The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a Notice of Proposed Rulemaking (NPRM) to strengthen cybersecurity protections for electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Announced on December 27, 2024, the NPRM would be the first substantive revision of the Security Rule's standards since 2013 and is a response to the escalating volume and severity of cyberattacks, ransomware in particular, against the healthcare sector.
Key Proposed Changes
The NPRM proposes several significant changes to the Security Rule, reflecting changes in technology and in the threat landscape since the rule was last revised. These include:
- Mandatory Implementation Specifications: Removing the distinction between "required" and "addressable" implementation specifications, so that every specification becomes mandatory, with specific, limited exceptions.
- Enhanced Documentation: Requiring written documentation of all Security Rule policies, procedures, plans, and analyses.
- Technology Asset Management: Requiring regulated entities to maintain a written technology asset inventory and a network map showing how ePHI moves through their electronic information systems, and to update both at least once every 12 months and whenever the environment or operations change.
- Specific Risk Analysis Requirements: Requiring a written risk analysis that reviews the asset inventory and network map, identifies all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, identifies potential vulnerabilities and predisposing conditions in the entity's systems, and assesses the risk level of each threat and vulnerability based on the likelihood that the threat will exploit the vulnerability.
- Contingency and Incident Response Plans: Strengthening requirements for planning for and responding to security incidents, including written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours, a prioritized order for restoring systems, and written incident response plans with procedures for testing and revising them.
- Technical Safeguards: Requiring encryption of ePHI at rest and in transit (subject to limited exceptions), multi-factor authentication, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.
- Business Associate Compliance: Requiring business associates to verify at least once every 12 months, through a written analysis by a subject matter expert and a written certification, that they have deployed the required technical safeguards, and to notify covered entities within 24 hours of activating their contingency plans.
Background and Objectives
These updates align with the Biden-Harris Administration's commitment to strengthening the cybersecurity of critical infrastructure. The NPRM builds on the National Cybersecurity Strategy and on HHS's Healthcare Sector Cybersecurity strategy, addressing the growing threats to ePHI and introducing greater accountability and clearer, more enforceable obligations for regulated entities.
OCR Director Melanie Fontes Rainer emphasized the importance of the proposed changes, noting that they aim to “better protect patients’ sensitive information and address the increasing cybersecurity risks impacting the healthcare sector.”
Call for Public Participation
HHS is inviting all stakeholders, including patients, healthcare providers, professional associations, and government entities, to submit comments on the NPRM through regulations.gov within 60 days of its publication in the Federal Register, which was scheduled for January 6, 2025. The Department will also hold a Tribal consultation meeting, with details to be announced.
Encouraging Stakeholder Engagement
HSToday urges healthcare professionals, organizations, and policymakers to review the full NPRM, available in the Federal Register, and to participate in shaping these critical updates to the HIPAA Security Rule.