Introduction

On December 27, 2024 [2] [8] [9] [10], the US Department of Health and Human Services (HHS) announced proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. These updates are designed to address the increasing cybersecurity threats facing the healthcare sector [3], which have resulted in significant data breaches. The proposed changes aim to enhance the Security Rule to better protect electronic protected health information (ePHI) and ensure compliance with modern cybersecurity standards.

Description

On December 27, 2024 [2] [8] [9] [10], the US Department of Health and Human Services (HHS) proposed significant updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule through a Notice of Proposed Rulemaking (NPRM). This initiative is crucial in light of the alarming rise in cybersecurity threats targeting the healthcare sector, which has seen a dramatic increase in breaches affecting over 167 million individuals in 2023—a 102% rise since 2018 [3]. Notably, 79% of these breaches were attributed to hacking and ransomware attacks [3], including a significant incident involving Change Healthcare that compromised the electronic protected health information (ePHI) of up to 100 million individuals, marking it as the largest healthcare data breach in US history [9].

The proposed updates aim to enhance the Security Rule, which is currently viewed as inadequate in addressing modern cybersecurity threats that have escalated since the rule’s establishment in 2003. This marks the first significant update to HIPAA’s Security Rule in over a decade [11], with the last revision occurring in 2013 [11]. The NPRM [4] [8] [9], set for publication in the Federal Register on January 6, 2025 [6], outlines mandatory security measures for health plans, healthcare clearinghouses [2] [6] [7], most healthcare providers [2] [4] [6] [10] [11], and their business associates to bolster protections against both external and internal threats [6].

Key updates to the Security Rule will require healthcare organizations to maintain comprehensive technology asset inventories, conduct specific risk analyses, and document both processes. Organizations must also establish network segmentation, implement mandatory data encryption [1], and use multifactor authentication to secure ePHI against unauthorized access [1]. They are obligated to notify relevant entities within 24 hours of any change in workforce access to ePHI and to restore critical systems within 72 hours following an incident. Additionally, written security incident response procedures must be developed, detailing how lost information systems and data will be restored [5].

The proposed rule emphasizes the necessity of annual compliance audits against Security Rule requirements and mandates the implementation of technical controls for systems processing ePHI, including anti-malware protection and the removal of unnecessary software [5]. Organizations will be required to conduct biannual vulnerability scans and annual penetration testing, as well as review and test security measures for effectiveness at least once a year. Separate technical controls for ePHI backup and recovery will also be necessary.

For business associates [1] [2] [3] [4] [5] [6] [8] [10], the proposals require notifying covered entities within 24 hours of activating contingency plans during emergencies affecting ePHI and providing annual written certifications of compliance with technical safeguards [8], verified by a subject matter expert. Group health plans must ensure that plan documents mandate compliance with the Security Rule [8], that agents adhere to the rule [8], and that there is timely reporting of contingency plan activations [8].

The NPRM also proposes eliminating the distinction between “required” and “addressable” implementation specifications [4], making all specifications mandatory [4], and updating definitions and implementation specifications to align with contemporary cybersecurity best practices and technological advancements. HHS Deputy Secretary Andrea Palm highlighted the importance of these updates in addressing the threats posed by cyberattacks to patient safety and the integrity of the healthcare system [4].

The implementation of these cybersecurity measures is estimated to cost $9 billion in the first year [1], with an additional $6 billion for ongoing security maintenance over the next four years. Smaller healthcare providers have expressed concern over these costs [11], while advocates argue that preventing breaches can lead to long-term savings [11], as a single data breach averaged $10.1 million in 2023 [11].

Following the NPRM’s publication [4] [9], stakeholders [1] [3] [4] [5] [9] [10], including patients [10], health plans [2] [3] [4] [5] [6] [7] [8] [10], and healthcare providers [2] [4] [6] [10] [11], will have until March 2025 to comment on the proposal before HHS finalizes the rule. In the meantime [4], covered entities are expected to continue adhering to the current HIPAA Security Rule [4]. These updates are crucial for protecting patient safety and maintaining trust in the healthcare system, as they clarify the specific actions that covered entities and their business associates must take to safeguard ePHI and ensure ongoing compliance and security.

Conclusion

The proposed updates to the HIPAA Security Rule represent a significant step forward in addressing the evolving cybersecurity landscape within the healthcare sector. By mandating comprehensive security measures and eliminating outdated distinctions in implementation specifications, the updates aim to fortify protections for electronic protected health information. While the financial implications of these changes are substantial, the potential for long-term savings through breach prevention is considerable. As stakeholders review and comment on the proposal, the healthcare industry must prepare for the transition to these enhanced security standards, ensuring that patient safety and trust remain paramount.

References

[1] https://www.techmonitor.ai/technology/cybersecurity/hhs-hipaa-security-proposal
[2] https://www.hpnonline.com/healthcare-it/news/55252591/hhs-proposes-rule-to-strengthen-cybersecurity-in-us-healthcare-system
[3] https://natlawreview.com/article/ocr-proposed-tighter-security-rules-hipaa-regulated-entities-including-business
[4] https://www.techtarget.com/HealthtechSecurity/news/366617620/HHS-proposes-HIPAA-Security-Rule-changes
[5] https://www.jdsupra.com/legalnews/ocr-proposed-tighter-security-rules-for-2601401/
[6] https://www.risehealth.org/insights-articles/regulatory-roundup-ocr-proposes-rule-to-improve-cybersecurity-in-health-care-record-number-of-consumers-enroll-in-aca-coverage-for-2025-and-more/
[7] https://www.infosecurity-magazine.com/news/hipaa-update-healthcare-data/
[8] https://www.huntonak.com/privacy-and-information-security-law/hhs-announces-notice-of-proposed-rulemaking-to-update-the-hipaa-security-rule
[9] https://www.thehaugengroup.com/updating-the-hipaa-security-rule-ocrs-plan-to-combat-cybersecurity-threats/
[10] https://securityaffairs.com/172518/breaking-news/hhs-updates-hipaa-security-rule.html
[11] https://www.greenbot.com/healthcare-data-breach/