How Will OCR’s Proposed HIPAA Security Rule Impact HIPAA-Regulated Entities?

Mar 28, 2025

On January 6, 2025, the Department of Health and Human Services (HHS), Office of Civil Rights (OCR), published a Notice of Proposed Rulemaking (NPRM) proposing substantial revisions to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Parts 160 and 164) (the Proposed Rule).[1] These material updates (the first of their kind in over twenty years) would affect all HIPAA-regulated entities and are aimed at strengthening cybersecurity protections to better defend against cyber threats targeting the U.S. healthcare system. The comment period for the Proposed Rule closed earlier this month on March 7, 2025, with over 2,800 comments submitted. Many of the comments addressed the financial burdens of the proposed rule updates. OCR is now reviewing the comments and considering publication of a final rule.

Summary of the Proposed Rule

New and Updated Definitions

The Proposed Rule includes 10 new definitions and 15 changed definitions. Some of the new definitions address basic concepts that OCR had not defined previously, including “risk,” “threat,” and “vulnerability.”

Another change to the definitions section is OCR’s proposed revision of the definition of “information system,” together with new definitions for “electronic information system” and “relevant electronic information system.” Throughout the Proposed Rule, OCR clarifies when a requirement applies to all electronic information systems versus only to the relevant electronic information systems.

Removal of the Distinction Between “Addressable” and “Required” Security Implementations

The Security Rule sets forth three categories of safeguards an organization must maintain: (1) physical safeguards, (2) technical safeguards, and (3) administrative safeguards. Each set of safeguards contains a number of standards, and each standard consists of a number of implementation specifications, each of which is a more detailed instruction for implementing a particular standard.

The Security Rule currently categorizes implementation specifications as either “addressable” (i.e., HIPAA-regulated entities have flexibility in how to implement the specification) or “required” (i.e., the regulated entity must implement the specification).

With respect to addressable implementation specifications, a regulated entity currently has the option to (1) implement the addressable implementation specifications, (2) implement one or more alternative security measures to accomplish the same purpose, or (3) not implement either an addressable implementation specification or an alternative.

OCR has become concerned that HIPAA-regulated entities view addressable implementation specifications as optional, thereby undermining the effectiveness of the Security Rule. The Proposed Rule suggests removing the distinction between “addressable” and “required” specifications, making all implementation specifications required, except for a few narrow exemptions.

Required Technology Asset Inventories and Information System Maps

Currently, the Security Rule requires HIPAA-regulated entities to assess threats, vulnerabilities, and risks, but stops short of prescribing particular methods or means of doing so.

The Proposed Rule would turn these practices into explicit requirements to create a technology asset inventory and a network map. The technology asset inventory would require written documentation identifying all technology assets, including the location of each asset, the person accountable for it, and its version. The network map must illustrate the movement of electronic protected health information (ePHI) through electronic information systems, including how ePHI enters, exits, and is accessed from outside systems.

Regulated entities will need to review and update their asset inventory and network map on an ongoing basis, but at least once every 12 months and whenever there is a change in the environment or operations that may affect ePHI.

Risk Analysis Requirements

Risk analyses must consist of a written assessment that includes, among other things:

  • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  • Identification of potential and existing vulnerabilities to relevant IT systems.
  • Assessment and documentation of the security measures used to protect ePHI.
  • A reasonable determination of the likelihood that each identified threat would exploit the identified vulnerabilities.
  • An assessment of risks to ePHI posed by current or prospective business associates.

Change Management Controls

The Proposed Rule contains requirements for technical and nontechnical evaluations prior to changes in the entity’s environment.

Patch Management Policies and Procedures

HIPAA-regulated entities would be required to review patch management processes at least once every 12 months and modify the processes as reasonable and appropriate. A “reasonable and appropriate” time period to patch critical vulnerabilities would be within 15 calendar days of identification.

Robust Risk Management Planning

The Proposed Rule contains more robust requirements for the establishment and implementation of a risk management plan for reducing the risks identified by the required risk analysis.

More Stringent Requirements for Monitoring and Incident Response

  • Review activity in the relevant IT systems, tailored to the entity’s risk management strategy, and promote awareness of any activity that could suggest a security incident.
  • Maintain an incident response plan that includes disaster recovery procedures capable of restoring lost IT systems within 72 hours.
  • Establish a written security incident response plan and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to them.
  • Review and test contingency plans at least once every 12 months and modify such plans in accordance with test results.
  • Implement written procedures for testing and revising written security incident response plans.
  • Conduct an annual compliance audit to ensure compliance with the Security Rule requirements.

Additional Technical Safeguards

  • Encrypt ePHI at rest and in motion, subject to limited exceptions.
  • Use multi-factor authentication, subject to limited exceptions.
  • Establish and deploy technical controls for configuring relevant IT systems in a consistent manner.
  • Implement required configuration management controls, including deploying anti-malware protection, removing extraneous software, and disabling ports in accordance with the risk analysis.
  • Conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Use network segmentation.
  • Deploy technical controls to create and maintain backups of relevant IT systems and to review and test the effectiveness of such controls once every six months.

Updates for Business Associates

The Proposed Rule also adds requirements for Business Associate Agreements (BAAs). Specifically, if the Proposed Rule is enacted, a BAA must include a provision requiring a Business Associate to notify Covered Entities (and Subcontractors to notify Business Associates) upon activation of its contingency plan, no later than 24 hours after activation.

The Proposed Rule places additional requirements on engagement with business associates, including requiring covered entities to annually obtain from business associates a written analysis and certification of compliance with the Security Rule’s technical safeguards. The analysis would need to be performed by “a person with appropriate knowledge of and experience with” ePHI cybersecurity principles.

Under the Proposed Rule, a HIPAA-regulated entity that delegates compliance activities required by the Security Rule to a business associate remains liable for compliance with the Security Rule.

What Can HIPAA-Regulated Entities Expect?

The final outcome of the Proposed Rule is unclear, as the Trump administration will determine whether to move forward with the rulemaking process. If the Proposed Rule goes into effect, healthcare organizations can expect to see significant changes in terms of planning and implementation with respect to increased documentation, compliance obligations, and Business Associate Agreements.

While there is bipartisan support for strengthening cybersecurity protections across the healthcare system, industry groups have also voiced strong concerns that the Proposed Rule’s requirements are too onerous and costly.

Healthcare entities and providers should closely monitor the development of the Proposed Rule and consider working with counsel to develop regulatory and compliance strategies in case the Proposed Rule is adopted in its current form.

Any opinions expressed are the authors’, and not necessarily those of the firm or their colleagues.

Footnotes

  [1] https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

©2025 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.