
7 January 2025 | 6 minute read

HHS proposes major overhaul of the HIPAA Security Rule

The Department of Health and Human Services (HHS) published a notice of proposed rulemaking (Proposed Rule) on December 27, 2024 to modify the Security Standards for the Protection of Electronic Protected Health Information (ePHI) (Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

Below, we take a concise look at the Proposed Rule and its potential implications.

Summary of the Proposed Rule

Notably, the current Security Rule is not as detailed or rigorous as many state standards (eg, NY Department of Financial Services) or standards required for federal government systems (eg, the Federal Information Security Management Act). Rather, historically, HHS’s intent has been for the Security Rule requirements to be scalable based on the size, scope, and overall complexity of the covered entities and business associates (regulated entities) subject to HIPAA. This left discretion to regulated entities to analyze their own needs and implement solutions that were appropriate based on their specific technical and physical environment, size, and available resources.

Now, nearly 20 years after the initial effective date of the Security Rule, the Proposed Rule seeks to strengthen the Security Rule’s standards and implementation specifications. Described in more detail below, these proposed requirements would remove a major component of the discretion previously afforded to regulated entities to create cybersecurity programs tailored to their specific circumstances.

Some of the Proposed Rule’s requirements include:

  • Mandating system recovery periods without regard to the size, scope, or sophistication of a cyberattack

  • Mandating termination of a workforce member’s access to ePHI within one hour of their employment’s end, and notice from one regulated entity to another within 24 hours if a workforce member’s employment has ended

  • Creating new and burdensome reporting requirements for business associates such as notification to covered entities within 24 hours of activating a contingency plan

  • Creating new and burdensome verification requirements for business associates such as annual certifications to covered entities

  • Requiring annual penetration testing and vulnerability scanning every six months

  • Codifying and expanding previously non-binding HHS guidance on performing HIPAA risk analyses into federal law

  • Mandating new security documentation, including asset inventory and network maps to illustrate data flows on an ongoing basis, and

  • Mandating the adoption of new safeguards, which were previously not required, likely requiring significant new expenditures on cybersecurity.

“Required” vs. “addressable”

Currently, each category of safeguards under the Security Rule includes certain technology-neutral standards and "implementation specifications" that provide instructions for implementing those standards. The Security Rule designates these "implementation specifications" as either "required" or "addressable." Compliance with the standards and "required" implementation specifications is mandatory because HHS believes that they are "so basic that no [regulated] entity could effectively protect electronic protected health information without implementing them."

An "addressable" implementation specification, however, operates differently. If a regulated entity determines that an “addressable” implementation is not reasonable and appropriate, it must either implement an equivalent measure, or, if the standard is otherwise met, it may choose not to implement the specification or an equivalent measure. When choosing not to implement the specification, the regulated entity must maintain documentation as to the reasons why.

Again, in a major departure from how HHS has historically regulated security for ePHI, the Proposed Rule removes the distinction between required and addressable implementation specifications. Instead, with limited exceptions, if HHS finalizes the Proposed Rule, all implementation specifications would now be required. For example, whereas encryption of data at rest was an addressable implementation specification, the Proposed Rule would make it a required implementation specification with limited exceptions.

Other key proposals: Written notification, system restoration, and verification requirements

As mentioned above, HHS seeks to create new and burdensome reporting requirements. For example, under the Proposed Rule, business associates would be required to notify covered entities (and subcontractor business associates to notify upstream business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation. In effect, this creates not only a new incident reporting requirement for business associates to report to their upstream customers, but also one of the strictest incident reporting deadlines across US laws.

The Proposed Rule would also require a regulated entity to establish (and implement as needed) written procedures to restore both its critical relevant electronic information systems and data within 72 hours of the loss of functionality, and to restore the loss of other relevant electronic information systems and data in accordance with its criticality analysis. While likely a response to high-profile ransomware attacks, this new requirement would arbitrarily dictate a recovery time that may not be possible for regulated entities in the absence of investment in an expensive, fully redundant facility. Typical response to a cybersecurity incident may take weeks to months, not days. Accordingly, for regulated entities, many of which are nonprofits, this expense may be out of reach.

Further, business associates would be required to verify at least once every 12 months for covered entities (and that downstream business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written assessment of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. If finalized, this would be a boon to technical consultants and yet another line item on regulated entities’ information security budgets.

Takeaways of the proposed changes to HIPAA

In aiming to update the Security Rule for a more complex technical world, the Proposed Rule reflects an aggressive approach that removes the flexibilities that allowed for HIPAA and its regulations to adapt to changing technologies. If adopted, the new rulemaking will require material changes to regulated entities’ HIPAA compliance functions. In fact, HHS itself estimates an annual HIPAA compliance cost increase of roughly $4.6 billion for regulated entities and an additional $4.6 billion for health plan sponsors. Further, the Proposed Rule seeks to regulate the minutiae of highly technical cybersecurity matters that are best left, and which historically have been left, to regulated entities and their information security teams. As such, we expect that the new administration, which has expressed opposition to onerous regulations, will revoke or rework the Proposed Rule.

Comments to the Proposed Rule are due March 7, 2025.

DLA Piper will continue to monitor developments surrounding updates to the Security Rule. For more information about these developments, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Privacy or Healthcare industry groups.
