OCR Issues Proposed Rule to Strengthen Cybersecurity for ePHI
The Office for Civil Rights (“OCR”) under the U.S. Department of Health and Human Services (“HHS”) recently issued a Notice of Proposed Rulemaking (the “Proposed Rule”) to modify the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule with the aim of increasing cybersecurity protections for electronic protected health information (“ePHI”).[1] ePHI is individually identifiable health information that is transmitted by or maintained in electronic media. The Security Rule, one of several HIPAA rules, establishes national standards for the protection of individuals’ ePHI by covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates (together, “Regulated Entities”).
In its Fact Sheet,[2] OCR and HHS identified today’s “ever-increasing cybersecurity threats to the health care sector” as the basis for the Proposed Rule. The HIPAA Security Rule was initially published in 2003 and most recently revised in 2013. Although OCR indicates its intent that the Security Rule will remain flexible and scalable to the size, complexity, and capabilities of each covered entity or business associate, the Proposed Rule would make significant changes which OCR expressly acknowledges would “reduce that flexibility.”[3]
The Proposed Rule includes various updates to the Security Rule to address changes in the cybersecurity landscape, the increase in breaches and cyberattacks, and other methodologies and best practices that affect HHS and OCR’s enforcement of the Security Rule. In its Background to the Proposed Rule, HHS indicated that the Proposed Rule substantially revises the regulatory text of the Security Rule; however, it avers that most of the Security Rule’s requirements for Regulated Entities would not be changed by the Proposed Rule, if enacted, because the Proposed Rule would codify activities that are already critical to securing and protecting ePHI. Notable clarifications and revisions the Proposed Rule would make to the Security Rule include changes to:
- Remove “Required” v. “Addressable”: Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
- Written Documentation: Require written documentation of all Security Rule policies and procedures, plans, and analyses.
- Definitional Changes: Update definitions and revise specifications to reflect changes in technology and terminology (e.g., the definition and examples of “electronic media” and “electronic storage material”; the definition and scope of “access,” “authentication,” etc.).
  - The Security Rule currently defines “access” as the “ability or the means necessary to” perform a set of activities, describing how a user may interact with a system resource. These activities are reading, writing, modifying, communicating data/information, or otherwise using any component of an information system.
  - The Proposed Rule would expand the list of activities under the term “access” by adding “deleting” and “transmitting.”
- Specific Timeframes: Add specific compliance time periods for many existing requirements.
- Asset Inventory: Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect the handling of or access to ePHI.
- Risk Analysis: Provide greater specificity for conducting a risk analysis. New express requirements would include a written assessment in which each Regulated Entity must perform and document the following:
  - Identify all reasonably anticipated threats to the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits;
  - Identify potential vulnerabilities and predisposing conditions in the Regulated Entity’s relevant electronic information systems;
  - Assess the risks to ePHI posed by entering into or continuing a business associate agreement or other written arrangement with any prospective or current business associate, respectively, based on the written verification obtained from that prospective or current business associate.
- Notification: Require notification of certain Regulated Entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- 72-Hour Data Restoration Plan: Strengthen requirements for contingency planning and responding to security incidents, for example by requiring written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
- Annual Compliance Audit: Require Regulated Entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule.
- Business Associate Annual Verification: Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- Encryption: Require encryption of ePHI at rest and in transit, with limited exceptions.
- MFA: Require the use of multi-factor authentication, with limited exceptions.
- Vulnerability Scanning: Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Technical Requirements: Add various additional, specific technical requirements, such as network segmentation and separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Business Associate 24-Hour Contingency Plan Activation Notification: Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
- Business Associate Agreement Revisions: Require business associate agreements to include additional terms, which could require revisions to virtually all business associate agreements. The Proposed Rule includes a transition rule which would give Regulated Entities up to one year from the effective date of the final rule to amend preexisting business associate agreements to address the new content requirements.
The proposals are largely consistent with the perspective on security that OCR has espoused over recent years, and in many respects align with trends in best practices. However, if enacted, the proposals would represent significant changes in regulatory requirements for covered entities and their business associates. Regulated Entities should monitor the evolution of the Proposed Rule and consider submitting comments, whether of support or concern. HHS is encouraging comments on the Proposed Rule to be submitted via regulations.gov. Public comments are due by March 7, 2025.
For additional information or assistance understanding the HIPAA Security Rule, please contact Kevin Coy, Madison Pool, or Kadeja Watts.
[1] The Proposed Rule is viewable at https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information.
[2] Fact Sheet viewable at https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.
[3] 90 FR 898, 918 (1/6/2025).