News & Articles

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a proposed rule that would modify the security requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The proposed rule, if adopted, would modify the HIPAA Security Rule to require covered entities and their business associates to implement more stringent cybersecurity safeguards and measures to protect electronic protected health information (ePHI). These new requirements would include, among other things:

• Requiring written documentation of all HIPAA Security Rule policies, procedures, plans, and analyses.
• Adding specific compliance periods for existing HIPAA Security Rule requirements.
• Requiring the creation of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic systems and, at least every 12 months, reviewing the asset inventory and network map.
• Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain systems is changed or terminated.
• Requiring regulated entities to conduct a compliance audit at least once every 12 months.
• Requiring business associates verify at least once every 12 months for covered entities that they have deployed technical safeguards required by the Security Rule to protect ePHI.
• Requiring covered entities to test the effectiveness of their security measures at least once every 12 months.
• Requiring network segmentation.
• Requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months.
• Requiring greater specificity for conducting a risk analysis.

These changes come in response to what the OCR sees as a “substantial increase in reports of large breach reports over the last five years.” According to the OCR, between 2018 and 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by ten times that, at 1002 percent. The proposed rule changes seek to improve the cybersecurity of critical health infrastructure by updating the Security Rule’s standards to better address the increase in cybersecurity threats in the health care sector. The proposed rule can be viewed in the Federal Register, where it is scheduled for publication on January 6, 2025. Stakeholders within the health care sector, including patients and covered entities, are welcome to submit comments on the proposed rule through regulations.gov for 60 days after its publication. While the proposed rule goes through the rulemaking process, the current Security Rule remains in effect. We will continue monitoring for developments.