Happy New Year and cheers to your IT plans for 2025!

On January 6, 2025, the Department of Health and Human Services (HHS) published proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information (ePHI) under HIPAA (the Proposed Rule). These changes are in response to significant increases in breaches and cyberattacks, changes in the healthcare environment, and observed compliance deficiencies. The Proposed Rule aims to enhance the confidentiality, integrity, and availability of ePHI by updating definitions, standards, and implementation specifications to reflect technological advancements and evolving cybersecurity threats.

For small to mid-sized healthcare providers especially, these changes, if put into effect, will have a substantial impact on business operations by creating a higher standard for your IT security and compliance. While the current HIPAA rules allow for the consideration of an entity’s size (42 CFR 164.306) when judging an entity’s compliance performance, the Proposed Rule’s commentary seems to suggest that such leniency may not be so lenient anymore. HHS cites significant deficiencies by small providers who had policies but did not implement or enforce them, and finds them among the most vulnerable because of their limited resources. Anecdotally, I agree, as I see healthcare clients who have some security policies on the protection of data, for example, but are using unsecured commercial email programs like Gmail, Yahoo and the like. Many practices also text patient information insecurely, particularly in on-call situations, use screenshots with sensitive information, and use out-of-the-box Wi-Fi hardware, all of which can potentially put ePHI over public spaces without their realizing it. Additionally, the proliferation of AI to do so many seemingly benign business tasks could also be exposing your sensitive ePHI to the public.

A good IT vendor is key for healthcare providers. Many of the revisions in the Proposed Rule are around higher physical and technical safeguard standards. In the era of cloud-based EMRs and file storage, we are no longer worried about paper on desks and locked file cabinets and doors, but about locked ports on network devices and access points into cloud-based applications like document management programs, imaging devices and EMRs.

Using a third party to manage this data and expecting that vendor has it covered is no longer a reliable strategy, even with a business associate agreement (BAA). First, as the owner of ePHI, you are responsible for the safekeeping of your data, even if you let someone else handle it. In the earlier iterations of HIPAA, HHS expressly stated it would hold business associates accountable for failure to maintain ePHI. However, in these Proposed Rules, HHS is seemingly putting the onus back on the data owners to ensure their vendors are doing what they are supposed to be doing. Second, that means that as a healthcare provider, you must vet and hold your IT vendors accountable in an area in which you may not have expertise. Many IT vendors say they are HIPAA compliant, but, like many commodity providers, not all IT vendors are created equal. HHS’s intent in the Proposed Rule is to give providers some specific standards to help with that oversight.

In addition to IT management, workforce training requirements and updates to business associate agreements would also be required under the Proposed Rule. Here is a list of some key proposed changes:
Administrative Safeguards
Risk Analysis and Management: Strengthening requirements for conducting thorough risk analyses and implementing risk management strategies.
Technology Asset Inventory: Requirement to conduct and maintain an accurate inventory and network map of electronic information systems and technology assets.
Patch Management: Policies and procedures for timely application of patches and updates.
Sanction Policy: Policies for sanctioning workforce members who fail to comply with security policies.
Information System Activity Review: Regular review of records of activity in electronic information systems.
Workforce Security: Procedures to ensure appropriate access to ePHI and prevent unauthorized access.
Security Incident Procedures: Response plans for security incidents.
Contingency Plan: Procedures for responding to emergencies affecting electronic information systems.
Compliance Audit: Annual audits of compliance with security standards.
Physical Safeguards
Facility Access Controls: Ensuring physical safeguards apply to all relevant electronic information systems and technology assets, including mobile and cloud-based environments.
Technology Asset Controls: Procedures for the receipt, removal, and disposal of technology assets.
Maintenance Requirements: Adding requirements for regular review and testing of physical safeguards.
Technical Safeguards
Encryption and Decryption: Requiring the implementation of encryption mechanisms for ePHI both in transit and at rest.
Multi-Factor Authentication (MFA): Mandating the use of MFA to enhance access controls.
Technical Controls: Introducing requirements for network segmentation, intrusion detection systems, and other technical controls to protect ePHI.
Configuration Management: Technical controls for securing electronic information systems and technology assets.
Transmission Security: Technical controls to protect ePHI during transmission.
Vulnerability Management: Regular vulnerability scanning and penetration testing.
Data Backup and Recovery: Technical controls for creating and maintaining backups of ePHI.
Business Associate Agreements
Notification Requirements: Requiring business associates to promptly notify covered entities of any security incidents or breaches.
Verification of Safeguards: Ensuring business associates verify the implementation of required technical safeguards.
Notification of Contingency Plan Activation: Prompt notification to covered entities upon activation of a contingency plan.
Documentation Requirements
Comprehensive Documentation: Strengthening documentation requirements to ensure all actions, activities, and assessments related to security measures are thoroughly documented.
Regular Updates: Mandating regular updates to documentation to reflect changes in the security environment and organizational practices.
Transition Provisions
Extended Compliance Period: Allowing additional time for updating business associate agreements and plan documents to comply with the revised Security Rule.
Standard Compliance Date: Proposing a standard compliance period of 180 days after the effective date of the final rule.
Grandfathering Existing Contracts: Providing a transition period for existing contracts to be updated.
New and Emerging Technologies
Request for Information: Seeking input on the impact of new technologies such as quantum computing, artificial intelligence (AI), and virtual/augmented reality (VR/AR) on the security of ePHI.

As I review the list of changes, I see many terms and concepts that the non-tech-savvy user does not fully appreciate. Thus, swift engagement with your IT vendor is critical. I would also recommend shopping multiple vendors to have a reference point and to compare capabilities and fit with your company. Even if the Proposed Rule does not go into effect, many of the changes are merely a more expressly written version of what should have been implied anyway under the current rule (i.e., if you have a policy, you follow and enforce it). Thus, some of these revisions are not necessarily “new”.
Key Takeaways
Public Comments: HHS seeks public comments by March 7, 2025.
Effective Date: The final rule would be effective 60 days after publication, with a standard compliance period of 180 days.
IT as a Priority in 2025: If IT strategy was not on your list or at the top of it in 2025, consider making that number 1.
Cost Considerations: Although the costs to develop, enhance and implement your IT strategy will be high, the costs in dealing with a breach and/or enforcement action will be much more.

Because the Proposed Rule reads like a foreign language for many, I’m happy to discuss your current compliance status and help you identify next steps, including partnering with you along that journey. Please contact me for more information.
This information has been provided as a general guide for educational purposes by Vanguard Health Law, LLC. It is not legal advice, which is always given by an engaged attorney who understands the particular facts of your situation and can provide the most appropriate advice.