HIPAA Security Rule Overhaul: Key Highlights from the 2024 NPRM You Need to Know
"

HIPAA Security Rule Overhaul: Key Highlights from the 2024 NPRM You Need to Know

It Happened! On Friday, December 27, 2024, the Department of Health and Human Services released the long-awaited Notice of Proposed Rule Making (NPRM) for the HIPAA Security Rule. Even at first glance, the NPRM signals significant changes to the HIPAA regulations. A few highlights of the proposed regulations that underscore the importance of the security and privacy of patient information include:

  • One of the biggest changes is the removal of the "addressable" implementation specifications found in the current HIPAA Security Rule. With this change, all requirements of the HIPAA Security Rule become mandatory for compliance, with a few exceptions.
  • The changes to the HIPAA Security Rule provide specific timelines for different parts of the regulations, such as:
    • Conduct and/or review of the risk analysis every 12 months
    • Patch critical-risk vulnerabilities within 15 days of a patch becoming available, and high-risk vulnerabilities within 30 days of a patch becoming available
    • Train all new workforce members no later than 30 days after they gain access to electronic information systems, and at least once every 12 months thereafter
    • Terminate access to electronic information systems no later than one hour after a workforce member's or contractor's employment is terminated
  • Written policies and procedures are more clearly defined throughout the regulations. Many of the standards contain a specific section called "Policies and Procedures" that explicitly states a Covered Entity or Business Associate must have written policies and procedures for that standard.
  • Specifics are added to the areas that were vague before. For example, the HIPAA Risk Analysis must contain a written assessment of the following:
    • Review of technology asset inventory
    • Review of network map
    • Identification of all anticipated threats
    • Identification of potential vulnerabilities and predisposing conditions
    • Assessment and documentation of current security measures implemented
    • Determination of the likelihood of each threat
    • Determination of potential impact of each threat
    • Assessment of risk level for each threat
    • Assessment of the risks to electronic protected health information in relation to business associate contracts
  • The addition of a maintenance section to the standards, which states how often each standard needs to be reviewed or updated.
  • Defined exceptions, alternative measures, and compensating controls for specific standards.
  • Specific testing requirements, such as vulnerability scans conducted at least every 6 months and penetration testing conducted at least every 12 months.

While this is just a small preview of the changes, there are many new additions to the regulations, such as the requirement to create a network map and to maintain a technology asset inventory.

Planet HIPAA will be hosting a 4-part series on the specifics of the NPRM for the HIPAA Security Rule and the steps to take today to prepare for the legislative changes. Space is limited, so sign up now!

Cheers!

Dr. Danika
