HHS’s Proposed Security Rule Updates Will Require Adjustments to Accommodate Modern Vulnerability and Incident Response Issues

Bradley Arant Boult Cummings LLP

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we discuss HHS’s proposed rules for vulnerability management, incident response, and contingency plans (45 C.F.R. §§ 164.308, 164.312). Last week’s post on the updated administrative safeguards is available here.

Existing Requirements

HIPAA currently requires regulated entities to implement policies and procedures to (1) plan for contingencies and (2) respond to security incidents. A contingency plan applies to responses to emergencies and other major occurrences, such as system failures and natural disasters. When needed, the plan must include a data backup plan, disaster recovery plan, and an emergency mode operation plan to account for the continuation of critical business processes. A security incident plan must be implemented to ensure the regulated entity can identify and respond to known or suspected incidents, as well as mitigate and resolve such incidents.

Existing entities, especially those that have unfortunately experienced a security incident, are familiar with the above requirements and their implementation specifications, some of which are “required” and others only “addressable.” As discussed throughout this series, HHS is proposing to remove the “addressability” distinction, making all implementation specifications that support the security standards mandatory.

What Are the New Technical Safeguard Requirements?

The NPRM substantially modifies how a regulated entity should implement a contingency plan and respond to security incidents. HHS proposes a new “vulnerability management” standard that would require regulated entities to establish technical controls to identify and address certain vulnerabilities in their respective relevant electronic information systems. We summarize these new standards and protocols below:

Contingency Plan – The NPRM would add implementation standards for contingency plans. HHS is proposing a new “criticality analysis” implementation specification, requiring regulated entities to analyze their relevant electronic information systems and technology assets to determine priority for restoration. The NPRM also adds new or more specific language to the existing implementation standards, such as requiring entities to (1) ensure that procedures are in place to create and maintain “exact” backup copies of electronic protected health information (ePHI) during an applicable event; (2) restore critical relevant electronic information systems and data within 72 hours of an event; and (3) require business associates to notify covered entities within 24 hours of activating their contingency plans.

Incident Response Procedures – The NPRM would require written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents, as well as how the regulated entity should identify, mitigate, remediate, and eradicate any suspected or known security incidents.

Vulnerability Management – HHS explained in the NPRM that its proposal to add a new “vulnerability management” standard is intended to address the potential for bad actors to exploit publicly known vulnerabilities. With that in mind, this standard would require a regulated entity to deploy technical controls to identify and address technical vulnerabilities in its relevant electronic information systems, which includes (1) automated vulnerability scanning at least every six months; (2) monitoring “authoritative sources” (e.g., CISA’s Known Exploited Vulnerabilities Catalog) for known vulnerabilities on an ongoing basis and remediating where applicable; (3) conducting penetration testing every 12 months; and (4) ensuring timely installation of reasonable software patches and critical updates.

Stay Tuned

Next week, we will continue Bradley’s weekly NPRM series by analyzing justifications for HHS’s proposed Security Rule updates, how the proposals may change, and areas where HHS offers its perspective on new technologies. The NPRM public comment period ends on March 7, 2025.

Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

HHS Security Rule NPRM Proposes Makeover for Administrative Safeguard Compliance for Regulated Entities

By Eric Setterlund, Adriante Carter & Samuel Adams on

Posted in Data Security, HIPAA / Electronic Health Information, U.S. Department of Health and Human Services (HHS)

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are exploring the proposed updates to the HIPAA Security Rule’s administrative safeguards requirement (45 C.F.R. § 164.308). Last week’s post on the updated technical safeguards is available here.

Background

Currently, HIPAA regulated entities must generally implement nine standards for administrative safeguards protecting electronic protected health information (ePHI):

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

Entities are already familiar with these requirements and their implementation specifications. The existing requirements either do not identify the specific control methods or technologies to implement, or are in some circumstances “addressable” rather than “required” for regulated entities. As noted throughout this series, HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, providing specific guidelines for implementation with limited exceptions for certain safeguards, as well as introducing new safeguards.

New Administrative Safeguard Requirements

The NPRM proposes updates to the following administrative safeguards: risk analyses, workforce security, and information access management. HHS also introduced a new administrative safeguard, technology inventory management and mapping. These updated or new administrative requirements are summarized here:

  • Asset Inventory Management – The HIPAA Security Rule does not explicitly mandate a formal asset inventory, but HHS informal guidance and audits suggest that inventorying assets that create, receive, maintain, or transmit ePHI is a critical step in evaluating security risks. The NPRM proposes a new administrative safeguard provision requiring regulated entities to conduct and maintain written inventories of any technological assets (e.g., hardware, software, electronic media, data, etc.) capable of creating, receiving, maintaining, or transmitting ePHI, and to produce a network map showing the movement of ePHI throughout the organization. HHS would require these inventories and maps to be reviewed and updated at least once every 12 months and when certain events prompt changes in how regulated entities protect ePHI, such as new, or updates to, technological assets; new threats to ePHI; transactions that impact all or part of regulated entities; security incidents; or changes in laws.
  • Risk Analysis – While conducting a risk analysis has always been a required administrative safeguard, the NPRM proposes more detailed content specifications for the written risk assessment, including reviewing the technology asset inventory; identifying reasonably anticipated threats and vulnerabilities; documenting security measures, policies, and procedures for recording risks and vulnerabilities to ePHI systems; and making documented “reasonable determinations” of the likelihood and potential impact of each threat and vulnerability identified.
  • Workforce Security and Information Access Management – The NPRM proposes that, with respect to its ePHI or relevant electronic information systems, regulated entities would need to establish and implement written procedures that (1) determine whether access is appropriate based on a workforce member’s role; (2) authorize access consistent with the Minimum Necessary Rule; and (3) grant and revise access consistent with role-based access policies. Under the NPRM, these administrative safeguard specifications would no longer be “addressable,” as previously classified, meaning these policies and procedures would become mandatory for regulated entities. In addition, the NPRM sets specific standards for the content and timing of workforce training on Security Rule compliance, going beyond the previous general requirements.

Next Time

Up next in our weekly NPRM series, we will dive into the HIPAA Security Rule’s proposed updates to vulnerability management, incident response, and contingency plans.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bradley Arant Boult Cummings LLP
