At the close of 2024, the Department of Health and Human Services (HHS) Office for Civil Rights issued a proposed update to the HIPAA Security Rule. While these proposed rules have the attention of many health care providers, health plans and their business associates also should pay close attention. In addition to new technological and documentation requirements, the proposal requires plan amendments and new business associate agreements. Public comments on the rule are due by March 7, 2025.
Health plans will need to comply with most of the new Security Rule requirements 180 days after the final rule’s effective date. Health plans have more obligations under the proposed rule than other HIPAA covered entities (health care providers and health care clearinghouses), and some requirements may be harder for plans to meet than for those other covered entities.
Business associates of health plans will also want to pay attention to the proposed rule because they, too, will be subject to the revised Security Rule. The rule requires business associates to notify plans (or other covered entities) without unreasonable delay, and no later than 24 hours after activation of the contingency plan that the proposed Security Rule requires them to adopt.
Plan Amendment Requirement Imposes Compliance Obligations on Both Plans and Plan Sponsors
Under the proposed rule, health plans will be required to adopt a plan amendment that applies the Security Rule to both the plan and the plan sponsor. A group health plan must ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard electronic protected health information (ePHI). This requirement applies unless the only ePHI disclosed to the plan sponsor is: (1) summary health information about an individual’s participation in or enrollment or disenrollment in a health plan; (2) summary health information for premium bids or modifying, amending, or terminating the plan; or (3) authorized by the individual. To implement this requirement, the plan amendment must require the plan sponsor to:
- Implement the administrative, physical, and technical safeguards that covered entities and business associates must implement under 45 C.F.R. §§ 164.308(a), 164.310, and 164.312.
- Ensure adequate separation from the plan is supported by the administrative, physical, and technical safeguards.
- Make sure that any agent to whom the plan sponsor provides the plan’s ePHI implements the administrative, physical, and technical safeguards.
- Report to the plan any security incident of which it becomes aware.
- Report to the plan, without unreasonable delay and in no case later than 24 hours after it occurs, any activation of the plan sponsor’s contingency plan adopted consistent with the proposed Security Rule’s administrative safeguard requirements.
Plans, Plan Sponsors, Business Associates, and Agents Must Adopt a Contingency Plan
As a result of the plan amendment requirement, both the plan (and its business associates) and the plan sponsor (and its agents) will need a written contingency plan. The proposed rule requires the contingency plan to consist “of written policies and procedures for responding to an emergency or other occurrence, including, but not limited to, fire, vandalism, system failure, natural disaster, or security incident, that adversely affects relevant electronic information systems.” The written contingency plan requirements include:
- Criticality Analysis. Perform and document an assessment of the relative criticality of relevant electronic information systems and technology assets.
- Data Backups. Establish and implement written procedures to create and maintain exact retrievable copies of ePHI, including verification that the ePHI has been copied accurately.
- Information Systems Backups. Establish and implement written procedures to create and maintain backups of relevant electronic information systems, including verification of success of backups.
- Disaster Recovery Plan. Establish (and implement as needed) written procedures to restore: (1) critical relevant electronic information systems and data within 72 hours of the loss; and (2) other relevant electronic information systems and data in accordance with the criticality analysis.
- Emergency Mode Operation Plan. Establish (and implement as needed) written procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
- Testing and Revision Procedures. Establish written procedures for testing and revising contingency plans. Review and test contingency plans at least once every 12 months, document the results of such tests, and modify such contingency plans as reasonable and appropriate in accordance with the results of those tests.
Plan Amendment, Contingency Plan, and Compliance with Most New Requirements Required Within 240 Days After Final Rule Published
Like most of the new or updated requirements in the proposed Security Rule, the plan amendment and contingency plan will need to be adopted within 180 days after the effective date of the final rule. The final rule’s effective date will be the date 60 days after its publication in the Federal Register. As a result, plans and plan sponsors will need to move quickly to establish and implement the new Security Rule once it is finalized.
New Business Associate and Subcontractor Agreements Required, but Longer Transition Period Might Be Available
The proposed Security Rule requires plans and their business associates to execute new business associate or subcontractor agreements. However, this requirement has a longer transition period under the proposed rule. As proposed, a limited deemed compliance period is available if: (1) the written contract with the business associate (or subcontractor) complies with the requirements for business associate agreements under the current rule; and (2) the business associate agreement is not renewed or modified from 60 days after publication of the final rule in the Federal Register until 240 days after publication. A business associate (or subcontractor) agreement that meets those requirements shall be deemed compliant until the earlier of: (1) the date the contract or arrangement is renewed on or after 240 days after the final rule’s publication; or (2) one year and 60 days after the final rule’s publication.
Proposed Security Rule Requirements
As our Health Care and Privacy, Cyber & Data Strategy teams discussed in their advisory about the proposed Security Rule updates that are generally applicable to HIPAA covered entities (i.e., health plans, health care providers, and health care clearinghouses) and their business associates, the proposed rule eliminates the distinction between “required” and “addressable” implementation specifications in favor of compliance with all standards (see New Year, New HIPAA Security Rule: OCR Adds to Health Care Entities’ New Year’s Resolutions). These standards include:
Administrative safeguards
- Technology Asset Inventory. Conduct and maintain an accurate and thorough written inventory and a network map of electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI.
- Risk Analysis. Conduct an accurate and comprehensive written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted.
- Evaluation. Perform a written technical and nontechnical evaluation to determine whether a change in environment or operations may affect the confidentiality, integrity, or availability of ePHI. Note that the rule requires this to be done within a reasonable period of time before making a change to the environment or operations, which will require careful coordination among different departments of plans and their sponsors.
- Patch Management. Implement written policies and procedures for applying patches and updating the configuration(s) of relevant electronic information systems.
- Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to all ePHI to a reasonable and appropriate level.
- Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures.
- Workforce Security. Implement written policies and procedures to ensure that all workforce members have appropriate access to ePHI and relevant electronic information systems, and to prevent those workforce members who are not authorized to have access from obtaining access to ePHI and relevant electronic information systems. Significantly, a “workforce member’s access must be terminated as soon as possible but no later than one hour after the employment of, or other arrangement with, a workforce member ends,” which might be difficult to implement in situations when employment terminations are sudden and unexpected (among many other common workplace scenarios). Additionally, other covered entities and business associates must be notified no later than 24 hours after a workforce member’s change in or termination of access to ePHI or relevant electronic information systems.
- Information Access. Establish and implement written policies and procedures for authorizing access to ePHI and relevant electronic information systems.
- Security Awareness Training. Implement security awareness training for all workforce members as necessary and appropriate for the workforce members.
- Security Incident Procedures. Implement written policies and procedures to respond to security incidents.
- Compliance Audit. Perform and document an audit at least once every 12 months of compliance with each of the Security Rule’s standards and implementation specifications.
- Business Associate Agreement. The business associate agreement requirement is familiar to health plans but is updated to require that covered entities such as the plan obtain the business associate’s written verification, at least once every 12 months, that it has deployed the Security Rule’s technical safeguards. The business associate’s written verification must include:
  - A written analysis of the business associate’s relevant electronic information systems by a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity, and availability of ePHI to verify compliance with each standard and implementation specification for technical safeguards.
  - A written certification, by a person who has the authority to act on behalf of the business associate, that the analysis has been performed and is accurate.
- Delegation to Business Associate. A plan, other covered entity, or business associate may delegate a business associate to serve as its security official but will remain liable for compliance with all Security Rule requirements.
Physical safeguards
- Facility Access Controls. Establish and implement written policies and procedures to limit physical access to all relevant electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
- Workstation Use. Establish and implement written policies and procedures that govern the use of workstations that access ePHI or relevant electronic information systems.
- Workstation Security. Implement and modify physical safeguards for all workstations that access ePHI or relevant electronic information systems.
- Technology Asset Controls. Establish and implement written policies and procedures that govern the receipt and removal of technology assets that maintain ePHI into and out of a facility, and the movement of these assets within the facility.
Technical safeguards
- Access Control. Deploy technical controls in relevant electronic information systems to allow access only to users and technology assets that have been granted access rights. Note that this requires separate user identities from identities used for administrative and other increased access privileges, among other requirements.
- Encryption and Decryption. Deploy technical controls to encrypt and decrypt ePHI using encryption that meets prevailing cryptographic standards. Note that this requires encryption of all ePHI at rest and in transit. The proposed rule provides a few exceptions to this requirement. Health plans should note that they can provide unencrypted ePHI to individuals who request unencrypted access to their PHI, but the individual first must be informed of the risks associated with the transmission, receipt, and storage of unencrypted ePHI. Note that this exception does not apply when the individual receiving the ePHI is using technology controlled by the plan or its business associate.
- Configuration Management. Establish and deploy technical controls for securing relevant electronic information systems and technology assets, including workstations, in a consistent manner, and maintain such electronic information systems and technology assets according to established secure baselines.
- Audit Trail and System Log Controls. Deploy technology assets and/or technical controls that record and identify activity in the covered entity’s or business associate’s relevant electronic information systems.
- Integrity. Deploy technical controls to protect ePHI from improper alteration or destruction, both at rest and in transit; and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes, whichever is more frequent, and modify as reasonable and appropriate. Among other things, this requirement makes use of multi-factor authentication mandatory for accessing electronic information systems that contain ePHI or changing user privileges to systems with ePHI.
- Transmission Security. Deploy technical controls to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network; and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes, whichever is more frequent, and modify as reasonable and appropriate.
- Vulnerability Management. Deploy technical controls in accordance with the required patch management policies and procedures to identify and address technical vulnerabilities in relevant electronic information systems.
- Data Backup and Recovery. Deploy technical controls to create and maintain exact retrievable copies of ePHI.
- Information Systems Backup and Recovery. Deploy technical controls to create and maintain backups of relevant electronic information systems; and review and test the effectiveness of such technical controls at least once every six months or in response to environmental or operational changes, whichever is more frequent, and modify as reasonable and appropriate.
These standards include detailed implementation specifications that plans, other covered entities, and business associates (and their subcontractors) must follow. Most implementation specifications require ongoing review every 12 months, six months, or when changes are or will be made. While it is uncertain when HHS might publish the final rule or what the final rule will contain after HHS reviews public comments, plans, other covered entities, and their business associates should start making themselves aware of the proposed requirements and prepare accordingly because they will have only 240 days to document and implement the new Security Rule once it is finalized.
Reminder: HIPAA applies to almost all group health plans regardless of whether they are subject to ERISA, but the Department of Labor’s cybersecurity guidance applies to all ERISA employee benefit plans of any kind.
Almost all health plans must comply with HIPAA. However, all employee benefit plans subject to ERISA, including health plans, other welfare plans, and retirement plans, must comply with the cybersecurity guidance issued by the Department of Labor (DOL). In September 2024, the DOL clarified that its April 2021 cybersecurity guidance generally applies to all employee benefit plans and not only retirement plans. The DOL intended the 2021 guidance to help plan sponsors, fiduciaries, service providers, and plan participants safeguard plan data, personal information, and plan assets. The guidance has three parts:
- Tips for Hiring a Service Provider. Includes recommended RFP questions and contract terms for plan sponsors.
- Cybersecurity Program Best Practices.
  - Lists 12 cybersecurity best practices for service providers that the DOL would expect to see if auditing the plan or a service provider.
  - States that pension and health and welfare plans are tempting targets for cyber criminals because the plans: (1) often hold millions of dollars in assets; and (2) store and/or transfer participants’ personally identifiable data.
- Online Security Tips. Tips for participants and beneficiaries to reduce the risk of fraud.
The DOL’s 2024 guidance also referenced HHS cybersecurity publications to help plans and their service providers maintain good cybersecurity practices:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
- Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations.
- Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare.
Health and welfare plans should ensure compliance with the DOL’s cybersecurity guidance now that the department has clarified that the guidance does not apply only to retirement plans. Additionally, due to HHS’s updates to the new Security Rule, plans should watch for updates to the HHS cybersecurity publications that the DOL cites.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.
If you have any questions, or would like additional information, please contact one of the attorneys on our Employee Benefits & Executive Compensation team.