In an effort to strengthen cybersecurity protections for electronic protected health information (ePHI), at the end of last year the Department of Health and Human Services (HHS), through its Office of Civil Rights (OCR), issued a Notice of Proposed Rulemaking (NPRM) to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The NPRM has received over 4,000 comments from HIPAA-regulated entities, healthcare industry stakeholders and the public. As discussed in this article, while it is unclear whether this proposed rule will be finalized (and if so, in what form), the NPRM contains helpful guidance for plan sponsors on what OCR considers to be best practices for the protection of ePHI.
Background
The HIPAA Security Rule, originally issued in 2003 and modified in 2013, adopted standards for the security of ePHI to be implemented by covered entities (i.e., health plans, health care clearinghouses and certain health care providers) and business associates (collectively, “regulated entities”).[1] At a high level, the Security Rule requires regulated entities to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of ePHI.
As the preamble to the NPRM notes, since the Security Rule’s initial publication in 2003 and subsequent modification in 2013, the environment that regulated entities are operating in has undergone significant changes, and cybersecurity has become a critical concern affecting nearly every aspect of modern healthcare.[2] The preamble details a number of horror stories showing the impact that cyberattacks can have on the healthcare industry and patient health. For example, in 2019 an Alabama hospital fell victim to a ransomware attack that disabled a large digital display, which likely contributed to the death of a newborn. In another example, a trauma center was hit by a ransomware attack that left it without access to electronic health records (EHRs) for 25 days. The attack affected 5,000 computers and destroyed the trauma center’s electronic information systems that contained ePHI.
In response to these serious incidents and their consequences, OCR has also stepped up its enforcement on covered entities that fail to meet the Security Rule requirements. These investigations uncovered some covered entities’ minimal or insufficient efforts to mitigate the risks to their ePHI.
Proposed Modifications to HIPAA Security Rule
Relying on the recommendations of the National Committee on Vital and Health Statistics (NCVHS), OCR’s enforcement experience, news reports and HHS’s assessment of the environment, the 2024 NPRM proposes several significant changes to the existing Security Rule and discusses “best practices” contained in previously published guidance. The major proposed modifications that may affect group health plans, plan sponsors and their business associates are highlighted below. Due to the extensive nature of these changes, this article only provides an overview and does not contain a detailed description of each proposed change.
Revised and New Definitions
The NPRM proposes modifying the definition of “electronic media” to include not only data storage but also data maintenance and processing, reflecting the technologies now used by regulated entities for remote communication, such as communication applications on a smartphone or another computing device and messaging services that electronically store audio messages. This modification would also expand the definition to include future technologies like “any other form of digital memory or storage.”
The NPRM also proposes adding ten new defined terms and modifying the definitions of fifteen existing terms to clarify how regulated entities should apply the standards and implementation specifications, and modernize the rule to better account for changes in the environment in which health care is provided.[3]
No Optional Implementation Specification
In the 2003 Security Rule, HHS introduced “addressable,” as distinguished from “required,” implementation specifications to give covered entities flexibility in deciding whether certain safeguards were necessary, based on factors such as risk and cost. However, in HHS’s view some covered entities misinterpreted this, treating compliance with “addressable” standards and specifications as optional. The NPRM would remove the distinction between “addressable” and “required,” clarifying that regulated entities are required to implement all the standards and implementation specifications and must adopt “reasonable and appropriate” security measures that allow the entity to achieve such implementation.
A required factor in determining whether a security measure is reasonable and appropriate is “the effectiveness of the security measures in supporting the resiliency of the regulated entity.”[4] To reduce the impact that cyberattacks can have on the healthcare industry and patient health, information system resilience ensures that systems can operate under adverse conditions or stress, even in a degraded state, while maintaining essential functions, and can recover to effective operational status within a time frame consistent with mission needs.
Proposed Changes to Safeguards
Administrative Safeguards: The NPRM proposes adding explicit maintenance requirements to certain standards to address concerns that regulated entities may be misinterpreting the regulatory text regarding administrative safeguards, including:
- elevating the security management process to standard-level status
- requiring regulated entities to conduct a comprehensive written risk analysis of all ePHI
- mandating written assessments of changes impacting ePHI security
- requiring written policies and procedures for managing patches affecting ePHI
- elevating the risk management specification to address identified risks
- elevating the sanction policy specification to enforce consequences for non-compliance
- elevating the activity review specification covering all relevant electronic systems handling ePHI.
Physical Safeguards: The NPRM proposes to modify the existing standards that comprise the Security Rule’s physical safeguards to clarify compliance obligations. The modification focuses on:
- clarifying that physical safeguards apply to all ePHI within a regulated entity’s facilities
- requiring written policies for controlling physical access to relevant systems and facilities
- ensuring that regulated entities properly consider physical safeguards for all workstations
- capturing various components of a regulated entity’s electronic information systems that impact ePHI confidentiality, integrity, or availability.
Technical Safeguards: The NPRM proposes to modify the existing standards and implementation specifications to address the current failures to implement adequate technical controls or, in some cases, any technical controls. These proposed modifications include:
- clarifying that the requirement to implement and document technical safeguards applies to all technical safeguards
- requiring regulated entities to deploy technical controls in relevant electronic information systems to restrict access to authorized users and technology assets
- ensuring that any adopted encryption solution meets prevailing cryptographic standards before use
- requiring regulated entities to deploy technical controls that record and identify activity in their relevant electronic information systems and verify the identity of individuals or technology assets seeking access to ePHI.
Business Associate Agreements and Plan Documents – Contingency Plan
Under the existing Security Rule, a regulated entity must establish a contingency plan for responding to an emergency or other occurrence that damages systems that contain ePHI. The NPRM modifies this requirement by specifying the form and content of the contingency plan.
A business associate would be required to report the activation of its contingency plan to the covered entity within 24 hours. A subcontractor of a business associate would likewise be required to notify the business associate of such activation. Furthermore, the NPRM requires this reporting obligation to be included in business associate agreements between covered entities and business associates, as well as in agreements between business associates and their subcontractors. The NPRM extends this obligation to plan sponsors, requiring that plan documents include language requiring plan sponsors or their agents to implement the Security Rule’s safeguards for the protection of ePHI.
Written Verification from Business Associate
Under the existing Security Rule, a regulated entity must obtain written satisfactory assurances that its business associates will appropriately safeguard ePHI before allowing them to create, receive, maintain or transmit ePHI on its behalf. The NPRM further requires a regulated entity to verify its business associates’ implementation of the required technical safeguards. This includes obtaining annual written verification that the business associate has deployed the technical safeguards, a cybersecurity analysis of the business associate’s electronic systems by a qualified professional, and a written certification from an authorized representative of the business associate confirming the accuracy of the analysis. A covered entity would not be required to obtain such satisfactory assurances or verification from a business associate that is a subcontractor.
How the Security Rule would Apply to Artificial Intelligence (AI)
The preamble provides a brief discussion of the application of the Security Rule to the use of AI in medical devices and recognizes AI’s enormous potential benefits. (The term AI is defined in Section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019.) For example, the preamble notes that AI is being used in healthcare to summarize complex patient information from EHRs, aid in detecting conditions like diabetic retinopathy, and screen for cancer. However, as the preamble discusses, AI can also be used to harm individuals, both intentionally and unintentionally. For example, bad actors are using generative AI to threaten the privacy and security of ePHI more effectively through phishing and other social engineering.
The preamble clarifies that ePHI in AI training data, prediction models, and algorithm data that is maintained by a regulated entity for covered functions is covered by the Security Rule. Specifically, the preamble outlines the following expectations for a regulated entity using AI:
- Including AI tools in its risk analyses and risk management activities
- Performing a risk analysis to assess the impact of AI tools on the confidentiality, integrity, and availability of ePHI
- Including AI software that creates, receives, maintains, transmits, or interacts with ePHI, including when ePHI is used to train the AI, in the entity’s technology asset inventory, which feeds into the risk analysis
- Monitoring authoritative sources for known vulnerabilities and remediating them according to its patch management program
- Ensuring patches, updates, and upgrades addressing critical and high risks are applied promptly.
The preamble also states that the adoption of the cybersecurity best practices is an important first step to ensuring that AI tools are deployed by regulated entities in a manner that protects the confidentiality, integrity, and availability of ePHI.
Implications of the Proposed Modifications
While President Trump’s January 20, 2025, memorandum entitled “Regulatory Freeze Pending Review” directed the postponement of the effective date of final and proposed rules, the comment period for the proposed modifications to the Security Rule was not extended. Since the comment period ended on March 7, 2025, the proposed modifications, issued by OCR under the Biden Administration, have been under review by the Trump administration, which will decide whether to publish a final rule or withdraw it. Even if a final rule is issued, it could differ significantly from the NPRM. Nonetheless, the NPRM offers valuable insights on best practices related to cybersecurity standards for protecting ePHI, helping to avoid cyber and ransomware attacks, cyber breaches and potential OCR HIPAA civil monetary penalties.
Notably, there is bipartisan support[5] for stronger healthcare cybersecurity requirements due to the ongoing rise in cyberattacks and data breaches. In addition, ERISA employee benefit plans, including group health plans, should pay close attention to their cybersecurity standards, as they must also comply with the DOL’s cybersecurity guidance. In light of the proposed modifications to the Security Rule and the government’s growing focus on improving cybersecurity, group health plans, plan sponsors and their business associates should take appropriate action to follow the NPRM’s cybersecurity best practice guidance.
[1] The 2003 HIPAA Security Rule adopted standards for the security of ePHI to be implemented by covered entities. Following the enactment of the HITECH Act, in 2013, HHS made minor modifications to the Security Rule to implement the HITECH Act’s provisions that extended direct liability to business associates for compliance with the Security Rule.
[2] In April 2021, the Department of Labor’s (DOL) Employee Benefit Security Administration for the first time ever issued cybersecurity guidance. This guidance was updated in September 2024, to, among other things, clarify and confirm that it applies to all types of ERISA plans, including health and welfare plans and all employee benefit plans.
[3] For example, the proposed new definitions include “Deploy,” “Implement,” and “Multi-factor authentication.” The definitions that the NPRM proposes to modify include “Administrative safeguards,” “Physical safeguards,” and “Technical safeguards.”
[4] In light of rising cybercrime, the National Institute of Standards and Technology (NIST) described “cyber resiliency” as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2r1.pdf
[5] On November 21, 2024, a new bill, the Health Care Cybersecurity and Resiliency Act of 2024, was introduced by HELP Committee ranking member Dr. Bill Cassidy, R-La., along with Sens. Mark Warner, D-Va., John Cornyn, R-Texas, and Maggie Hassan, D-N.H. This bill aims to strengthen healthcare organizations’ ability to prevent and respond to cyberattacks and calls for improved collaboration between HHS and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to address healthcare cybersecurity needs.