# Advisory Blog Series: HIPAA Security Rule Updates
As you may have already heard, the HIPAA Security Rule is undergoing a much-needed update. We wanted to discuss what Covered Entities and Business Associates – now referred to as “Regulated Entities” – can expect as the new rule moves through the Federal Register phases: the Notice of Proposed Rulemaking (NPRM) Request for Public Comments period, followed by the guidance and enforcement periods of the Final Rule. The Atredis Risk and Advisory team will be giving our thoughts on what regulated entities should expect from the proposed changes and on how to navigate them so that your organization remains compliant.
Regulated entities come in every shape and size, and the new rule will pose challenges for all of them. Small and medium-sized organizations could be disproportionately impacted, as they tend to be more resource-constrained and lack the cybersecurity resources needed to adapt to and navigate the new standards. Additionally, the new rule is expected to increase scrutiny and enforcement actions against regulated entities and their subcontractors who fail to protect PHI.
**What’s Happening?**
The US Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), the governing and enforcement body for HIPAA, is proposing modifications to the HIPAA Security Rule to strengthen protections for electronic protected health information (ePHI) in response to new and evolving cybersecurity threats, increased data breaches due to ransomware and other high-impact security incidents involving bad actors, and regulated entities’ neglect in implementing existing safeguards. The rule addresses deficiencies identified during compliance investigations conducted over the past few decades, clarifies security implementation requirements, and incorporates prescriptive cybersecurity requirements such as mandatory encryption and multi-factor authentication. The goal is to continue to ensure the confidentiality, integrity, and availability of ePHI while keeping pace with modern technological advancements and court rulings that impact enforcement.
**Why Are the Changes Being Proposed?**
Many of the changes appear to be data-driven, based on the results of OCR’s investigations into breaches and on how the current Security Rule and standards held up in court cases. To help close some of these loopholes and to adapt to the ever-changing landscape of cybersecurity attacks, HHS is creating new standards as well as modifying the language of some existing standards, creating newly defined terms, and updating existing definitions and standards to make their intent clearer to security professionals at regulated entities. The proposed changes were published on January 6, 2025, for a 60-day public comment period that ends on March 7, 2025.
**What Do We Expect to Change Based on the Notice of Proposed Rulemaking?**
While there are some changes that we can reasonably expect, there are numerous variables in play resulting from HHS’s evaluation of the public comments received, the general uncertainty within the government due to the administration change after the election, and many other factors that may change how things ultimately become finalized. Our goal is to continually monitor events as they unfold and communicate that information as it becomes more actionable.
While it is impossible to be certain of what changes will ultimately be finalized, we have referenced the fact sheet published on the HHS website to create the list below of some of the most impactful changes we expect:
– **Removing the distinction between “required” and “addressable” implementation specifications and making all implementation specifications required with specific, limited exceptions:** The proposed rule modifies the current “addressable” safeguards to be “required” to ensure stronger cybersecurity protections. This includes mandatory encryption, MFA, technology asset inventories, and ePHI data flow mapping, where the implementations were all previously addressable based on the results of a risk analysis. The shift is intended to close security gaps and improve enforcement, but it may require additional compliance efforts from regulated entities.
– **Updating definitions and revising implementation specifications to reflect changes in technology and terminology:** The Department is proposing to add or modify regulatory terms that would either clarify how regulated entities should apply the standards and implementation specifications, or modernize the rule to better account for changes in the environment in which health care is provided. These changes are long overdue, and the list demonstrates the need for these proposed revisions. HHS proposes adding ten new defined terms and modifying the definitions of fifteen existing terms. As security professionals, we find it shocking to review this list and consider any of these as “new” definitions HHS is proposing to add:

1. Deploy
2. Implement
3. Electronic information system
4. Multi-factor authentication
5. Relevant electronic information system
6. Risk
7. Technical controls
8. Technology asset
9. Threat
10. Vulnerability

The definitions HHS proposes to modify are for the following terms:

1. Access
2. Administrative safeguards
3. Authentication
4. Availability
5. Confidentiality
6. Information system
7. Malicious software
8. Password
9. Physical safeguards
10. Security
11. Security measures
12. Security incident
13. Technical safeguards
14. User
15. Workstation
– **Requiring the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI:** The proposed rule mandates that regulated entities create and maintain a Technology Asset Inventory listing all ePHI-related devices and systems and develop a Network Map tracking how ePHI flows through their systems. These expectations were previously implied but will now be required as part of a regulated entity’s risk analysis and risk management process.
– **Requiring that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate:** The proposed rule requires business associates to verify HIPAA Security Rule compliance at least once every 12 months for their covered entities. Business associate subcontractors must do the same for their direct business associates. This enhances accountability and strengthens third-party risk management, reducing cybersecurity vulnerabilities in healthcare. This proposed change is significant because the burden of responsibility used to lie only with the covered entity, which had to manage the risk of engaging with business associates via internal third-party risk management programs and contractual agreements.
– **Requiring encryption of ePHI at rest and in transit, with limited exceptions:** The proposed rule makes encryption mandatory for ePHI both in transit and at rest, eliminating the current addressable flexibility. This change reflects modern cybersecurity needs, aiming to prevent breaches of unsecured ePHI and to align HIPAA with current security best practices. Regulated entities must encrypt all ePHI by default, with only narrow exceptions requiring justification.
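To make the asset inventory, network map and encryption expectations above concrete, here is an added Python example (our illustration, not code from the HHS proposal, the fact sheet, or any regulated entity). It models an inventory of technology assets and a map of ePHI flows between them, then reports the kinds of gaps a reviewer would look for: ePHI stored without encryption at rest, ePHI moving without encryption in transit, assets that appear on the map but not in the inventory, assets receiving ePHI that the inventory does not record as handling ePHI, and inventory entries not reviewed within the last 12 months. The `Asset`/`Flow` schema, the gap category names, the sample entries, and the 365-day reading of “12 months” are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The proposed rule expects the inventory and map to be revisited at least once
# every 12 months; treating that as 365 days is this example's assumption.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Asset:
    """One technology asset in the inventory (hypothetical schema)."""
    name: str
    handles_ephi: bool        # creates, receives, maintains or transmits ePHI
    encrypted_at_rest: bool   # disk or database encryption is in place
    last_reviewed: date       # when this inventory entry was last verified


@dataclass(frozen=True)
class Flow:
    """One edge of the network map: data moving from src to dst."""
    src: str
    dst: str
    carries_ephi: bool
    protocol: str
    encrypted_in_transit: bool


def ephi_map(flows):
    """Return the ePHI portion of the network map as an adjacency dict."""
    graph = {}
    for f in flows:
        if f.carries_ephi:
            graph.setdefault(f.src, []).append(f.dst)
    return {src: sorted(dsts) for src, dsts in graph.items()}


def find_gaps(assets, flows, today):
    """Return sorted, de-duplicated (category, subject) pairs for review."""
    by_name = {a.name: a for a in assets}
    gaps = set()
    for a in assets:
        if a.handles_ephi and not a.encrypted_at_rest:
            gaps.add(("ephi_not_encrypted_at_rest", a.name))
        if today - a.last_reviewed > REVIEW_INTERVAL:
            gaps.add(("inventory_entry_stale", a.name))
    for f in flows:
        for end in (f.src, f.dst):
            if end not in by_name:
                # The map knows about a system the inventory does not list.
                gaps.add(("asset_missing_from_inventory", end))
            elif f.carries_ephi and not by_name[end].handles_ephi:
                # ePHI reaches an asset the inventory says has none.
                gaps.add(("ephi_flow_to_asset_not_recorded_as_ephi", end))
        if f.carries_ephi and not f.encrypted_in_transit:
            gaps.add(("ephi_not_encrypted_in_transit",
                      f"{f.src}->{f.dst} ({f.protocol})"))
    return sorted(gaps)


# Constructed sample inventory and flows; nothing here describes a real entity.
SAMPLE_ASSETS = [
    Asset("web-portal", True, True, date(2024, 11, 1)),
    Asset("ehr-db", True, True, date(2024, 11, 1)),
    Asset("backup-nas", True, False, date(2023, 6, 15)),   # unencrypted, stale
    Asset("analytics-vm", False, False, date(2024, 11, 1)),  # ePHI flows in anyway
]
SAMPLE_FLOWS = [
    Flow("web-portal", "ehr-db", True, "https", True),
    Flow("ehr-db", "backup-nas", True, "nfs", False),          # cleartext ePHI
    Flow("ehr-db", "analytics-vm", True, "sftp", True),
    Flow("analytics-vm", "clearinghouse-api", True, "https", True),  # not inventoried
]


def run_sample():
    """Evaluate the constructed sample as of the NPRM publication date."""
    return find_gaps(SAMPLE_ASSETS, SAMPLE_FLOWS, date(2025, 1, 6))


if __name__ == "__main__":
    for src, dsts in ephi_map(SAMPLE_FLOWS).items():
        print(f"ePHI: {src} -> {', '.join(dsts)}")
    for category, subject in run_sample():
        print(f"GAP {category}: {subject}")
```

The point of keeping the inventory and the map as two separate structures is that each one catches errors in the other: a flow whose endpoint is not in the inventory, or an inventory entry marked as holding no ePHI while the map routes ePHI into it, is exactly the kind of inconsistency a 12-month review is meant to surface.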
**What Do We _Actually_ Know About the Proposed Changes?**
The proposed rule in its current state does not guarantee that any part of the new rule will be finalized as proposed. HHS will carefully consider and respond to credible comments it receives during the public comment period and may alter the content during that time. HHS proposes to provide additional time for regulated entities to comply with certain requirements, but these provisions depend on the finalization of the rule at an unknown future date.
One key takeaway from all of this: the only thing any security professional knows for sure is the published content of the proposed rule so far, and that the rule is still open for public comment. Everything else at this point is conjecture, so be wary of firms or sales teams trying to convince you otherwise.
Atredis will be posting updates to this blog series as new information is published, along with our professional opinion on the next steps your organization can take to prepare for the changes. Contact us to work with our Risk and Advisory team to help mature your HIPAA Security Program.