HIPAA Security Rule: What the Proposed Rule Change Means for Healthcare Providers

On December 27, 2024, HHS published a proposed update to the HIPAA Security Rule. The revised rule aims to strengthen cybersecurity in the U.S. healthcare system by clarifying the required administrative, technical and physical safeguards that regulated entities must implement. Learn which changes the HIPAA Security Rule Update will bring in our overview.

HIPAA Security Rule Update

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to safeguard the privacy of protected health information (PHI) stored and processed by healthcare entities, from hospitals and healthcare providers to insurers and clearinghouses. HIPAA contains many different obligations, but there are two main areas of interest.

  1. The Privacy Rule sets standards for who is allowed to access protected health information and to whom covered entities are allowed to disclose it.

  2. The Security Rule establishes required administrative, technical and physical safeguards that covered entities must implement to ensure the confidentiality of PHI.

Despite these federal guardrails, the healthcare industry is plagued by data breaches, cyberattacks and ransomware. Every week, new healthcare data breaches make the news.

To bolster cybersecurity in the health sector, the Office for Civil Rights (OCR), the HHS body responsible for enforcing HIPAA, published a proposed change to the Security Rule. This proposal would update mandatory safeguards in line with current best practices and the Biden administration’s commitment to improving critical infrastructure cybersecurity.

When Will the Security Rule Update Go Into Effect?

The proposed rule is open for comments until March 7, 2025. If the rule is finalized as is, it would go into effect 60 days after official publication. This means the earliest date the rule change could take effect is May 6, 2025.

Once in effect, regulated entities will have 180 days to comply with the new security requirements and an additional 180 days to modify business associate agreements as needed.

This timeline assumes that the rulemaking process will not be affected by the transition in U.S. leadership.

HIPAA Security Rule Update: What Changes?

1. Make All Safeguards Required Rather Than “Addressable”

The HIPAA Security Rule contains both general security targets (standards) and specific steps to achieve these goals (implementation specifications). These implementation specifications were marked either “required” or “addressable”. Addressable, in this case, means that entities had to assess whether the implementation as described is reasonable and appropriate for their organization.

Addressable, however, does not mean optional. If a specification does not fit the organization, the entity is required to document why it decided against it and then implement an equivalent alternative measure instead. This approach was designed to give entities the flexibility to tailor specifications to their unique environment, not to skip them altogether.

In its proposal, the Office for Civil Rights notes that some regulated entities unfortunately interpreted “addressable” specifications as optional and that the Security Rule would benefit from additional clarity on this point. Under the new rule, all implementation specifications are required, with specific, limited exceptions. This is intended to “set an acceptable minimum level of security”.

2. Asset Inventory & Network Map

Under the updated Security Rule, covered entities must maintain:

  • A written inventory of technology assets of both the entity and business associates.

  • A network map that illustrates the movement of ePHI through information systems.

The inventory and map must be reviewed and updated at least every 12 months, as well as following relevant changes in the IT environment, the organizational structure or applicable law.

This new standard is consistent with the Asset Management function of the NIST Cybersecurity Framework.

3. Detailed Risk Analysis

Risk analysis is already mandatory under the existing Security Rule, but the proposal updates the rule to give more detail on how to meet this requirement.

Entities must conduct a written assessment of potential risks that endanger PHI and create a risk management plan to reduce these risks. The risk assessment draws on the asset inventory and network map to identify where health information is created, received, stored and transmitted.

As part of their risk analysis, entities must identify potential vulnerabilities and reasonably anticipated threats to PHI. Based on these threats and an assessment of the security measures taken by the entity and their business associates, entities must then determine the likelihood and potential impact of each identified threat.

The written risk assessment and risk management plan must be reviewed, verified and updated on an ongoing basis, but at least every 12 months and in response to changes in the IT environment. In addition, entities must conduct a risk assessment before entering into a new business associate agreement.

4. Strict Access Control for PHI

Ensuring appropriate access to PHI is already required under the existing Security Rule as part of its Workforce Security and Access Control standards. The rule proposal maintains and expands existing requirements, while adding a new security standard of Information Access Management.

Entities have to implement written policies and procedures to ensure all workforce members have appropriate access to ePHI and to prevent unauthorized access. OCR specifically names role-based access control as a model consistent with Security & Privacy Rule requirements.

As part of offboarding procedures, access must be terminated within one hour of employment ending, and the entity must notify business associates and other covered entities within 24 hours if the person also had access to PHI at these organizations. To meet this standard, organizations need an effective approach to user lifecycle management.

In addition, entities must implement policies and procedures to document, review and modify access for each user and technology asset. This requires the means for both in-depth data access governance and regular user access reviews.
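The one-hour termination and 24-hour partner notification windows described above are measurable, so an access review can check them directly against HR and directory data. The following is an added example (not code from tenfold, HHS or the proposed rule); the HR terminations, directory disable times and partner notification records are constructed for illustration, and a real check would pull them from the HR system, the directory and the notification log.

```python
"""Offboarding timeliness check modelled on the proposed one-hour access
termination and 24-hour business-associate notification windows.

Added example, not code from tenfold, HHS or the NPRM. All records below are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

ACCESS_TERMINATION_LIMIT = timedelta(hours=1)     # access removed within one hour of employment ending
PARTNER_NOTIFICATION_LIMIT = timedelta(hours=24)  # business associates notified within 24 hours


def utc(*parts):
    """Shorthand for a timezone-aware UTC timestamp."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed HR feed: user -> time employment ended.
HR_TERMINATIONS = {
    "jdoe": utc(2025, 5, 6, 17, 0),
    "asmith": utc(2025, 5, 6, 17, 0),
    "bwong": utc(2025, 5, 6, 9, 30),
}

# Constructed directory export: user -> time the account was disabled (None = still enabled).
DIRECTORY_DISABLED_AT = {
    "jdoe": utc(2025, 5, 6, 17, 20),   # disabled 20 minutes after leaving: on time
    "asmith": utc(2025, 5, 6, 19, 5),  # disabled 2 h 05 min after leaving: late
    "bwong": None,                     # account never disabled
}

# Constructed record of users who also held PHI access at a business associate,
# and when that partner was notified (None = not notified).
PARTNER_ACCESS = {
    "jdoe": {"partner": "Example Lab (constructed)", "notified_at": utc(2025, 5, 7, 10, 0)},
    "bwong": {"partner": "Example Billing (constructed)", "notified_at": None},
}

# Point in time at which the review runs.
REVIEW_TIME = utc(2025, 5, 7, 12, 0)


def check_offboarding(terminations, disabled_at, partner_access, now):
    """Return (user, finding_code) pairs for every missed window.

    An account that is still enabled is judged against `now`; one that was
    disabled is judged against the time it was disabled. The partner
    notification is judged the same way.
    """
    findings = []
    for user, ended in terminations.items():
        disabled = disabled_at.get(user)
        if disabled is None:
            if now - ended > ACCESS_TERMINATION_LIMIT:
                findings.append((user, "STILL_ENABLED"))
        elif disabled - ended > ACCESS_TERMINATION_LIMIT:
            findings.append((user, "LATE_DISABLE"))

        external = partner_access.get(user)
        if external is not None:
            notified = external["notified_at"]
            if notified is None:
                if now - ended > PARTNER_NOTIFICATION_LIMIT:
                    findings.append((user, "PARTNER_NOT_NOTIFIED"))
            elif notified - ended > PARTNER_NOTIFICATION_LIMIT:
                findings.append((user, "PARTNER_NOTIFIED_LATE"))
    return findings


def run_sample():
    """Run the check over the constructed records."""
    return check_offboarding(HR_TERMINATIONS, DIRECTORY_DISABLED_AT, PARTNER_ACCESS, REVIEW_TIME)


if __name__ == "__main__":
    for user, code in run_sample():
        print(f"{user}: {code}")
```

On the constructed data the check reports asmith's late disable and both of bwong's misses (account still enabled, partner never notified), while jdoe passes both windows. The point of separating "still enabled" from "disabled late" is that the first is an open exposure to act on now, whereas the second is a process failure to record for the compliance audit.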

Access reviews, in-depth reporting and automated on/offboarding: tenfold offers comprehensive access governance with faster time to value!

With no-code configuration and out-of-the-box support for Windows, Microsoft 365 and common workplace apps, tenfold can be set up quickly and used productively without the need for full time IAM engineers.

5. Encryption At Rest & In Transit

Covered entities are now explicitly required to encrypt protected health information both at rest and in transit in a way that “meets prevailing cryptographic standards”.

Under the current Security Rule, encryption is an addressable requirement. However, OCR notes that in a 2021 Healthcare Cybersecurity Survey, only half of respondents reported encrypting data across their enterprise, despite existing guidance from both NIST and HHS.

6. Multi-Factor Authentication

Under the Authentication standard, the revised rule now mandates multi-factor authentication to verify that the person or entity seeking access is the one claimed.

Multi-factor authentication is required for all IT systems and as an additional safeguard for any action that would change a user’s privileges and ability to access PHI. If a tech asset does not support MFA, the entity can either migrate PHI to a system that does or (within limited exceptions) implement compensating controls. In addition, there are exceptions to the MFA requirement for FDA approved medical devices.

7. Technical Safeguards

The Security Rule NPRM includes a number of new or expanded technical security requirements:

  • Deploy anti-malware protection for all tech assets

  • Network segmentation to limit access to PHI (especially between internal IT and associates)

  • Remove unnecessary software from workstations and tech assets

  • Disable network ports based on the conducted risk analysis

  • Implement patch management and apply updates within 15 days for critical risks and 30 days for high risks
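The 15-day and 30-day remediation windows in the last item give a patch management program a concrete pass/fail criterion per finding. The following is an added example (not code from tenfold or the proposed rule) that classifies scanner findings against those windows; the findings list and asset names are constructed, and in practice the records would come from the vulnerability scanner joined with the asset inventory.

```python
"""Patch-deadline check against the proposed 15-day (critical) and 30-day (high)
remediation windows.

Added example, not code from tenfold or the NPRM. The findings below are
constructed for illustration.
"""
from datetime import date, timedelta

# Remediation windows named in the proposal. Other severities are left to the
# entity's own risk analysis and are reported as untracked here.
PATCH_DEADLINES = {
    "critical": timedelta(days=15),
    "high": timedelta(days=30),
}

# Constructed scanner export: one record per finding, open or closed.
FINDINGS = [
    {"id": "finding-001", "asset": "ehr-app-01", "severity": "critical",
     "detected": date(2025, 6, 1), "remediated": date(2025, 6, 10)},   # fixed in 9 days
    {"id": "finding-002", "asset": "ehr-db-01", "severity": "critical",
     "detected": date(2025, 6, 1), "remediated": None},                # still open
    {"id": "finding-003", "asset": "fileshare-02", "severity": "high",
     "detected": date(2025, 6, 1), "remediated": date(2025, 7, 5)},    # fixed in 34 days
    {"id": "finding-004", "asset": "kiosk-07", "severity": "high",
     "detected": date(2025, 6, 20), "remediated": None},               # open, still in window
    {"id": "finding-005", "asset": "printer-03", "severity": "medium",
     "detected": date(2025, 5, 1), "remediated": None},                # no deadline in the proposal
]

AS_OF = date(2025, 7, 1)  # date the report is produced


def evaluate(findings, as_of):
    """Classify each finding against its remediation deadline.

    Status values: on_time (fixed by the deadline), late (fixed after it),
    overdue (still open past it), open (still open, within the window) and
    untracked (severity with no window in the proposal). `days` is days late
    for late/overdue and days remaining for open.
    """
    results = []
    for f in findings:
        window = PATCH_DEADLINES.get(f["severity"])
        if window is None:
            results.append({"id": f["id"], "asset": f["asset"], "status": "untracked",
                            "deadline": None, "days": None})
            continue
        deadline = f["detected"] + window
        fixed = f["remediated"]
        if fixed is not None:
            status = "on_time" if fixed <= deadline else "late"
            days = max((fixed - deadline).days, 0)
        elif as_of > deadline:
            status, days = "overdue", (as_of - deadline).days
        else:
            status, days = "open", (deadline - as_of).days
        results.append({"id": f["id"], "asset": f["asset"], "status": status,
                        "deadline": deadline, "days": days})
    return results


def summary(findings, as_of):
    """Map finding id -> (status, days) for quick lookup and reporting."""
    return {r["id"]: (r["status"], r["days"]) for r in evaluate(findings, as_of)}


if __name__ == "__main__":
    for r in evaluate(FINDINGS, AS_OF):
        print(f'{r["id"]:<12} {r["asset"]:<14} {r["status"]:<10} {r["days"]}')
```

Run as of 1 July 2025, the constructed data yields one open critical finding 15 days past its deadline and one high finding that was fixed four days late, which is what an auditor would ask to see alongside the documented reason for each miss.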

8. Workforce Training

Covered entities must provide security awareness training for all workforce members as necessary “to carry out their assigned functions”. Security awareness training must cover:

  • The policies and procedures implemented to safeguard protected health information.

  • How to guard against, identify and report security incidents.

  • How to safely access information systems (password strength and safe usage).

Workforce members must receive security training within 30 days of receiving access to IT systems and training must be renewed at least once yearly.

9. Incident Response & Contingency Plans

Incident response and disaster recovery are another area that is already mandatory under the existing Security Rule, but where the rulemaking proposal goes into greater detail about implementation specifics.

Covered entities must establish a written incident response plan, documenting how workforce members are to report suspected incidents and how the organization will respond, with the goal of mitigating immediate harm, identifying and remediating the root cause and documenting the investigation of the incident.

Entities must also implement a written contingency plan to address such risks as vandalism, fire, natural disaster, system failure or security incidents. This emergency plan must include backups of PHI and IT systems, as well as a recovery plan to restore access to critical systems within 72 hours.

Incident response and contingency plans must be reviewed and tested at least once every 12 months, and modified based on the outcomes of these tests.

10. Security Tests

With the new Security Rule update, healthcare entities regulated by HIPAA would be required to conduct vulnerability scans at least every six months and perform penetration testing once every 12 months.

11. Compliance Audits

Under the new rule, organizations must perform and document a compliance audit every 12 months to verify that they and their business associates comply with each security standard and implementation specification of the Security Rule.

tenfold: Simple & Effective Access Control for PHI

As you can see, the rule proposal for the HIPAA Security Rule brings a renewed focus on cybersecurity with much stricter implementation standards. Healthcare organizations that lag behind existing guidance from NIST and HHS will have to double down on security to meet these new standards.

To comply with the access control requirements of HIPAA, entities need to:

  • Ensure appropriate, role-based access for all IT users

  • Correctly offboard exiting users to prevent unauthorized access

  • Document who has access to PHI in the organization

  • Regularly review access rights to ensure compliance

tenfold is a powerful and easy-to-use access governance platform that provides everything you need to comply with the relevant HIPAA requirements! Automated user lifecycle management ensures that every user receives the right privileges for their role in the organization, and loses them when they leave. In-depth reporting makes it easy to track access to PHI and streamlined access reviews make auditing a breeze.

But what truly sets tenfold apart is its quick deployment and time to value. Our entire platform can be configured through its no-code UI, with no scripting or custom code required. And thanks to out-of-the-box support for Active Directory, Microsoft 365 and workplace apps, tenfold is ready to go in just a few weeks, when conventional solutions take months or years to get off the ground.

Don’t waste your time with endless setups! Start on the path to fast and convenient access governance today by booking a personal tenfold demo.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.