January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule
Client AlertIn January 2025, the U. S. Department of Health and Human Services (HHS) filed a Notice of Proposed Rulemaking (NPRM) to amend many portions of the current Health Insurance Portability & Accountability Act (HIPAA) Security Rule. Comments to the proposed rule are due by March 7, 2025.
The broad focus of these proposed changes is on enhancing covered entities’ and business associates’ cybersecurity practices. Because these rule changes were initiated under the Biden Administration, we are unsure whether the current Administration will maintain the rule changes as drafted. However, cybersecurity has historically been a bipartisan issue.
The NPRM proposes the following for HIPAA covered entities (CEs):
1. Requires CEs to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.
2. Requires CEs to annually train workforce members on the following topics:
a. The entity’s written policies and procedures with respect to electronic protected health information (ePHI);
b. Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and
c. The entity’s written policies and procedures for accessing relevant electronic information systems.
3. Requires a CE to terminate a workforce member's access to ePHI within one hour of their employment ending.
4. Requires CEs to perform vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.
5. Requires CEs to conduct and document a Technology Asset Inventory and Network Map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory must include identification, the person accountable for, and the location of each technology asset.
6. Requires CEs to complete written risk analyses that include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to the CE’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability to the CE’s ePHI. Currently, the HIPAA Security Rule does not specify a frequency for risk assessments, but the NPRM requires risk assessments to be reviewed and updated annually or when regulatory changes necessitate a risk assessment.
7. Requires CEs to plan for contingencies and how they will respond to security incidents. CEs must:
a. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
b. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
c. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the entity will respond to suspected or known security incidents; and
d. Implement written procedures for testing and revising written security incident response plans.
The proposed rule also sets forth important proposed changes for business associates (BAs). The NPRM requires that BAs verify to CEs at least once every 12 months through a written analysis of the BA’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate that they have deployed technical safeguards required by the Security Rule to protect ePHI.
If you have questions about the January 2025 NPRM or HIPAA Security Rule, please contact BMD Member Daphne Kackloudis at dlkackloudis@bmdllc.com or BMD Attorney Jordan Burdick at jaburdick@bmdllc.com.