HHS OCR Releases Notice of Proposed Rulemaking to Expand Cybersecurity Protections for ePHI

The Legal Intelligencer

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) on Dec. 27, 2024, which revises the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule in an effort to increase cybersecurity protections for electronic protected health information (ePHI).

Public comments on the NPRM are due 60 days after its publication in the Federal Register. It remains uncertain whether the Trump administration will completely rescind the NPRM or only pursue modifications, which many in the healthcare industry support due to the potentially substantial implementation costs, which are estimated to be between $6-9 billion. What is clear is that the healthcare sector has led the nation in data breaches for over a decade, which shows no signs of diminishing. Of note, even if the NPRM is weakened in any way, many states maintain statutes and regulations requiring security of sensitive personal information. While the NPRM is under review, the current HIPAA security rule will remain in effect.

The NPRM introduces the first significant updates to HIPAA’s security rule in over a decade. The NPRM revises definitions of existing terms and adds new key terms to align with current cybersecurity best practices. Notably, the NPRM also removes the distinction between “required” and “addressable” implementation specifications, making all of them “required” with a few exceptions, and also adds specific compliance time periods for many existing requirements. Additionally, the NPRM requires all HIPAA-regulated entities to document all security rule policies, procedures, plans and analyses.

Key modifications to the security rule outlined in the NPRM include:

Administrative Safeguards

  • Asset Inventory—requires HIPAA-regulated entities to conduct and maintain a technology asset inventory and a network map that illustrates the movement of ePHI throughout the entity’s electronic information system(s) on an ongoing basis. This must be conducted at least once annually and where there is a change to the entity’s environment or operations affecting ePHI.
  • Risk Analysis—requires risk analyses to now include: (1) a review of the HIPAA-regulated entity’s technology asset inventory and network map; (2) identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; (3) identification of potential vulnerabilities and predisposing conditions to the HIPAA-regulated entity’s relevant electronic information systems; and (4) an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Patch Management—requires HIPAA-regulated entities to implement written policies and procedures for patch management as well as to review, test, and, where applicable, modify such policies and procedures at least once annually. This further requires patching, updating, or upgrading the configuration of a relevant electronic information system within a specified period of time relative to the type of risk (e.g., low, critical, or high risk).
  • Workforce—requires notification to relevant covered entities and business associates within 24 hours when a workforce member’s access to ePHI or certain electronic information systems maintained by such covered entity or business associate is modified or terminated.
  • Security Incident—expands requirements for the planning of all contingencies and responding to security incidents. Specifically, HIPAA-regulated entities would be required to:
      ◦ Establish written policies and procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
      ◦ Perform an assessment of the relative criticality of all relevant electronic information systems and technology assets to determine the priority level for restoration;
      ◦ Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents, and how the HIPAA-regulated entity will respond to suspected or known security incidents should they occur; and
      ◦ Implement written policies and procedures for testing and modifying written security incident response plans.
  • Compliance Audits—requires HIPAA-regulated entities to conduct a compliance audit at least once annually to ensure compliance with the Security Rule requirements.
  • Oversight of Business Associates—requires that business associates verify at least once annually for covered entities (and that subcontractors also verify at least once annually for business associates) that they have deployed the technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert, and a written certification that the analysis has been performed. Also requires business associates to notify covered entities (as well as subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, and no later than 24 hours after activation.

Technical Safeguards

  • Network Segmentation—requires network segmentation.
  • Encryption—requires encryption of ePHI at rest as well as in transit, with limited exceptions.
  • Configuration Management—requires HIPAA-regulated entities to establish and use technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. Examples of new express requirements include: deploying anti-malware protection; removing extraneous software from relevant electronic information systems; and disabling network ports in accordance with the HIPAA-regulated entity’s risk analysis.
  • Audit Trails and System Logs—requires HIPAA-regulated entities to deploy technology assets and technical controls that can monitor in real-time all activity in their relevant electronic information systems, and also identify indications of unauthorized persons or unauthorized activity as determined by the entity’s risk analysis, as well as alert relevant workforce members of such indications.
  • Multifactor authentication—requires the use of multi-factor authentication for all technology assets in the HIPAA-regulated entity’s electronic information systems, with limited exceptions.
  • Vulnerability Scanning—requires vulnerability scanning at least every six months and penetration testing at least once annually.
  • Backups—requires HIPAA-regulated entities to create backups of ePHI with such frequency as to ensure retrievable copies of ePHI are no more than 48 hours older than the ePHI maintained in the HIPAA-regulated entity’s relevant electronic information systems. This also requires separate technical controls for the backup and recovery of relevant electronic information systems, which must be reviewed, tested and, where applicable, modified at least once every six months or in response to any environmental or operational changes.

Physical Safeguards

  • Facility Access Controls—requires HIPAA-regulated entities to implement written policies and procedures to limit physical access to all of its relevant electronic information systems and the facility or facilities in which they are housed, while also ensuring that authorized access is properly allowed.
  • Workstation—requires HIPAA-regulated entities to establish written policies and procedures that, among other things, specify the physical attributes of workstation surroundings, including the removal of workstations from a facility and the movement of workstations within and outside of a facility. HIPAA-regulated entities must also review, test, and, where appropriate, modify such policies and procedures at least once annually.

Many of the proposed changes to the security rule described in the NPRM have already been part of regulatory enforcement actions, including by the Federal Trade Commission and states’ Attorneys General. Executing these extensive technical changes will require substantial investments of time, money, and resources. Accordingly, while HIPAA-regulated entities should continue to monitor comments and developments related to the NPRM, they should also proactively evaluate and enhance their cybersecurity maturity as the NPRM suggests. Compliance with industry standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and HITRUST may assist HIPAA-regulated entities in complying with the NPRM’s requirements.

"HHS OCR Releases Notice of Proposed Rulemaking to Expand Cybersecurity Protections for ePHI," by Sharon R. Klein, Alex C. Nisenbaum, and Karen H. Shin was published in The Legal Intelligencer on March 24, 2025.

Reprinted with permission from the March 24, 2025, edition of The Legal Intelligencer © 2025 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.