The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has a HIPAA holiday present – new proposed HIPAA Security Rule changes. These are not minor changes but a major revision. This new proposed rule is due in part to the fact that the healthcare industry has been brutally attacked by ransomware hackers and others for years.
The proposed rulemaking is here.
Here are a few key changes, quoted from the HHS press release. Note that this is not the complete list from the press release, just some things I found notable:
- Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
- Require written documentation of all Security Rule policies, procedures, plans, and analyses.
- Add specific compliance time periods for many existing requirements.
- Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
- Require greater specificity for conducting a risk analysis.
- Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
  - Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  - Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
  - Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  - Implement written procedures for testing and revising written security incident response plans.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- Require encryption of ePHI at rest and in transit, with limited exceptions.
- Require the use of multi-factor authentication, with limited exceptions.
- Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Require network segmentation.
- Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
The proposed HIPAA Security Rule mentions training countless times, including this key sentence: “Many regulated entities have determined that twice-annual training and monthly security updates are necessary, given their risk analyses.”
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses.