OCR Delivers A Year-End Surprise: A Draft Update of HIPAA's Security Rule
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) delivered a late-December surprise: a draft overhaul of the Health Insurance Portability and Accountability Act of 1996’s (HIPAA) Security Rule. [The official Notice of Proposed Rulemaking (NPRM) drops January 6.] OCR is proposing to drag the rule into modernity by creating a more prescriptive framework that aligns the rule—which hasn’t been updated since 2013—with industry norms on topics such as encryption, data mapping, and multifactor authentication (MFA). Those changes do not come cheap ($9 billion in estimated compliance costs for year one), but they would come fast (240 days after the rule is finalized).
Background
OCR adopted the Security Rule in 2003 to implement HIPAA’s requirement that covered entities maintain appropriate safeguards for electronic protected health information (ePHI). OCR then updated the rule in 2013 to, among other things, require business associates to comply with the rule’s security framework. The framework is presented as a series of standards and implementation specifications. [Check out OCR’s primer on the current rule.] A regulated entity must satisfy the standards, while the specifications are categorized as required (must be implemented) and addressable (must be implemented if doing so is reasonable/appropriate). This system was purposefully designed to maximize flexibility.
OCR now believes its current approach is not the answer. Change, OCR contends, is needed because of the new landscape: records are increasingly digital and cybersecurity has evolved, while regulated entities largely have not kept up. The NPRM dives into the (1) increased impact and frequency of cyberattacks in the health care space affecting patients, (2) failure of regulated entities to adequately invest in cybersecurity, and (3) findings of pervasive noncompliance with (and confusion about) the current rule. OCR also explains that its proposal is shaped by the belief that regulated entities would benefit from greater specificity. These considerations pushed OCR to strengthen protections through more granular requirements that come at the expense of some, but not all, flexibility for regulated entities.
Proposed Changes
OCR is pushing a more prescriptive cybersecurity framework that generally tracks industry standards. [The updates bear more than a passing resemblance to the New York Department of Financial Services Cybersecurity Regulations.] The changes fall into three general camps: making implementation specifications mandatory, enhancing existing requirements, and adding new obligations. First, OCR eliminated the “addressable” vs. “required” distinction for implementation specifications: All the specifications would be required, unless an exception applies. Second, OCR added more details to issues covered in the current rule. For example, OCR is requiring written policies/documents on existing topics (e.g., sanctions and risk management), adding timing requirements (e.g., annual tests of the incident-response plan), and expanding existing obligations (e.g., requiring that a risk analysis address elements such as the asset inventory and security measures). Third, OCR proposed new requirements, including:
Administrative Measures
- Asset Inventory. Create an inventory of technology assets (hardware, software, and data)
- Network Map. Create a network map showing the flow of ePHI through the entity’s systems
- Patch Management. Establish procedures for applying patches/updates in a timely manner (and OCR says the general rule is to act within 15 days for “critical risks” and 30 days for “high risks”)
- Termination Procedures. Terminate employee access within one hour of their employment ending and notify other regulated entities about the change in privileges within 24 hours
- Network Segmentation. Ensure only authorized workstations have access to ePHI
- Disaster Recovery. Develop process to restore critical data/systems within 72 hours (and have a plan to restore non-critical data/systems)
- Compliance Audit. Conduct an audit of entity’s compliance with the Security Rule’s standards and implementation specifications at least once every 12 months
- Business Associate Verification. Require business associate to provide an expert’s analysis verifying their compliance with each standard and implementation specification
Some of the above requirements are framed as obligations to develop written policies and procedures to accomplish the specified objectives.
Physical Safeguards
- Access Restrictions. Maintain procedures to limit physical access to information systems
- Disposal/Sanitation. Ensure process for removing PHI from media or disposing of ePHI (and assets containing such data) is aligned with current standards
Technical Safeguards
- Administrator Accounts. Separate user identities from those used for increased privileges
- Login Protections. Disable user access after an appropriate number of failed login attempts
- Network Segmentation. Use technical controls to segment information systems
- Encryption. Encrypt ePHI at rest and in transit, unless an exception applies
- Secure Baseline. Establish and maintain secure baseline for information systems and technology assets (e.g., remove extraneous software and deploy anti-ransomware measures)
- Real-Time Logging. Use assets/controls to monitor activity in real time, record that activity, spot suspicious activity, and alert workforce members to potential issues
- Multifactor Authentication. Use MFA for accessing certain information systems or changing user privileges in situations affecting their ability to alter/access PHI, unless an exception applies
- Automated Scanning. Conduct automated vulnerability scans at least once every six months
- Penetration Testing. Perform penetration testing at least once every 12 months
- Data Backups. Create retrievable copies of ePHI at least once every 48 hours, use controls to flag backup failures, and test the recovery process at least once per month
- System Backup/Recovery. Create backups of relevant information systems and test that process at least once every six months
Organizational Measures
- Contracts. A business associate agreement must require the business associate to notify the covered entity within 24 hours of activating its contingency plan
For most of the above changes, OCR also added a review element: a regulated entity must review (and sometimes test) the safeguard at least once every 12 months.
Next Steps
OCR will publish the NPRM in the Federal Register on January 6. That kicks off a 60-day notice-and-comment period. OCR will then review the comments and decide whether to (1) withdraw the proposed rule, (2) issue a final rule with no (or minor) modifications, or (3) make material modifications and kick off a new notice-and-comment period.
For those of you doing some back-of-the-envelope math, you may have spotted the elephant in the room: The 60-day period will end in a new administration. It’s fair to wonder if the proposal will survive that change in administration, but the proposal stands a fighting chance of making it through because there is bipartisan support for strengthening HIPAA’s security framework. In fact, a bipartisan group just introduced a bill to strengthen HIPAA’s security requirements along the lines (at least in part) of what OCR is proposing here.
Possible Effective Dates
Assuming we get a final rule, the turnaround time for compliance is short: OCR is proposing that regulated entities must comply within 240 days after publication of the final rule. But there is a small (less than a year) extension for updating business associate agreements that predate the final rule’s publication date and are not modified after the rule’s effective date (60 days after publication).