On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.

This proposed rule would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to require health plans, healthcare clearinghouses, as well as most healthcare providers and their business associates to strengthen cybersecurity protections for individuals’ protected health information. Comments to the proposed rules are due by March 7, 2025.

The Notice of Proposed Rulemaking is 125 Federal Register pages long and covers a large number of proposed changes. The following chart lists the new timing and the associated requirement for many of the changes to the Rule.

The key deadline is 180 days. After the final Security Rule is issued, covered entities and business associates will have 180 days to comply with all changes (with an exception for amending some business associate agreements (BAAs)). Organizations conducting risk assessments and gap analyses should consider the potential impact and effort these proposed changes would have on their operations, watch for developments as the final rule takes shape, and budget accordingly.

1 hour
  • To terminate workforce member access to electronic information systems after employment (engagement) ends

24 hours
  • To notify another covered entity or business associate of a change in or termination of a workforce member’s access to ePHI or to an electronic information system of that covered entity/business associate
  • For business associates to report activation of a contingency plan to the covered entity (must be in the BAA)
  • For plan sponsors to report the activation of their contingency plan (required to be in the group health plan documents)

48 hours
  • Backups of retrievable copies of ePHI cannot be more than 48 hours old

72 hours
  • To restore loss of the covered entity’s/business associate’s critical relevant information systems and data, in accordance with the disaster recovery plan

Frequently (and at least every 12 months) – when there is a change in the regulated entity’s environment or operations that may affect ePHI, such as:
  • Adoption of new technology assets
  • Upgrading, updating or patching of technology assets
  • Newly recognized threats to the confidentiality, integrity or availability of ePHI
  • Sale, transfer, merger or consolidation of all or part of the regulated entity with another person
  • Security incident that affects the confidentiality, integrity or availability of ePHI
  • Relevant changes in law
Requirements:
  • Update the written inventory of technology assets
  • Update the written assessment of risks to ePHI

15 calendar days
  • To apply an available patch after identifying the need to patch/update/upgrade the configuration of relevant electronic information systems to address a critical risk

30 calendar days
  • To apply an available patch after identifying the need to patch/update/upgrade the configuration of relevant electronic information systems to address a high risk
  • To train new members of the workforce that have access to relevant electronic information systems
  • To distribute to affected workforce members the revised policies and procedures after material changes

180 calendar days
  • After the final Security Rule is issued, comply with all changes (exception for amending some BAAs)
  • Conduct automated vulnerability scans
  • Review and test effectiveness of information system backup and recovery technical controls

Annually
  • Conduct security awareness training for each member of the workforce
  • Perform and document an audit of compliance with each standard and implementation specification
  • Obtain a written verification from each business associate that it has deployed technical safeguards, including (a) a written analysis of the business associate’s relevant electronic information systems to verify compliance, signed by a qualified individual; and (b) a written certification that the analysis was performed and is accurate, signed by an authorized individual
  • Perform penetration testing

Annually review and test
  • Written policies and procedures for identifying, prioritizing, acquiring, installing, evaluating and verifying timely installation of patches, updates and upgrades
  • Written policies and procedures for retaining and reviewing records of activity in relevant electronic information systems
  • Written policies and procedures on workforce access to ePHI: authorization, supervision, clearance, modification or termination of access, and notification
  • Written policies and procedures for access authorization, authentication management, access detection and modification, and network segmentation
  • Security incident response plan
  • Disaster recovery plan and emergency mode operation plan
  • For each facility, the written policies and procedures for contingency plans, facility security plans, access management and validation procedures, and physical maintenance records
  • Written policies and procedures on the functions for which workstations may be used, the manner in which a workstation may be used to perform those functions, and the physical attributes of the surroundings
  • Written policies and procedures for disposal of ePHI and technical assets on which ePHI is maintained, and removal of ePHI from electronic media
  • Effectiveness of procedures and technical controls for unique IDs, administrative and increased access privileges, emergency access, automatic logoff, login attempts, network segmentation and data access controls
  • Effectiveness of anti-malware protection, removal of extraneous software, configuration and security of operating systems and software, and disabling of unnecessary network ports
  • Effectiveness of technical assets and/or controls to monitor and identify activity on relevant electronic information systems, and to record such activity in real time
  • Effectiveness of technical controls to protect ePHI from improper alteration or destruction (both at rest and in transit)
  • Effectiveness of multi-factor authentication
  • Effectiveness of transmission security to guard against unauthorized access to ePHI transmitted over an electronic communications network
  • Effectiveness of technical assets that conduct automated vulnerability scans

Annually review and update (if not done during the year)
  • Written inventory of technology assets and network map
  • Written risk assessment
  • Required documentation

Annually review, document and sign (by the designated security official)
  • Any compensating controls

Annually review and document
  • Effectiveness of any compensating controls for MFA

Annually review
  • Written risk management plan
  • Written sanction policies and procedures

6 years
  • Retain documentation required under the HIPAA rules for six years from the date of creation or the date it was last in effect

HHS has proposed to remove the distinction between “addressable” and “required” implementation specifications as laid out in 45 CFR 164.306(c) and (d). Currently, a regulated entity must assess “addressable” implementation specifications and determine whether they are reasonable and appropriate in its environment. HHS expressed concern that regulated entities have misunderstood “addressable” to mean “optional,” which is not correct. If adopted, the proposal would require all regulated entities to implement all implementation specifications, regardless of individual assessment. Among the many proposed changes are the following:

Additional rules and safeguards governing workforce members

The proposed rule would require a regulated entity to test that technical controls work as designed and that workforce members know how to implement them. Regulated entities would also be required to create written policies and procedures related to workforce members’ access to ePHI, including limitation or termination of such access where appropriate. Specifically, a workforce member’s access to ePHI would need to be terminated as soon as possible, but no later than one hour after the workforce member’s employment ends.

Further, the proposed rule would require a regulated entity to maintain written policies and procedures for sanctioning workforce members who fail to comply with a regulated entity’s security policies and procedures. Entities would also have to document instances of and the circumstances leading up to the imposition of sanctions on workforce members.

Strengthened incident response requirements

The proposed rule seeks to strengthen and clarify the requirements for incident response. Specifically, regulated entities would be required to (1) establish written procedures to restore critical electronic information systems and data within 72 hours of the loss; (2) establish written procedures to create and maintain backups of relevant electronic information systems and to verify the success of such backups; (3) maintain written procedures for emergency mode operation planning; (4) maintain written procedures for testing and revising required contingency plans; (5) review and implement procedures for testing contingency plans once every 12 months; and (6) document the results of such testing.

Additional requirements for business associate agreements and safety practices

HHS conducted audits of 166 covered entities and 41 business associates for HIPAA compliance and found that only 17 percent of business associates were substantially fulfilling their regulatory responsibilities to safeguard ePHI. To address the lack of appropriate safeguards, HHS proposed a requirement for regulated entities to obtain written verification from their business associates that the business associates have deployed the required technical safeguards. Regulated entities would have to obtain such verification at least once every 12 months, and the verification must include a written analysis of the business associates’ relevant electronic information systems.

HHS also seeks to require a BAA to include a provision obligating the business associate to report to the covered entity the activation of its contingency plan without unreasonable delay, but no later than 24 hours after activation. This would not affect the business associate’s breach reporting obligations within 60 days. HHS recognizes that updating BAAs will likely be a lengthy process, and has proposed a transition period during which regulated entities can continue to operate under existing agreements (1) until the contract is renewed on or after the compliance date of the final rule or (2) until a year after the effective date of the final rule.

HHS has also proposed to require both business associates and covered entities to create network maps and technology asset inventories that include any technology assets used by the business associate to create, receive, maintain or transmit ePHI that affects the confidentiality, integrity or availability of ePHI.

Takeaways

Both regulated entities and business associates should monitor industry feedback on the proposed rule to anticipate what changes may come. Health plans, healthcare clearinghouses and healthcare providers should continue to assess and enhance their current information security policies and procedures in order to combat the ever-evolving threat to individuals’ personal information.