January 14, 2025
On January 6, 2025, HHS published proposed regulations relating to HIPAA’s Security Rule requiring numerous additional policies and procedures, imposing substantial ongoing maintenance efforts, and addressing common compliance shortfalls identified by HHS in several recent enforcement investigations. According to the proposed rules, HHS wanted to address the significant technology changes and developments since the Security Rule was published and updated (last revised in 2013), including the increase in cybersecurity attacks involving electronic protected health information (ePHI) and recent technological advancements in artificial intelligence (AI). The proposed regulations are dense and lengthy; below is a high-level overview of some of the key changes the regulations address.
On modernizing the Security Rule, the proposed regulations require covered entities, which include group health plans and insurers, to maintain a thorough and accurate inventory of technology assets and network map of electronic information systems — both of which must be updated annually.
In addition to an annual risk analysis, the regulations require covered entities to run and document an annual compliance audit on each standard and implementation specification outlined in the Security Rule. Specifically, the proposed regulations state that a covered entity must conduct vulnerability scanning at least every six months and penetration testing at least annually. In addition, a covered entity would be required to verify every 12 months that a business associate (BA) or subcontractor has in place appropriate technical safeguards as part of the business associate agreement (BAA) contracting process; this would include a written analysis of the BA’s information systems and a certification (from an authorized individual at the BA entity).
Lastly, a covered entity would have to establish and implement a written contingency plan relating to a cybersecurity attack, including data backup procedures, disaster recovery, and emergency mode operations. The regulations specify that a disaster recovery plan must outline a procedure for critical system restoration within 72 hours of a loss.
With respect to AI, according to the proposed regulations, HIPAA applies to ePHI in AI training data, algorithm data, and prediction models that a covered entity maintains for covered functions. Specifically, if a covered entity’s AI model uses patients' or participants' data, there could be unauthorized uses and disclosures of ePHI in violation of HIPAA’s rules. Thus, a covered entity that engages AI tools would be required to include those tools as part of its risk analysis and risk management compliance activities. The regulations state that the risk analysis would need to consider: the amount and types of ePHI accessed by the AI tool, the party to whom this data is disclosed, and which party receives the AI tool’s reports.
As for timing, under the proposed regulations, a transition period would allow regulated entities time to comply with the new requirements. Entities will be expected to comply with the new requirements within 180 days of the effective date of the final rule (assuming it is finalized). Entities will also have additional time to update their business associate agreements: by the earlier of the contract renewal date or one year after a final rule's effective date. Public comments on the proposed regulations must be submitted within 60 days of January 6, 2025 (the date the proposed regulations were published in the Federal Register).
For employers, if finalized, the HHS regulations create a substantial change to the HIPAA Security Rule, requiring additional (and significant) employer compliance hurdles. Some challenges for employers would include upgrading existing cybersecurity practices, drafting and implementing new policies and procedures, and implementing additional training programs relating to the changes. It remains to be seen how the incoming Trump administration will handle the proposed regulations — it’s possible the incoming administration will choose not to finalize the regulations or otherwise modify them. Employers and their information technology support teams should be aware of the significant changes outlined in the proposed regulations and should monitor the developments relating to the incoming administration.
FederalRegister.gov, Proposed Regulations
PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.