at least every 12 months.
- Elevated expectations of technical controls: Technical controls that are considered best practice will now become requirements, which include, but are not limited to, the following:
- Multi-factor authentication (MFA)
- Encryption of ePHI in transit and at rest
- Network segmentation
- Expanded notification requirements: New expectations and timelines for notifying other regulated entities of events that may impact them, so they can assess and respond accordingly, would include:
- Workforce security access changes or terminations: Notifications to other regulated entities are expected to be made as soon as possible, but no later than 24 hours after the workforce member’s authorization of access is changed or terminated.
- Contingency plan activation within a business associate agreement (BAA): A business associate would be required to report to a covered entity that they activated their contingency plan without unreasonable delay, but no later than 24 hours after activation.
- More specificity to achieve compliance: Details such as frequencies and/or expectations are provided for some specifications to assist regulated entities in meeting compliance. Examples include:
- Data backups – Entities must ensure that copies of ePHI maintained are no more than 48 hours older than the ePHI maintained in the relevant electronic information system.
- Patch implementation – Critical patches are expected to be applied within 15 calendar days and high-risk patches are expected to be applied within 30 calendar days.
- Security awareness training – New workforce members are expected to complete security awareness training within 30 days after the first access to the entity’s electronic information systems and training must be provided every 12 months thereafter.
- Information system activity review – Deploy tools that provide the regulated entity with real-time audit logging and monitoring of any activity that could present a risk to ePHI.
- Unique identifiers – Similar to unique identifiers for user accounts, all technology assets will be required to have a unique identifier.
- Group health plans – Plan sponsors will be required to report to group health plans if they activated their contingency plan no later than 24 hours after activation.
- Healthcare clearinghouses – Entities with clearinghouse activities will be required to isolate such activities and establish written procedures specific to the clearinghouse activities.
Recommended next steps
Although regulated entities are not yet required to comply with these changes, we recommend that they review what elements would be needed should these changes make it into a final rule, and also consider how to address:
- Evidence: Ensure proper evidence is available to support the organization’s compliance with these requirements, which should include the effort to comply, along with results and how the results are being addressed.
- Exceptions: For specifications that are now required and have established exception protocols, regulated entities may need to consider how to align their exception process to adhere to these proposed definitions.
- Roadmap: Even if some of these changes and their details are not accepted within the final rule, regulated entities may fare better during an investigation if they consider leveraging the NPRM as a roadmap of HHS’s expectations in achieving compliance. This will demonstrate to HHS investigators the regulated entity’s culture of compliance and commitment to security best practices.
Chip Wolford, Daniel Stone and Juli Ochs also contributed to this post.
For more information about these proposed changes and our healthcare and data privacy consulting services or to receive a comprehensive healthcare information security analysis, contact us.