Reposted from Healthcare

OCR Proposes Extensive Changes to HIPAA Security Rule, Electronic Information

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), recently issued a proposed rule that would make extensive changes to the HIPAA Security Rule. The proposed rule was published in the Federal Register on Jan. 6, 2025. The public has until March 7, 2025, to submit comments on the proposed rule for OCR’s consideration. After the comment period has closed, the OCR could issue a final rule, finalizing the proposed rule with or without modification.   

The HIPAA Security Rule applies to electronic protected health information (ePHI) and focuses primarily on technical requirements to protect the confidentiality, integrity, and availability of ePHI. OCR cites the significant increase in breaches (including ransomware events) and the growing number of individuals affected by those breaches as its reasons for proposing the sweeping changes.

OCR’s proposed rule is extensive. In some instances, the proposed revisions provide more detail and clarification to existing Security Rule requirements. For example, covered entities and business associates are currently required to conduct a risk analysis, which is described generally in one sentence as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” The proposed rule adds eight implementation specifications for the risk analysis. 

In other instances, the proposed rule adds completely new requirements, including specifically requiring multi-factor authentication. 

The proposed rule includes two major changes related to business associates: 

  1. At least once a year, covered entities would be required to obtain written verification from their business associates that the business associates have deployed the technical safeguards required by the HIPAA Security Rule.
  2. Business associates would be required to notify their covered entities within 24 hours of activating a contingency plan.

It remains to be seen how the incoming administration will move the proposed rule forward. If the proposed rule is finalized, covered entities and business associates will be faced with taking significant actions to comply with the changes, including:

  • Implementing a number of new technical measures;
  • Undertaking and documenting additional tasks such as audits; 
  • Drafting new and revised policies and procedures and other documentation; and 
  • Revising Business Associate agreements. 

OCR would likely begin enforcing a final rule about eight months (240 days) after its publication.
