Proposed Rulemaking to Strengthen HIPAA Security and Cybersecurity Protections

The Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”), which administers and enforces the HIPAA Security Rule (“Security Rule”), recently issued a Notice of Proposed Rulemaking (NPRM) to strengthen cybersecurity protections for electronic protected health information (ePHI).

The proposed rule introduces several new requirements and clarifications that will have a significant impact on health plans’ operations and cybersecurity protocols. Below, we outline the key changes of which health plans need to be aware.

DOCUMENTATION REQUIREMENTS

  • Policy and Procedure Updates: Require written documentation of all security rule policies, procedures, plans, and analyses. Including updates to definitions and revised implementation specifications to reflect changes in technology and terminology.
  • Compliance Time Periods: Add specific compliance time periods for existing requirements.
  • Technology Asset Inventory: Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Plan Documents: Require group health plans to include in their plan documents requirements for plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

HEALTH PLAN OPERATIONS

  • Notification of Access Change: Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Contingency Planning and Security Incident Response: Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Encryption: Require encryption of ePHI at rest and in transit, with limited exceptions.
  • Technical Safeguards: Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Multi-Factor Authentication: Require the use of multi-factor authentication, with limited exceptions.
  • Network Segmentation and Backup: require network segmentation and require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Business Associate Notifications: Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

COMPLIANCE AUDIT

  • Annual Compliance Audits: Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Risk Analysis: Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map.
    • Identification of all anticipated threats to the confidentiality, integrity, and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Business Associate Oversight: Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Vulnerability Scanning and Penetration Testing: Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Effectiveness of Security Measures: Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.

The current Security Rule remains in effect while HHS is undertaking this rulemaking. HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments through regulations.gov.

Public comments on the NPRM are due March 7, 2025, 60 days after the NPRM was published in the Federal Register on January 6, 2025.

The Fact Sheet is available for viewing and downloading HERE.

The NPRM may be viewed or downloaded HERE.

Please continue to follow regulatory updates and other important compliance information.

Contact the 6 Degrees Health compliance team today for more information.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

503.640.9933
3439 NE SANDY BLVD., SUITE 384, PORTLAND, OR 97232
INFO@6DEGREESHEALTH.COM

PAYMENT INTEGRITY

Clean Claim Review
Data Mining & Recovery
Custom Out-of-Network

EMPLOYER SOLUTIONS

Reference-based Pricing
Out-of-Network
Transplant and Specialty
Client Portal Login

RESOURCE CENTER

Fireside Chat Webinars
Industry Updates
MediVI

COMPANY

About Us
New Case Submission
Careers
Contact Us

Copyright © 2024  6 Degrees Health Dx, LLC. All Rights Reserved..

Privacy Policy   Terms of Use

Brokers and TPAs Need to be Aware: The December 31, 2024 Gag Clause Attestation...