
Hold onto your compliance hats: big changes are brewing for HIPAA’s Security Rule! The Notice of Proposed Rulemaking (NPRM) is officially out for public comment, and it’s clear HHS and OCR are on a mission to modernize and tighten the safeguards for electronic protected health information (ePHI). From clarifying risk analysis expectations to making security requirements less, well, “vague,” these updates aim to bolster patient safety and data protection while keeping pace with today’s tech-driven world. But with great updates come great responsibilities for covered entities and business associates alike, so now’s the perfect time to weigh in and help shape the final rule before it’s set in stone.
In this episode: HIPAA Security Changes Are Here: We Saw This Coming – Ep 492
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Security Changes Are Here: We Saw This Coming
[03:33] This is the first round, called the NPRM. Anyone can submit comments on or before March 7, 2025. Grab your copy of the riveting read and submit your comments on specific sections in the Federal Register. Submitting comments is your chance to influence the final rule; otherwise, we get what we get. The comments will be reviewed and a final rule will be published based on that review. Sometimes they do make significant changes, as they did with the breach notification rule assessment requirement back in 2013.
How long do we have to get this stuff done? The “effective date” would be 60 days after the date of the final rule’s release. The “compliance period” would be 180 days after the effective date, by which time you are supposed to have the changes done. You can comment on the timing of those things too.
They do suggest extending that time frame, but only for business associate agreement (BAA) changes, just like they did with the HITECH Final Rule. It is feasible you would need to address most of these changes in the next 12-18 months.
As for how the chaos of our government could impact this, who knows! But this topic is not one many will argue about. It is not just bipartisan, it is non-partisan, or as close as you can get to that these days.
The best news is that if you have done what we have been telling you to do, implementing HICP and the HPH CPGs with solid documentation of activities and written policies and procedures, you have the vast majority of the work already done! We’re talking at least 75% or even more.
Why make the changes?
As the Executive Summary states, based on everything that has changed and how hard the industry has been hit with attacks, they feel it is “appropriate to consider modifying the Security Rule to address the following:
- Significant changes in technology.
- Changes in breach trends and cyberattacks.
- HHS’ Office for Civil Rights’ (OCR’s) enforcement experience.
- Other guidelines, best practices, methodologies, procedures, and processes for protecting ePHI.
- Court decisions that affect enforcement of the Security Rule.”
These changes are not substantial revisions to the regulations. The rule requirements are basically the same; the changes codify specific activities “that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text”. There are a lot of details included in the discussion about why the changes are needed, which I encourage you to read if you have any interest in the topic at all. There is even a direct link to where that begins in our show notes: III. Justification for This Proposed Rulemaking
They use the security risk analysis (SRA) as an example: it is already required and always has been. All they have done is add specific things that must be done as part of the SRA. Those things should have already been done, but now they are spelled out in the regulations.
This should make some folks happy: the ones who say the rule is too vague will get more specifics. Of course, you could have just listened to our episodes on adopting HICP and the CPGs, documentation, SRAs, encryption, and pretty much everything else in here.
Now that we’ve covered the big picture, let’s dive into the specifics. In this episode, we’ll review the key points outlined in the NPRM fact sheet. For those in the Kardon Club and HIPAA for MSPs, keep an eye out for exclusive deep-dive sessions tailored for our members. And don’t forget—both groups enjoy significant discounts on our PRISEC Bootcamp! With these upcoming changes, there’s never been a better time to prepare and strengthen your compliance strategy. Spaces are filling up fast, so act now!
List of Changes: Our First Pass
[13:59] The PDF with all the details from the Federal Register is almost 400 pages. No way we got through that yet! We will rely on the fact sheet list for this episode. Directly from the HHS fact sheet:
The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:
- Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
- Require written documentation of all Security Rule policies, procedures, plans, and analyses.
- Update definitions and revise implementation specifications to reflect changes in technology and terminology.
- Add specific compliance time periods for many existing requirements.
- Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
- Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
  - A review of the technology asset inventory and network map.
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  - Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- [24:39] Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
  - Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  - Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
  - Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  - Implement written procedures for testing and revising written security incident response plans.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- [32:09] Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. (someone with appropriate knowledge and experience in generally accepted cybersecurity principles and methods)
- Require encryption of ePHI at rest and in transit, with limited exceptions.
- Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
  - Deploying anti-malware protection.
  - Removing extraneous software from relevant electronic information systems.
  - Disabling network ports in accordance with the regulated entity’s risk analysis.
- Require the use of multi-factor authentication, with limited exceptions.
- [45:08] Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Require network segmentation.
- Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
- Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
- (This is particularly relevant for self-funded plans or employers with access to ePHI.) Require group health plans to include in their plan documents requirements for their group health plan sponsors to:
  - comply with the administrative, physical, and technical safeguards of the Security Rule;
  - ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and
  - notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
Stay informed and ready with us as the NPRM evolves and the final rule takes shape. Whether it’s updates, insights, or support, we’ve got you covered through this podcast, the Kardon Club, HIPAA for MSPs and our PriSec Boot Camp. When the changes drop, don’t face them alone—reach out to ensure you’re prepared and protected from scams. That’s what we’re here for!
The NPRM is more than just a to-do list for healthcare organizations—it’s a wake-up call. These proposed updates to the Security Rule are about more than checking boxes; they’re about protecting lives through better data security. So as the comment period ticks on, now’s your chance to weigh in, make your voice heard, and ensure your organization is prepared for what’s to come. Remember, staying ahead of the curve today will make tomorrow’s compliance challenges a whole lot easier to handle.
HIPAA is not about compliance, it’s about patient care.™