On January 6, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a “Notice of Proposed Rulemaking,” HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (the “Proposed Rule”).[1]
The Proposed Rule aims to strengthen cybersecurity protections for electronic protected health information (ePHI), including pursuant to a March 1, 2023, directive from President Biden.[2] Specifically, OCR is revising the HIPAA Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”) to address the following:
With respect to all ePHI, the Proposed Rule removes the distinction between “required” and “addressable” implementation specifications for all types of enumerated safeguards under the Security Rule and makes all implementation specifications required with specific, very limited exceptions. The Proposed Rule also includes changes to—and the addition of new—definitions used in the Security Rule, bringing such definitions in line with current cybersecurity risk and control environments (e.g., multi-factor authentication). The Proposed Rule includes sweeping changes with increased specificity to the standards and implementation specifications to both Administrative and Technical Safeguard requirements.
Administrative Safeguards
Under the proposed changes, Regulated Entities would be required to implement and document, in writing, their implementation of the administrative safeguards required by the Security Rule.
In place of the existing standard for security management process, Regulated Entities would be required to develop a technology asset inventory and a network map that illustrates the movement of ePHI into, through, and out of the Regulated Entity’s electronic information system(s). As an example, OCR has proposed that a Regulated Entity’s network map must include the technology assets used by its business associates, including offshore business associates, regardless of the physical location of such assets, even though such assets are not part of the Regulated Entity’s own electronic information system.
With respect to the risk analysis (sometimes referred to as an enterprise security risk assessment) standard, OCR proposes eight specific implementation specifications that Regulated Entities would be required to perform and document, and to review, verify, and update on an ongoing basis and at least every 12 months:
Other proposed changes to the administrative safeguard requirements include that a Regulated Entity must:
Technical Safeguards
Generally, OCR retains the requirements for technical safeguards and proposes additions and modifications to the existing standards and implementation specifications. Under the Proposed Rule, Regulated Entities would need to:
Physical Safeguards
Generally, OCR retains the four standards that comprise the Security Rule’s physical safeguards and proposes several modifications that address OCR’s expectations for the implementation specifications: memorializing policies and procedures in writing; documenting the implementation, review, and modification of those policies and procedures; and clarifying the scope of the electronic information systems and their components that Regulated Entities are expected to consider when establishing their policies and procedures.
Business Associate Agreements
To address the increased risk of security incidents and deficiencies in protections, OCR proposes an implementation specification that would require a business associate agreement to include a provision for a business associate to report to the covered entity (and subcontractors to notify business associates) activation of its contingency plan (maintained in compliance with 45 CFR 164.308(a)(13)) without unreasonable delay, but no later than 24 hours after activation. The Proposed Rule does not require reporting on the cause of the contingency plan activation; rather, reporting is required solely on the fact that the contingency plan was activated. Additionally, this proposed requirement would not alter the business associate’s breach reporting obligations under the Breach Notification Rule.
Documentation Requirements
While 45 C.F.R. § 164.316 currently addresses policies and procedures and documentation, the section does not require or include standards to govern how Regulated Entities must implement, maintain and document the implementation of all security measures. OCR believes this to be a deficiency and therefore proposes the following requirements for Regulated Entities:
The Proposed Rule requires group health plans to include certain requirements in their plan documents for their group health plan sponsors to:
Public comments on the Proposed Rule are due 60 days after publication of the Proposed Rule in the Federal Register, which is March 7, 2025.
[1] See Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025), available at https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf.
[2] See https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.