Recently, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule—the first update to the rule since 2013. OCR’s NPRM was closely followed by six enforcement settlements this month, which further highlight OCR’s goal of enhancing cybersecurity protections for health data. All but one of the January settlements were rooted in security failures.
The NPRM seeks to better align the Security Rule with industry standards and best practices, and to guide HIPAA-regulated entities in their development of stronger and more structured cybersecurity programs.
The NPRM arrives after the health sector has experienced a series of high-profile cyberattacks and amid congressional proposals to increase security, including the Health Infrastructure Security and Accountability Act. OCR has recently focused on ransomware and hacking as the “primary cyberthreats in health care.” While this flurry of activity may have been driven by the impending change in Administration, OCR noted in its announcement of the NPRM that the Security Rule update is long overdue given the exponential rise, complexity and severity of cybersecurity events affecting the healthcare ecosystem.
Key Takeaways
- While the NPRM is not yet effective, OCR’s growing list of enforcement actions indicates it will continue to scrutinize regulated entities’ compliance with what it sees as industry standard cybersecurity controls.
- Many of the proposed safeguards are consistent with OCR’s current security expectations. Businesses should review and align their security programs with existing OCR guidance, including HHS’s 2024 guidance published with NIST.
- HIPAA-regulated entities using Artificial Intelligence (AI) to process protected health information (PHI) should review policies and procedures to align with commentary in the NPRM.
- The preamble’s discussion of AI implies that the use of such technology is ripe for regulatory scrutiny.
- Notably, OCR highlighted the importance of understanding and regulating AI’s use in health care, especially when used for diagnosis and treatment.
- Referencing Executive Order 14110 from 2023, the agency said the proposed updates to the Security Rule were aligned with a White House goal of making AI “safe and secure” while navigating its “opacity and complexity.” OCR stated that “regulated entities must be prepared to identify, mitigate, and remediate such risks and vulnerabilities” related to AI.
Noteworthy Updates: Five Things the Proposed Update Would Require
While a more complete list of the proposed changes can be found on OCR’s Fact Sheet, we have put together a list of new or updated requirements to help guide your business’s review of its security processes, policies and procedures.
Here are five things the proposed update would require regulated entities to do:
- Develop a technology asset inventory and network map. The proposed rule would require regulated entities to conduct and maintain an accurate and thorough written technology asset inventory and network map of all assets that may affect the confidentiality, integrity, or availability of electronic protected health information (ePHI).
Regulated entities would have to review and update the asset inventory and network map at least once every 12 months. While having an inventory and map is not an explicit requirement of the current Security Rule, OCR noted it is a “fundamental component of conducting a risk analysis and many other existing requirements” under the Security Rule. Any technology assets a regulated entity uses to create, receive, maintain or transmit ePHI to a business associate would also need to be accounted for in the entity’s technology asset inventory and network map.
- Enhance existing safeguards. One of the main goals of the proposed update is to clarify the safeguards regulated entities are expected to have in place. The proposed rule includes several new, explicit cybersecurity program requirements, including:
  - Instituting vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  - Implementing or strengthening network segmentation.
  - Reviewing and testing the effectiveness of certain security measures, such as physical and technical access controls, at least once every 12 months.
- Conduct an updated risk analysis. OCR noted that regulated entities often do not perform compliant risk analyses. As a result, it proposes requiring a regulated entity to meet eight specific implementation specifications when conducting a risk analysis. Regulated entities would be required to review, verify and update the analysis at least once every 12 months.
- Establish procedures to restore critical information systems and data within 72 hours. The proposed rule would require regulated entities to establish (and implement as needed) written procedures to restore their critical relevant electronic information systems and data within 72 hours of a loss. Other relevant information systems and data would have to be restored in accordance with the regulated entity’s criticality analysis.
- Ensure additional reporting from business associates. The proposed update would impose additional requirements on business associates:
  - Business associates would have 24 hours to notify a covered entity of contingency plan activation. The proposed rule would require a regulated entity to activate its contingency plan to respond to an emergency or other occurrence that adversely affects relevant electronic information systems. In addition, business associate agreements would have to include provisions requiring the business associate to report the activation of its own contingency plan to the covered entity within 24 hours.
  - Annual audit verification. Covered entities already must obtain satisfactory assurances that their business associates will comply with the Security Rule. Under the proposed rule, covered entities would also have to obtain written verification, at least once every 12 months, that each business associate has deployed the required technical safeguards. The written analysis would be performed by a person with knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity and availability of ePHI. It would also have to include a written certification by a person who has the authority to act on behalf of the business associate that the analysis has been performed and is accurate.
What’s Next
OCR is seeking comments on the proposed changes until March 7. After that, OCR may address and incorporate those comments when it issues a final rule.
While the proposed rule is not yet final, many of the proposed updates align with existing guidance that HHS has published in recent years. Notably, businesses should focus on reviewing the existing Security Rule, the NIST Cybersecurity Framework and HHS’s Cybersecurity Performance Goals.
While there are no guarantees, and the requirements could change, we believe it is likely the new administration will look favorably on the efforts to increase cybersecurity in health care.
The Orrick team is available to support your organization’s cybersecurity needs. We can help build or enhance a cybersecurity program tailored to businesses in the healthcare space, and respond to and manage an incident from discovery through notification and post-incident regulatory inquiries. If you have questions, reach out to our authors (Thora Johnson, Alyssa Wolfington, and Michaela Frai) or other members of the Orrick team.