NOTICE OF PROPOSED RULEMAKING RELEASED BY OFFICE FOR CIVIL RIGHTS FOR HEALTH AND HUMAN SERVICES
On January 6, 2025, the Office for Civil Rights for Health and Human Services released a Notice of Proposed Rulemaking (NPRM) [1]. This NPRM builds on the existing Security Rule requirements and, if finalized, would impose additional requirements on Covered Entities and Business Associates to harden their organizations against cybersecurity threats.
As a quick recap, under the Administrative Procedure Act, federal agencies must publish proposed rules in the Federal Register and open the NPRM for review and feedback (the Notice and Comment Period). Taking any comments into consideration, the agency can then modify the rule and publish a Final Rule. Once a Final Rule is published in the Federal Register, no less than 30 days must pass before it becomes effective. We provide this background on the rulemaking process because an NPRM is simply that, a proposal, and what is ultimately approved is likely to differ from what is released in this NPRM. However, NPRMs regularly provide reliable guidance on what to expect from the regulators, giving organizations additional time to proactively work toward any necessary changes to their operational environment.
The HIPAA security regulations have not changed dramatically since their implementation in 2003, with the exception of the HITECH additions in 2009 as part of the American Recovery and Reinvestment Act. So, the fact that this NPRM comprises over 100 pages of significant changes is not a surprise. It is also not surprising that the OCR has proposed significant enhancements to the current rules when considering:
- The massive change in the use and involvement of technology since HIPAA was enacted;
- The explosion of bad actors and hackers that seek to exfiltrate and hijack Protected Health Information for financial gain; and
- The growth of Business Associates that provide necessary services for Covered Entities to continue operations.
Additionally, the OCR calls out in the NPRM that results of their audits revealed that:
- Only 14% of Covered Entities and 17% of Business Associates were “substantially fulfilling their regulatory responsibilities to safeguard ePHI;” and
- 94% of Covered Entities and 88% of Business Associates “failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
As such, HMBR experts expect wide-sweeping and significant changes to HIPAA and HITECH security mandates when a Final Rule is published.
A summary of some of the more substantial proposals in the NPRM follows:
- Clarifying that the term “addressable” does not mean optional, particularly in the context of encrypting ePHI at rest and in transit.
- Requiring the creation and maintenance of a written inventory that details:
  - A full list of technology assets (hardware, software, media);
  - A data network map showing where ePHI is stored and how it moves through information systems; and
  - The version of software and firmware, responsible person, and physical location of each asset within the organization, including where Business Associates fit into the inventory.
  - The written inventory must be updated regularly, no less often than once every 12 months, or sooner if there is a change in the inventory that may impact ePHI.
- Implementation of network segmentation to isolate systems that process ePHI from those that do not.
- Additional guidance and requirements for an annual security risk assessment, including:
  - Review of technology asset inventories and the network map;
  - Identification of all reasonably anticipated threats to ePHI;
  - Identification of potential vulnerabilities in relevant information systems; and
  - Assessment of the likelihood of each threat or vulnerability being exploited.
- Additional responsibilities on Covered Entities to ensure that Business Associates that possess, use, or access ePHI are following the Security Rule’s requirements. Assessment requirements go beyond a mere attestation or written assurance.
- Conducting a proper and comprehensive compliance audit no less than every 12 months.
  - The audit may be conducted by internal or external resources.
- Implementing new written policies to comply with required rules within 30 days of rule changes.
- Mandatory and documented workforce education.
- Installation of software patches within required timeframes, with limited exceptions to the required timeline.
- Required multi-factor authentication controls.
- Additional requirements surrounding a business continuity plan, including an assessment of all technology that holds ePHI for criticality, data backups, disaster recovery, restoration of data after a disaster, emergency operations, and testing of the disaster recovery/business continuity plan.
HMBR experts will continue to monitor this NPRM and work with our clients to prepare for the impact if most or all of the proposed changes are implemented in the Final Rule.
[1] 90 FR 898 (Jan. 6, 2025)