Proposed Changes to the HIPAA Security Rule: What Regulated Entities Need to Know
In the final days of the Biden Administration, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The NPRM proposes sweeping changes that impact how health care providers, health plans, and health care clearinghouses (covered entities) and their business associates (collectively, regulated entities) implement, document, and maintain safeguards for electronic protected health information (ePHI). OCR is accepting public comments on the NPRM through March 7.
Initially published in 2003 and most recently revised in 2013, the Security Rule comprises the regulations codified in 45 C.F.R. Part 164, Subpart C. These regulations establish standards and implementation specifications to ensure the confidentiality, integrity, and availability of ePHI. The Security Rule is designed to be flexible and scalable, allowing regulated entities to choose security measures appropriate for their size, resources, and the nature of the security risks they face.
In the NPRM, published on January 6, OCR observes that many regulated entities are not consistently complying with the Security Rule. Further, the health care environment has changed significantly since the Security Rule was last revised, with increased reliance on health information technology, cloud-based services, and interconnected systems. OCR also notes the alarming growth in the number and severity of breaches and cyberattacks affecting the health care sector, which threaten patient safety, health care delivery, and public health. For these reasons, the agency believes it necessary to clarify and strengthen the Security Rule.
Key Changes in the Proposed Rule
The NPRM reflects a major overhaul of the Security Rule and, if finalized, will affect how regulated entities comply with the Security Rule by:
- Eliminating the distinction between required and addressable implementation specifications. Regulated entities must comply with certain standards in the Security Rule. Each standard includes various “implementation specifications” to ensure compliance with the standard. The Security Rule currently distinguishes between “required” and “addressable” implementation specifications, meaning that some security measures are mandatory for all regulated entities, while others are required on a case-by-case basis depending on a regulated entity’s assessment of a measure’s reasonableness and appropriateness. The NPRM eliminates the distinction and requires regulated entities to implement all standards and specifications unless an exception applies.
- Requiring documentation of security practices. Robust documentation practices have long been critical to Security Rule compliance, even if not strictly required. The NPRM mandates that regulated entities document in writing many of their security practices, including risk analyses, risk management plans, and contingency plans.
- Prescribing timeframes for completing security activities. The NPRM sets new compliance timeframes for certain security activities. For example, it requires covered entities to conduct risk analyses, and to review and test security incident response plans and procedures, at least once every 12 months.
New Security Standards and Implementation Specifications
The NPRM adds several new administrative, physical, and technical standards (and new defined terms) for safeguarding ePHI:
- Technology Asset Inventory: Regulated entities must conduct and maintain a written inventory and network map of their electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI, and must review and update them at least once every 12 months.
- Patch Management: Regulated entities must establish and implement written policies and procedures for applying patches and updating the configurations of their electronic information systems and technology assets. The policies and procedures must include identifying, prioritizing, acquiring, installing, evaluating, and verifying patches and updates, as well as documenting and addressing any exceptions.
- Compliance Audit: Regulated entities must perform and document an audit of their compliance with each standard and implementation specification in the Security Rule at least once every 12 months. The audit must include a review of the policies and procedures, actions, activities, assessments, and documentation required by the Security Rule.
- Technology Asset Controls: Regulated entities must implement policies and procedures governing how technology assets that maintain ePHI are received into, removed from, and moved within a facility. The policies and procedures must address tracking, disposal, media re-use, and encryption.
- Configuration Management: Regulated entities must establish and deploy technical controls for securing relevant electronic information systems and technology assets, including workstations, in a consistent manner. These controls must include establishing a baseline level of security for each electronic information system and technology asset and maintaining such information systems and technology assets according to those baselines.
- Audit Trail and System Log Controls: Regulated entities must deploy technology assets, technical controls, or both that record and identify activity in their relevant electronic information systems that could present a risk to ePHI. The assets and controls must collect sufficient information to understand the nature of each activity and the actor responsible for it.
- Vulnerability Management: Regulated entities must establish and deploy technical controls to identify and remediate vulnerabilities in their electronic information systems and technology assets. These controls must include automated vulnerability scans, penetration testing, and patch and update installation.
- Information Systems Backup and Recovery: Regulated entities must deploy technical controls to create and maintain exact retrievable copies of ePHI and to restore ePHI in the event of a loss or disruption. These controls must include verifying the accuracy and completeness of the copies and the success of the restoration.
Additionally, the NPRM restructures several existing implementation specifications — namely, those for risk analysis, risk management, sanction policy, information system activity review, data backup and recovery, and encryption and decryption — into standalone security standards, each with its own new implementation specifications. Notably, these changes make the encryption and decryption of ePHI, which is currently an addressable specification, mandatory for all regulated entities unless an exception applies.
While the NPRM retains the Security Rule’s current standards, it modifies their implementation specifications with more detailed and prescriptive provisions, transforming many previously addressable specifications into mandatory obligations. Among these changes, the NPRM modifies the relationship between a covered entity and business associate by requiring the covered entity to obtain written verification from the business associate at least once every 12 months that confirms it has implemented the required technical safeguards. The NPRM also requires the business associate to report to the covered entity within 24 hours of activating its contingency plan. Recognizing the impact these changes will have on business associate agreements, the NPRM includes a transition period of up to 14 months after the publication of the final rule, during which covered entities and their business associates may continue their existing agreements.
AI and Other Emerging Technologies
The NPRM discusses emerging technologies in health care, including artificial intelligence (AI), quantum computing, and virtual and augmented reality, providing insight into OCR’s concerns regarding the security risks that these technologies pose to ePHI. With respect to AI, OCR notes that the Security Rule currently applies to ePHI in AI training data, prediction models, and algorithm data, and requires regulated entities to include the use of AI tools in their risk analyses and associated risk management activities. Under the NPRM, OCR expects that regulated entities will also include AI software used to create, receive, maintain, or transmit ePHI in their technology asset inventory and use patches, updates, and upgrades to address risks that may arise with AI. OCR requests comments regarding application of the Security Rule to AI and other new and developing technologies, including potential gaps in its application and any modifications or additional tools needed to address security and privacy challenges associated with ePHI in these technologies.
Key Takeaways
The NPRM is a significant rewriting of the HIPAA Security Rule. It introduces comprehensive changes that impose new obligations and potential costs on regulated entities. If OCR finalizes the NPRM, regulated entities should prepare for increased administrative burdens and potential new investments in technology and training. Whatever the outcome of the NPRM — which is uncertain given the change in presidential Administrations since the NPRM’s publication — OCR will likely continue its enforcement focus on compliance with the Security Rule, including its risk assessment and risk management requirements, amid the pervasive cybersecurity threats facing the health care industry. Regulated entities should analyze the potential impact of the NPRM on their operations and consider submitting comments by March 7.