"Security! Security!" HHS Proposes Updates to HIPAA’s Security Rule
By Erica Erman, Attorney
Dickinson Wright PLLC
Original Publish Date: February 4, 2025
Can you remember healthcare security 20+ years ago? It seems like a different world from now. Believe it or not, the HIPAA Security Rule has barely changed since it was first published in 2003[1] and has long been overdue for a significant remodel. Read on for highlights of the proposed new Security Rule and action items.
A Very Brief HIPAA History
As a quick background, the HIPAA Security Rule was written in large part to create minimum security standards for electronic protected health information (ePHI) and to protect patients' rights over their healthcare data. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 added the now well-known Breach Notification Rule, extended direct liability for Security Rule compliance to business associates, and made other significant changes in an effort to protect patient information. As healthcare professionals well know, much of the onus of protecting that information has fallen on HIPAA-covered entities, their business associates, and providers.
Questions, Concerns, Complaints – Comment Period Is Open
On January 6, 2025, the proposed new HIPAA Security Rule was added to the Federal Register. For any of our readers interested in filing comments to the proposed rule, please note that the comment period is open until March 7, 2025 (60 days after the proposed rule was published).
What Is In the Proposed Security Rule?
1. First and foremost, the new Security Rule removes the distinction between "required" and "addressable" implementation specifications to make clear that all listed security measures are required. "Addressable" never meant optional: under the current rule, an entity must either implement an addressable specification or document why doing so is not reasonable and appropriate and implement an equivalent alternative measure. The label simply gave each entity flexibility in how to implement the standard practically and successfully for its particular environment. Many healthcare entities that have been treating "addressable" items as "optional" will have significant policy work to update and implement quickly.
2. Think of the proposed changes as requirements to implement up-to-date cybersecurity best practices. Here are some of the best practices that the proposed Security Rule would require:
- Encryption and Multifactor Authentication – many healthcare entities have already found encryption of ePHI at rest and in transit, and multifactor authentication for access to systems holding ePHI, to be prudent and necessary. Under the proposed rule they become required safeguards, with only narrow exceptions.
- Backing Up Data – maintaining separate technical controls to enable backup and recovery of ePHI.
- Spring Cleaning – the proposed Security Rule requires entities to actively remove unnecessary software from their electronic information systems and, similarly, to disable unused network ports in accordance with their risk analysis.
- Protection – anti-malware protection is required.
- Tests, tests, tests – Security Rule compliance audits must be conducted at least every 12 months. Reviews and tests of security measures must be conducted at least every 12 months. Penetration testing must be conducted at least every 12 months. Vulnerability scans must be conducted at least every 6 months.
- Getting Back Up and Running Faster – entities must develop written procedures for restoring critical systems and data within 72 hours. The procedures must take into account the criticality of each system and its data and prioritize restoration accordingly.
- Business Associate Check-Up – entities must verify their business associates' and contractors' security measures at least every 12 months.
- Box It Off – networks must be segmented to limit how far an intruder can move once inside.
- Software Patches – software patches and updates must be applied in a timely manner; the proposed rule sets specific deadlines, including 15 calendar days for critical-risk and 30 calendar days for high-risk vulnerabilities, once the entity learns of them.
- Network Map – the proposed rule requires entities to develop and maintain a technology asset inventory and a network map showing the movement of ePHI through the entity's electronic information systems, updated whenever the environment changes and at least every 12 months.
- Risk Analysis – in short, you can’t have enough risk analysis. The proposed Security Rule requires entities to engage in multiple layers and levels of identifying risk. These steps include:
- A review of the technology asset inventory and network map (addressed above);
- Identifying all reasonably anticipated threats to ePHI (including probable human and natural incidents that can negatively affect the entity's ability to protect ePHI);
- Identifying potential vulnerabilities and predisposing conditions to the entity’s electronic information systems;
- Determining the likelihood that a threat would exploit one of those vulnerabilities, and then determining the impact of such a threat (depending on the threat event, some impacts may be able to be measured quantitatively and others qualitatively).
- These risk assessment results must be documented and principally should detail: (1) All scenarios in which an identified threat can exploit an identified vulnerability (a threat/vulnerability pair); and (2) the likelihood and impact calculations, and the overall risk to ePHI for the threat/vulnerability pair. HHS recommends that HIPAA-covered entities consider sharing the risk assessment results with organizational leadership, whose involvement can be crucial to the organization’s ongoing risk management.
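As an added illustration (not part of the article and not an HHS tool), the Python sketch below ties those steps together: it takes a small asset inventory with network-map flows, works out which assets are in scope for ePHI, pairs each identified threat with the vulnerabilities it can exploit, scores likelihood and impact, and produces the documented threat/vulnerability pairs ranked by overall risk. The 1–5 ordinal scales, the asset, threat and vulnerability names, and the "risk = likelihood × impact" convention are constructed assumptions; the proposed rule prescribes none of them.

```python
"""Minimal ePHI risk-analysis register (added example; assumes its own scales and data)."""
from dataclasses import dataclass, field
from itertools import product

# Assumed five-point ordinal scale for qualitative likelihood and impact ratings.
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Asset:
    """One row of the technology asset inventory; flows_to are network-map edges."""
    name: str
    holds_ephi: bool
    flows_to: list = field(default_factory=list)


@dataclass
class Threat:
    name: str
    kind: str          # "human" or "natural"
    likelihood: str    # qualitative rating from SCALE


@dataclass
class Vulnerability:
    name: str
    asset: str
    exploitable_by: set  # names of threats that can exploit this weakness
    impact: str          # qualitative rating from SCALE


def ephi_exposure(assets):
    """Assets that store ePHI plus every asset that receives it along a mapped flow."""
    by_name = {a.name: a for a in assets}
    exposed = {a.name for a in assets if a.holds_ephi}
    changed = True
    while changed:  # propagate along the network map until no new asset is reached
        changed = False
        for name in list(exposed):
            for dst in by_name[name].flows_to:
                if dst in by_name and dst not in exposed:
                    exposed.add(dst)
                    changed = True
    return exposed


def build_register(assets, threats, vulns):
    """Document each threat/vulnerability pair on an ePHI-exposed asset, ranked by risk."""
    exposed = ephi_exposure(assets)
    register = []
    for t, v in product(threats, vulns):
        if t.name not in v.exploitable_by or v.asset not in exposed:
            continue  # not a real pair, or the asset never touches ePHI
        lik, imp = SCALE[t.likelihood], SCALE[v.impact]
        register.append({"threat": t.name, "threat_kind": t.kind,
                         "vulnerability": v.name, "asset": v.asset,
                         "likelihood": lik, "impact": imp, "risk": lik * imp})
    register.sort(key=lambda r: (-r["risk"], r["asset"]))
    return register


def sample_register():
    """Constructed inventory, threats and vulnerabilities for a small practice."""
    assets = [
        Asset("EHR database", True, ["Backup server", "Billing portal"]),
        Asset("Backup server", False),
        Asset("Billing portal", False),
        Asset("Marketing website", False),  # never receives ePHI
    ]
    threats = [
        Threat("Ransomware operator", "human", "high"),
        Threat("Credential phishing", "human", "very high"),
        Threat("Flood at primary site", "natural", "low"),
    ]
    vulns = [
        Vulnerability("Single-factor remote access", "EHR database",
                      {"Ransomware operator", "Credential phishing"}, "very high"),
        Vulnerability("Backups writable from production", "Backup server",
                      {"Ransomware operator"}, "high"),
        Vulnerability("Backups co-located with primary site", "Backup server",
                      {"Flood at primary site"}, "high"),
        Vulnerability("Outdated CMS plugin", "Marketing website",
                      {"Ransomware operator"}, "low"),
    ]
    return build_register(assets, threats, vulns)


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['risk']:>2}  {row['asset']:<15} {row['threat']} -> {row['vulnerability']}")
```

Note that the marketing website's weakness drops out of the register entirely because the network map shows no ePHI reaching it, while the backup server's weaknesses stay in scope even though it is not flagged as an ePHI store: that is the point of maintaining the map alongside the inventory.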
That’s Not All: Highlights of Privacy Rule HIPAA Changes
The HIPAA Security Rule is not the only part getting a makeover. The Privacy Rule is getting significant touch-ups of its own:
- Patient Access: Patients would be expressly allowed to take notes and photographs of their PHI. HIPAA-covered entities would be required to have designated locations in their offices where patients can privately inspect their PHI and take photos of it.
- Timely Access: The timeframe for providing patient records would be shortened from 30 days to 15 days. The extension period would also be shortened to 15 days, so healthcare providers would have a maximum of 30 days (ideally 15 days) to get requested records to patients.
- Practice Pointer: There will likely be mandatory re-training of employees on the new HIPAA requirements.
HHS also recently updated 42 CFR Part 2 to align more closely with HIPAA. You can read more about these changes in my blog post: "2024 Revisions to Part 2: Key Changes, Impact, and Compliance Tips," available here.
You can find the proposed Security Rule and additional background information here.
[1] The Health Insurance Portability and Accountability Act (HIPAA) itself was signed into law in 1996, and the modified HIPAA Privacy Rule was enacted in 2002.