In an era where cyberattacks on the health care industry have become alarmingly frequent and catastrophic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has taken a bold step forward. The recently issued Notice of Proposed Rulemaking (NPRM) is OCR's direct response to the escalation of cyber threats and resulting harm, paired with what OCR views as pervasive noncompliance with the HIPAA Security Rule across the health care sector. The NPRM introduces many detailed security requirements that far surpass all previous legal mandates from OCR and may set the highest bar in the United States for securing electronic data.
The proposed amendments are not merely incremental updates; they represent a seismic shift in the regulatory landscape. If these changes are finalized as drafted, compliance for many HIPAA-regulated organizations will be a resource-intensive endeavor and may be operationally impossible in an industry this interconnected, whose stakeholders vary widely in technical sophistication. Certain requirements may pit data security obligations against clinicians' and patients' need for timely data during patient care (e.g., system delays caused by encryption/decryption processing). In short, the NPRM signals a paradigm shift in cybersecurity compliance in health care, one that will require many regulated organizations to elevate their data security compliance programs to unprecedented levels to safeguard individually identifiable health information against the ever-evolving threat landscape.
What’s next?
Despite bipartisan support for cybersecurity, the questions of whether, when, and to what extent the proposed changes in the NPRM are finalized will be answered by the incoming Trump administration. In the meantime, covered entities, business associates, and other interested stakeholders may consider submitting comments to OCR on or before March 7, 2025. The NPRM will have significant financial and operational consequences for nearly every HIPAA-regulated entity, and stakeholders are urged to review the NPRM with their data security teams to identify and then challenge through the comment process the unrealistic or unnecessarily burdensome proposed obligations.
If finalized, the NPRM would require HIPAA-regulated organizations to comply with the following new and updated Security Rule standards.
Security measures
- Patch management. With few exceptions, regulated organizations will need to patch, update, and upgrade systems in accordance with specific timing requirements based on identified risk level: critical (15 days), high (30 days), and other risks (reasonable and appropriate). Organizations will be required to document how they identify, prioritize, acquire, install, and verify patches and updates to configurations of relevant systems. Organizations will also need to review and update their patch management policies and procedures at least once annually. These reviews must incorporate the most recent results of the risk analysis, vulnerability scans, monitoring of authoritative sources, and penetration tests.
- Access controls. Regulated organizations will be required to uniquely identify the activity of each user and technology asset, require a user to use separate accounts for different access privileges, terminate sessions after a period of inactivity, and disable accounts after a number of failed login attempts. The NPRM, if finalized, will also require reasonable and appropriate network segmentation.
- Encryption and decryption. Regulated organizations will be required to encrypt all electronic protected health information (ePHI) at rest and in transit, with limited exceptions, in accordance with prevailing cryptographic standards. The exceptions are limited to situations where an organization currently has a technology asset that does not support encryption, a patient has requested that their ePHI be provided in an unencrypted manner, encryption is infeasible because of an emergency, or a medical device is involved. When an exception applies, the organization will be required to implement alternative measures that are reasonable and appropriate and that are approved by the organization’s designated security official.
- Authentication. Regulated organizations will be required to verify that a person or technology asset seeking access to a system is the one claimed. The requirement involves ensuring that unique passwords are used and that multifactor authentication is implemented (with limited exceptions) for all technology assets and for any action that changes a user’s privileges.
Risk management
- Technology asset inventories. Regulated organizations will need to develop and maintain a comprehensive technology asset inventory and network map of electronic information systems. Specifically, the network map must show the movement of ePHI through the regulated organization’s systems, including where the organization’s technology assets are physically located at the worksite or accessed through the cloud. The technology asset inventory and network map will need to be updated when there are changes to the regulated organization’s environment that may affect ePHI, and at least once every 12 months.
- Risk analysis. Regulated organizations will be required to conduct an annual risk analysis that specifically includes written assessments containing (i) a review of the technology asset inventories and network map; (ii) the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; (iii) the identification of potential vulnerabilities and predisposing conditions in the regulated organization’s electronic information systems; (iv) a determination of the likelihood (e.g., “very low,” “low,” “moderate,” “high,” or “very high”) that a threat would exploit a vulnerability and a determination of the impact of such a threat (e.g., loss of revenue, cost of repairs, effort required to correct the threat, loss of credibility and public confidence); (v) a determination of the level of risk to ePHI contained within the regulated organization’s electronic information systems; and (vi) documented risk assessment results.
- System activity review. Regulated organizations will need to review system activity (of both users and technology assets) for suspicious behavior. Meaningful monitoring presupposes adequate activity logging. Larger organizations may be required to use automated solutions that trigger alerts. According to the NPRM, sources of activity would include, but would not be limited to, audit trails, event logs, firewall logs, system logs, data backup logs, access reports, anti-malware logs, and security incident tracking reports. The organization will need to reevaluate and update its activity-monitoring policies and procedures annually.
- Vulnerability management. Regulated organizations will need to identify and address technical vulnerabilities to their systems through vulnerability scans, monitoring authoritative sources on vulnerabilities, and penetration testing (at least annually). Compliance will also require installing patches and critical updates in a timely manner.
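The patch management and vulnerability management items above set remediation timelines by risk tier (critical within 15 days, high within 30 days, other risks within a reasonable and appropriate period) and require organizations to document how patches are prioritized and verified. The script below is an added example, not code from this alert, from OCR, or from Reed Smith, showing how a security team might track findings against those timelines from a vulnerability-scan export. The finding records, host names, finding titles, and the as-of date are constructed for illustration; the field names on the `Finding` record are assumed rather than taken from any particular scanner; and the 90-day window used for "other" risks is an assumed internal policy standing in for "reasonable and appropriate", not a figure from the NPRM.

```python
"""Remediation-timeline tracker keyed to the NPRM's proposed patching timelines.

Added example; not code from the alert, OCR, or Reed Smith. Finding records and
the as-of date are constructed. The 15-day (critical) and 30-day (high) windows
follow the alert's summary of the NPRM; the 90-day window for other risks is an
assumed internal policy, not an NPRM figure.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

NPRM_SLA_DAYS = {"critical": 15, "high": 30}
ASSUMED_OTHER_SLA_DAYS = 90  # assumption: the organization's own "reasonable and appropriate" window


@dataclass(frozen=True)
class Finding:
    """One row from a vulnerability-scan export (field names are assumed)."""
    asset: str
    title: str
    severity: str                   # "critical", "high", "medium", "low"
    first_seen: date                # first date the scanner or an advisory reported it
    remediated: date | None = None  # date the patch was verified installed; None if still open


def sla_days(severity: str) -> int:
    """Remediation window for a severity tier; tiers outside critical/high use the assumed policy."""
    return NPRM_SLA_DAYS.get(severity.strip().lower(), ASSUMED_OTHER_SLA_DAYS)


def due_date(finding: Finding) -> date:
    return finding.first_seen + timedelta(days=sla_days(finding.severity))


def days_overdue(finding: Finding, as_of: date) -> int:
    """Days past the due date (positive) or remaining until it (zero or negative).

    Closed findings are measured at their remediation date, so a late fix stays
    recorded as late instead of silently aging out of the report.
    """
    measured_at = finding.remediated or as_of
    return (measured_at - due_date(finding)).days


def sla_report(findings: list[Finding], as_of: date) -> dict[str, list[Finding]]:
    """Bucket findings so the open-overdue list can be escalated and documented."""
    buckets: dict[str, list[Finding]] = {
        "open_overdue": [], "open_within_sla": [], "closed_late": [], "closed_on_time": []
    }
    for f in findings:
        late = days_overdue(f, as_of) > 0
        if f.remediated is None:
            buckets["open_overdue" if late else "open_within_sla"].append(f)
        else:
            buckets["closed_late" if late else "closed_on_time"].append(f)
    # Most overdue first, so the report leads with what an auditor would ask about.
    buckets["open_overdue"].sort(key=lambda f: days_overdue(f, as_of), reverse=True)
    return buckets


# Constructed sample data: hypothetical hosts and generic finding titles, not real advisories.
AS_OF = date(2025, 3, 7)
SAMPLE_FINDINGS = [
    Finding("ehr-db-01", "database engine security update", "critical", date(2025, 2, 1)),
    Finding("portal-web-02", "web framework update", "high", date(2025, 2, 20)),
    Finding("imaging-gw-01", "OS kernel update", "critical", date(2025, 1, 10), remediated=date(2025, 1, 20)),
    Finding("hl7-int-03", "interface engine update", "high", date(2025, 1, 1), remediated=date(2025, 2, 15)),
    Finding("kiosk-07", "browser update", "medium", date(2024, 11, 1)),
]


def main() -> None:
    report = sla_report(SAMPLE_FINDINGS, AS_OF)
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.asset:14} {f.severity:8} due {due_date(f)}  {days_overdue(f, AS_OF):+d} days")


if __name__ == "__main__":
    main()
```

Running the script as of the constructed date lists the two open findings that have blown their window (the critical database finding by 19 days, and the medium kiosk finding by 36 days under the assumed 90-day policy), one open finding still within its window, one closed on time, and one closed 15 days late. Keeping the closed-late bucket is deliberate: the NPRM as summarized above asks organizations to document how they verify patches, and an annual policy review is easier to evidence from a record that retains misses rather than only current exposure.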
Contingency and incident response planning
- Security incident procedures. Regulated organizations will need to test and revise their security incident response plans at least every 12 months and document the results. Organizations will also be required to document investigations, analyses, mitigations, and remediation for security incidents, and written reports on incident response may be required.
- Contingency plan. Regulated organizations will need to implement procedures to restore their critical systems and data within 72 hours of the loss. The plan and procedures must prioritize the criticality of the systems and data, include ePHI and system backups and testing of those backups, and be tested and revised annually.
- Data and information system backup and recovery. Regulated organizations will need to maintain full backups of ePHI that are no more than 48 hours old; real-time monitoring and reporting of ePHI backup successes, failures, and errors; and monthly testing of the effectiveness of the ePHI backups. Organizations will also need to create and maintain backups of relevant systems and review their effectiveness at least every six months.
Program administration
- Written documentation. Regulated organizations will be required to document all of their HIPAA Security Rule policies, procedures, actions, activities, and assessments. Such documentation will need to be reviewed and updated after a security measure is modified or at least once every 12 months.
- Compliance audits. Regulated organizations will be required to perform and document a compliance audit against each HIPAA Security Rule standard and implementation specification at least once every 12 months.
Business associate relationships
- Business associate verification. Covered entities will need to obtain written verification from each of their business associates, at least once every 12 months, that the business associate has deployed the required technical safeguards. The verification must include a written analysis of the business associate’s relevant electronic information systems performed by a person with appropriate cybersecurity knowledge and experience, as well as a written certification from a person with authority to act on behalf of the business associate that the analysis has been performed and is accurate. Business associates will need to obtain similar verifications from their business associate subcontractors. The NPRM clarifies that a regulated organization remains liable for compliance with all applicable provisions of the Security Rule even when it delegates relevant activities to a business associate (or subcontractor).
- Business associate agreement. Regulated organizations will need to update their business associate agreements (BAAs) (and business associate subcontractor agreements) to include a provision obligating the business associate to report to the covered entity (or upstream business associate) any activation of its contingency plan without unreasonable delay, but no later than 24 hours after activation. If the NPRM is finalized without modification, regulated organizations will be able to operate under existing, compliant BAAs until the earlier of (1) the contract renewal date that falls on or after the compliance date of the final rule or (2) one year after the final rule’s effective date.
Group health plans
- Plan sponsor obligations. Regulated group health plans will be required to update plan documents to obligate a plan sponsor (otherwise not directly subject to HIPAA) that receives ePHI that is not limited to summary health information or enrollment or disenrollment information to (i) implement the safeguards of the Security Rule and (ii) report to the group health plan without unreasonable delay, but no later than 24 hours after any activation of its contingency plan.
Reed Smith will continue to follow developments with regard to the HIPAA Security Rule. If you have any questions about how the NPRM applies to or impacts your organization, please reach out to the authors of this alert or the health care lawyers at Reed Smith.
In-depth 2025-010