A few days ago, the U.S. Department of Health and Human Services (“HHS”), through its Office for Civil Rights, issued the proposed rule HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (the “Rule”) “to improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks.”
The Rule would amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule and will mandate that health plans and the majority of health care providers and their business associates improve cybersecurity safeguards for the protected health information of individuals. The Rule reflects the pressing need to address growing cybersecurity threats in the health care sector but will undoubtedly have a big impact on the health care sector, both financially and operationally.
The following are some significant new requirements under the Rule:
The Rule would remove the distinction between “required” and “addressable,” which would increase the uniformity with which HIPAA-regulated entities implement existing standards. In the current rule, the regulated entities have some flexibility with respect to safeguards of the “addressable” classification. However, per the HHS, that was never the intent, and rather, it created confusion regarding the optionality of such safeguards. Numerous organizations disregarded such protections because they believed they were optional. The Rule would make it clear that the applicable entities must adhere to all security standards, with limited exceptions.
If the Rule is finalized, the regulated entities will be required to implement (and document in writing their implementation) a slew of enhanced safeguards, including:
- creating and maintaining an inventory and network map of all technology assets (regardless of where they are located) to document the movement of Electronic Protected Health Information (“ePHI”) through the entity’s electronic information systems and regular review of such inventory and network map (upon any changes or every twelve months);
- full risk assessments/compliance audit, consistent with exact specifications listed in the Rule, to be conducted at least every twelve months;
- timely assessment, management, and installation of patches and upgrades;
- implementation and compliance with detailed written procedures regarding risk management and response;
- contingency planning, which should include a data backup plan, allowing restoration of vital data within seventy-two hours of an event;
- ePHI must always be encrypted, with limited exceptions;
- multi-factor authentication must always be used, with limited exceptions;
- phones, tablets, and other devices would be subject to the same requirements as computer workstations, requiring regulated entities to assess their vulnerability and ability to access ePHI; and
- regulated entities must require their business associates to (a) confirm and certify in writing every twelve months that business associates have implemented the required technical safeguards to protect ePHI and (b) notify the regulated entity of an activation of a contingency plan no later than 24 hours thereafter.
Comments to the Rule are due on or before March 7, 2025. If finalized, the Rule will be effective 60 days after publication in the Federal Register. Deadline for compliance: most provisions of the Rule require compliance within 180 days after the Rule is effective.
Contact Cozen O’Connor if you have any questions about the current rule, the proposed changes, or other compliance questions.