
Over the past year, Windham Brannon has closely monitored the likelihood of enhanced compliance requirements for the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs the privacy and protection of individuals’ health care information. The proposed updates, focused on advanced cybersecurity protections for businesses that manage electronic protected health information (ePHI), could change the way clients prepare for HIPAA Security Rule audits in the areas of technology, risk analysis, documentation, and policies and procedures.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights, which administers and enforces the HIPAA Security Rule, issued a Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to “strengthen cybersecurity protections for [ePHI].” HHS also published a data sheet outlining its vision for a stronger Security Rule, including the following top-level requirements for each business responsible for securing customers’ ePHI:

  • A deeper evaluation of risk analysis processes pertaining to cybersecurity
  • A timeline for implementing new required security protocols
  • A need for rigorous documentation of policies and procedures

Companies should be aware of the proposed requirement for an annual audit to confirm compliance with the updated Security Rule, as well as verification by their business associates that appropriate technical safeguards are in place to protect ePHI.

What Should Clients Do Now to Prepare for the Updated HIPAA Security Rule?

Proposed rulemaking is expected this year, but our professional services team believes it is helpful now for companies to develop a thorough understanding of the proposed compliance requirements and to evaluate their current systems, policies and procedures, technologies and risk analysis practices in preparation for the enhanced Security Rule. We also recommend notifying business partners (business associates) of the impending changes.

What Will Be in the Updated HIPAA Security Rule?

As detailed in the HHS data sheet mentioned above (published on the HHS website), the newly proposed updates could include the following requirements for each affected organization:

  • Updating cyber-risk implementation specifications from “recommended” to “required”
  • Allowing fewer exceptions for non-compliance
  • Increasing documentation requirements of risk mitigation policies
  • Establishing a timeline to meet updated compliance requirements
  • Evaluating, for security purposes, all parts of the organization’s electronic information system through which ePHI moves
  • Encrypting ePHI
  • Deploying malware detection and removing extraneous technologies
  • Requiring multi-factor authentication
  • Vulnerability scanning every six months and penetration testing every year
  • Creating clarity about the effectiveness of security measures

Additionally, the updated Security Rule would introduce new risk analysis requirements for each entity’s technology, including:

  • Requiring the organization to create a technology asset inventory and network map
  • Requiring the organization to identify threats to the confidentiality, integrity and availability of ePHI and assess the risk level of each threat and vulnerability

Finally, the Rule would require organizations to develop contingency plans in response to security incidents, such as:

  • Developing written procedures for how the organization would restore lost, relevant electronic data within 72 hours
  • Prioritizing critical technologies that need to be restored due to a security incident
  • Outlining procedures for teams to report suspected or known security incidents

Group health plans must ensure their plan sponsors and agents understand and comply with the security and cyber-risk safeguards covered by the enhanced Security Rule.

Why is the HIPAA Security Rule Being Updated?

The last major update to the HIPAA Security Rule was more than ten years ago (the Omnibus Final Rule in 2013), leaving more than a decade in which new technologies emerged that fall outside the security and risk management guidance of the Security Rule. In its 2024 Healthcare Data Breach Report, the HIPAA Journal reported 725 breaches of at least 500 health records (the third consecutive year with that many breaches), affecting more than 275 million patient records, or approximately 82% of the US population. This compares to the exposure of only 57 million records two years previously.

The report describes a staggering 93.7% increase in data breaches between 2018 and 2021 due to more frequent hacking and ransomware incidents. This data demonstrates a longer-term trend and reveals the increasing prevalence and sophistication of cyber breaches of PHI held by the health care companies responsible for securing it.

HHS’s proposed modernization of the HIPAA Security Rule became part of the department’s response to President Biden’s 2023 National Cybersecurity Strategy, which included a healthcare cybersecurity concept paper evaluating improvements in the healthcare sector to protect hospitals, patients and others threatened by cyberattacks.

How Does Windham Brannon Help Companies Comply with the HIPAA Security Rule?

Windham Brannon performs HIPAA Security Rule assessment audits, delivered independently or as part of a broader SOC 2 plus (“HIPAA Security Rule”) examination. Additionally, as mentioned, the enhanced Security Rule could require such an audit on an annual basis.

Our professionals monitor HIPAA legislation and proposed changes to ensure our audits align our clients’ existing security and compliance systems with current healthcare policies. We believe the enhanced Security Rule, with its new cybersecurity protections, is imminent, but the exact date of implementation is unknown at this time.

In the meantime, please reach out to Dean Flores and our Risk Advisory team to learn about compliance requirements under the existing Security Rule. Our goal is to ensure your healthcare partners know your business takes ePHI security seriously.