Last fall, the Office for Civil Rights (OCR) promised covered entities and business associates that it would be releasing a highly anticipated proposed rule to update the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI) before the end of the year. With just days to spare, the agency delivered an unpublished version of the notice of proposed rulemaking (NPRM) on December 27, 2024, along with a Fact Sheet. The NPRM was published in the Federal Register on January 6, 2025. The NPRM marks the first update to the HIPAA Security Rule in over a decade (with the 2013 HITECH Final Rule) and the first significant changes to the regulations since their inception over 20 years ago. Public comments on the NPRM are due on March 7, 2025.
The NPRM comes during an era of increased frequency and sophistication of cyberattacks. In its press release announcing the NPRM, OCR noted the substantial increase in large breaches reported to the agency in the last five years, including a 102% increase in reported large breaches caused by ransomware and an 89% increase in reported large breaches caused by hacking. The NPRM, OCR states, is necessary to address the significant shifts in the health care landscape since the rule’s last update, inconsistent compliance and noncompliance with the HIPAA Security Rule by regulated entities (both covered entities and business associates alike), and the industry’s need for clarity in applying the rule.
The proposed changes to the HIPAA Security Rule would be a transformational change — moving away from a flexible approach to account for the various types of regulated entities to a more rigid approach, with prescriptive, strict security requirements that are arguably beyond what we have seen from other federal and state cyber regulators (such as the Federal Trade Commission’s Amended Safeguards Rule and New York State Department of Financial Services’ (NYDFS) Cybersecurity Regulation).
OCR estimates the total first-year cost of compliance with the proposed HIPAA Security Rule modifications across all regulated entities to be approximately $9 billion, with annual recurring costs estimated at $6 billion the following four years. OCR argues that the substantial costs are justified by the long-term benefits of reduced breaches (and breach costs), as well as patient safety.
Definitions (45 C.F.R. Secs. 160.103 and 164.304)
The NPRM proposes one change to the term “electronic media” at Section 160.103 and introduces 10 newly defined terms and modifications to 14 existing terms at Section 164.304.
The proposed revision of the definition of “electronic media” would include not only storage material where data is recorded but also where it is maintained or processed, such as voice over internet (VoIP) technologies; technologies that electronically record, transcribe, or summarize telehealth sessions or other patient encounters; and messaging services that electronically store audio messages. This revision acknowledges the increasing use of diverse technologies for storing and processing ePHI, including cloud-based systems, other digital memory or storage, and artificial intelligence. The definition would also include updating the existing list of examples of what constitutes electronic storage material to include a catch-all for future technology developed for recording, maintaining, or processing data.
The NPRM also introduces new security-focused terms: deploy, implement, electronic information system, multi-factor authentication, relevant electronic information system, risk, technical controls, technology asset, threat, and vulnerability. For example, the NPRM clarified that “threat” would be defined as “any circumstance or event with the potential to adversely affect the confidentiality, integrity, or availability of ePHI.”
In response to concerns that regulated entities were merely establishing written policies and procedures about technical requirements, OCR also added definitions of “deploy” and “implement” to clarify the actual requirement to operationalize written security policies and procedures, emphasizing the need for both planning and action in protecting ePHI:
- “Deploy” means “to configure technology for use and implement such technology.” Deploy is meant to be a specific type of “implementation” for the use of technology.
- “Implement” means “to put into effect and be in use, operational, and function as expected throughout the covered entity or business associate.” This added definition is intended to clarify that a safeguard must actually be in place, functioning as expected, throughout the enterprise, not only on some information systems or ePHI.
OCR also proposes to modify previously defined terms in the HIPAA Security Rule, including: access, administrative safeguards, authentication, availability, confidentiality, information system, malicious software, password, physical safeguards, security or security measures, security incident, technical safeguards, user, and workstation. Modifications are meant to align the terms with the other changes to the rule, including expanded definitions. For example, “access” would include deletion and transmission activities, and “security or security measures” would be expanded to cover safeguards applied to information systems, not just those in the systems.
Security Standards: General Rules (45 C.F.R. Sec. 164.306)
OCR aims to balance the rule’s flexibility and scalability against the inconsistent application of HIPAA Security Rule standards to ePHI. The agency is concerned that regulated entities have (1) focused on the cost of security measures over their reasonableness and appropriateness; (2) relied on flexibility and scalability at the expense of protecting all ePHI; and (3) misinterpreted addressable implementation specifications to mean they are optional. To address its concerns, OCR proposes, for example:
- Clarifying that regulated entities must apply the HIPAA Security Rule requirements to all ePHI. This simple, but important, revision addresses OCR’s concern that some regulated entities are misinterpreting the rule to apply to only some ePHI.
- Eliminating the distinction between “required” and “addressable” implementation specifications and requiring regulated entities to comply with all standards and implementation specifications. The rule uses a two-tiered structure of standards and implementation specifications to define its requirements. Each standard represents a required safeguard, while the implementation specifications provide further instruction on how the regulated entity should meet that standard.
- Adding a new element for entities to consider when designing a particular security measure: the effectiveness of the security measure in supporting the resiliency of the regulated entity. “Resiliency” refers to the entity’s ability to withstand and recover from adverse events.
- Increasing specificity in the maintenance requirements (to test security measures) by delineating maintenance implementation specifications for specific administrative, physical, and technical standards. Per OCR, regular review and modification of security measures helps regulated entities address evolving cybersecurity threats so they remain effective in their protection of ePHI.
Administrative Safeguards (45 C.F.R. Sec. 164.308)
The NPRM emphasizes the importance of administrative safeguards to manage and execute security measures. OCR proposes changes to address common failures of regulated entities to perform all elements of the risk management process for all relevant electronic information systems and to ensure that the business associates to whom covered entities entrust their ePHI have appropriate safeguards to protect the ePHI. The proposed changes include, for example:
- Adding a new requirement for regulated entities to maintain an accurate technology asset inventory and network map of their electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI, which must be updated every 12 months. OCR expects regulated entities to have a fulsome understanding of where ePHI resides and how it moves throughout electronic information systems within the regulated entities’ environments, how it enters and exits the regulated entities’ environments, and how ePHI may be accessed outside the regulated entities’ networks.
As technology environments have become more complex, with many more connected devices and technology assets, this new requirement will likely be a significant undertaking for regulated entities, not only initially but also to regularly maintain and update. This is particularly the case because the technology asset inventory requirement is not limited to certain assets, such as corporate-owned assets; rather, it applies to all assets that may affect the confidentiality, integrity, or availability of ePHI. Further, similar to the asset inventory requirement in the NYDFS’s recent second amendment of its Cybersecurity Regulation (summarized here), the proposed written technology asset inventory must include the version of the technology asset, the person accountable, and the location of each technology asset (which can be challenging given the variety of assets, many of which may be legacy health care technology assets difficult to track).
- Mandating a comprehensive written assessment of potential risks and vulnerabilities to ePHI, including greater specificity on the components of the risk analysis and how to conduct the risk analysis. The requirement to perform a risk analysis would be elevated from an implementation specification to a standard, and eight implementation specifications would be added, including a review of the technology asset inventory and map, identification of all reasonably anticipated threats to ePHI, and documentation requirements. Regulated entities also would be required to review, verify, and update the written assessment every 12 months.
- Adding new standards for patch management. Regulated entities would be required to implement policies and procedures for installing patches, updates, and upgrades throughout their relevant electronic information systems. Under the proposed amendment, “critical” risks must be patched within 15 calendar days and “high” risks within 30 calendar days of identifying the need to patch.
- Adding specificity to the requirement to review information systems activity by elevating the current implementation specification to a standard and adding five new implementation specifications to the standard.
- Requiring regulated entities to terminate workforce member access to ePHI no later than one hour after termination, and if the workforce member accesses ePHI through another entity (such as a business associate accessing a covered entity’s systems), notifying that entity no later than 24 hours after the termination. These very quick timeframes would likely require automated processes.
- Mandating workforce training every 12 months and including in such training how to detect malicious software and social engineering.
- Strengthening requirements for responding to security incidents, including establishing a written incident response plan, implementing procedures for testing and revising the incident response plan at least once every 12 months, and more prescriptive actions to be taken to respond to a suspected or known security incident, including identifying and remediating the root causes of the security incident. Regulated entities must also maintain written contingency plans that must be tested at least once every 12 months. These plans must include disaster recovery plans that address restoration of critical information systems and data within 72 hours of the loss. The current rule does not include any such timeline; the 72-hour timeline may be difficult to meet because there are typically a number of critical and competing priorities that must be addressed within the first 72 hours of a security incident.
- Adding new standards for annual compliance audits, requiring regulated entities to review their compliance with the HIPAA Security Rule at least once every 12 months.
- Requiring covered entities to obtain from business associates (and business associates from subcontractors) verification of the deployment of technical safeguards at least once every 12 months. HHS specifically used “deployed” here to ensure that the business associate verifies that the technology is configured and operational, not merely addressed in policies and procedures. The verification would include written analysis of the business associate’s relevant electronic information systems by a subject-matter expert and a written certification that the analysis has been performed and is accurate.
Physical Safeguards (45 C.F.R. Sec. 164.310)
The NPRM largely retains existing physical safeguards, while adding clarity to the regulatory text and emphasizing the mobile nature of ePHI. OCR’s proposals include, for example:
- Clarifying that physical safeguards apply to all ePHI and relevant technology assets within a regulated entity’s facility.
- Requiring that plans for contingency operations, facility security, and access control and validation procedures must be in writing.
- Explaining that policies and procedures must address physical attributes of workstations, including their movement within and outside a facility, and whether they are located in areas more vulnerable to loss or theft.
- Expanding the standard for “device and media” controls to “technology asset” controls to more accurately capture the various categories of a regulated entity’s electronic information systems.
- Requiring regulated entities to review and test their security measures at least once every 12 months.
Technical Safeguards (45 C.F.R. Sec. 164.312)
The NPRM seeks to strengthen technical controls and improve compliance by providing clarity to the regulatory text. According to OCR, the proposed changes are intended to address regulated entities’ purported failure to achieve the degree of protection the agency expects. OCR also recognizes in its proposals the health care industry’s general shift to a digital environment and the increasingly low cost and accessibility of technical solutions, such as encryption. The proposed changes include, for example:
- Enhancing access controls by requiring detailed procedures for user and asset identification, login attempts, and inactivity.
- Adding a network segmentation requirement, which is a physical or virtual division of a network into multiple segments. Network segmentation creates boundaries between the operational and IT networks to reduce risks, such as threats caused by phishing attacks. The proposed rule does not specify how or to what extent the network segmentation must be configured, just that it be reasonable and appropriate.
- Elevating encryption from an implementation specification to a standard, requiring encryption that meets “prevailing cryptographic standards” for all ePHI at rest and in transit, with limited exceptions, such as when the technology asset in use does not support encryption. This would be a significant undertaking, specifically encryption at rest, and it is unclear whether disk-level, file-level, or data-level encryption would be required.
- Requiring regulated entities to deploy anti-malware software on all technology assets, remove extraneous software from the regulated entity’s information systems, and disable network ports in accordance with the regulated entity’s risk analysis.
- Requiring a more detailed audit trail and logging, and the deployment of technical controls for real-time monitoring of all activity occurring in a regulated entity’s relevant electronic information systems to identify indications of unauthorized persons or activity. “Activity” is defined as “creating, accessing, receiving, transmitting, modifying, copying, or deleting… electronic protected health information [ePHI] [or] relevant electronic information systems and the information therein.” Based on this definition and the more detailed audit trail and logging requirement, regulated entities seemingly may need to maintain activity logs, not just authentication and access logs. While activity logs (theoretically) may help regulated entities more quickly identify a potential security incident, activity logs are also notoriously voluminous, requiring significant storage (which is costly). Further, deploying monitoring tools and developing alerting rules to detect suspicious activity may require significant, ongoing resources because the alerting rules will likely need to be configured and regularly tweaked to account for the evolving cyber landscape.
- Mandating the use of multi-factor authentication (MFA). With limited exceptions (similar to the exceptions for encryption, such as if the technology asset does not support MFA), MFA would be required for all technology assets in a regulated entity’s relevant electronic information systems to verify that the person seeking access to its relevant electronic information system is the user that the person claims to be. In the limited exceptions, OCR requires compensating controls and a written plan to migrate ePHI to a technology asset that supports MFA. This MFA requirement is similar to other recent amendments to state and federal cyber regulations, including the FTC’s Amended Safeguards Rule and the NYDFS’s second amendment to its Cybersecurity Regulation.
- Requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Requiring regulated entities to deploy technical controls to create and maintain exact retrievable copies of ePHI that are no more than 48 hours old. Tests of data restoration would be required at least monthly. In addition, under the proposed changes, electronic information systems must be backed up at least once every six months or in response to environmental or operational changes.
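Several of the proposed requirements above are hard deadlines that a compliance program will want to measure rather than merely document: the 15- and 30-day patch windows for critical and high risks, the one-hour window for removing a terminated workforce member’s access, and the 48-hour currency requirement for retrievable copies of ePHI. The script below is an added example (not OCR’s text and not the law firm’s work product) that evaluates constructed inventory records against those three timelines; the record shapes, system names, and user names are invented for illustration, and the deadline constants are taken from the proposal as summarized here, so they would need to be updated if the final rule changes them.

```python
"""Measure constructed inventory records against the NPRM's proposed timelines.

Example code added to this summary; not from OCR or the authors of the advisory.
The three deadline constants mirror the proposal as summarized above; all record
data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Timelines as stated in the proposed rule. Only this table needs to change
# if the final rule adopts different numbers.
PATCH_DEADLINES = {"critical": timedelta(days=15), "high": timedelta(days=30)}
ACCESS_TERMINATION_DEADLINE = timedelta(hours=1)
BACKUP_MAX_AGE = timedelta(hours=48)


@dataclass
class PatchItem:
    asset: str
    severity: str                 # "critical" / "high" carry deadlines; lower tiers do not
    identified: datetime          # when the need to patch was identified
    patched: Optional[datetime]   # None while the patch is still outstanding


@dataclass
class AccessRemoval:
    user: str
    terminated: datetime
    access_removed: Optional[datetime]  # None while access still exists


@dataclass
class BackupCopy:
    system: str
    last_copy: datetime           # time of the most recent retrievable copy of ePHI


def patch_overdue(item: PatchItem, now: datetime) -> Optional[bool]:
    """True if the window was exceeded (still open, or closed late).
    None when the proposal sets no fixed deadline for the severity tier."""
    deadline = PATCH_DEADLINES.get(item.severity.lower())
    if deadline is None:
        return None
    closed_at = item.patched or now      # open items are measured up to "now"
    return closed_at - item.identified > deadline


def termination_overdue(rec: AccessRemoval, now: datetime) -> bool:
    closed_at = rec.access_removed or now
    return closed_at - rec.terminated > ACCESS_TERMINATION_DEADLINE


def backup_stale(copy: BackupCopy, now: datetime) -> bool:
    return now - copy.last_copy > BACKUP_MAX_AGE


def evaluate(now: datetime, patches: List[PatchItem], removals: List[AccessRemoval],
             backups: List[BackupCopy]) -> Dict[str, List[str]]:
    """Return, per requirement, the identifiers that miss the proposed timeline."""
    return {
        "patch_overdue": [p.asset for p in patches if patch_overdue(p, now)],
        "access_termination_overdue": [r.user for r in removals if termination_overdue(r, now)],
        "backup_stale": [b.system for b in backups if backup_stale(b, now)],
    }


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample records: hypothetical systems and users, fixed "now".
NOW = utc(2025, 2, 1, 12, 0)
SAMPLE_PATCHES = [
    PatchItem("EHR-DB-01", "critical", utc(2025, 1, 10), utc(2025, 1, 20)),  # closed in 10 days
    PatchItem("VPN-GW-02", "critical", utc(2025, 1, 5), None),               # open 27 days
    PatchItem("WS-117", "high", utc(2025, 1, 15), None),                     # open 17 days
    PatchItem("LAB-PC-09", "low", utc(2024, 11, 1), None),                   # no fixed deadline
]
SAMPLE_REMOVALS = [
    AccessRemoval("jdoe", utc(2025, 1, 31, 9, 0), utc(2025, 1, 31, 9, 40)),  # removed in 40 min
    AccessRemoval("asmith", utc(2025, 1, 31, 17, 0), None),                 # still open, 19 h
]
SAMPLE_BACKUPS = [
    BackupCopy("EHR-DB-01", utc(2025, 1, 31, 2, 0)),   # 34 h old
    BackupCopy("PACS-ARCH", utc(2025, 1, 29, 2, 0)),   # 82 h old
]


def sample_report() -> Dict[str, List[str]]:
    return evaluate(NOW, SAMPLE_PATCHES, SAMPLE_REMOVALS, SAMPLE_BACKUPS)


if __name__ == "__main__":
    for requirement, failures in sample_report().items():
        print(f"{requirement}: {', '.join(failures) or 'none'}")
```

Open items are measured up to the evaluation time rather than ignored, so an unpatched critical finding or an un-revoked account surfaces as soon as its window lapses instead of only after it is closed. Severity tiers without a fixed timeline in the proposal return `None` rather than `False`, so a report consumer can distinguish "within deadline" from "no deadline applies."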
Organizational Requirements and Transition Provisions (45 C.F.R. Secs. 164.314 and 164.318)
The proposed changes to the organizational requirements build upon the changes to the administrative and technical safeguards impacting the actions of business associates. For example, business associate agreements (BAAs) would be required to include a provision stating that a business associate must notify a covered entity of activation of its contingency plan without unreasonable delay, but no later than 24 hours after activation. Similar notification requirements would apply to business associates and their subcontractors, as well as between group health plans and their plan sponsors, ensuring consistent security practices across the health care ecosystem. The proposed rule would not affect the breach notification obligations under the Breach Notification Rule.
Recognizing the administrative burden and cost of implementing the BAA changes as proposed, OCR would provide transition provisions for compliance. New transition provisions at Section 164.318 would allow regulated entities to continue to operate under certain existing BAAs until the earlier of: (1) the date the BAA is renewed on or after the compliance date of the final rule; or (2) a year after the effective date of the final rule.
Documentation Requirements (45 C.F.R. Sec. 164.316)
The NPRM clarifies and strengthens existing documentation requirements, mandating that regulated entities maintain written documentation of all policies and procedures implemented to comply with the HIPAA Security Rule and that such documentation would include an explanation of how the regulated entity considered the factors set forth in Section 164.306 in the development of its policies and procedures. Furthermore, regulated entities would be required to document all actions, activities, and assessments required by the rule, creating a comprehensive record of their security practices. Finally, under the proposed changes, documentation must be updated at least once every 12 months.
New and Emerging Technologies
The NPRM requests comments on new and emerging technologies and their implications for ePHI security, including (1) quantum computing; (2) artificial intelligence (AI); and (3) virtual and augmented reality. The NPRM acknowledges the potential benefits of these technologies while also emphasizing the need for regulated entities to proactively address the associated risks and vulnerabilities to ePHI and incorporate these technologies into their comprehensive risk assessments. For example, before deploying an AI tool, the regulated entity’s risk analysis must consider the type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided.
What Happens Next
The NPRM may be the last significant act of the OCR under the Biden Administration. It will be up to the Trump Administration to determine if, and when, and to what extent the proposed changes in the NPRM are finalized. In the meantime, covered entities, business associates, and other interested stakeholders should take the time to understand the potential requirements of a new HIPAA Security Rule and submit their comments to OCR on or before March 7, 2025.
Alston & Bird continues to track the proposed rulemaking. Please reach out to one of our health care or privacy attorneys to discuss further or for assistance in preparing comments to the NPRM.