The U.S. Department of Health and Human Services (HHS) recently released a proposed rule to better protect electronic health data from cybersecurity threats. The proposed rule would apply to health plans, healthcare providers, healthcare clearinghouses, and their business associates, such as billing companies, third-party administrators, and pharmacy benefit managers.
Rapid Insights
- HHS has proposed a rule to shore up cybersecurity protections for electronic health records under the Health Insurance Portability and Accountability Act (HIPAA).
- The new rules would apply to HIPAA-regulated entities, such as healthcare providers, hospitals, and others that handle electronic medical data.
- The public can submit comments on the proposed rule until March 7, 2025.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has remained largely unchanged since its last significant revision in 2013. In light of increasing cybersecurity risks within the healthcare sector, the Department of Health and Human Services (HHS) released a proposed rule on January 6, 2025, aimed at enhancing cybersecurity measures for personal health information gathered by healthcare entities, including providers, hospitals, insurers, and related organizations. The public has until March 7, 2025, to provide feedback on this proposal.
Should these changes be finalized, they would affect all entities covered by HIPAA as well as their business associates, enforcing tougher regulations regarding risk assessments, data encryption, multifactor authentication, and additional areas. Notably, the suggested rule would remove the differentiation between "required" and "addressable" implementation specifications, rendering all specifications mandatory. This alteration would strip away a significant amount of the flexibility currently enjoyed by HIPAA-regulated entities in deciding whether to adopt "addressable" measures, instead establishing more detailed and prescriptive requirements to guarantee adherence to all security standards.
The suggested regulation would additionally mandate:
- written documentation of policies, procedures, plans, and analyses related to complying with the HIPAA Security Rule;
- covered entities to develop and update a technology asset inventory and a network map that illustrates the movement of electronic health information throughout the electronic information system;
- covered entities to conduct a more robust risk analysis than under the current rule, including incorporation of the entity’s technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic health information; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit vulnerabilities;
- encryption of electronic health information at rest and in transit;
- the use of multifactor authentication;
- covered entities to use anti-malware protections and remove extraneous software from electronic information systems;
- an audit at least once per year to confirm compliance with the HIPAA Security Rule;
- covered entities at least once per year to obtain written certification from business associates that they have deployed the technical safeguards required by the HIPAA Security Rule;
- covered entities to review and test the effectiveness of certain security measures at least once every twelve months;
- vulnerability scanning at least every six months and penetration testing at least once every twelve months;
- network segmentation and separate technical controls for backup and recovery of electronic health information and electronic information systems;
- covered entities to establish written procedures to restore the loss of certain electronic information systems and data within seventy-two hours, and document how employees should report security incidents and how the regulated entity will respond to security incidents. Business associates would have to notify covered entities upon activating their security contingency plans no later than twenty-four hours after activation;
- covered entities to cut off a former employee’s access to personal health information no later than one hour after the employment has been terminated; and
- group health plans to include in their plan documents requirements for their plan sponsors to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.
Future Actions
Employers and the public have until March 7, 2025, to submit comments about the proposed rule. The final rule would take effect sixty days after being published in the Federal Register. The existing HIPAA Security Rule remains in effect while the rulemaking is underway.
Entities covered by HIPAA, along with the employers who support them, should consider reassessing their cybersecurity strategies and policies concerning electronic health information. They ought to identify any discrepancies between their current practices and the proposed regulations. Although some of these proposed modifications align with security measures already adopted by numerous HIPAA-covered entities, if the new rules are enacted, employers should be prepared for additional expenses to ensure their practices comply with the outlined requirements. This is particularly relevant for larger employers providing self-insured health plans, as they hold the primary responsibility for HIPAA compliance regarding the plans they sponsor.