Proposed HHS Rule: Stricter HIPAA Security Ahead

As new threats to the security of information and patient data appear, the healthcare industry must adapt. Unfortunately, this requires regular investments of money, time, and attention from key staff members. As technology continues to develop rapidly, so do cybersecurity threats, which means a good security plan requires consistent revision and updates. Healthcare providers must make difficult resource allocation decisions when it comes to protecting electronically stored patient health information.

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the keystone for healthcare information privacy protection. Currently, HIPAA regulations concerning the security of electronic health information contain two types of controls:

  1. “Required” or mandatory controls that must be put in place, and

  2. “Addressable” controls that may or may not be implemented following a reasonable and documented risk analysis process for the provider.

The way a provider puts a control into place can be tailored to fit the entity’s size and capabilities, the cost of the measure, the effectiveness of current protections, and assessed security risks. The flexibility in the regulations allows small providers to adjust security measures to fit their needs and resources but also creates a grey area of discretion that can make oversight and enforcement difficult.

Proposed New HHS Rule Tightens Requirements

On January 6, 2025, the Cabinet of Health and Human Services (HHS) issued notice of proposed rulemaking to tighten these security requirements. According to the notice, the discretion afforded under existing regulations has created vulnerabilities for providers with fewer resources, particularly small and rural healthcare providers.

Based on revenue, HHS estimates that 90 percent of regulated healthcare providers are considered “small” and seven to eight percent are “rural.” Small and rural providers are targets for cyberattacks because they have limited resources and are more likely to decide against expensive and stringent security measures. The HHS notice proposes extensive regulatory changes to the HIPAA Security Regulations, including removing some of the discretion that has been afforded to providers when it comes to implementation.

Small and rural healthcare providers may be the most significantly impacted by these changes. The notice explicitly recognizes that these entities are the most likely to have difficulty finding and attracting qualified security experts and face tougher decisions regarding whether to invest in cybersecurity or in other parts of their practice. It cites a study finding that these providers are less likely to have personnel they can appoint to lead compliance and may not regularly update technology with security patches to ensure that programs are protected from newly discovered vulnerabilities.

HHS states that these providers are most susceptible to cyberattacks and may be those most in need of stronger protection. The notice contains several examples of rural providers whose practices were hamstrung or had to be closed altogether due to cybersecurity incidents. One provider could not submit health insurance claims due to a cybersecurity incident. Another needed to allocate a single worker for a year to mitigate and remedy the impacts of a successful cyberattack.

The proposed rulemaking expressly states that small and rural healthcare providers must comply with more stringent security requirements. The new proposed regulations would remove the distinction between “required” and “addressable” protections. While providers would still be able to choose how to meet the specifications, the regulations add explicit details regarding what must be put into place and the documentation providers must maintain. Moreover, the proposal would require providers to continue to test and review their security measures on a regular basis, with modifications as appropriate.

The express requirements include the following:

  • Maintaining an up-to-date written inventory of technology (e.g., hardware and software) and a “network map” of the electronic information systems that could affect how patient information is stored;

  • A more detailed and robust written risk analysis of potential threats and vulnerabilities;

  • Timely implementation of patches, updates, and upgrades consistent with cybersecurity alerts;

  • A written risk management plan reviewed every 12 months;

  • Standardized review of information system activity to identify ongoing inappropriate access to patient information;

  • Implementing a written plan to address security incidents; and

  • Performing a self-audit at least once a year.

This proposed rulemaking acknowledges that this process may require small and rural providers to hire outside consultants to assist with compliance. It identifies several existing resources that have been published through the National Institute of Standards and Technology (NIST), including Cybersecurity Framework 2.0, HHS guidance and its Security Risk Assessment Tool, and a February 2024 NIST guide on risk analysis under the HIPAA Security Rule. None of these are definitive, but they are available to and may assist small and rural providers in this process.

The notice of proposed rulemaking is only a proposal; comments on the rule are open through March 7, 2025. Any final changes to the regulation likely would not be adopted until 2026, and with the change in administration, the approach taken by HHS may also change. However, providers should take this opportunity to review their security measures now. These changes would require significant time and analysis if adopted; moreover, cybersecurity vulnerabilities are already present for providers and will continue to evolve. Addressing these issues now will keep providers of all sizes healthier in the long run.

Jamie Wilhite Dittert is Member Attorney practicing in torts, insurance, and medical negligence defense at Sturgill Turner. She can be reached at jdittert@sturgillturner.com or (859) 255-8581. This article is intended as a summary of state and/or federal law and does not constitute legal advice.

This article originally appeared in the February 2025 issue of MD Update.