February 3, 2025
Proposed Security Rule: What Providers Need to Know
On January 6, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a proposed rule, which sets forth a number of significant updates to the HIPAA Security Rule. According to the OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. healthcare system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations.
The following provides a brief summary of the recommended changes. The proposed rule is open for comment until March 7, 2025.

Required vs. Addressable

By way of background, the Security Rule contains specific administrative, physical, technical, organizational and documentation standards, as well as associated implementation specifications. The current Security Rule contains both “required” and “addressable” implementation specifications. Required specifications must be implemented. Addressable specifications require that the covered entity or business associate (either of which is a “regulated entity”) assess whether the specification is reasonable and appropriate in the regulated entity’s environment, with reference to its likely contribution to protecting electronic protected health information (ePHI), and, if the specification is not reasonable and appropriate, document why and implement an equivalent alternative measure that is reasonable and appropriate.

The proposed rule would remove the distinction between “required” and “addressable” implementation specifications and require all implementation specifications, except in limited circumstances. Accordingly, a regulated entity must implement the standards and associated specifications and adopt reasonable and appropriate security measures to achieve such implementation.

Asset Inventory and Network Map

The proposed rule would require regulated entities to conduct and document an accurate and thorough written technology asset inventory and network map of their electronic information systems and all technology assets that may affect the confidentiality, integrity or availability of ePHI. Any technology asset inventory and network map would be required to take into account the processes that involve movement of ePHI into and out of a regulated entity’s systems, including those that may involve another entity (i.e., a covered entity’s network map would be required to account for technology assets used by its business associates to create, receive, maintain or transmit ePHI).

Risk Analyses

While the current Security Rule requires that a regulated entity conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the regulated entity, the proposed rule would impose more specific requirements for such risk analyses. In particular, the proposed rule would require a written assessment that takes into account and documents details related to eight specifications, including the following:

    • A review of the regulated entity’s technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI;
    • Identification of potential vulnerabilities to the regulated entity’s relevant electronic information systems; and
    • A determination of the potential impact of each identified threat, among other requirements.

The OCR states that these requirements for risk analyses would be distinct from the evaluation standard, which requires a regulated entity to proactively consider whether risks or vulnerabilities will be introduced by any changes to the regulated entity’s environment or operations.

Incident Response Requirements

The proposed rule would require that a regulated entity establish a security incident response plan and implement procedures for testing and revising that plan at least once every 12 months. A regulated entity would also be required to develop and maintain documentation of investigations, analyses, mitigation and remediation for suspected or known security incidents.

Further, a regulated entity would be required to have contingency plans in place, including procedures to restore its critical electronic information systems and data within 72 hours of a loss and restore other systems and data in accordance with the criticality analysis contained in the regulated entity’s written contingency plan. A business associate would be required to notify covered entities (or a subcontractor business associate to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

Business Associate Safeguards

The proposed rule would require that a regulated entity verify that an entity that creates, receives, maintains or transmits PHI on its behalf is in fact taking necessary steps to protect ePHI. In particular, the proposed rule would require that a covered entity obtain a written verification, at least once every 12 months, that a business associate has deployed technical safeguards required by the Security Rule, including a written analysis of the business associate’s relevant electronic information systems. The same requirement would apply to business associates with respect to their subcontractor business associates.

Patch Management

A regulated entity would need to implement policies and procedures to identify, prioritize and apply software patches throughout its electronic information systems that create, receive, maintain or transmit ePHI, or otherwise affect the confidentiality, integrity or availability of ePHI. The proposed rule would impose specific timing requirements for patching, updating or upgrading the relevant electronic information system: (a) 15 calendar days for a critical risk patch; (b) 30 calendar days for a high-risk patch; and (c) a reasonable and appropriate period of time based on the entity’s policies and procedures for all other patches.
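As an added illustration (example code written for this summary, not part of the article or of the proposed rule), the following tracks pending and applied patches against the proposed 15-day and 30-day windows and flags those that are overdue or were applied late. The 90-day window for “all other patches” is a hypothetical policy value that a regulated entity would set in its own procedures, and the patch records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Calendar-day windows measured from the date a patch becomes available.
# "critical" and "high" follow the proposed rule; "other" has no fixed window
# in the proposal, so the 90 days below is an assumed policy value.
PATCH_WINDOWS = {"critical": 15, "high": 30, "other": 90}


@dataclass
class PatchRecord:
    asset: str              # technology asset from the written inventory
    patch_id: str           # vendor patch identifier (constructed sample values)
    severity: str           # "critical", "high" or "other"
    available: date         # date the vendor released the patch
    applied: Optional[date] # date applied, or None if still pending
    ephi_relevant: bool     # asset creates/receives/maintains/transmits ePHI
                            # or otherwise affects its confidentiality,
                            # integrity or availability


def due_date(rec: PatchRecord) -> date:
    """Deadline for applying the patch under the applicable window."""
    sev = rec.severity.lower()
    if sev not in PATCH_WINDOWS:
        # Refuse to silently downgrade an unknown rating to a longer window.
        raise ValueError(f"unknown severity {rec.severity!r} for {rec.patch_id}")
    return rec.available + timedelta(days=PATCH_WINDOWS[sev])


def status(rec: PatchRecord, today: date) -> str:
    """Classify one record as seen on `today`."""
    if not rec.ephi_relevant:
        return "out-of-scope"   # not covered by the ePHI patching requirement
    due = due_date(rec)
    if rec.applied is not None:
        return "compliant" if rec.applied <= due else "late"
    return "overdue" if today > due else "pending"


def report(records, today: date) -> dict:
    """Map each patch id to its compliance status."""
    return {r.patch_id: status(r, today) for r in records}


def overdue_patches(records, today: date) -> list:
    """Patch ids that are past their window and still unapplied."""
    return [r.patch_id for r in records if status(r, today) == "overdue"]


# Constructed sample records (not real assets or vendor patch ids).
TODAY = date(2025, 3, 1)
SAMPLE = [
    PatchRecord("ehr-app-01", "P-1001", "critical", date(2025, 2, 1), date(2025, 2, 10), True),
    PatchRecord("ehr-db-01", "P-1002", "critical", date(2025, 2, 1), None, True),
    PatchRecord("vpn-gw-01", "P-1003", "high", date(2025, 2, 10), None, True),
    PatchRecord("file-srv-02", "P-1004", "high", date(2025, 1, 1), date(2025, 2, 15), True),
    PatchRecord("lobby-kiosk", "P-1005", "other", date(2025, 1, 1), None, False),
    PatchRecord("imaging-ws-07", "P-1006", "other", date(2024, 11, 1), None, True),
]


def sample_report() -> dict:
    """Report over the constructed sample as of TODAY."""
    return report(SAMPLE, TODAY)


if __name__ == "__main__":
    for patch_id, state in sample_report().items():
        print(f"{patch_id}: {state}")
    print("overdue:", overdue_patches(SAMPLE, TODAY))
```

The severity-to-window table is deliberately a single dictionary so that the entity’s own policy period for “other” patches can be changed in one place, and an unrecognized severity raises rather than quietly landing in the longest window.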

Access Control Requirements

The proposed rule would require that a regulated entity implement written policies and procedures related to its workforce members’ access to ePHI and relevant electronic information systems, including termination of such access where appropriate, such as upon termination or a change in an employee’s role. The regulated entity must also notify other regulated entities after a change in or termination of a workforce member’s authorization to access ePHI of those other regulated entities as soon as possible but no later than 24 hours after the change or termination.

Audits and Documentation

The proposed rule would require a regulated entity to perform and document an audit of its compliance with each standard and implementation specification of the Security Rule at least once every 12 months.

Regulated entities would be required to document in writing all policies, procedures, plans and analyses required by the Security Rule, and to review that documentation at least annually and in response to changes in their security environment or operations. This would include (but not be limited to) the requirements related to the technology asset inventory, network map and risk analysis discussed above.

Workforce Sanctions

Sanctioning of workforce members who fail to comply with a regulated entity’s security policies and procedures would be required under the rule. The entity must also establish and maintain written policies and procedures related to workforce sanctions, and document each instance in which it imposes sanctions on a workforce member and the circumstances leading to the sanction.

Additional Security Measures

The proposed rule would require a number of additional security controls, each with limited exceptions, related to:

    • Encryption of ePHI at rest and in transit;
    • Multi-factor authentication;
    • Network segmentation;
    • Vulnerability scanning at least once every six months and penetration testing at least once every 12 months;
    • Deployment of anti-malware protection;
    • Removal of extraneous software from electronic information systems;
    • Disablement of network ports in accordance with a regulated entity’s risk analysis; and
    • Backup and recovery of ePHI.

The full text of the proposed rule is published in the Federal Register under the title “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information.”