
On December 27, 2024, the Office for Civil Rights (OCR) at HHS issued a Notice of Proposed Rulemaking (the Proposed Rule) intended to update the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The Security Rule establishes national standards for the protection of individuals’ electronic protected health information (ePHI) by covered entities, which include health plans, health care clearinghouses, and most health care providers, and business associates. OCR administers and enforces the Security Rule. The Proposed Rule was published in the Federal Register today, and comments on the Proposed Rule are due by March 7, 2025.
The Security Rule was originally published in 2003 and was most recently significantly updated in 2013. Citing both changes in technology and an increase in the number of individuals affected by cyberattacks involving ePHI, the 465-page Proposed Rule includes updates to the Security Rule, some of which create new obligations and requirements with which stakeholders must comply. These updates cover a wide spectrum of cybersecurity areas, including:
- requiring that each covered entity and business associate document the policies and procedures it has implemented to comply with the Security Rule, and as part of that documentation, explain how it considered the factors at 45 C.F.R. § 164.306(b) (pertaining to the flexibility of approach in deciding which measures to use) in the development of its policies and procedures;
- modernizing definitions and language used in the Security Rule to reflect updates in technology;
- increasing requirements for planning and responding to cybersecurity incidents;
- requiring multifactor authentication;
- requiring encryption of ePHI in transit and at rest;
- requiring business associates and subcontractors to notify covered health entities no later than twenty-four hours after a cybersecurity contingency plan has been activated; and
- requiring that business associates and subcontractors provide written verification to the covered entity and the business associate, respectively, once every twelve months of their compliance with the Security Rule.
The Proposed Rule, published in the final days of the Biden Administration, is subject to modification or rescission by the incoming Trump Administration. It also asks for input from the public and affected health entities, which could also result in changes to the final rule. However, the stated motivations for the Proposed Rule, advances in technology and the rising risk and widespread impact of cyberattacks, are ones that are shared across the political spectrum.
For example, the new regulations proposed in the Proposed Rule affecting business associates and subcontractors are part of an increased focus on supply chain risks, which is seen across agencies and may very well survive the administration change. The Proposed Rule would require covered entities and upstream business associates to obtain written verification every twelve months from business associates and subcontractors, respectively, that the verifying entity has deployed the “required technical safeguards” in the Security Rule. That annual verification must include a written analysis of the relevant electronic information systems and be done by a knowledgeable person with authority to act on behalf of the business associate or subcontractor.
Finally, the Proposed Rule also appears to clarify an issue of regulatory interpretation, which may be in response to a recent Fifth Circuit decision, University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, 985 F.3d 472, 478 (5th Cir. 2021), which interpreted the Security Rule’s requirements to have a “mechanism” for encryption of ePHI. In that case, the Fifth Circuit held that a covered entity can meet its obligations under the Security Rule concerning encryption and decryption of ePHI by implementing a mechanism to do so, without regard for the effectiveness of the implementation of that mechanism. The Security Rule’s current language requires covered entities and business associates to implement a “mechanism” to comply with multiple sections of the rule. The Proposed Rule would revise that language throughout the Security Rule to clarify that having an ineffective “mechanism” is not compliant with the Security Rule.
If a final rule is published, it would be effective sixty days after publication, and covered entities would have 180 days after publication to comply with the final rule.
The Proposed Rule is available here, and the OCR Fact Sheet accompanying the issuance of the Proposed Rule is available here.