Top 10 takeaways from the new HIPAA security rule NPRM

Thomson Reuters

Authored Article


On Jan. 6, 2025, the U.S. Department of Health and Human Services (HHS) proposed new regulations to enhance cybersecurity protections for electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA). This Notice of Proposed Rulemaking (NPRM) marks the first significant update since the HIPAA Security Rule's original publication in 2003 and its last revision in 2013.

HHS provided multiple justifications for this proposal, including, among others, the high utilization of electronic medical records among providers, the associated risks to patient safety during a cyber incident, and the inconsistent implementation of security controls under the current framework. Thus, HHS proposes significant updates to the Security Rule aimed at strengthening data security and compliance requirements, including more rigorous security controls and processes to protect against, or minimize the impact of, a cyber incident.

After analyzing the proposed rule, here are our Top 10 key takeaways from the NPRM.

1. Annual technical inventory and data mapping requirement

Although a critical step in evaluating security risks to ePHI, the HIPAA Security Rule does not currently mandate a formal data and technology asset inventory.
 
The NPRM proposes a new administrative safeguard, requiring regulated entities to conduct and maintain written inventories of assets (e.g., hardware, software, electronic media, data, etc.) capable of creating, receiving, maintaining, or transmitting ePHI, and to create a map showing the movement of ePHI throughout the organization.
 
HHS proposes these inventories and maps be updated at least annually or when certain events occur, including threats to ePHI, security incidents, changes in law, and transactions or technology acquisitions that impact the entity.
 

2. More rigorous security risk assessments

While conducting a risk analysis has always been a core requirement, the NPRM proposes more detailed specifications for the risk analysis process.
 
These include reviewing the technology asset inventory, identifying anticipated threats and vulnerabilities, documenting security measures, establishing policies and procedures for tracking risks and vulnerabilities, and making documented "reasonable determinations" of the likelihood and potential impact of identified threats and vulnerabilities.
 

3. Rigorous vendor oversight

HHS has generally refrained from imposing specific oversight responsibilities on covered entities regarding their vendors' compliance with the Security Rule — beyond obtaining substantial assurances through a business associate agreement (BAA). In FAQs reaffirmed as recently as 2023, HHS stated that entities are not required to actively oversee how their business associates implement HIPAA safeguards.
 
However, the NPRM includes significant changes for covered entities, business associates, and BAAs. Regulated entities now would be required to assess the risks of entering a downstream BAA based on the written verifications from the business associate, which would need to be validated by a cybersecurity subject matter expert and certified by a person of authority at the business associate.
 
Further, business associates and their subcontractors would be required to notify covered entities within 24 hours of activating their contingency plan. Similar to the 2013 HITECH rule, HHS proposes a transition period, allowing entities to update BAAs while maintaining compliance with prior requirements. HHS has proposed a compliance date 180 days after the Final Rule's effective date, which works out to 240 days after its publication.
 

4. Mandatory authentication controls

One significant categorical change is that HHS would remove the existing flexibility under "addressable" security standards. The HIPAA Security Rule includes both "required" and "addressable" implementation specifications. Required specifications are mandatory, but addressable specifications provide entities with the flexibility to adopt an equivalent alternative when adoption is not reasonable and appropriate. Multi-factor authentication (MFA) currently is an addressable authentication control that adds an additional layer of security to protect ePHI accessible from the internet.
 
Under the NPRM, however, HHS would require MFA for all technology assets, with limited exceptions for certain legacy systems and pre-March 2023 FDA-approved medical devices, provided the entity has a transition plan in place to migrate ePHI to MFA-supported technology. In its public comments, the American Medical Association supported retaining addressable flexibility for rural and small to medium-sized physician practices to address measures based on their risk assessment, existing security measures, and available resources.
 

5. Mandatory encryption standards

Likewise, encryption methods would no longer be an addressable requirement. HHS seeks to reduce breach risks by requiring entities to deploy encryption of ePHI on servers, laptops, mobile devices, and during transmission, with limited exceptions (e.g., individual requests for unencrypted ePHI). Commentators likewise have raised concerns about managing legacy systems and the financial challenges of deploying encryption across all ePHI systems.
 

6. Formalize incident response planning

The NPRM would require more-formalized written security incident response plans and procedures, documenting how workforce members are to report suspected or known security incidents, as well as how the regulated entity should identify, mitigate, remediate, and eradicate any suspected or known security incidents.
 
Incident response plans must be reviewed and tested at least once every 12 months and modified thereafter as reasonable and appropriate.
 

7. Disaster recovery and backups

The NPRM would add additional implementation standards that impact contingency planning. HHS is proposing a new "criticality analysis" implementation specification, requiring regulated entities to analyze their relevant electronic information systems and technology assets to determine priority for restoration. Recognizing that other IT systems and assets may be crucial to patient care or other business needs, this analysis is not limited to only systems that create, receive, maintain, or transmit ePHI.
 
The NPRM also adds new or more specific language to the existing implementation standards, such as requiring entities (1) to ensure that procedures are in place to create and maintain "exact" backup copies of ePHI during an applicable event; (2) to restore critical relevant electronic information systems and data within 72 hours of an event; and (3) as noted above for business associates, to notify upstream covered entities within 24 hours of activating their contingency plans.
 

8. Annual compliance audits

Recognizing that compliance audits are important to maintaining a robust security program, HHS would now require regulated entities to conduct annual compliance audits to ensure adherence to the Security Rule's standards and specifications. Such audits must be performed at least once every 12 months. HHS, however, does not specify whether the audits should be performed internally or by an external party.
 

9. Workforce security access management

The NPRM proposes that, with respect to ePHI or relevant electronic information systems, regulated entities would need to establish and implement written procedures that (1) determine whether access is appropriate based on a workforce member's role; (2) authorize access consistent with the Minimum Necessary Rule; and (3) grant and revise access consistent with role-based access policies.
 
Additionally, HHS proposes new termination procedures that would require a workforce member's access to be terminated as soon as possible, but no later than one hour after the employment or work arrangement ends. HHS also proposes that regulated entities notify other regulated entities within 24 hours if the workforce member is or was authorized to access ePHI at those other entities. Such workforce security policies must be reviewed and tested every 12 months and should be modified as reasonable and appropriate thereafter.
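One way a security team could measure itself against the proposed one-hour termination deadline is to reconcile HR separation times with the identity system's audit log. The following is an added example, not code from the article or from HHS; the HR records, the IAM log format and the `DISABLE_ACCOUNT` action name are constructed for illustration.

```python
from datetime import datetime, timedelta

# Deadline proposed in the NPRM: access terminated no later than one hour
# after the employment or work arrangement ends.
TERMINATION_DEADLINE = timedelta(hours=1)

# Constructed sample HR separations: user -> time the work arrangement ended (UTC).
HR_SEPARATIONS = {
    "jdoe": "2025-03-10T14:00:00",
    "asmith": "2025-03-10T09:30:00",
    "bwong": "2025-03-11T17:00:00",
    "cperez": "2025-03-09T08:00:00",
}

# Constructed sample IAM audit log: "<ISO timestamp> <action> <user>".
# The DISABLE_ACCOUNT action name is an assumption for this example.
IAM_LOG = """\
2025-03-10T14:25:00 DISABLE_ACCOUNT jdoe
2025-03-10T11:45:00 DISABLE_ACCOUNT asmith
2025-03-10T14:30:00 PASSWORD_RESET jdoe
"""


def parse_iam_log(text):
    """Return {user: earliest DISABLE_ACCOUNT timestamp} from the audit log."""
    disabled = {}
    for line in text.splitlines():
        ts, action, user = line.split()
        if action != "DISABLE_ACCOUNT":
            continue
        t = datetime.fromisoformat(ts)
        if user not in disabled or t < disabled[user]:
            disabled[user] = t
    return disabled


def check_terminations(separations, iam_log, now):
    """Classify each separated user's deprovisioning against the one-hour deadline.

    Returns {user: (status, lag)} where status is 'ok' (disabled within one hour),
    'late' (disabled, but after the deadline), 'pending' (not yet disabled, deadline
    not reached) or 'missing' (not disabled and the deadline has passed).
    """
    disabled = parse_iam_log(iam_log)
    results = {}
    for user, ended in separations.items():
        ended_at = datetime.fromisoformat(ended)
        if user in disabled:
            lag = disabled[user] - ended_at
            results[user] = ("ok" if lag <= TERMINATION_DEADLINE else "late", lag)
        else:
            lag = now - ended_at
            results[user] = ("pending" if lag <= TERMINATION_DEADLINE else "missing", lag)
    return results
```

Running `check_terminations(HR_SEPARATIONS, IAM_LOG, datetime.fromisoformat("2025-03-11T17:30:00"))` flags asmith as late and cperez as missing, which is the evidence an annual review of the workforce security policy would need.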
 

10. Network testing, segmentation, and configuration

A slew of new technical controls comes with the Security Rule update. Of note, regulated entities would be required to conduct vulnerability scanning at least every six months. Penetration testing would also have to be performed at least once every 12 months.
 
HHS also proposes new network segmentation requirements. Network segmentation is a physical or virtual division of a network into multiple segments, creating boundaries to reduce risks of lateral movement during an attack. The new network segmentation specification requires regulated entities to establish, implement, and maintain policies and procedures to ensure that ePHI is segmented to limit system access in a reasonable and appropriate manner.
 
If finalized, the proposed rule would require regulated entities to consistently maintain technical controls across their network, including deploying anti-malware protection and removing unsupported software susceptible to new vulnerabilities.
 
The comment period for the NPRM ended March 7, 2025, with over 4,000 comments submitted. Stay tuned as we continue to track this rule's progress.
 
Republished with permission. The original article, "Top 10 takeaways from the new HIPAA security rule NPRM," was published by Reuters Legal and also appeared in WestLaw Today on March 14, 2025.