Material updates to the HIPAA Security Rule may be on the way, affecting all HIPAA-regulated entities, for the first time in 20 years. The Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (Proposed Rule) aiming to strengthen cybersecurity protections and better defend against cyber threats targeting the U.S. health care system. The comment period will close on March 7, 2025 (60 days after the Proposed Rule was published in the Federal Register).
This proposal to strengthen the security safeguards required under the HIPAA Security Rule is HHS's response to the significant increase in cyber attacks in the health care sector. Specifically, HHS stated that from 2018 to 2023, reports of large breaches resulting from hacking and ransomware attacks increased by 102%, and the number of individuals affected by those breaches increased by 1,002%.
Summary of the Proposed Rule
The Proposed Rule attempts to strengthen the requirements of the Security Rule by clarifying and revising definitions and removing the distinction between "required" and "addressable" implementation specifications. The Proposed Rule adds new implementation requirements to better help ensure that HIPAA-regulated entities carry out compliance activities consistent with industry-standard best practices, such as the NIST Cybersecurity Framework.
Regulated entities would be required to document, in writing, all Security Rule policies and procedures, which include:
- The creation and maintenance of a written inventory of technology assets and a network map. Regulated entities would need to review and update their asset inventory and network map on an ongoing basis, but at least once every 12 months and whenever there is a change in the environment or operations that may affect electronic protected health information (ePHI).
- Annual risk analyses with more specificity. Risk analyses would consist of a written assessment that includes, among other things:
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  - Identification of potential and existing vulnerabilities in the relevant IT systems.
  - Assessment and documentation of the security measures used to protect ePHI.
  - A reasonable determination of the likelihood that each identified threat would exploit the identified vulnerabilities.
  - An assessment of the risks to ePHI posed by current or prospective business associates.
- Establishment of change management controls. The Proposed Rule contains requirements for technical and nontechnical evaluations prior to changes in the entity's environment.
- Patch management policies and procedures. HIPAA-regulated entities would be required to review their patch management processes at least once every 12 months and modify them as reasonable and appropriate. A "reasonable and appropriate" time period to patch critical vulnerabilities would be within 15 calendar days of identification.
- Robust risk management planning. The Proposed Rule contains more robust requirements for the establishment and implementation of a risk management plan for reducing the risks identified by the required risk analysis.
- Stringent requirements for monitoring and incident response policies and procedures. The Proposed Rule would require:
  - A review of activity in the relevant IT systems, customized to the entity's risk management strategy and intended to promote awareness of any activity that could indicate a security incident.
  - An incident response plan that includes disaster recovery procedures capable of restoring lost IT systems within 72 hours.
  - An annual compliance audit to verify compliance with the Security Rule requirements.
Beyond written policies and procedures, the Proposed Rule attempts to expand the Security Rule's technical safeguards, which would require regulated entities to:
- Encrypt ePHI at rest and in transit, subject to limited exceptions.
- Use multi-factor authentication, subject to limited exceptions.
- Establish and deploy technical controls for configuring the relevant IT systems in a consistent manner.
- Implement required configuration management controls, including deploying anti-malware protection, removing extraneous software, and disabling ports in accordance with the risk analysis.
- Conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Use network segmentation.
- Deploy technical controls to create and maintain backups of the relevant IT systems, and review and test the effectiveness of those controls at least once every six months.
In addition, the Proposed Rule adds requirements for business associate agreements (meaning business associate agreements will need to be updated if the Proposed Rule is finalized). Specifically, a business associate agreement must include a provision requiring the business associate to notify the covered entity (and subcontractors to notify the business associate) upon activation of its contingency plan, without unreasonable delay, but no later than 24 hours after activation. Further, the Proposed Rule places additional requirements on engagement with business associates, including requiring covered entities to obtain from business associates, at least once every 12 months, a written analysis and certification of compliance with the Security Rule's technical safeguards. The analysis would need to be performed by "a person with appropriate knowledge of and experience with" ePHI cybersecurity principles. The Proposed Rule makes clear that a HIPAA-regulated entity that delegates compliance activities required by the Security Rule to a business associate remains responsible for compliance with the Security Rule.
New and Emerging Technologies Request for Information
Through the Proposed Rule, HHS is seeking comments on emerging technologies, such as artificial intelligence, quantum computing, and virtual and augmented reality, and on HIPAA's role in regulating those technologies. The Proposed Rule notes that before HIPAA-regulated entities implement these new and emerging technologies, an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI should take place.
What's Next for HIPAA-Regulated Entities
At this point, the future of the Proposed Rule is unclear, as the newly elected administration will likely determine whether to move forward with the rulemaking process. Although cybersecurity protections have received bipartisan support, and the first Trump administration focused on information security, the Trump administration is expected to take a stance against increased regulation. As such, HIPAA-regulated entities should continue to monitor these developments. Given the short turnaround, however, entities should also review the Proposed Rule to determine whether they wish to submit comments in case the Proposed Rule moves forward in its current form.
Health care data privacy continues to evolve rapidly, and HIPAA-regulated entities should closely monitor any new developments and continue to take the necessary steps toward compliance. If you have any questions about compliance with HIPAA or the ramifications of the Proposed Rule and other recent changes to health care data privacy laws, or would like assistance submitting comments on the Proposed Rule, please contact any of the authors or any of the Partners or Senior Counsel in Foley's Cybersecurity and Data Privacy Group or Health Care Practice Group.
The post HHS Proposes Changes to Strengthen HIPAA Security Rule appeared first on Foley & Lardner LLP.