Download PDF

HIPAA Security Proposed Rule – Summary

January 20, 2025

On December 27, 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This proposal is intended to strengthen cybersecurity protections for electronic protected health information (ePHI). OCR administers and enforces the Security Rule, which establishes national standards for the protection of individuals’ ePHI by covered entities (health plans, healthcare clearinghouses, and most healthcare providers), and their business associates (together, “regulated entities”). You can find the proposed rule here, and the HHS press release and fact sheet here, and here. Comments are due March 7, 2025. Also, for reference purposes, the current regulatory text (as contrasted with what is proposed in the rule outlined below), can be found here.

I. Key Takeaways

• OCR says regulated entities are failing to perform compliant risk analyses and policy changes are needed and that only 14 percent of covered entities and 17 percent of business associates are currently in compliance.
• Maintaining an asset inventory is not explicitly required under the current Security Rule but OCR calls it a “fundamental component of conducting a risk analysis” and says many healthcare organizations (HCOs) are not maintaining these inventories. In place of the existing standard for security management process OCR proposes to require a regulated entity to conduct and maintain an accurate and thorough written technology asset inventory and a network map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability (CIA) of ePHI. OCR calls for this to happen no less than every 12 months or following a significant event.
• OCR has proposed a compliance date of 180 days after the effective date of the final rule, which is 240 days after its publication.
• OCR is proposing to remove “addressable” implementation standards and make all standards required. OCR would allow regulated entities to determine the security measures that are reasonable and appropriate to fulfill the required standards and implementation specification and that there would be a variety of ways to achieve compliance.
• While OCR recognizes challenges small and rural healthcare providers face, they feel it’s just as important for small and rural healthcare providers to implement strong security measures as it is for larger ones.
• NOTE: There is a likelihood that the incoming Trump administration will freeze this rule along with several others. Until or unless that happens, CHIME plans to submit comments. More will be known in the days following the start of the new administration. Please review our Monday e-newsletter – the Washington Debrief – for breaking news. To subscribe, please reach out to us at [email protected] and we will add you.

II. Background

HIPAA was signed into law 1996 and the Security Rule was initially finalized and published in 2003. HIPAA was amended in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act to mandate stronger safeguards for protecting ePHI in 2009. Congress amended HITECH with H.R. 7898 which resulted in P.L. 116-321 in 2021. It requires HHS to take into account a regulated entities’ use of recognized security practices when enforcing the Security Rule. This change in law was a direct result of CHIME advocacy.

The Biden administration has issued a proposal which re-opens and would update the rule to “increase cybersecurity for ePHI” by addressing:

• Changes in the environment in which healthcare is provided;
• Significant increases in breaches and cyberattacks;
• Common deficiencies OCR has observed in investigations into Security Rule compliance by regulated entities;
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes; and
• Court decisions that affect enforcement of the Security Rule.

While OCR does not believe that their proposed changes will prevent all breaches, they do believe that it will prevent many and enable regulated entities to respond more quickly when there is a “significant event,” including a cyber incident. OCR states: “Today, cybersecurity is a concern that touches nearly every facet of modern healthcare, certainly more than it did in 2003 or even 2013.” They note the growing escalation in cyberattacks and breaches impacting 500 or more individuals and the negative impact these incidents can have on patient care. OCR further notes that there is a growing patchwork of state-specific laws aimed at protecting PHI, which may create difficulties for regulated entities that are located or operate in multiple states, and none address protecting ePHI specifically.

President Biden designated the Healthcare and Public Health (HPH) Sector as a critical infrastructure sector and HHS as the Sector Risk Management Agency (SRMA) and directed federal agencies to establish and implement minimum requirements for risk management.

III. Overview of Proposed Policies

OCR’s justification for re-opening the Security Rule includes the following reasons:

• Significant transformation undergone by the healthcare sector in last decade;
• High value that stolen medical records fetch by cyber criminals;
• Increased risk to ePHI posed by artificial intelligence (AI);
• Other threats to ePHI like internal actors and system outages like Crowdstrike;
• Inconsistent use of cyber best practices;
• Failures by HCOs to maintain “a current inventory of sensitive and valuable data and where those reside”;
• Need for regulatory clarity given the recent court case, University of Texas M.D. Anderson Cancer Center v. HHS (“M.D. Anderson”), where the U.S. Court of Appeals for the Fifth Circuit vacated a $4.3 million fine finding security mechanisms need not be effective or implemented throughout an enterprise. The court found that, “the Security Rule does not say anything about how effective a mechanism for encryption must be,” and thus “under the court’s interpretation, a regulated entity can meet its obligations under the Security Rule concerning encryption and decryption of ePHI by implementing a mechanism to do so, without regard for the effectiveness of the implementation.” The court also said that asking employees to sign an agreement that requires encryption of portable devices as sufficient to meet the Security Rule and HHS disagreed with this interpretation; and
• HHS’ HIPAA advisory body, the National Committee on Vital and Health Statistics (NCVHS), made several recommendations to OCR on how they could improve the Security Rule including removing addressable implementation specifications because many are treating this as a choice as opposed to adopting a reasonable alternative.

OCR is proposing that regulated entities would have until the “compliance date” (i.e., 240 days after publication) to establish and implement policies, procedures, and practices to achieve compliance with any new or modified standards. In other words, regulated entities must comply with the applicable new or modified standards or implementation specifications no later than this date.

OCR does not propose to adopt referenced best practices as the standard or implementation specifications unless otherwise specified in the proposed regulatory text but there are discussions and references to certain HHS Cybersecurity Performance Goals (CPGs) and National Institute of Standards and Technology (NIST) guidance, among others, throughout the proposed rule.

Please see our crosswalk to the rule and HHS’ CPGs here.

IV. Definitions

A. Section 160.103 (page 72)

OCR proposes to update the definition of "electronic media" to include media used for recording, maintaining, or processing data, while at rest, in transit, or in process. This change emphasizes the need to protect data in process, as it is vulnerable to breaches when unencrypted.

Additionally, to ensure that the definition includes future technology, OCR proposes to add to the list of examples “any other form of digital memory or storage” on which data may be recorded, maintained, or processed.

OCR further proposes to revise the definition of "transmission media" to reflect that data is mostly transmitted electronically today, with a limited exception for handwritten data. Public networks will be included as examples of transmission media. A technical correction will replace "electronic storage media" with "electronic storage material" to ensure consistency in definitions.

B. Section 164.304—Definitions (page 76)

OCR proposes to add ten new terms and modify the definitions of fifteen existing terms. The proposed new regulatory terms would be: Deploy, Implement, Electronic information system, Multi-factor Authentication, Relevant Electronic Information System, Risk, Technical controls, Technology Asset, Threat, and Vulnerability.

OCR proposes to modify the following terms: Access, Administrative safeguards, Authentication, Availability, Confidentiality, Information System, Malicious Software, Password, Physical Safeguards, Security or Security Measures, Security Incident, Technical Safeguards, User, and Workstation.

1. Clarifying the Definition of “Access” (pages 76 and 356)

OCR is proposing to expand the list of activities that should be considered under the term by adding the activities of “deleting” and “transmitting.” They also propose to replace “system resource” with “component of an information system” which would clarify that the term includes any and all components of an information system and an information system as a whole.

2. Clarifying the Definition of “Administrative Safeguards” (pages 77 and 356)

To address the minor inconsistencies between the definitions of “administrative” and “physical” safeguards and to ensure that each is afforded an equal weight of importance, OCR proposes the following changes:

Administrative safeguards are administrative actions and related policies and procedures to manage the selection, development, implementation, and maintenance (including updating and modifying) of security measures to protect ePHI, and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.

3. Clarifying the Definition of “Authentication” (pages 78 and 356)

OCR proposes to clarify the definition of “authentication” to mean corroboration that either a person or technology asset is the one they are claiming to be.

4. Clarifying the Definition of “Availability” (pages 79 and 356)

Given the increased connectivity of the healthcare environment, OCR proposes to clarify the definition of “availability” to mean the property that data or information is accessible and usable upon demand by an authorized person or technology asset.

5. Clarifying the Definition of “Confidentiality” (pages 80 and 356)

OCR proposes to clarify the definition of confidentiality to specify that it means the property that data or information is not made available or disclosed to unauthorized persons, technology assets, or processes.

6. Adding Definitions of “Deploy” and “Implement” (pages 80 and 356)

OCR is concerned that some regulated entities are interpreting the requirement to implement technical policies and procedures to mean they are only required to establish written policies and procedures but do not need to apply effective, automated technical policies and procedures to all ePHI throughout their enterprise. OCR references the M.D. Anderson v. HHS case as justification for these proposals. OCR proposes to define the term “deploy” to mean to configure technology for use and implement such technology.

OCR proposes to define the term “implement” to clarify that a safeguard must be put into place and be in effect throughout the enterprise, as opposed to only some components of a regulated entity’s relevant information systems (e.g., some laptops or servers) or applied to a subset of ePHI. OCR proposes to expressly clarify that implement also means that a safeguard must function as expected.

Under this proposal, OCR would not consider a safeguard to be implemented if it is not functioning in the manner in which it is expected. They further state that, “a regulated entity’s administrative policy requiring it to take action to prevent infections from malicious software is not implemented until it is applied throughout the enterprise, meaning that the entity has ensured that anti-malware protections have been put into place on all relevant electronic information systems that create, receive, maintain, or transmit ePHI or that otherwise affect the confidentiality, integrity, or availability of ePHI throughout the enterprise.” Proposed definition below.

Implement means to put into effect and be in use, operational, and function as expected throughout the covered entity or business associate.

7. Adding a Definition of “Electronic Information System” (pages 83 and 356)

OCR proposes to add a definition of “electronic information system” to better distinguish the concept from the broader category of an information system and calls for limiting the definition to an interconnected set of electronic information resources under the same direct

management control that shares common functionality. The proposed definition is:

Electronic information system means interconnected set of electronic information resources under the same direct management control that shares common functionality. An electronic information system generally includes technology assets, such as hardware, software, electronic media, information, and data.

8. Modifying the Definition of “Information System” (pages 84 and 357)

OCR proposes to modify the definition of “information system,” to clarify that an information system “generally, not just “normally,” includes hardware, software, data, communications, and people. OCR gives the following example: “both a healthcare provider and a cloud-based EHR vendor have direct management control over the ePHI in the cloud-based EHR. Accordingly, such ePHI generally is part of both the information system of the healthcare provider and of the cloud-based EHR vendor.” They also clarify that, “a technology asset may be included as part of the information systems of multiple regulated entities where such regulated entities all have direct management control over the technology asset.” OCR proposes that:

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. An information system generally includes hardware, software, information, data, communications, and people.

9. Modifying the Definition of “Malicious software” (pages 85 and 357)

OCR proposes to replace the current definition of malicious software to define it to mean software or firmware intended to perform an unauthorized action or activity that will have adverse impact on an electronic information system and/or the confidentiality, integrity, or availability (CIA) of ePHI. Thus, it would clarify that malicious software could include either software or firmware and that the negative effects of the malicious software may not be limited to damaging or disrupting a system. Rather, effects of the software could be intended to have any type of adverse impact on an electronic information system and/or the CIA of ePHI. OCR further proposes to include in regulatory text a non-exhaustive list of examples, such as viruses, worms, Trojan horses, spyware, and some forms of adware, to assist regulated entities in understanding what constitutes malicious software.

10. Adding a Definition of “Multi-factor Authentication” (MFA) (pages 86 and 357)

OCR proposes to define the term “multi-factor authentication” to provide regulated entities with a specific level of authentication for accessing relevant electronic information systems. Regulated entities would be required to apply this proposed definition when implementing the proposed rule's specific requirements for authenticating users' identities through verification of at least two of three categories of factors of information about the user. The proposed categories would be:

• Information known by the user, including but not limited to a password or personal identification number (PIN).
• Item possessed by the user, including but not limited to a token or a smart identification card.
• Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

MFA relies on the user presenting at least two factors. Authentication that relies on multiple instances of the same factor, such as requiring a password and PIN, is not MFA because both factors are “something you know.” For example, where MFA is deployed, users could seek access by entering a password. However, without the entry of at least a second factor such as a token or smart identification card, the user is not granted access and the password is useless by itself. Cybercriminals seeking access to MFA-protected information systems require significantly more resources to launch the attack because there are multiple data points required to succeed.

OCR points to HHS’ 405(d) Program’s “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) as rationale for inclusion.

11. Clarifying the Definition of “Password” (pages 89 and 357)

OCR proposes to add examples to the definition of “password” to further clarify what constitutes a character, and adds “such as letters, numbers, spaces, other symbols” to the existing definition. They believe these regulatory examples would provide necessary context for regulated entities that deploy safeguards involving passwords.

12. Clarifying the Definition of “Physical Safeguards” (pages 89 and 357)

OCR proposes to clarify that the policies and procedures referred to in the definition are those that specifically are related to physical measures, and to replace “buildings” with “facilities” because facility is a defined term under the Security Rule and has an equivalent meaning. OCR says they always intended that physical safeguards apply to any location where a regulated entity might possess ePHI, including the physical premises and interior and exterior of a building, and any location that might affect the CIA of ePHI. Additionally, given the mobility of technology today, including workstations that may access ePHI, OCR believes it would be more appropriate to use the term facility to make clear that the physical safeguards are to apply throughout the premises of the regulated entity. Thus, their new definition is:

Physical safeguards are physical measures and related policies and procedures to protect a covered entity’s or business associate’s relevant electronic information systems, and related facilities and equipment, from natural and environmental hazards and unauthorized intrusion.

13. Adding a Definition of “Relevant Electronic Information System” (pages 90 and 357)

OCR proposes to add the term “relevant electronic information system” to mean an electronic information system that creates, receives, maintains, or transmits ePHI or that otherwise affects the CIA of ePHI. This proposal is intended to further clarify the scope of regulated entities' compliance obligations, including the obligation of regulated entities to understand the relationship between their various electronic information systems and the CIA of ePHI. One example they offer is a covered entity’s food and beverage or gift shop systems.

Cybercriminals may be able to access ePHI by leveraging vulnerabilities in electronic information systems that do not themselves create, receive, maintain, or transmit ePHI where they are connected to or can affect those that do. Thus, OCR interprets an electronic information system as otherwise affecting the CIA of ePHI if it is insufficiently segregated physically and electronically from an electronic information system that creates, receives, maintains, or transmits ePHI or one that otherwise affects the CIA of ePHI.

An electronic information system would also fit the category of “otherwise affecting” if it contains information that relates to an electronic information system that creates, receives, maintains, or transmits ePHI or to another electronic information system that otherwise affects the CIA of ePHI. OCR provides several examples of this, including an electronic information system that contains the decryption keys for a regulated entity's encryption algorithms.

14. Adding a Definition of “Risk” (pages 92 and 358)

OCR believes that defining the term “risk” would clarify several existing and proposed provisions of the Security Rule – including the factors regulated entities must consider when determining the security measures they will implement and the importance and purpose of conducting the required risk analysis. OCR proposes to define this term as:

Risk means the extent to which the confidentiality, integrity, or availability of ePHI is threatened by a potential circumstance or event.

15. Clarifying the Definitions of “Security or Security Measures” and “Security Incident” (pages 93 and 358)

OCR proposes to modify the definition of “security or security measures.” OCR says, “The existing definition does not make clear that a security incident may result from two types of behaviors—those related to attempted or successful but unauthorized access, use, disclosure, modification, or destruction of information in an information system, and those that are related to the attempted or successful unauthorized interference with system operations in an information system.” Proposed definition below:

Security or security measures encompass all of the administrative, physical, and technical safeguards in or applied to an information system. Security incident means any of the following: (1) The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in an information system. (2) The attempted or successful unauthorized interference with system operations in an information system.

16. Adding Definitions of “Technical Controls” (pages 95 and 358)

OCR proposes to add and define the term “technical controls” to mean:

Technical controls means the technical mechanisms contained in the hardware, software, or firmware components of an electronic information system that are primarily implemented and executed by the electronic information system to protect the information system and data therein.

17. Modifying the Definition of “Technical Safeguards” (pages 96 and 358)

OCR proposes to modify the definition of “technical safeguards” to mean:

The technology, technical controls, and related policies and procedures governing the use of the technology that protects and controls access to electronic protected health information.

18. Adding a Definition of “Technology Asset” (pages 96 and 358)

OCR proposes to distinguish the requirements that apply to all components of an electronic information system vs. those that only apply to certain components. Proposed definition below:

Technology asset means the components of an electronic information system, including but not limited to hardware, software, electronic media, information, and data.

19. Adding a Definition of “Threat” (pages 97 and 358)

OCR plans to define the term “threat” broadly and to include hackers, malicious insiders, and malicious software. Proposed definition below:

Threat means any circumstance or event with the potential to adversely affect the confidentiality, integrity, or availability of electronic protected health information.

20. Clarifying the Definition of “User” (pages 98 and 358)

OCR proposes to clarify the definition of user as a person with authorized access.

21. Adding a Definition of “Vulnerability” (pages 98 and 358)

OCR plans to define “vulnerability” largely as NIST has to mean:

A flaw or weakness in an information system, information system security procedures, design, implementation, or technical controls that could be intentionally exploited or accidentally triggered by a threat.

22. Clarifying the Definition of “Workstation” (pages 100 and 358)

OCR proposes to modernize the definition of “workstation” to mean:

An electronic computing device and electronic media stored in its immediate environment. Workstation includes but is not limited to the following types of devices: a server, desktop computer, laptop computer, virtual device, and mobile device such as a smart phone or tablet.

V. Security Standards: General Rules - Section 164.306 (page 102)

OCR is concerned that regulated entities are misinterpreting the general requirements of the Security Rule such that it applies to only some ePHI, rather than all ePHI. They are furthermore concerned that many are misconstruing the difference between required and addressable implementation specifications and are treating addressable ones as optional. They state, “we must squarely confront the problem of regulated entities treating addressable implementation specifications as optional. Relatedly, we also believe that we must consider modifying the Security Rule to set an acceptable minimum level of security specifications.”

OCR proposes to remove the distinction between “required” and “addressable” standards stating: “Importantly, removing the distinction between required and addressable would not eliminate all of the Security Rule’s flexibility and scalability. Instead, it would simply clarify for regulated entities where the floor of protection must lie, and regulated entities must implement solutions that meet that floor, taking into consideration their needs and capabilities.” They offer the following illustrative examples:

For example, a small or rural healthcare provider must implement a solution that ensures the protection of ePHI in the manner required by the Security Rule, but the specific solution that it chooses would reflect consideration of its particular circumstances, including available resources. In some cases, a small or rural healthcare provider might opt to implement a cloud-based EHR or other software solution that could reduce the healthcare provider’s need to separately invest in data storage, backup systems, and IT personnel. And in other circumstances, a small or rural healthcare provider might choose to contract with a third party to provide IT support, rather than hiring its own workforce members to perform such functions.

The agency also proposes to require each regulated entity to protect against any reasonably anticipated threats or hazards to the CIA of all ePHI, instead of to the security or integrity of ePHI. Additionally, OCR calls for requiring each regulated entity to ensure that its workforce complies not only with the Security Rule, but also all administrative, physical, and technical safeguards. OCR clarifies that regulated entities are to apply reasonable and appropriate security measures to implement the standards and implementation specifications of the Security Rule.

OCR proposes to add a new element to the list of factors that regulated entities must take into account when deciding whether a particular security measure is reasonable and appropriate for implementing a standard: the effectiveness of the security measure in supporting the resiliency of the regulated entity. Said another way, OCR states they propose “to require a regulated entity to consider the ability of its implementation of a particular security measure to aid it in preventing, withstanding, and recovering from an emergency or other occurrence that affects the CIA of ePHI, including a successful security incident.”

OCR also proposes to remove the maintenance implementation specifications for specific standards, when applicable.

To read the rest of the summary click here.