Proposed HIPAA Security Rule Shifts Warrant Study and Comment
OCR in Overdrive: Significant Regulatory Changes for the Healthcare Industry – Part 6
Highlights
- The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) that strengthens the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). If finalized, the rule will have a significant impact on the healthcare sector.
- The NPRM's proposals are designed to address changes in the healthcare environment and technology, significant increases in cyberattacks and data breaches, and cybersecurity best practices, among other areas.
- The Security Rule, which was originally implemented more than 20 years ago, has not received significant updates in over a decade.
The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM)1 that strengthens the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), which, if finalized, will have a significant impact on the healthcare sector.
HHS finalized the original Security Rule more than two decades ago, and it has not been updated substantively in more than 10 years. The agency observed that healthcare breaches can lead to harms far greater than breaches in other business sectors. Protected health information (PHI), unlike an individual's bank account numbers or passwords, is immutable. Therefore, "PHI can continue to be exploited throughout an individual's lifetime, making PHI likely to be far more valuable than an individual's credit card information," HHS indicated. Harms that could arise from a PHI breach or security incident, according to HHS, include the "potential to adversely affect an individual's health or quality of life, or even to cost an individual their life." For example, lives2 and health may be at risk if a security incident interferes with a medical device's operations or the administrative or clinical operations of a healthcare provider. Rural health providers are particularly vulnerable, and incidents can result in closures and loss of necessary services for remote communities. Electronic medical records are ubiquitous, and healthcare delivery often requires electronic data storage and transmission. From 2018 to 2023, the number of PHI breaches reported to HHS increased by 100 percent, and the number of people affected by such breaches increased by 950 percent. Accordingly, to help mitigate these risks, HHS is proposing sweeping changes to the Security Rule intended to address the leaps in technology and cybersecurity risk that have occurred over the past decade. The Security Rule applies only to electronic PHI (ePHI) held by "covered entities" and "business associates" (regulated entities). HHS noted that "[a]lmost every stage of modern health care relies on stable and secure computer and network technologies," and updates are needed to address cybersecurity, which "is a concern that touches nearly every facet of modern health care."
HHS does not believe that current resources, such as the National Institute of Standards and Technology's (NIST) cybersecurity framework, provide sufficient instruction to help regulated entities comply with the Security Rule. The public is invited to submit comments on all aspects of the NPRM for 60 days after the official publication in the Federal Register on Jan. 6, 2025. Even if the incoming presidential administration delays finalizing these regulations or makes significant changes, the proposed revisions offer insight into steps that healthcare entities may take to reduce the risk of a data breach and the associated costs.
HHS indicated that the NPRM's proposals are designed to address:
- changes in the healthcare environment and technology
- significant increases in cyberattacks and data breaches
- deficiencies that the HHS Office for Civil Rights (OCR), which enforces HIPAA, has observed when investigating regulated entities' compliance with the Security Rule
- cybersecurity best practices, methodologies, guidelines, processes and procedures
- court decisions affecting Security Rule enforcement
Pursuant to President Bill Clinton's Executive Order 13175 regarding Consultation and Coordination with Indian Tribal Governments, OCR is holding a meeting on Feb. 6, 2025, to solicit input from Tribal officials regarding the NPRM.
Definition Updates Proposed
The proposed rules aim to update or clarify many HIPAA Security Rule definitions to address ambiguity and technological advancements. For example, the current definition of "electronic media" excludes certain voice and other transmissions via telephone "if the information being exchanged did not exist in electronic form immediately before the transmission."3 The NPRM would "revise the description of 'transmission media' to recognize that data is transmitted almost exclusively in electronic form today." The exception would involve data that is handwritten on paper and hand-delivered or mailed, such that the data is never on electronic storage material.
Definitions that are proposed to be modified are for the following terms: access, administrative safeguards, authentication, availability, confidentiality, information system, malicious software, password, physical safeguards, security or security measures, security incident, technical safeguards, user and workstation. Several new definitions have been proposed, including for the following terms: deploy, implement, electronic information system, multifactor authentication, relevant electronic information system, risk, technical controls, technology asset, threat and vulnerability.
HHS proposes to change the definition of "authentication." Currently, the Security Rule defines the term as related to corroboration that a person is who he or she claims to be.4 HHS proposes to require authentication of technology assets that are components of the regulated entity's electronic information systems. HHS, in discussing the interoperability requirements, stated that "[n]ot only must the individual be authenticated as a user, but the application must be authenticated such that the covered entity's software can verify that the application is what it claims to be." Organizations that are "actors" under the Information Blocking regulations should be cognizant of processes to ensure compliance with the security exception to Information Blocking (45 C.F.R. 171.203), including documentation, policies and nondiscriminatory application of "vetting" processes and requirements. The proposed rules also impose an obligation on the regulated entity to inform individuals of the risks of unencrypted transmission, receipt and storage of unencrypted ePHI when the individual requests such access. Vetting of such third parties is generally not allowed by the information blocking prohibitions.5 Absent such vetting, it is not clear how a regulated entity that is an "actor," as defined in the Information Blocking rules, could comply with the proposed Security Rule requirements related to individuals who want to acquire their ePHI through unencrypted means. In many instances, the third party may not be a HIPAA-regulated entity. Without first vetting the third-party app, it is not clear how a regulated entity permitting access through a third-party app would necessarily know whether encryption is implemented as required by HIPAA.
Authentication would also require multifactor authentication (MFA), which will be a new defined term if the proposed regulations are finalized in their current form. HHS now recognizes that combinations of usernames and passwords "are insufficient to secure sensitive information and … more sophisticated mechanisms for doing so have been developed." Regulated entities would have to verify user identities through at least two of three categories of information factors about the user. These factors are 1) information known by the user, such as a password or personal identification number (PIN), 2) items possessed by the user, including a token or a smart identification card, and 3) personal characteristics of the user, such as a fingerprint, facial recognition, gait, typing cadence or other biometric or behavioral characteristics.
Consistent with the proposed modification to include technologies and people in the definition of "authentication" is the proposal to expand the definition of "access" as it applies to the Security Rule. While expanding access to include "deleting" and "transmitting," HHS emphasized that access is "inclusive of hardware, software and people." The proposed expanded definition of access more closely aligns with its companion definition in the Information Blocking regulations (45 C.F.R. 171.102). The proposed HIPAA definition clarifies the scope of security safeguards required for access and addresses HHS's concern that access monitoring has been viewed by HIPAA-regulated entities as limited to persons and limited actions within an information system. HHS also noted that this proposed definition applies solely to the Security Rule and not to either the Privacy or Breach Notification Rules.
HIPAA's current definition of "security incident" is very broad and includes harmless incidents, such as pings, that could happen thousands of times a day with little consequence. Instead of modifying the definition of "security incident" to exclude such events, HHS seeks to modify the definition to make it clear that something is a security incident "regardless of whether an attempt to affect the information in the system or interfere with system operations is successful or not."
The proposed addition of a definition for "electronic information system" defines the scope of applicability of the Security Rule to a regulated entity's information systems and seeks to clarify HHS's position that the Security Rule obligations are applicable to the ePHI under the "direct management control" of the regulated entity, that the ePHI may be under the control of multiple regulated entities, including both the covered entity and the business associate, and that an electronic information system "'generally,' not just 'normally,' includes hardware, software, data, communications and people." HHS did not propose a definition for "direct management control" and acknowledges that this may raise questions.
Proposed Changes to Security Standards
HHS "has concerns regarding the sufficiency of the security measures implemented by regulated entities," which are "not consistently complying with the Security Rule's requirements." The proposed rule would provide regulated entities more detail regarding how to comply with particular Security Rule obligations. For example, regulated entities are currently required to conduct a risk analysis, but the regulations provide little detail on what that means. If the proposed changes are finalized, regulated entities will have to perform specific tasks, such as conducting an inventory of technology assets, determining how ePHI flows through their systems and mapping the locations where the ePHI may be created, received, maintained or transmitted.
The 2003 final Security Rule included the concept of "addressable" and "required" implementation specifications as part of HIPAA's intended flexibility. If a specification was addressable, the covered entity could decide if the safeguard was reasonable and appropriate. The NPRM would significantly modify this concept. HHS indicated that the addressability feature "is inadequate to ensure that regulated entities implement reasonable and appropriate security safeguards," in part because some regulated entities are treating these addressable standards as optional. HHS indicated that the Security Rule has always been the "floor for cybersecurity protections and that its flexibility is in allowing [regulated entities] to choose the manner in which they meet the standards and implementation specifications, not whether they meet them." That said, HHS indicated that this change "would not eliminate all of the Security Rule's flexibility and scalability" but instead would make it clear that regulated entities must meet the requirements but may take into consideration their needs and capabilities. For example, a small healthcare provider might choose to contract with a third party to provide information technology (IT) services rather than hiring its own personnel to serve in that role.
Encryption is one of the currently addressable requirements that the proposed rules would redesignate as required. The current Security Rule requires encryption to be implemented, but only if reasonable and appropriate. HHS observed in the NPRM that today, encryption is built into most software and, where it is not, "there are affordable and easily implemented solutions that can encrypt sensitive information." The proposed rule changes would expressly require ePHI to be encrypted, with only limited exceptions. For example, an individual could request receipt of unencrypted ePHI via text messaging. Before the disclosure, the regulated entity must inform the individual of the risks associated with the transmission of unencrypted ePHI. The exception would not apply to technology controlled by the regulated entity or when the individual requests to receive ePHI via email or messaging technologies implemented by the covered entity. Recognizing that encryption is not reasonable or appropriate in certain situations, HHS proposed to exclude certain medical devices and emergencies from the requirement.
Changes for Business Associate Relationships
HHS observed that "[v]endor management and identification of risks in a supply chain are essential to controlling the introduction of new threats and risks to a regulated entity." HHS noted that business associates are directly responsible for compliance with the Security Rule, so the 2013 revisions did not require covered entities to implement any additional safeguards to ensure that the business associates are, in fact, in compliance. OCR has learned, however, that many covered entities are providing ePHI to business associates that are not employing appropriate safeguards. The proposed additional safeguards include obtaining from business associates information that regulated entities may not currently possess. For example, as discussed below, a regulated entity would have to create a network map and technology asset inventory that would have to include a business associate's technology assets that affect the confidentiality, integrity or availability of ePHI, unless the business associate controls the ePHI entirely.
The current Security Rule does not require the regulated entity to verify that business associates are actually taking the necessary steps to protect ePHI. Under the proposal, a regulated entity would have "to verify that the business associate has deployed the technical safeguards required by 45 C.F.R. 164.312" by obtaining written documentation from the business associate at least once every 12 months, including an analysis of the business associate's relevant electronic information systems, which would have to be performed by an appropriately qualified person. A person who has the authority to act on behalf of the business associate would have to certify in writing that the analysis has been performed and is accurate. A regulated entity that delegates actions, activities or assessments required by the Security Rule to a business associate would remain responsible for compliance with all applicable Security Rule provisions.
Proposed Changes to Documentation
The proposed regulatory changes would require specific documentation of compliance efforts. For example, regulated entities would have to maintain an accurate and thorough written inventory of their technology assets and a network map of their electronic information systems that may affect ePHI, tracking the movement of that ePHI. This inventory would form "the foundation for a fulsome and accurate risk analysis." HHS observed that understanding how ePHI flows throughout the organization "is crucial to understanding the risks ePHI is exposed to throughout an organization." The network map would have to be updated at least every 12 months and when there is a change in the entity's environment that may affect ePHI. The proposed definition for "electronic information systems" will inform the scope of the inventory and network map requirement.
Documented risk analyses would have to meet additional standards under the proposal. HHS indicated that risk analyses should include a number of "basic questions" that consider:
- all of the ePHI that the regulated entity creates, receives, maintains or transmits
- the external sources of ePHI
- the human, natural and environmental threats to information systems that contain ePHI
- the risks posed by legacy devices, as well as risks posed by replacing them
HHS indicated that there is no guarantee that any particular practice will comply with the Security Rule. Risk analyses would have to be revisited at least every 12 months or in response to an environmental or operations change that would affect ePHI. The regulated entity would also need to have a written plan sufficient to reduce the identified risks and vulnerabilities.
The proposed rule changes would require a "regulated entity to record and identify any activity that could present a risk to ePHI, meaning activity in all of its relevant information systems." This would go beyond just those systems that create, receive, maintain or transmit ePHI. Monitoring of this activity would have to "be continual and conducted in real-time."
If the rules are finalized as proposed, business associate agreements will need to be revised to include provisions specifying that the business associate will notify covered entities within 24 hours after it activates its contingency plan. Regulated entities can operate under existing business associate agreements until the earlier of the date the contract is renewed or a year after the effective date of the final rule.
Proposed Operational Changes
The proposed rules, if finalized, would require certain changes in a regulated entity's day-to-day operations. For example, if a workforce member's employment ends, his or her ePHI access would have to be terminated within one hour. If a workforce member has access to ePHI maintained by a third party, the regulated entity would have to notify the other entity within 24 hours. Written workforce security policies and procedures would have to be reviewed and tested at least once every 12 months to determine if they are reasonable and appropriate. Workforce members would have to receive security awareness training by the compliance date of the revised rule, if finalized, and at least once every 12 months thereafter. Regulated entities also would need to perform and document a compliance audit at least once every 12 months. The compliance audit would be separate from the risk analysis and include a compliance assessment of business associates.
The proposed rules would require a number of other operational updates. For example, there are proposed changes regarding protecting data in medical devices. Copies of ePHI that are no more than 48 hours older than the ePHI in the regular record system would need to be maintained in a backup system. Backups would be required to be tested at least monthly.
Self-Insured Employer-Sponsored Health Plans
Employers, as plan sponsors, are not covered entities or business associates under HIPAA, so they are not directly liable for Security Rule compliance. Therefore, a plan sponsor's security obligations are limited to the requirements set forth in the group health plan's plan documents. The current rule does not specifically require plan sponsors or any agents to comply with the Security Rule. HHS observed that it is "concerned that group health plans may not be monitoring plan sponsors to ensure that ePHI is disclosed to a plan sponsor only if the plan sponsor voluntarily agrees to use and disclose the information only as permitted by the regulations."
Deadlines
Though HHS acknowledges that it is "proposing to substantially revise the regulatory text," it believes that "most of the existing Security Rule's obligations for regulated entities would not be substantially changed by the proposed modifications." Instead, HHS aims to "codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text." The proposed rules would provide more guidance and specificity around many of the Security Rule requirements. HHS does "not believe that the proposed rule would pose unique implementation challenges that would justify an extended compliance period." Regulated entities would have 180 days to come into compliance with most of the requirements once the rules are finalized and effective. There would be a longer transition period to modify business associate agreements and other written arrangements.
Requests for Comment
Although the proposed revisions could provide useful guidance, there are still areas of ambiguity that warrant further clarification. Additionally, HHS has specifically solicited comment on certain topics, including new and emerging technologies such as quantum computing that could put standard encryption at risk or artificial intelligence (AI) that could result in impermissible uses and disclosures of PHI. The comment period, which ends on or about March 7, 2025, is the public's opportunity to provide input on the proposals. In addition to the topics for which HHS has specifically requested comment, regulated entities should consider requesting clarification on other topics, including:
- whether or when a covered entity's ePHI maintained and processed by a certified health IT vendor is considered under the covered entity's "direct management control" when the covered entity has no management control of the health IT vendor and no ability to require implementation or deployment of security safeguards
- whether the revision to the description of transmission media to exclude only handwritten paper information means that the Security Rule extends to paper-based mailing when the information is initially electronic, then typed or printed by machine, rather than handwritten, or whether the changes are intended to address only electronic transmission
- whether a business associate's obligation to provide notice of harmless pings and other security incidents could be fulfilled merely by including language in the business associate agreement that those things happen; alternatively, whether it would be less burdensome to further change the definition of "security incident" to exclude events that carry little risk to the security of ePHI
- how regulated entities can comply with the regulations by the deadline if they require obtaining detailed mapping and technology inventory information from third-party business associates, particularly when those business associates will also presumably have to obtain similar information from downstream contractors; at a minimum, the regulation could require business associates and subcontractors to provide such data to upstream regulated entities within a limited time after a request, and regulated entities that are unable to obtain this information from third parties will not be penalized if those third parties fail to meet the required deadlines
- clarification regarding whether, because a regulated entity remains liable for compliance with Security Rule provisions it has delegated to business associates, both the business associate and the covered entity could be penalized for the same violation; it is also not clear whether the covered entity's liability would similarly extend to violations and breaches caused by downstream subcontractors of the business associate
- whether business associate agreements need to be revised in all cases; for example, if a business associate receives PHI through view-only access, does it still need to have a provision in its business associate agreements regarding contingency plans?
- provisions specifying when messaging technologies are "implemented by the covered entity" such that encryption applies; for example, if the patient has asked to receive appointment reminders via email, is encryption required merely because the covered entity has implemented technology on its end to send such reminders to the patient's device? What compensating controls would be sufficient for individuals requesting unencrypted communications?
- recording all activity that could potentially create risk will likely result in a tremendous amount of data; once it is confirmed that the risk has been addressed or mitigated, may the underlying records be discarded, or do they have to be maintained for six years as specified for other HIPAA documentation?
- whether regulated entities that delegate their ePHI storage to third parties would still have to conduct backup tests at least monthly; for example, a self-insured employer-sponsored health plan may delegate the vast majority of ePHI-related functions to a third-party administrator, so a requirement to conduct monthly tests of backup systems would be infeasible for that plan sponsor
- clarification regarding obligations of plan sponsors; HHS's commentary indicates a concern that group health plans may not be monitoring plan sponsors; employer-sponsored health plans typically do not have employees and do not function as a separate corporation, although they are considered a separate entity for ERISA purposes; because employers as such are not subject to HIPAA, yet employers and their third-party administrators operate these plans, it is not clear how the group health plans themselves, when self-insured, should be fulfilling their obligations other than through the employer and the plan business associates; if the plan sponsor has to notify the group health plan of activation of a contingency plan, does HHS anticipate that anyone other than the administrative personnel within the plan sponsor itself will be notified initially?
- whether, in connection with the final rule, OCR will publish revised HIPAA business associate agreement provisions and associated suggested forms of written compliance verifications for business associates
- HHS concluded that the NPRM, "if adopted, would not result in a significant economic effect on a substantial number of small entities," yet notes that "[t]here are no Federal funds directed at Health Insurance Portability and Accountability act of 1996 (HIPAA) compliance activities"; it seems that requiring revision of thousands of business associate agreements, conducting compliance audits, drafting new documentation and training workforce members on the changes will have a significant financial impact on virtually all segments of the healthcare industry, and small entities may incur significant expense to implement the changes
- HHS's cost estimates are based on hourly wages; for example, it indicates that a lawyer's fully loaded hourly wage is $169.68, yet attorneys reportedly charged a national average of $327 per hour in August 2023;6 based on this, it is likely that the cost burdens for regulated entities will be significantly higher than HHS's estimate
- HHS estimates that a compliance audit would need an average of two hours of labor by an information systems analyst, and a business associate would spend an average of two hours determining how the company's cybersecurity measures comply; did HHS draw on data regarding the time spent by HHS and its contractors conducting past audits on behalf of OCR? HHS's published audit protocol,7 even when not considering the privacy portion, is extremely lengthy and complex, and two hours is unlikely to be sufficient; if HHS publishes updated audit protocols, it may help reduce costs and burdens for regulated entities
If finalized as is, the NPRM will mean big changes for covered entities and business associates, although many of the proposed provisions reflect activities that compliant companies should already be doing. There is also potential regulatory ambiguity. Regulated entities have a limited time to submit comments requesting clarification.
For more information or questions, please contact the authors.
Notes
1 Federal Register: Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.
2 HHS noted that a ransomware attack may have contributed to a baby's death at an Alabama hospital in 2019 because an electronic display that would normally have provided information on the baby’s fetal heart rate was affected by the attack, so a change in the heart rate went unnoticed: "Ransomware attack might have caused another death," The Washington Post (Oct. 1, 2021).
3 45 C.F.R. § 160.103.
4 45 C.F.R. § 164.304.
5 See HealthIT.gov (indicating "for third-party applications chosen by individuals to receive their EHI from API technology certified to the Standardized API certification criterion, there would generally not be a need for ‘vetting’ the security of the app and such vetting actions would likely be interference").
6 U.S. News & World Report: "What Does Hiring a Lawyer Cost?" (March 1, 2024; visited Dec. 30, 2024).
7 HHS Audit Protocol (visited Dec. 30, 2024).
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.