HHS Proposed Rule May Enhance HIPAA Security but Leaves AI Questions Open

January 24, 2025

In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While the proposed rule is an important component of HHS’ ongoing effort to enhance cybersecurity requirements, many of the proposals raise significant new questions regarding HHS’ expectations. If adopted, the sweeping changes could have a significant impact on the way covered entities and business associates conduct business, including with each other.

Many of the proposed changes are unlikely to be controversial, such as the conversion of many “addressable” security implementation specifications to “required.” Since the rules were first finalized in 2003, over 20 years ago, many addressable specifications have become industry standard and expected, including by the Office for Civil Rights (OCR). For example, many covered entities and business associates use multifactor authentication for login security because it is the industry standard, even though it is classified under the Security Rule as addressable, not required. For mid-to-large-sized and sophisticated entities, many implementation requirements will not have a material effect other than to make failure to comply a technical breach. For smaller and less sophisticated entities, or entities that sign a business associate agreement as a condition of doing business with a covered entity customer despite not having access to protected health information (PHI), these new requirements may be burdensome. Though there are some proposed flexibilities for smaller entities, HHS is concerned about the lax security practices of small and rural hospitals, which have been prime cybersecurity targets over the past few years. If the proposals are adopted as drafted, most regulated entities will be required to comply in full.

Some proposals could disproportionately impact business associates, including requirements to:

  • notify covered entity customers within 24 hours of activation of a business associate’s (newly required) contingency plan even if the situation resolved itself with no adverse findings;
  • notify covered entities when there is a “suspected” security incident, which could include currently excluded “unsuccessful security incidents” such as pings, port scans and routine unsuccessful access attempts and bad login attempts;
  • notify customers within 24 hours when a workforce member has been terminated and their system access was disabled; and
  • provide an annual attestation to covered entity customers that the business associate is fully compliant with the Security Rule.

To comply with these enhanced measures, business associates will need to allocate resources and likely will incur significant additional expense.

While OCR had the opportunity to set new ground rules for the use of artificial intelligence and machine learning (AI/ML) in the proposed rule, the agency instead chose to request additional input on their use. The agency acknowledged that the risks and benefits of healthcare AI/ML could be significant, and that businesses are “expected to” use electronic PHI in accordance with the current HIPAA privacy and security requirements. However, OCR stopped short of proposing updates or strengthening protections for that data in the proposed rule. It remains to be seen whether the HHS AI Task Force, AI Council, or other newly created AI-focused departments or subdivisions will remain as the new administration sets the AI agenda. On Jan. 21, 2025, President Donald Trump announced the creation of a $500 billion private sector AI infrastructure investment partnership, which could alter the course of AI in healthcare.

Regulated entities would need to implement a process and likely allocate additional resources to meet the 24-hour notice obligation when a contingency plan is activated, including on weekends and holidays. For events impacting a significant number of covered entities, providing notification to all impacted parties within 24 hours may require a substantial operational lift and process changes.

Stakeholders should continue to monitor developments and updates to the proposed rule and explore the real-world impact on their operations.

For information on submitting public comments to the proposed rule by the March 7 deadline, information related to HIPAA and data privacy developments, or to discuss the implications for regulated entities, please consult one of the authors.