January 21, 2025

OCR Proposes Major Changes to the HIPAA Security Rule

Advisory

On January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published proposed modifications to the security regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) (collectively, the HIPAA Security Rule or Rule).1 The proposed modifications (Proposed Rule), if adopted, will impose significant requirements and deadlines on HIPAA-regulated entities to enhance the confidentiality, integrity, availability, and protection of “electronic protected health information” (ePHI).2 These requirements include, among others, making all “addressable” (i.e., flexible) standards under the Rule “required” standards, placing onerous reporting requirements on business associates, and requiring encryption of all ePHI. In addition, regulated entities may want to consider whether these proposed safeguards and controls, if implemented, would raise the industry standard for handling sensitive personal information more broadly. Comments on the Proposed Rule are due to OCR no later than March 7, 2025.

Background

The HIPAA Security Rule, first promulgated in 2003 and later revised in 2013, comprises a set of standards for the security of ePHI by entities regulated under HIPAA (e.g., health plans, health care providers conducting standard electronic transactions, and health care clearinghouses) (“covered entities”), and their respective service providers who require access to ePHI to perform services for the covered entity (“business associates”).

Through the Proposed Rule, OCR seeks to increase the federal standard of cybersecurity for ePHI in response to the markedly increased frequency of data security breaches and cyberattacks reported to the agency and in the health care sector over the past decade. In the preamble to the Proposed Rule, OCR states, “Between 2015 and 2019, cyberattacks on health care organizations increased by 125 percent. And between 2022 and 2023, ransomware attacks against the U.S. health care sector increased 128 percent.”3

Proposed Modifications

Elimination of “Addressable” Concept

Currently, the HIPAA Security Rule distinguishes between “addressable” and “required” implementation standards. “Addressable” standards must be considered by each HIPAA-regulated entity, but if a regulated entity concludes that a particular “addressable” implementation standard is not reasonable or appropriate in light of factors specific to that entity’s HIPAA security compliance program, it may determine not to implement the addressable standard (and document the reasons behind that determination).

In the preamble to the Proposed Rule, OCR expressed concern that some entities misinterpret “addressable” standards as optional, and as a result, fail to implement addressable specifications even when it is reasonable and appropriate to do so. To address this misconception, the Proposed Rule would eliminate the distinction between “addressable” and “required” standards entirely. The Proposed Rule would require regulated entities to comply with all the Security Rule standards and would clarify that there is flexibility only in the manner in which — and not whether — the standards are met.

OCR has invited comment on whether removing the distinction between “required” and “addressable” implementation standards would result in unintended negative consequences for regulated entities, among other topics. It also seeks recommendations for how OCR should clarify how regulated entities are required to implement the security measures described in the Proposed Rule.

There is a long-standing tension in security-related safeguards, and in the policy initiatives driving them, between providing a list of specific, identifiable safeguards (a checklist) and providing more flexible standards, which are easier for a company to implement but which become outdated more easily. OCR suggests that the Proposed Rule aims to strike a balance between these competing principles without compromising the protection of ePHI.

Administrative Safeguards

The Proposed Rule would clarify and augment regulated entities’ obligations to implement administrative safeguards to protect ePHI. Key proposed requirements include (but are not limited to) the following:

Business Associates Notification Requirements: The Proposed Rule includes a new implementation specification that requires business associates to notify a covered entity within 24 hours of an activation of the business associate’s contingency plan and of any change in or termination of a workforce member’s access to ePHI.4

Technology Asset Inventory and Network Map: While the current Rule requires HIPAA-regulated entities to have security management processes, including conducting risk assessments that require a review of all information systems and ePHI (and the threats and vulnerabilities thereto), the proposed updates to the Rule would provide more specificity on the expectations for this security management process. This would include a specific requirement to develop and maintain a technology asset inventory that reflects the components of an electronic information system (e.g., hardware, software, and data), as well as a network map that illustrates the movement of ePHI throughout the entity’s electronic information system(s) and reflects where technology assets are located or accessed. These network maps, like assessments, will be subject to review and revision (now with a definitive period of at least once every 12 months).

Formalizing Risk Assessments: To address OCR’s expressed concern that few regulated entities properly fulfill their regulatory responsibilities to document efforts to develop, maintain, update, and implement policies and procedures for conducting risk assessments, the Proposed Rule provides more specific directives for risk assessments.5 This includes a specific requirement to prepare detailed written assessments of the potential risks and vulnerabilities to ePHI that document, among other things:

  • The regulated entity’s technology asset inventory and network map
  • All reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
  • Potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
  • The risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities

The written risk assessments would need to be reviewed and updated at least annually, and sooner in response to any change in the entity’s environment or operations that might affect ePHI.

Specificity on Risk Management Plans: While regulated entities are required to implement risk management plans under the current Rule, the Rule does not specify the manner of how an entity does this. Under the Proposed Rule, regulated entities would be required to establish and implement a written risk management plan to reduce the risks identified through a regulated entity’s risk analyses, and to review and update the plan at least annually.

Evaluation of Planned Alterations: Under the current Rule, a regulated entity is required to conduct evaluations in response to a change in its environment or operations that might affect ePHI. The proposed modifications to the Rule require a regulated entity to take a proactive, rather than a retroactive, approach to evaluating security risks by requiring it to conduct evaluations of the security risks associated with any planned change in a regulated entity’s environment or operations that might affect ePHI before the change is made.

Implementation of Patch Management: The Proposed Rule includes a new requirement for the establishment of written policies and procedures for timely installation of patches and updates throughout a regulated entity’s systems containing ePHI, to be reviewed and modified as reasonable and appropriate, and at least annually.

Implementation of Contingency and Disaster Recovery Plans: While contingency and disaster recovery plans are required under the current Rule, the Proposed Rule provides more specificity regarding the implementation of these plans. This includes the implementation of a written contingency and disaster recovery plan for (1) responding to an emergency or other occurrence that adversely affects relevant electronic information systems and (2) restoring the loss of critical electronic information systems and data within 72 hours of the loss.

Timeframes for Workforce Training: The Proposed Rule modifies the current training requirements by providing specific requirements regarding the timing and frequency of training for all workforce members. The Proposed Rule would now expressly require regulated entities to provide security awareness training to all workforce members on protection of ePHI and relevant information systems at least once every 12 months (and to new workforce members within 30 days after they first access the regulated entity’s relevant electronic information systems).

Additional Administrative Safeguards

The Proposed Rule would also require:

  • Covered entities to obtain written verification from their business associates that the business associate has deployed the required technical safeguards at least once every 12 months
  • Regulated entities to perform and document an audit of their compliance with each standard and implementation specification of the Security Rule at least once every 12 months

OCR has sought comments on the above and on specific items, including whether OCR should require additional administrative safeguards not provided for in this update or whether there should be any exceptions to the administrative safeguards.

Physical Safeguards

The Proposed Rule would require regulated entities to implement new facility access and media and device controls. For example, in recognition of the increased portability of devices, media, workstations, and information systems, the Proposed Rule would clarify that all devices that access ePHI, including those that are mobile, are subject to the physical safeguards. Regulated entities would be required to review and test these written policies and procedures at least once every 12 months.

Specificity on Technology Asset Controls

While the current Rule provides that regulated entities must implement policies and procedures regarding receipt, removal, and disposal of technology assets, the proposed modifications provide specific implementation requirements, such as requiring a regulated entity to implement written policies and procedures that govern the receipt and removal of technology assets that maintain ePHI in and out of the facility, including the proper standards for disposing of and sanitizing these technology assets. A regulated entity would also be required to implement electronic media sanitization procedures, a new requirement under the Proposed Rule, to ensure that ePHI cannot be recovered before the media is made available for re-use. The regulated entity would need to review and test these written policies and procedures at least once every 12 months or in response to an environmental or operational change.

OCR has sought comment on, among other things, whether every 12 months is an appropriate frequency for review of a regulated entity’s written policies and procedures for physical safeguards and whether the proposed implementation specifications for media disposal should apply to technology assets that do not maintain ePHI.

Technical Safeguards

The Proposed Rule would require new technical safeguards, including but not limited to access controls, encryption, and multi-factor authentication.

Enhancing Access Controls

While the current Rule requires the implementation of technical controls to restrict access to ePHI by workforce members, it permits flexibility on how and when such controls are deployed. The Proposed Rule clarifies that a regulated entity must also deploy technical controls in its relevant electronic information systems that allow access only to users and technology assets that have been granted access rights. To accomplish this, the regulated entity would have to assign a unique identifier to each technology asset to enable the identification and tracking of unauthorized activity, and would also be subject to a new requirement to implement network segmentation so that the entity’s relevant electronic information systems are segmented to limit access to ePHI to authorized workstations.

Requiring Encryption

Under the current Rule, encryption is an addressable implementation specification under the standard for access control (i.e., certain ePHI at rest) and transmission security (i.e., ePHI in transit).6 The Proposed Rule would now require regulated entities to configure and implement technical controls to encrypt and decrypt all ePHI at rest and in transit in a manner consistent with prevailing cryptographic standards, except under certain limited exceptions, thereby creating significant burdens on regulated entities.

Requiring Multi-Factor Authentication

To prevent unauthorized access to ePHI, the Proposed Rule provides for new authentication requirements, including unique passwords and multi-factor authentication to access all technology assets in a regulated entity’s relevant electronic information systems, with the exception of limited circumstances.

OCR has solicited comment on, among other things, whether the agency should require encryption of all relevant electronic information systems and whether it should specify the deployment of a particular form or manner of encryption.

Request For Information on New and Emerging Technologies

OCR has also requested comment on new and emerging technologies, such as quantum computing, artificial intelligence, and virtual and augmented reality, and how the HIPAA Security Rule protects ePHI when used in those technologies, including any benefits, drawbacks, or unintended consequences therefrom.

Specifically, the agency is seeking feedback on whether its understanding of how the Security Rule applies to new technologies involving ePHI is not comprehensive, whether there are technologies that may harm the security and privacy of ePHI in ways that the Security Rule could not mitigate without modification, and whether there are additional policy or technical tools that the agency may use to address the security of ePHI in new technologies.

Key Takeaways

The Proposed Rule, if adopted as is, will significantly alter the obligations of HIPAA-regulated entities under the HIPAA Security Rule. All previously flexible standards under the Security Rule will become required standards, business associates will have to adhere to onerous reporting requirements, and regulated entities will have to encrypt ePHI, which could be very expensive and may impact data accessibility (either entirely or because it is difficult to accomplish at a larger scale). Regulated entities would also need to implement new administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all ePHI.

The public comment period provides companies with a way to provide meaningful input to OCR on how to make the Proposed Rule more achievable, meaningful, and effective for their organizations. Parties interested in assistance with submitting comments to OCR are encouraged to contact any of this Advisory’s authors or their Arnold & Porter contact(s).

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. 90 Fed. Reg. 898 (Jan. 6, 2025).

  2. 45 C.F.R. § 160.103.

  3. 90 Fed. Reg. at 913.

  4. A “contingency plan” consists of written policies and procedures for responding to an emergency or other occurrence, including, but not limited to, fire, vandalism, system failure, natural disaster, or security incident that adversely affects relevant electronic information systems. See 90 Fed. Reg. at 955.

  5. 90 Fed. Reg. at 940.

  6. 45 C.F.R. §§ 164.312(a)(2)(iv); 164.312(e)(1).