
HHS Proposes Costly Updates to HIPAA to Address Cybersecurity Threats

The U.S. Department of Health and Human Services (HHS) issued a proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to improve cybersecurity.

“This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation,” HHS Office for Civil Rights (OCR) Director Melanie Fontes Rainer said in a press release.

The proposed rule, issued Dec. 27 through the HHS OCR, would require health plans, health care clearinghouses, and most health care providers, along with their business associates, to follow more specific instructions to protect the security of electronic protected health information (ePHI). The proposed changes seek to address a recent uptick in cyberattacks targeting the U.S. health care system.

The rule would implement several administrative and physical safeguards. Among the proposed requirements is “the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI,” as stated in an HHS Fact Sheet about the proposed rule. Additionally, the rule would require greater specificity in conducting risk analysis, yearly compliance audits, and encryption of ePHI at rest and in transit.

Several new regulatory terms and updated definitions for existing regulatory terms are also included in the proposed rule to better address the current threat landscape. Among those is a requirement that all regulated entities and business associates use multifactor authentication to better protect ePHI. The proposed factor categories are:

  • information known by the user, including but not limited to a password or personal identification number;
  • an item possessed by the user, including but not limited to a token or a smart identification card; and
  • a personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

The rule would also require written documentation of all Security Rule policies, procedures, plans, and analyses and specific compliance time periods for many existing requirements.

HHS estimates the first-year total costs associated with regulated entities’ compliance with the requirements in this proposed rule to be approximately $9 billion. Business associates will also incur costs in meeting their obligations to verify compliance with technical safeguards and to provide written proof of that compliance to covered entities.

Public comments on the proposed rule are being accepted now through March 7.

Sources:

https://public3.pagefreezer.com/content/HHS.gov/02-01-2025T05:49/https://www.hhs.gov/about/news/2024/12/27/hhs-office-civil-rights-proposes-measures-strengthen-cybersecurity-health-care-under-hipaa.html

https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
