
HHS Proposal To Strengthen HIPAA Security Rule


Earlier this year, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) adopted a new proposal to strengthen the Health Insurance Portability and Accountability Act (HIPAA) security standards (Security Rule). 

The proposed changes mark the first update to the Security Rule in more than a decade. 

The Notice of Proposed Rulemaking (NPRM) aims to enhance cybersecurity standards and address significant technological advancements and rising numbers of breaches experienced by covered entities and business associates (regulated entities). From 2018-2023, large breach reports to OCR more than doubled, and the number of individuals affected by such breaches increased more than tenfold, largely due to hacking and ransomware attacks. In 2023, more than 167 million individuals were affected by large HIPAA breaches.

Proposed Security Standards

The current HIPAA Security Rule distinguishes between “required” and “addressable” implementation specifications, allowing regulated entities to choose security measures based on their size, resources, and the risk level addressed. “Addressable” specifications only need to be implemented in a way that is reasonable and appropriate. OCR is concerned that entities are treating addressable specifications as optional, prioritizing cost over security. To address this, OCR has proposed eliminating the distinction between required and addressable, explicitly requiring regulated entities to comply with all standards and implementation specifications. While this proposal reduces current flexibility, entities may still tailor solutions to their needs and capabilities. For example, a rural healthcare provider could adopt a cloud-based electronic health record system to reduce investment in backup services or its IT staff.

Proposed Administrative Safeguards 

Section 164.308 of Title 45 of the Code of Federal Regulations (CFR) outlines the administrative requirements for managing and implementing security measures under the HIPAA Security Rule. To improve compliance with security management processes, OCR has proposed the following changes:

  • Technology asset inventory and network map. Regulated entities must maintain an inventory of technology assets and a network map showing the movement of electronic protected health information (ePHI) within their electronic information system(s). This must be updated at least annually and whenever changes in their environment or operations may affect ePHI. Unfortunately, the rules do not clearly define which devices or systems are included, which can be problematic in hybrid or cloud environments. As the rules do not currently address virtual/augmented reality, artificial intelligence, or quantum computing, there is significant uncertainty about compliance requirements for organizations that utilize these emerging technologies. 
  • Enhanced risk analysis. Regulated entities must conduct an annual written risk analysis that includes, among other things: 
    • Review of technology asset inventory and network map, ensuring up-to-date ePHI movement within the electronic systems
    • Identification of threats, recognizing all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
    • Identification of vulnerabilities, including conditions that could expose electronic information systems to risks
    • Risk-level assessment for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities
  • Patch management and systems updates. Regulated entities must establish policies and procedures for installing patches, updates, and upgrades throughout their electronic information systems to maintain security.
  • Access change notifications. Certain regulated entities must be notified within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Establish contingency planning and incident response. Regulated entities would be required to:
    • Establish written restoration procedures. Implement procedures to restore the loss of certain relevant electronic information systems and data within 72 hours. While large, sophisticated organizations may be familiar with these types of tight turnarounds, this may be impractical for smaller entities with limited IT resources. 
    • Analyze criticality. Assess the relative criticality of electronic information systems and technology assets to determine restoration priorities.
    • Develop incident response plans. Develop written plans and procedures for reporting suspected or known security incidents and responding to suspected or known security incidents.
    • Test and revise incident response plans. Implement procedures for testing and updating incident response plans to ensure effectiveness.
  • Annual compliance audits. Regulated entities must perform a compliance audit at least once every 12 months to verify adherence to the Security Rule requirements. The current version of the proposed rules significantly increases the administrative burden but lacks clear guidance on the acceptable methodologies or metrics for such compliance audits.

Proposed Technical Safeguards

Section 164.312 of Title 45 CFR outlines technical safeguards under the HIPAA Security Rule. However, OCR has found gaps in implementation and is proposing updates to strengthen technical controls. The proposed changes to the Security Rule would require regulated entities to address the following: 

Encryption and Network Security
  • Encrypt ePHI. Encrypt ePHI both at rest and in transit, with limited exceptions. The proposal does not clearly define what qualifies as an exception, which may create compliance challenges for entities with complex systems.
  • Network segmentation. Use network segmentation to isolate sensitive systems and data, reducing the impact of potential breaches. The proposed changes lack detailed guidance on implementation standards, leaving affected organizations to determine the appropriate scope and method.
Authentication and Vulnerability Management
  • Multifactor authentication (MFA). Use multifactor authentication to access systems containing ePHI, with limited exceptions. The criteria for exceptions are not specified, leading to uncertainty about when it is permissible to bypass MFA.
  • Vulnerability scanning and penetration testing. Conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months to identify and address security weaknesses.
Configuration and System Controls
  • Consistent configuration management. Implement technical controls to consistently configure electronic information systems, including workstations. New express requirements would include:
    • Anti-malware protection. Deploying anti-malware protection to protect systems from malicious software.
    • Software minimization. Removing unnecessary software from relevant electronic information systems to minimize vulnerabilities.
    • Network port security. Disabling unused network ports based on the regulated entity’s risk analysis to reduce attack surfaces.
Backup and Recovery Controls
  • Separate technical controls for the backup and recovery of ePHI and critical electronic information systems to enhance data resilience and business continuity. 
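As an added illustration, not part of the original Update and not anything OCR publishes, the following Python script models the technology asset inventory and network map from the administrative safeguards section and checks them against several of the technical safeguards listed above: ePHI encrypted at rest (or a documented exception) and in transit, MFA on systems holding ePHI, vulnerability scans no older than six months, penetration tests no older than 12 months, and agreement between what the inventory says holds ePHI and where the network map shows ePHI actually flowing. All field names, the sample assets and flows, the reference date, and the day counts used for the six- and 12-month windows are assumptions chosen for the example.

```python
"""Compliance-gap check over a constructed asset inventory and network map.

Added example, not the Update's or OCR's material. Field names, thresholds
expressed in days, and all sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Asset:
    name: str
    stores_ephi: bool
    encrypted_at_rest: bool
    mfa_required: bool
    last_vuln_scan: Optional[date]
    last_pen_test: Optional[date]
    encryption_exception: str = ""  # documented justification, if any


@dataclass
class Flow:
    """One edge of the network map: data moving from src to dst."""
    src: str
    dst: str
    carries_ephi: bool
    encrypted_in_transit: bool


VULN_SCAN_MAX_AGE = timedelta(days=182)  # assumed reading of "at least every six months"
PEN_TEST_MAX_AGE = timedelta(days=365)   # assumed reading of "at least once every 12 months"


def ephi_reach(assets: List[Asset], flows: List[Flow]) -> Set[str]:
    """Every node ePHI reaches by following ePHI-carrying flows from the systems that store it."""
    reached = {a.name for a in assets if a.stores_ephi}
    changed = True
    while changed:
        changed = False
        for f in flows:
            if f.carries_ephi and f.src in reached and f.dst not in reached:
                reached.add(f.dst)
                changed = True
    return reached


def find_gaps(assets: List[Asset], flows: List[Flow], today: date) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs for every control the sample data fails."""
    gaps: List[Tuple[str, str]] = []
    declared = {a.name: a for a in assets}

    for a in assets:
        if not a.stores_ephi:
            continue  # the checks below apply to systems holding ePHI
        if not a.encrypted_at_rest and not a.encryption_exception:
            gaps.append((a.name, "ePHI at rest not encrypted and no documented exception"))
        if not a.mfa_required:
            gaps.append((a.name, "MFA not enforced on a system holding ePHI"))
        if a.last_vuln_scan is None or today - a.last_vuln_scan > VULN_SCAN_MAX_AGE:
            gaps.append((a.name, "vulnerability scan older than six months"))
        if a.last_pen_test is None or today - a.last_pen_test > PEN_TEST_MAX_AGE:
            gaps.append((a.name, "penetration test older than 12 months"))

    unknown: Set[str] = set()
    for f in flows:
        if f.carries_ephi and not f.encrypted_in_transit:
            gaps.append((f"{f.src}->{f.dst}", "ePHI in transit not encrypted"))
        for end in (f.src, f.dst):
            if end not in declared and end not in unknown:
                unknown.add(end)
                gaps.append((end, "appears on the network map but not in the asset inventory"))

    # The map is the ground truth for ePHI movement; the inventory must agree with it.
    for name in sorted(ephi_reach(assets, flows)):
        if name in declared and not declared[name].stores_ephi:
            gaps.append((name, "receives ePHI on the network map but inventory says it holds none"))
    return gaps


# Constructed sample data (not a real environment).
TODAY = date(2025, 3, 7)
SAMPLE_ASSETS = [
    Asset("ehr-db", True, True, True, date(2025, 1, 15), date(2024, 6, 1)),
    Asset("imaging-server", True, False, False, date(2024, 7, 1), None),
    Asset("billing-app", False, True, True, date(2025, 2, 1), date(2024, 9, 1)),
    Asset("clinician-ws", True, True, True, date(2025, 2, 20), date(2024, 9, 1)),
]
SAMPLE_FLOWS = [
    Flow("ehr-db", "clinician-ws", True, True),
    Flow("ehr-db", "billing-app", True, True),        # ePHI reaches billing; inventory disagrees
    Flow("imaging-server", "ehr-db", True, False),    # ePHI sent unencrypted
    Flow("ehr-db", "backup-appliance", True, True),   # backup target missing from inventory
]


def sample_gaps() -> List[Tuple[str, str]]:
    return find_gaps(SAMPLE_ASSETS, SAMPLE_FLOWS, TODAY)


if __name__ == "__main__":
    for subject, problem in sample_gaps():
        print(f"{subject}: {problem}")
```

Run as-is, the script lists seven gaps: four on the imaging server, the unencrypted imaging-to-EHR flow, the backup appliance that the map knows about but the inventory does not, and the billing application that the inventory marks as ePHI-free while the map routes ePHI into it. The last two are the kind of inventory-versus-map inconsistencies the proposed annual review of the asset inventory and network map is meant to surface.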

Proposed Updates to Business Associate Contracts

Under the 2013 Omnibus Rule, covered entities are not required to ensure that business associates are complying with the HIPAA Security Rule. However, OCR has identified gaps in compliance among business associates. To address these issues, OCR has proposed the following changes:

  • Annual verification requirement. Business associates must provide covered entities with a written verification at least once every 12 months that they have implemented the technical safeguards required by the HIPAA Security Rule to protect ePHI. This verification must include: 

    • A written analysis of the relevant electronic information systems conducted by a subject matter expert 
    • A written certification that the analysis was performed and is accurate

    The current proposal does not specify the qualifications required for the subject matter expert conducting the analysis, nor does it specify the level of responsibility for covered entities in verifying the accuracy of the content of these certifications. 

  • Contingency plan notifications. Business associates (and subcontractors) must notify covered entities upon activating contingency plans without unreasonable delay but no later than 24 hours after activation. It is currently unclear whether this applies to all incidents or only those that involve significant data breaches, which may be difficult for organizations that have limited IT resources.
  • Compliance and transition timeline. Regulated entities must review and update their business associate agreements to ensure compliance if the proposed rule is finalized. Regulated entities can continue to operate under existing business associate agreements until the earlier of: (1) the renewal date on the contract on or after the final rule’s compliance date or (2) one year after the final rule’s effective date. The regulations lack guidance on the timing of modifying legacy contracts where there may be subcontractor agreements, which can create significant uncertainty for complex business relationships that are common in the industry. Furthermore, there is no clear transition guidance for entities that may be facing complex system upgrades mandated by the rules. 

Request for Comment

Public comments to the proposed rule were due by March 7, 2025. Additionally, OCR sought feedback on the application of the Security Rule to new technologies, such as quantum computing, artificial intelligence, and virtual and augmented reality. Presently, it is unclear how this feedback may influence the final rule, which may lead to uncertainty regarding future regulatory expectations. 

It is unclear how these proposed changes may overlap with other cybersecurity regulations, such as 16 CFR Part 314 (the Federal Trade Commission’s Safeguards Rule) or National Institute of Standards and Technology’s standards, which may lead to potential compliance conflicts or redundancies. 

After the NPRM was submitted to the Federal Register, an executive order implemented a "regulatory freeze," which required additional review of NPRMs submitted to the Federal Register. The impact of this order on the OCR's proposed updates to the Security Rule is unclear, but as of March 7, 2025, comments to the NPRM were closed.

Practical Relevance to Business 

If these proposed modifications are finalized, they will significantly affect compliance strategies, operational processes, and financial planning. Organizations should begin assessing their current systems and workflows to prepare for the potential requirements as additional investment in updated technology and infrastructure for both covered entities and business associates will be required. More frequent assessments—including annual written risk analyses, compliance audits, and vulnerability scanning—may require additional resource allocation of both capital and personnel, reconfiguring legacy electronic systems, modifying IT management practices, updating internal-facing policies, and training staff on the new requirements. Additional procurement and legal spend will be necessary to modify existing business associate agreements and review new contracts, including renegotiating terms. Furthermore, the requirement for business associates to verify and certify compliance may necessitate hiring third-party experts. Regulated entities need to take the following steps: 

  1. Budget and resource planning. Additional funds will be necessary for technology updates, third-party audits, and legal review of business associate agreements (including any renegotiation of terms). Budget cycles are often planned far in advance, and previously submitted or approved budgets may need to be supplemented to ensure adequate resources. 
  2. Compliance and risk assessments. Implement regular compliance audits and risk assessments to identify gaps and prioritize remediation. 
  3. Engage legal and compliance professionals. Consult with legal professionals to interpret the requirements and align them with existing cybersecurity frameworks. 
  4. Incident response enhancement. Incident response capabilities need to be strengthened to meet the new 24-hour reporting requirement. 
  5. Pilot and test implementation. Conduct pilot programs to test compliance strategies before full deployment. 
  6. Align with business associates. Meet with business associates to align on verification and certification expectations.
  7. Stakeholder training and communication. Educate stakeholders on the changes, and update internal policies and procedures in a timely manner.

As noted throughout this Update, there are a number of areas with significant uncertainty and potential implementation challenges. Organizations should closely monitor regulatory developments and prepare for potential changes based on public feedback and final rule adjustments.
