Proposed Rule Change to Strengthen the Cybersecurity of Electronic Protected Health Information
On January 6, 2025, the Department of Health and Human Services (HHS) published a proposed rule, “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” that would modify the HIPAA Security Rule’s protections for electronic protected health information (ePHI). The updates aim to strengthen the cybersecurity of ePHI in response to the evolving healthcare environment, the rise in cyberattacks, and compliance deficiencies observed by regulators. The 125-page proposal provides detailed guidelines for the protection of PHI and ePHI. Below is a high-level summary of the key proposals that covered entities and business associates need to know; for details, read the full proposal at https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf.
- Removal of “Addressable” vs. “Required” Standards:
  - All implementation specifications are now mandatory, eliminating the previous flexibility in interpretation.
- Mandatory Documentation:
  - Written documentation of all policies, procedures, plans, and analyses is required to ensure thorough and consistent compliance.
- Technology Asset Inventory and Network Mapping:
  - Entities must maintain an up-to-date inventory of technology assets and a network map illustrating the movement of ePHI. The inventory and map must be updated annually or as needed.
- Enhanced Risk Analysis Requirements:
  - The proposed rule specifies in greater detail how risk analyses are to be conducted, including identifying threats, vulnerabilities, and potential impacts on ePHI.
- Regular Security Testing:
  - Annual compliance audits, annual penetration tests, and biannual vulnerability scans are now required to ensure ongoing security and compliance.
- Data Restoration Procedures:
  - Entities must develop procedures to restore critical data within 72 hours, prioritizing the most critical data to minimize disruption.
- Vendor Management:
  - Entities are required to verify the security measures of business associates and contractors to ensure they meet the new standards.
- Encryption and Multifactor Authentication:
  - Both measures are now explicitly required safeguards for ePHI.
- Removal of Unnecessary Software:
  - Entities must actively remove unused software and disable unused network ports to reduce potential vulnerabilities.
Additional Points of Interest:
- Public Comment Period: Stakeholders have until March 7, 2025, to submit comments on the proposed rule. This is an opportunity for covered entities, business associates, and other stakeholders to provide feedback and suggestions.
- Tribal Consultation: HHS is seeking input from Tribal governments on the proposed rule, indicating a commitment to inclusive consultation.
- Impact on Small Entities: The proposed rule changes are expected to have a significant impact on small entities, including small healthcare providers and business associates. Key points include:
  - Increased Compliance Costs: Small entities may face higher costs to comply with the new mandatory requirements, such as maintaining detailed documentation, conducting regular security testing, and implementing security measures like encryption and multifactor authentication.
  - Resource Allocation: Small entities might need to allocate more resources, both financial and human, to meet the enhanced cybersecurity standards. This could be challenging for organizations with limited budgets and staff.
  - Operational Adjustments: The need to maintain an up-to-date technology asset inventory and network map, conduct comprehensive risk analyses, and verify the security measures of business associates may require significant operational changes.
- Compliance Timeline: The proposed rule outlines specific timelines for compliance to ensure that covered entities and business associates have adequate time to implement the new requirements:
  - Public Comment Period: Stakeholders have until March 7, 2025, to submit comments on the proposed rule.
  - Final Rule Publication: The final rule is expected to be published sometime in 2026.
  - Grace Period: Once the final rule is published, there will be a six-month grace period for compliance, allowing entities time to adjust their policies and procedures to meet the new standards.
- Enforcement and Penalties: The proposed rule includes detailed enforcement mechanisms and potential penalties for non-compliance:
  - Enforcement Mechanisms: The Office for Civil Rights (OCR) at HHS will oversee enforcement of the new standards, including conducting audits and investigations to ensure compliance.
  - Penalties for Non-Compliance: Entities that fail to comply with the new requirements may face significant penalties. The proposed rule emphasizes the importance of adhering to the standards to avoid fines and other enforcement actions.
  - Increased Accountability: The proposed rule aims to enhance accountability by requiring detailed documentation of security measures and regular security testing, so that entities are demonstrably maintaining and improving their cybersecurity practices.