HHS proposes major overhaul of HIPAA security rule

Contributors:

Jim Dempsey

Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center

IAPP

Happy New Year. Just before the ball dropped, on 30 Dec. 2024, the U.S. Department of Health and Human Services issued a notice of proposed rulemaking to update the Security Rule under the Health Insurance Portability and Accountability Act. The proposal, which will be open for comment until early March, represents a major undertaking with significant consequences for the health care providers, insurance companies and data processors, or business associates, covered by HIPAA — and for every American.

The Security Rule was initially published in 2003, and much of it has not been touched since. Elements of it are woefully outdated. For example, as adopted over 20 years ago, the current rule classifies the encryption of electronic personal health information as an "addressable" implementation specification, a term that has been taken, or in HHS's view misunderstood, to mean that encryption is optional.

Under the existing Security Rule, a regulated entity must assess whether encryption is a reasonable and appropriate safeguard in its environment, but the conclusion of a hospital or insurance company that it did not need to encrypt sensitive data is effectively unreviewable. The proposed rule would finally modernize that to be consistent with the widely held recognition in other sectors that encryption should be required with only limited exceptions.

Likewise, under the current rule, procedures for guarding against, detecting and reporting malicious software, and procedures for creating, changing and safeguarding passwords, are likewise only "addressable." By now, any serious cybersecurity program would treat both as mandatory, which is what the proposed rule would do.
