
Key components of the HHS Security Rule NPRM


The long anticipated HIPAA Security Rule Notice of Proposed Rule Making strives to strengthen electronic protected health information cybersecurity.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is coming in like a lion from the start of 2025. For example, three enforcement actions involving either covered entities or business associates related to Privacy Rule and Security Rule violations (ransomware, the lack of an annual risk analysis, and deletion of protected health information) were announced within the first week of the New Year.

On Jan. 6 the United States Department of Health and Human Services, Office for Civil Rights (HHS-OCR) published the long anticipated HIPAA Security Rule Notice of Proposed Rule Making (NPRM), which strives to strengthen electronic protected health information (ePHI) cybersecurity. The purpose is to ensure that the confidentiality, availability and integrity of ePHI remain intact in an increasingly pernicious cyber threat environment. The proposed items should come as no surprise in light of the Health and Public Health (HPH) critical infrastructure sector's HPH Cybersecurity Performance Goals, which HHS issued in early 2024, as well as the increase in ransomware and other cyber-attacks, including the attack on United Healthcare.

The HPH “goals” were broken down into “essential goals,” which address common vulnerabilities and mitigate risk by adopting core prevention, detection and correction items, and “enhanced goals,” which help organizations with a mature cybersecurity program and infrastructure elevate their defense strategy to protect against emerging threat vectors. Some of the “essential items” include email security, safe and effective multifactor authentication (MFA), HIPAA and cybersecurity training, and conducting an annual risk analysis to identify gaps in technical, administrative and physical safeguards under the Security Rule and correct them in a comprehensive and timely manner. Ironically, the “enhanced goals” are already required by the Security Rule.

This brings us to the HIPAA Security Rule NPRM (90 Fed. Reg. 898 (Jan. 6)). Public comments are due by March 7. If a covered entity or business associate has been conducting a valid risk analysis and correcting deficient technical, administrative and physical safeguards since 2005 (or at least since the 2013 Omnibus Rule) or since the company’s inception (most have not), then the likelihood of readiness is substantially greater.

In my experience the lack of compliance stems from two key items: (1) corporate culture regardless of the size of the organization; and (2) the unwillingness to spend money on an annual risk analysis and other adequate and required safeguards.

While it is unknown what items or language will ultimately make it into the eventual Final Rule, covered entities and business associates alike should take note that “[t]he Department is concerned by the increasing numbers of breaches and other cybersecurity incidents experienced by regulated entities.” 90 Fed. Reg. at 900. There are key items and areas to consider now. Some examples follow:

  • Three key words to notice are “clarifying”, “modifying” and “adding” in relation to CFR §164.304 – Definitions.
  • CFR § 164.306 – Security Standards.
  • CFR § 164.308 – Administrative Safeguards.
  • CFR § 164.310 – Physical Safeguards.
  • CFR § 164.312 – Technical Safeguards.
  • CFR § 164.314 – Organizational Requirements.
  • CFR § 164.316 – Documentation Requirements.
  • Emerging and New Technologies including “quantum computing”, artificial intelligence (AI), virtual and augmented reality (VR and AR).

As a reminder, “[t]he Security Rule was initially published in 2003 and most recently revised in 2013.” 90 Fed. Reg. at 899 (citing 68 Fed. Reg. 8334 (Feb. 20, 2003) and 78 Fed. Reg. 5566 (Jan. 25, 2013)). Since that time, technology has evolved from the preventive, detective and threat vantage points alike. One needs to approach defensively and offensively simultaneously. (Think: the football scene in Top Gun Maverick, when offense and defense are being played at the same time.) Quantum computing is something that several agencies have been evaluating for the potential benefits and drawbacks of quantum information science (i.e., “the study of ‘the impacts of quantum physics properties on information science’”). One of the drawbacks, which has a direct impact on electronic health information, is the adverse effect on encryption: quantum computing undermines the security of asymmetric cryptography, which in turn compromises the integrity and confidentiality of communications. The NPRM (not surprisingly) includes this in the annual risk analysis.

Another area of emerging technology is AI. “Section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 defined AI to include the following:

  • Any artificial system that performs tasks under varying and unpredictable circumstances without significant human oversight, or that can learn from experience and improve performance when exposed to data sets.
  • An artificial system developed in computer software, physical hardware, or other context that solves tasks requiring human-like perception, cognition, planning, learning, communication, or physical action.
  • An artificial system designed to think or act like a human, including cognitive architectures and neural networks.
  • A set of techniques, including machine learning, that is designed to approximate a cognitive task.
  • An artificial system designed to act rationally, including an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communicating, decision making, and acting.” 90 Fed. Reg. at 989-990.

The issues around AI, as they relate to the Security Rule, are data mining of sensitive information and bad actors using AI to threaten the privacy and security of ePHI by initiating attacks that are more sophisticated, more frequent, and more pernicious. Again, this is an area to include in an annual risk analysis.

In sum, the NPRM builds on existing requirements, modifies others, and places emerging technologies within the scope of an annual risk analysis. As covered entities and business associates alike strive to cultivate a culture of compliance, training and corporate culture are going to be key factors in achieving the goal of ensuring the confidentiality, integrity and availability of ePHI.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

© 2025 MJH Life Sciences