Major HIPAA Security Rule Updates Proposed
For the first time in over 11 years, significant changes are proposed to the Security Rule component of the Health Insurance Portability and Accountability Act (HIPAA). In a Proposed Rule published today, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) aims to address the massive spike in cybersecurity incidents and breaches involving protected health information, and the glaring compliance deficiencies observed by OCR related to the Security Rule.
The HIPAA Security Rule was created in the late 1990s and early 2000s in the age of the PalmPilot, dial-up internet, and far fewer cybersecurity threats, so OCR is “modernizing” the Security Rule to align with today’s security environment. The current Security Rule is also very flexible - it lacks precise safeguard requirements in the regulations. The proposed changes mark a stark shift to more explicit and absolute mandates, and, if implemented, would require ambulance services and their business associates to take a hard look at their existing security programs.
Comments to the Proposed Rule are due March 7, 2025. PWW is also monitoring another Proposed Rule issued in 2021 containing several proposed changes to the HIPAA Privacy Rule. OCR may issue a more extensive, consolidated “Omnibus Rule” containing both the Security and Privacy Rule updates simultaneously - stay tuned.
What Security Rule Changes Could We See:
- Required Specifications. Previously, some implementation specifications in the Security Rule were “addressable,” meaning an entity could document why a safeguard was not reasonable and appropriate and implement an alternative instead. OCR wants to eliminate the distinction between “required” and “addressable” implementation specifications and make virtually all of them required.
- Written Policies, Plans, and Analysis. Undocumented practices will no longer suffice because OCR would require documentation of all Security Rule policies, procedures, plans, and analyses.
- Network Map & Asset Inventory. Covered organizations would be required to have (and update every 12 months) a technology asset inventory and a network map illustrating the movement of ePHI throughout the regulated entity’s electronic information system(s).
- Risk Analysis Guidance. Previously, OCR did not offer a mandatory “checklist” for conducting a Risk Analysis. New express requirements would include a written assessment that contains, among other things:
- A review of the technology asset inventory and network map.
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic PHI (ePHI).
- Identification of potential vulnerabilities and predisposing conditions in the regulated entity’s relevant electronic information systems.
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Contingency Planning and Security Incidents. OCR would strengthen requirements for planning for contingencies and responding to security incidents and require organizations to:
- Establish written procedures to restore certain relevant electronic information systems and data within 72 hours of their loss.
- Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
- Establish written security incident response plans and procedures that document how workforce members are to report suspected or known security incidents and how the regulated entity will respond to them.
- Implement written procedures for testing and revising written security incident response plans.
- Annual Security Rule Audits. OCR would require regulated entities to conduct a Security Rule audit at least once every 12 months.
- Business Associate Verification.
- The Proposed Rule would require business associates to verify to covered entities at least once every 12 months (and business associate subcontractors to verify to business associates at least once every 12 months) that they have deployed the technical safeguards required by the Security Rule to protect ePHI. The verification would consist of a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- Business associates would also be required to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay but no later than 24 hours after activation.
- Encryption Requirement. OCR would require encryption of ePHI at rest and in transit, with limited exceptions.
- Required Technical Controls and Safeguards. OCR wants to require regulated entities to have security measures, including:
- Deploying anti-malware protection.
- Removing extraneous software from relevant electronic information systems.
- Disabling network ports in accordance with the regulated entity’s risk analysis.
- Network segmentation.
- Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Multi-Factor Authentication. OCR proposes to require the use of multi-factor authentication, with limited exceptions.
- Vulnerability Scans and Penetration Testing. Covered organizations would be required to conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
Questions? Please contact any attorney or consultant at Page, Wolfberg & Wirth, or PWW Advisory Group.