The Department of Health and Human Services (HHS) kicked off a notice of proposed rulemaking on Dec. 27 that it said aims to change the existing Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the goal of improving cybersecurity protections for electronic protected health information (ePHI).
The HIPAA Security Rule is administered by the HHS Office for Civil Rights (OCR), which is conducting the notice of proposed rulemaking. The goal of the rulemaking, HHS said, is to “better address ever-increasing cybersecurity threats to the health care sector.”
The agency will be seeking public comment on the notice of proposed rulemaking through early March.
The rulemaking activity follows recommendations from the HHS Office of Inspector General (OIG) in November 2024 urging the agency to better ensure the protection of ePHI, and finding that OCR’s oversight of its HIPAA audit program “was not effective at improving cybersecurity protections at covered entities and business associates.”
The OIG report was publicly released the same week that Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., introduced a bill aiming to bolster cybersecurity in the healthcare sector and safeguard Americans’ health data.
The bill – called the Health Care Cybersecurity and Resiliency Act of 2024 – would require HHS to update the HIPAA regulations for HIPAA-covered entities and business associates to use modern cybersecurity practices. These include multi-factor authentication, safeguards to encrypt protected health information, and requirements to conduct other “audits” such as penetration testing.
The proposed rulemaking covers some of those same items that are featured in the Senate bill, among more than two dozen new proposals and clarifications to the existing rule. They include:
- Removing the distinction between “required” and “addressable” implementation specifications;
- Updating definitions and revising implementation specifications to reflect changes in technology and terminology;
- Requiring the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis;
- Requiring greater specificity for conducting risk analysis;
- Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated;
- Strengthening requirements for planning for contingencies and responding to security incidents;
- Requiring regulated entities to conduct a compliance audit at least once every 12 months;
- Requiring encryption of ePHI at rest and in transit, with limited exceptions;
- Requiring regulated entities to deploy anti-malware protections and remove extraneous software;
- Requiring the use of multi-factor authentication;
- Requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months; and
- Requiring network segmentation.