LawFlash

HHS Proposes Security Rule Update: What Group Health Plans Need to Know

January 16, 2025

The US Department of Health and Human Services (HHS) on January 6, 2025 issued a notice of proposed rulemaking (NPRM) seeking feedback on proposed updates to the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

These modifications aim to enhance the confidentiality, integrity, and availability of electronic protected health information (ePHI) by addressing significant technological advancements since the Security Rule was last revised in 2013, as well as rising breaches and cyberattacks, observed compliance deficiencies, updated cybersecurity best practices, and relevant court decisions. Comments are due by March 7, 2025.

This LawFlash provides a brief summary of the NPRM, focusing on changes impacting group health plans and their plan sponsors.

For more on this update, please see our January 2, 2025 LawFlash.

BACKGROUND

The Security Rule establishes standards and implementation specifications for safeguarding ePHI to ensure confidentiality, integrity, and availability, promoting secure electronic transmission within our national health information system. To mitigate vulnerabilities, regulated entities—including healthcare providers, group health plans, and their business associates—are required to implement appropriate policies and procedures tailored to their size, resources, and risks. The NPRM attempts to modernize these requirements to ensure the Security Rule remains comprehensive and effective at safeguarding ePHI in the evolving healthcare landscape.

KEY CHANGES AND IMPLICATIONS FOR GROUP HEALTH PLANS AND PLAN SPONSORS

Updated Definitions

The proposed rule updates and modernizes several definitions to align with current technologies and practices. For example, “electronic media” now includes cloud computing and mobile devices, while the definition for “access” has been expanded to cover data deletion and transmission. It also introduces new definitions for terms like “multi-factor authentication,” “risk,” “threat,” and “vulnerability” for greater clarity, ensuring relevance in today's digital health landscape.

General Rules

The proposed changes aim to ensure that all ePHI in a group health plan’s environment is fully protected, emphasizing that group health plans must apply Security Rule requirements to all ePHI they create, receive, maintain, or transmit, and ensure their workforce complies with these safeguards. The NPRM underscores the importance of group health plans being able to recover from security incidents and adapt security measures to new risks and technologies. Most significantly, the proposed rule would eliminate the distinction between “addressable” and “required” standards. This means that group health plans must comply with both standards and specifications, with flexibility only in how they meet these requirements. HHS also proposes to remove the current Security Rule’s general maintenance provision and add explicit maintenance requirements to certain standards, making it clear that group health plans must regularly review, test, and modify their security measures, including policies, procedures, and technical controls. Testing could include simulating security events and evaluating employee compliance, with the outcomes of those tests resulting in modifications to such security measures.

Administrative Safeguards

HHS proposes that group health plans be required to implement and document all administrative safeguards to protect the confidentiality, integrity, and availability of ePHI. Specifically:

  • Technology Asset Inventory: Group health plans would be required to maintain a detailed inventory of technology assets, create a network map illustrating the flow of ePHI, and regularly update these records.
  • Risk Analysis: Group health plans must conduct a thorough risk analysis to identify and evaluate risks and vulnerabilities to ePHI, ensuring its confidentiality, integrity, and availability. This includes reviewing assets, identifying threats and vulnerabilities, assessing risk levels, and documenting the findings. The analysis must be regularly updated to account for changes in technology, operations, and new risks. A corresponding risk management plan is also required, detailing measures to reduce risks to a reasonable and appropriate level.
  • Evaluation: Group health plans would be required to not only perform but document (in writing) both technical and nontechnical evaluations of any changes in their environment or operations. These written evaluations would assess the impact of these changes on ePHI, ensuring that group health plans proactively identify risks before making such changes and implement necessary safeguards.
  • Patch Management: Group health plans would be required to implement written policies and procedures for timely patching, updating, and upgrading their electronic information systems to protect ePHI. This includes establishing processes for identifying and mitigating risks, with specific timeframes for addressing critical and high-risk vulnerabilities, while allowing exceptions with compensating controls when necessary.
  • Risk Management: Group health plans would be required to establish and implement a risk management plan to reduce identified risks to ePHI to a reasonable and appropriate level, based on their specific circumstances. The proposal includes requirements for the planning, maintenance, prioritization, and timely implementation of security measures to address these risks, as well as regular reviews and documentation of decisions and actions taken.
  • Sanction Policy: Group health plans would be required to establish and enforce written policies for sanctioning workforce members who fail to comply with security procedures for ePHI. This includes reviewing policies annually, applying sanctions when necessary, and documenting actions with the goal of improving compliance and cybersecurity awareness among workforce members.
  • Information System Activity Review: Group health plans would be required to establish policies for regularly reviewing activity logs, including audit trails, event logs, and access reports, in their electronic systems to detect suspicious activities. The proposal also includes specific requirements for record retention, response to incidents, and annual policy reviews, with flexibility for different organizations based on their size and capabilities.
  • Assigned Security Responsibility: Group health plans would be required to formally identify (in writing) the Security Official responsible for implementing policies, procedures, and technical controls.
  • Workforce Security and Information Access Management: Group health plans would be required to implement written policies and procedures for controlling access to ePHI, including authorization, supervision, and timely termination of access for workforce members to prevent insider threats, as well as conduct regular reviews and updates to maintain compliance and improve safeguards against unauthorized access.
  • Security Awareness Training: Group health plans would be required to annually conduct comprehensive training for all workforce members on security policies, incident reporting, and best practices.
  • Security Incident Procedures: Group health plans would be required to implement written incident response plans, regularly test and revise them, and document all actions taken to respond to and mitigate incidents, ensuring faster recovery and reduced harm to ePHI.
  • Contingency Plan: Group health plans would be required to establish and implement written contingency plans, perform criticality analyses, maintain accurate data backups, and restore systems and data within specific timeframes, as well as regularly test and revise these plans.
  • Compliance Audit: Group health plans would be required to perform and document an audit of their compliance with each Security Rule standard at least annually, with flexibility regarding whether the audit is conducted internally or by an external party.
  • Business Associates: Group health plans would be required to verify that business associates have deployed the necessary technical safeguards to protect ePHI, including obtaining written verification and annual certification of compliance. The NPRM clarifies that while group health plans can delegate certain roles and security-related tasks to their business associate(s), the plan ultimately remains responsible for ensuring compliance with all provisions of the Security Rule.

Physical Safeguards

HHS proposes to keep the four current standards for physical safeguards, with some modifications to address issues it has identified. Specifically:

  • Facility Access Controls: The proposed rule modifies the implementation specifications associated with the current standard for facility access control and proposes that the plan’s policies and procedures must be in writing and address the physical access to all of the plan’s relevant electronic information systems and the facility or facilities in which those systems are housed. Such policies and procedures must be reviewed and updated at least annually.
  • Workstation Security: Group health plans would be required to implement physical safeguards for all workstations, including mobile ones, that access ePHI. These updates would require written policies for workstation use and security, including addressing mobile workstations and implementing safeguards like cable locks and privacy screens, with annual reviews and updates of policies and procedures.
  • Technology Asset Controls: HHS proposes changing the current “device and media controls” standard to “technology asset controls” to better address the growing range of components that affect ePHI security, including portable devices. Written policies would be required for managing the movement, disposal, and sanitization of technology assets and ePHI, including updating procedures in response to environmental changes, with annual reviews and modifications as necessary.

Technical Safeguards

HHS has proposed to retain the current technical safeguard requirements with certain additions and changes to the existing standards and implementation specifications.

  • Access Control: Group health plans would be required to deploy technical controls to limit access to authorized users and technology assets, including unique user identification, administrative privileges, emergency access procedures, automatic logoff, and login attempts, among others. Additionally, new specifications are proposed for network segmentation, data controls, and ongoing maintenance, with an emphasis on regularly reviewing and testing technical safeguards to ensure compliance and protect ePHI.
  • Encryption and Decryption: HHS has proposed making encryption of ePHI, both in transit and at rest, mandatory for group health plans in order to enhance ePHI protection, with specific exceptions for situations where encryption is not feasible or applicable, requiring compensating controls and regular reviews for ongoing security.
  • Configuration Management: Group health plans would be required to establish secure baselines for their electronic information systems and assets, ensure anti-malware protections, and remove unnecessary software. Group health plans would also be required to enhance their audit trail controls to monitor and record all activities in these systems to safeguard ePHI, with regular reviews of the technical controls to ensure their effectiveness.
  • Integrity: Group health plans would be required to deploy technical controls to protect ePHI from unauthorized alteration or destruction, both in transit and at rest, and to review these controls regularly. HHS has proposed removing the current implementation specification requiring electronic mechanisms to corroborate the integrity of ePHI, as these controls are typically integrated into modern hardware and protocols.
  • Authentication: Group health plans would be required to deploy technical controls to verify that individuals or technology assets accessing ePHI are properly authenticated. HHS also proposes requirements for multi-factor authentication (MFA), including the removal of default passwords and using MFA for changes in user privileges that affect ePHI, allowing exceptions for devices or situations where MFA is not feasible. However, group health plans would be required to implement alternative controls and regularly review them to ensure they are still effective in securing the data.
  • Transmission Security: Group health plans would be required to deploy technical controls that protect ePHI during transmission over electronic communication networks, including encryption and integrity measures. Plans would also need to review and test these controls at least annually or in response to changes. HHS further proposes to remove the existing implementation specification for integrity controls, which are now incorporated into the integrity standard.
  • Vulnerability Management: Group health plans would be required to deploy technical controls to identify and address vulnerabilities in their electronic information systems, including automated vulnerability scans, penetration testing, and patch management. Group health plans would need to monitor authoritative sources for known vulnerabilities, conduct periodic scans and testing, and apply patches or compensating controls to mitigate risks to ePHI.
  • Data Backup and Recovery: Group health plans would be required to deploy controls for creating, maintaining, and testing exact retrievable copies of ePHI. This includes regular backup creation, real-time monitoring for errors, testing of backup effectiveness, and documenting results to ensure data can be restored after a breach or disaster.
  • Information Systems Backup and Recovery: Group health plans would be required to deploy technical controls to create and maintain backups, review and test their effectiveness regularly, and modify them as needed.

Business Associate Agreements

HHS proposes that business associate agreements (BAAs) require the business associate to notify the group health plan within 24 hours of activating a contingency plan due to an emergency or security incident. This aims to ensure timely communication between business associates and group health plans in an emergency, allowing the group health plan to take the necessary steps to protect its electronic information systems.

While the notification must occur within 24 hours of contingency plan activation, the proposal does not require the business associate to provide the plan with detailed information on the cause of the activation. In addition, the proposed rule does not alter a business associate’s breach reporting obligations under the current Breach Notification Rule.

Recognizing the potential burden of updating BAAs, the proposed rule permits group health plans and their business associates to operate under their existing BAAs for a limited transition period.

Group Health Plans

Unlike the group health plans they sponsor, plan sponsors are not directly liable under the Security Rule because they are not HIPAA-covered entities. However, plan sponsors may perform critical administrative functions for the health plan, requiring access to ePHI. While plan sponsors are required to follow safeguards outlined in their group health plan's documents to protect ePHI, HHS believes the rise in cybercrime and security incidents necessitates explicit requirements in plan documents to ensure that plan sponsors apply adequate security measures. HHS is concerned that group health plans have not been effectively monitoring their plan sponsors to ensure that those plan sponsors protect ePHI and only use and disclose it as permitted by the current regulations.

The proposed rule provides that group health plan documents must require plan sponsors to implement the same administrative, physical, and technical safeguards as the group health plans they sponsor. The proposed rule also introduces a new specification requiring plan sponsors to report contingency plan activation to the group health plan within 24 hours. The proposed rule allows flexibility for plan sponsors and group health plans to negotiate the specifics of this notification, keeping in mind that timely notification is crucial for the group health plan to protect ePHI and respond appropriately.

Policies and Procedures and Documentation Requirements

The Security Rule currently requires group health plans to implement reasonable and appropriate security policies and procedures. These policies must consider factors like the entity's size, technical infrastructure, costs of security measures, and the risks to ePHI. The entity can change these policies but must document and implement any changes in line with the Security Rule. If the Security Rule mandates any action, activity, or assessment, it must also be documented.

Group health plans would need not only to document their policies and procedures, but also to explain in those policies and procedures how the plan considered specific factors in their development. Additionally, group health plans must document actions, activities, and assessments taken to comply with the Security Rule. Group health plans would be required to update their documentation at least annually and after modifications to their security measures. All required documentation would be permitted to be in electronic form.

CONCLUSION

The NPRM introduces extensive revisions to the HIPAA Security Rule that all group health plans and their plan sponsors should carefully evaluate. Given the significant and potentially costly changes proposed, it is uncertain whether these updates will be finalized as drafted under the Trump-Vance administration. If finalized, however, these changes may necessitate a thorough review and substantial updates to many plan sponsors’ information security programs.

While some group health plans may have already implemented certain administrative, physical, technical, organizational, and documentation standards for what are currently “addressable” implementation specifications, it is likely those standards will need to be updated to comply with proposed modifications to those Security Rule provisions.

It will be extremely important for plans to work with their plan sponsors’ information technology and security teams, as those workforce members will be largely responsible for carrying out compliance with these rules and may not be aware that they are even subject to them.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Allison J. Fepelstein (Washington, DC)
Saghi Fattahian (Chicago)