Alert
January 7, 2025

HHS Proposes Major Revisions to HIPAA Security Rule

On December 27, 2024, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) related to the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The NPRM signals the current administration’s focus on modernizing security requirements under HIPAA in response to a year-over-year increase in healthcare data breaches and cyberattacks. The NPRM comment period is open until early March 2025. Given the coming change in administration, it is difficult to anticipate when the proposed rule will be finalized or whether the NPRM will be withdrawn.

Addressing Outdated Language

The Security Rule was initially published in 2003 and has experienced little change since that time. Portions of the Security Rule are outdated compared with similar regulations in other industries. For example, the Security Rule, as currently written, does not require any form of encryption. Rather, this is considered an “addressable” specification, meaning a regulated entity can comply with HIPAA and not encrypt its data if it can articulate how encryption is not reasonable or appropriate for its security environment and can implement a reasonable alternative. What’s more, this “addressable” language is often incorrectly interpreted as marking a specification as optional, resulting in many HIPAA-regulated entities simply forgoing this safeguard altogether. By today’s standards, in view of our technological progress since 2003 and the threats posed against that technology, encryption is a functional requirement for maintaining a sophisticated security program.

Stricter Security Requirements

Under the proposal, HIPAA-regulated entities would be required to implement several new technical safeguards, including multifactor authentication, patch management, network segmentation, login attempt limitation procedures, configuration management, network port disabling procedures, vulnerability management, and penetration testing. The revised Security Rule would also further specify the existing risk analysis requirement, elevating it from a specification to a standard and introducing specifications within it, including developing and maintaining a technology asset inventory and a network map that shows the movement of an entity’s data within the entity’s system.

Addressable Specifications Were Never Optional

While the structure of the rule will remain in place — including divisions among technical, physical, and administrative safeguards — HHS has proposed removing the concept of “addressable” specifications entirely to remedy any confusion related to the optionality of such requirements. Initially, the goal of the “addressable” language was to signal flexibility in how the requirements of the Security Rule could be met. However, given the Office for Civil Rights’ (OCR) experience in investigating regulated entities that fail to comply with such specifications, coupled with growing concern that many such entities may view the addressable specifications as optional, HHS is reconsidering its initial position on the amount of flexibility that the Security Rule should offer.

Finalization Falls on the Incoming Administration

The NPRM is long and detailed in its attempt to modernize the Security Rule. Given its weight and complexity, the incoming administration is likely to take its time reviewing comments and finalizing the rule — if it does so at all. To address this concern, HHS offered two considerations to the incoming administration: (1) the provision of healthcare is now, more than ever, dependent upon networked information systems, and such a shift from disparate devices to those connected through the internet warrants an update to the rules regulating their security; (2) the healthcare industry has become a prime target of increasingly aggressive cyberattacks, showing a 100% increase in the number of breaches reported to HHS and a 950% increase in the number of individuals affected by such breaches from 2018 to 2023. Whether the rule is finalized in this form or another, its focus on security safeguards such as patching vulnerabilities signals an increased interest at HHS in enforcement in this space. HIPAA-regulated entities should consider implementing the technical safeguards cited in the proposal, especially penetration testing.

Conclusion

As the new administration enters office and begins to show its comfort with modifying and increasing regulations, we will understand more about the likely outcome of this NPRM. Goodwin’s healthcare regulatory attorneys will continue to monitor any changes and proposals related to HIPAA. Please contact Jonathan Ishee or Michael Paluzzi if you have any questions.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.