HHS Office of Civil Rights Releases Proposed Rules under the HIPAA Security Rule
Background
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to ensure that health insurance coverage would remain continuous for covered participants and to simplify the administration of health insurance transactions. In 1999, the HIPAA Privacy Rule was developed; it set the stage for the definition of Protected Health Information (PHI) and established standards for the use and disclosure of PHI by covered entities (defined as health plans, data clearinghouses, and healthcare providers). In 2003, the Privacy Rule became effective and the HIPAA Security Rule was adopted (one of several rules collectively referred to as “the Security Rule” or “the HIPAA Security Rule” throughout this document). The Security Rule required covered entities (and later, business associates) to implement administrative, physical, and technical safeguards to protect ePHI. The Security Rule defines ePHI as “individually identifiable health information (IIHI) transmitted or maintained in electronic media.” Specifically, the Security Rule requires covered entities (and later business associates) to “ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats or hazards to the security or integrity of the information and reasonably anticipated impermissible uses or disclosures; and ensure compliance by their workforce.”
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to strengthen the HIPAA Privacy and Security Rules and promote the transition to ePHI. In 2013, the HIPAA Omnibus Rule was introduced, which revised the HIPAA Rules, implemented several provisions of the HITECH Act, extended the HIPAA requirements to business associates (defined as “a person or entity that performs activities for a covered entity that involves the use or disclosure of PHI”), and increased penalties for HIPAA non-compliance. In 2019, the Office of Civil Rights (OCR) turned its focus to individuals’ rights as they relate to their health records under the Patient Right of Access Initiative. Final rules were later adopted to support and protect reproductive health rights and privacy, effective December 23, 2024.
Proposed Changes to the HIPAA Security Rule
In January of 2025, the proposed rules titled “Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” (hereinafter referred to as the “proposed rules”) were published. They are intended to address the current need for stronger cybersecurity protection of ePHI under the HIPAA Security Rule. Given the widespread use of computers and network technologies in health care and the risks posed by bad actors (e.g., hackers deploying ransomware against health care information), the Office of Civil Rights (hereinafter referred to as “the Department”) believes that covered entities and business associates (collectively referred to as “regulated entities”) should implement further protections for ePHI that may not have been clearly required or consistently applied under the previous HIPAA Security Rule. The Department is taking proactive measures to adapt current regulations (and adopt new ones) to address the technology advances of the decade since the HIPAA Security Rule was last revised. The Department also released revisions to the HIPAA Security Rule because it found significant inconsistencies in how the HIPAA Security Rule has been implemented and enforced among regulated entities.
The proposed rules include significant changes and additions to the current definitions and terms sections of the HIPAA Rules (including the adoption of terms such as Artificial Intelligence (AI), Augmented Reality (AR), Virtual Reality (VR), Multi-factor Authentication (MFA), Electronic Information System, Risk, Technical Controls, Security Measures, and Vulnerability) and update the current definitions of the following terms: Access, Authentication, Confidentiality, Malicious Software, Physical Safeguards, and Security/Security Measures. In addition, the Department sought the advice of other agencies and organizations (e.g., the National Committee on Vital and Health Statistics, the National Institute of Standards and Technology, and the Office of the National Coordinator for Health Information Technology) to help shape a more effective policy for protecting ePHI while still providing flexibility to regulated entities in implementing these cybersecurity rules.
One significant change in the proposed rules is the removal of the word “addressable” from the HIPAA Security Rule and its replacement with the term “required,” so that regulated entities would no longer be able to adhere to the HIPAA Security Rule on a subjective basis. As an example, under the existing Security Rule a regulated entity’s encryption of ePHI is an “addressable implementation specification under the standard for access control,” which allows a regulated entity to choose not to encrypt ePHI where doing so is not reasonable and appropriate. Under the proposed rules, however, encryption of ePHI would be required. In addition, the proposed rules seek to replace the phrase “reasonable and appropriate security measures,” which the current HIPAA Security Rule uses to assess whether a regulated entity needs to implement any security measures for ePHI (some regulated entities interpreted this language to mean that the HIPAA Security Rule was optional), with the more stringent language “reasonable and appropriate security measures to implement the standards and implementation specifications under the Security Rule.” The proposed changes in language indicate that, if these rules are adopted in the final regulations, many parts of the HIPAA Security Rule implementation process will be explicitly required of regulated entities and plan sponsors of group health plans as part of the Security Rule, with only limited exceptions.