In this final blog post in the Bradley series on the HIPAA Security Rule notice of proposed rulemaking (NPRM), we examine how the U.S. Department of Health and Human Services (HHS) Office for Civil Rights interprets the application of the HIPAA Security Rule to artificial intelligence (AI) and other emerging technologies. While the HIPAA Security Rule has traditionally been technology agnostic, HHS explicitly addresses security measures for these evolving technology advances. The NPRM provides guidance to incorporate AI considerations into compliance strategies and risk assessments.

AI Risk Assessments

In the NPRM, HHS would require a comprehensive, up-to-date inventory of all technology assets that identifies AI technologies interacting with ePHI. HHS clarifies that the Security Rule governs ePHI used in both AI training data and the algorithms developed or used by regulated entities. As such, HHS emphasizes that regulated entities must incorporate AI into their risk analysis and management processes and regularly update their analysis to address changes in technology or operations. Entities must assess how the AI system interacts with ePHI, considering the type and amount of data accessed, how the AI uses or discloses ePHI, and who the recipients of AI-generated outputs are.

HHS expects entities to identify, track, and assess reasonably anticipated risks associated with AI models, including risks related to data access, processing, and output. Flowing from the proposed data mapping safeguards discussed in previous blog posts, regulated entities would document where and how the AI software interacts with or processes ePHI to support risk assessments. HHS would also require regulated entities to monitor authoritative sources for known vulnerabilities to the AI system and promptly remediate them according to their patch management program. This lifecycle approach to risk analysis aims to ensure the confidentiality, integrity, and availability of ePHI as technology evolves.

Integration of AI developers into the Security Risk Analysis

More mature entities typically have built out third-party vendor risk management diligence. If finalized, the NPRM would require all regulated entities contracting with AI developers to formally incorporate Business Associate Agreement (BAA) risk assessments into their security risk analysis. Entities also would need to evaluate BAs based on written security verifications that the AI vendor has documented security controls. Regulated entities should collaborate with their AI vendors to review technology assets, including AI software that interacts with ePHI. This partnership will allow entities to identify and track reasonably anticipated threats and vulnerabilities, evaluate their likelihood and potential impact, and document security measures and risk management.

Getting Started with Current Requirements

Clinicians are increasingly integrating AI into clinical workflows to analyze health records, identify risk factors, assist in disease detection, and draft real-time patient summaries for review as the “human in the loop.” According to the most recent HIMSS cybersecurity survey, most health care organizations permit the use of generative AI with varied approaches to AI governance and risk management. Nearly half the organizations surveyed did not have an approval process for AI, and only 31% report that they are actively monitoring AI systems. As a result, the majority of respondents are concerned about data breaches and bias in AI systems. 

The NPRM enhances specificity in the risk analysis process by incorporating informal HHS guidance, security assessment tools, and frameworks for more detailed specifications. Entities need to update their procurement process to confirm that their AI vendors align with the Security Rule and industry best practices, such as the NIST AI Risk Management Framework, for managing AI-related risks, including privacy, security, unfair bias, and ethical use of ePHI.

The proposed HHS requirements are not the only concerns clinicians must consider when evaluating AI vendors. HHS also has finalized a rule under Section 1557 of the Affordable Care Act requiring covered healthcare providers to identify and mitigate discrimination risks from patient care decision support tools. Regulated entities must mitigate AI-related security risks and strengthen vendor oversight in contracts involving AI software that processes ePHI to meet these new demands.

Thank you for tuning in to this series analyzing the Security Rule updates. Please contact us if you have any questions or if we can assist with any next steps.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are exploring the justifications for the proposed updates to the Security Rule. Last week’s post on the updates related to Vulnerability Management, Incident Response & Contingency Plans can be found here.

Background

Throughout this series, we have discussed updates to various aspects of the Security Rule and explored how HHS seeks to implement new security requirements and implementation specifications for regulated entities. This week, we discuss the justifications behind HHS’s move and the challenges entities face in complying with the existing rule.

Justifications

HHS discussed multiple reasons for this Security Rule update, a few of which are discussed below:

  • Importance of Strong Security Posture of Regulated Entities – The preamble to the NPRM posits that the increase in use of certified electronic health records (80% of physicians’ offices and 96% of hospitals as of 2021) fundamentally shifted the landscape of healthcare delivery. As a result, the security posture of regulated entities must be updated to accommodate such advancement. As treatment is increasingly provided electronically, the additional volume of sensitive patient information to protect continues to grow.
  • Increased Cybersecurity Incident Risks – HHS cites the heightened risk to patient safety during cybersecurity incidents and ransomware attacks as a key reason for these updates. The current state of the healthcare delivery system is propelled by deep digital connectivity as prompted by the HITECH and 21st Century Cures Act. If this system is connected but insecure, the connectivity could compromise patient safety, subjecting patients to unnecessary risk and forcing them to bear unaffordable personal costs. During a cybersecurity incident, patients’ health, and potentially their lives, may be at risk where such an incident creates impediments to the provision of healthcare. Serious consequences can result from interference with the operations of a critical medical device or obstructions to the administrative or clinical operations of a regulated entity, such as preventing the scheduling of appointments or viewing of an individual’s health history.
  • The Healthcare Industry Could Benefit from Centralized Security Standards Due to Inconsistent Implementation of Current Voluntary Standards – Despite the proliferation of voluntary cybersecurity standards, industry guidelines, and best practices, HHS found that many regulated entities have been slow to strengthen their security measures to protect ePHI and their information systems. HHS also noted that recent case law, including University of Texas M.D. Anderson Cancer Center v. HHS, has not accurately set forth the steps regulated entities must take to adequately protect the confidentiality, integrity, and availability of ePHI, as required by the statute. In that case, the Fifth Circuit vacated HIPAA penalties against MD Anderson, ruling that HHS acted arbitrarily and capriciously under the Administrative Procedure Act. The court found that MD Anderson met its obligations by implementing an encryption mechanism for ePHI. HHS disagrees that the encryption mechanism was sufficient and asserted its authority under HIPAA to mandate strengthened security standards for ePHI. This ruling and the lack of adoption of voluntary cybersecurity standards by regulated entities have led to inconsistent implementation of the Security Rule; providing clearer, mandatory standards was a noted justification for these revisions.

Takeaways

In 2021, Congress amended the HITECH Act, requiring HHS to assess whether an entity followed recognized cybersecurity practices in line with HHS guidance over the prior 12 months to qualify for HIPAA penalty reductions. In response to this requirement, HHS could have taken the approach of acknowledging recognized frameworks that offer robust safeguards to clarify expectations, enhance the overall security posture of covered entities, and reduce compliance gaps. While HHS refers to NIST frameworks in discussions on security, it has not formally recognized any specific frameworks to qualify for this so-called “safe harbor” incentive. Instead, HHS uses this NPRM to embark on a more prescriptive approach to the substantive rule based on its evaluation of various frameworks.

HHS maintains that these Security Rule updates still allow for flexibility and scalability in their implementation. However, the revisions would limit that flexibility and raise the standards for protection beyond what was deemed acceptable in past Security Rule iterations. Given that the Security Rule’s standard of “reasonable and appropriate” safeguards must account for cost, size, complexity, and capabilities, the more prescriptive proposals in the NPRM and the lack of addressable requirements present a heavy burden — especially on smaller providers.

Whether these Security Rule revisions become finalized in the current form, a revised form, or at all remains an open item for the healthcare industry. Notably, the NPRM was published under the Xavier Becerra administration at HHS and prior to the confirmation of Robert F. Kennedy, Jr. as the new secretary of HHS. The current administration has not provided comment on its plans related to this NPRM, but we will continue to watch this as the March 7, 2025, deadline for public comment is inching closer.

Stay tuned to this series as our next and final blog post on the NPRM will consider how HHS views the application of artificial intelligence and other emerging technologies under the HIPAA Security Rule.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we discuss HHS’s proposed rules for vulnerability management, incident response, and contingency plans (45 C.F.R. §§ 164.308, 164.312). Last week’s post on the updated administrative safeguards is available here.

Existing Requirements

HIPAA currently requires regulated entities to implement policies and procedures to (1) plan for contingencies and (2) respond to security incidents. A contingency plan applies to responses to emergencies and other major occurrences, such as system failures and natural disasters. When needed, the plan must include a data backup plan, disaster recovery plan, and an emergency mode operation plan to account for the continuation of critical business processes. A security incident plan must be implemented to ensure the regulated entity can identify and respond to known or suspected incidents, as well as mitigate and resolve such incidents.

Existing entities — especially those that have unfortunately experienced a security incident — are familiar with the above requirements and their implementation specifications, some of which are “required” and others only “addressable.” As discussed throughout this series, HHS is proposing to remove the “addressability” distinction, making all implementation specifications that support the security standards mandatory.

What Are the New Technical Safeguard Requirements?

The NPRM substantially modifies how a regulated entity should implement a contingency plan and respond to security incidents. HHS proposes a new “vulnerability management” standard that would require regulated entities to establish technical controls to identify and address certain vulnerabilities in their respective relevant electronic information systems. We summarize these new standards and protocols below:

Contingency Plan – The NPRM would add implementation standards for contingency plans. HHS is proposing a new “criticality analysis” implementation specification, requiring regulated entities to analyze their relevant electronic information systems and technology assets to determine priority for restoration. The NPRM also adds new or more specific language to the existing implementation standards, such as requiring entities to (1) ensure that procedures are in place to create and maintain “exact” backup copies of electronic protected health information (ePHI) during an applicable event; (2) restore critical relevant electronic information systems and data within 72 hours of an event; and (3) require business associates to notify covered entities within 24 hours of activating their contingency plans.

Incident Response Procedures – The NPRM would require written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents, as well as how the regulated entity should identify, mitigate, remediate, and eradicate any suspected or known security incidents.

Vulnerability Management – HHS explained in the NPRM that its proposal to add a new “vulnerability management” standard was to address the potential for bad actors to exploit publicly known vulnerabilities. With that in mind, this standard would require a regulated entity to deploy technical controls to identify and address technical vulnerabilities in its relevant electronic information systems, including (1) automated vulnerability scanning at least every six months; (2) monitoring “authoritative sources” (e.g., CISA’s Known Exploited Vulnerabilities Catalog) for known vulnerabilities on an ongoing basis and remediating where applicable; (3) conducting penetration testing every 12 months; and (4) ensuring timely installation of reasonable software patches and critical updates.
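As an added illustration of how a regulated entity might operationalize the vulnerability management controls above (example code written for this post, not HHS’s or the NPRM’s), the script joins the technology asset inventory the NPRM would require against a KEV-style feed and flags KEV-listed products, scans older than six months, and an overdue annual penetration test. The feed entries, inventory, CVE identifiers, and the reading of “six months” as 182 days are all constructed assumptions.

```python
"""Compliance tracker for the NPRM's proposed vulnerability management controls.

Added example, not from the blog post or HHS. It joins a technology asset
inventory (the NPRM's proposed administrative safeguard) against a KEV-style
feed and flags (1) assets running a product listed in the feed, (2) in-scope
assets whose automated scan is older than six months, and (3) an overdue
annual penetration test. All records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SCAN_INTERVAL = timedelta(days=182)     # "at least every six months" (assumed as 182 days)
PENTEST_INTERVAL = timedelta(days=365)  # "every 12 months"

# Constructed KEV-style entries. Field names follow the public catalog's JSON
# schema (cveID, vendorProject, product, dateAdded, dueDate); the CVE IDs are
# placeholders, not real identifiers.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-XXXX-0001", "vendorProject": "ExampleVendor", "product": "Imaging Gateway",
         "dateAdded": "2025-02-03", "dueDate": "2025-02-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-XXXX-0002", "vendorProject": "OtherVendor", "product": "Scheduler",
         "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass
class Asset:
    asset_id: str
    vendor: str
    product: str
    in_scope: bool       # part of a relevant electronic information system (touches ePHI)
    last_scan: date      # date of the last automated vulnerability scan


# Constructed technology asset inventory.
INVENTORY = [
    Asset("ws-001", "ExampleVendor", "Imaging Gateway", True, date(2025, 1, 10)),
    Asset("srv-002", "OtherVendor", "Scheduler", True, date(2024, 7, 1)),
    Asset("srv-003", "ThirdVendor", "Mail Relay", False, date(2024, 6, 1)),
]


@dataclass
class Finding:
    kind: str            # "kev_match", "scan_overdue" or "pentest_overdue"
    asset_id: str        # "*" for entity-wide findings
    detail: str
    due: Optional[date] = None


def _kev_index(feed: dict) -> dict:
    """Index KEV entries by (vendor, product), case-insensitively."""
    idx: dict = {}
    for v in feed["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        idx.setdefault(key, []).append(v)
    return idx


def compliance_findings(inventory, feed, last_pentest: date, today: date) -> list:
    """Return the open findings for the inventory as of `today`."""
    findings = []
    idx = _kev_index(feed)
    for a in inventory:
        # (2) authoritative-source monitoring: any KEV entry for this asset's product
        for v in idx.get((a.vendor.lower(), a.product.lower()), []):
            due = date.fromisoformat(v["dueDate"])
            detail = f"{v['cveID']} listed {v['dateAdded']}"
            if v.get("knownRansomwareCampaignUse") == "Known":
                detail += "; known ransomware use"
            if today > due:
                detail += f"; catalog due date {due} passed"
            findings.append(Finding("kev_match", a.asset_id, detail, due))
        # (1) scan cadence applies only to in-scope assets
        if a.in_scope and today - a.last_scan > SCAN_INTERVAL:
            findings.append(Finding("scan_overdue", a.asset_id,
                                    f"last scan {a.last_scan}", a.last_scan + SCAN_INTERVAL))
    # (3) annual penetration test is an entity-wide obligation
    if today - last_pentest > PENTEST_INTERVAL:
        findings.append(Finding("pentest_overdue", "*",
                                f"last pentest {last_pentest}", last_pentest + PENTEST_INTERVAL))
    return findings


def demo_findings() -> list:
    """Run the tracker over the constructed data as of a fixed date."""
    return compliance_findings(INVENTORY, KEV_FEED, date(2024, 1, 15), date(2025, 3, 1))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.kind:16} {f.asset_id:8} {f.detail}")
```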

Stay Tuned

Next week, we will continue Bradley’s weekly NPRM series by analyzing justifications for HHS’s proposed Security Rule updates, how the proposals may change, and areas where HHS offers its perspective on new technologies. The NPRM public comment period ends on March 7, 2025.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are exploring the proposed updates to the HIPAA Security Rule’s administrative safeguards requirement (45 C.F.R. § 164.308). Last week’s post on the updated technical safeguards is available here.

Background

Currently, HIPAA regulated entities must generally implement nine standards for administrative safeguards protecting electronic protected health information (ePHI):

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

Entities are already familiar with these requirements and their implementation specifications. The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities. As noted throughout this series, HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, providing for specific guidelines for implementation with limited exceptions for certain safeguards, as well as introducing new safeguards.

New Administrative Safeguard Requirements

The NPRM proposes updates to the following administrative safeguards: risk analyses, workforce security, and information access management. HHS also introduced a new administrative safeguard, technology inventory management and mapping. These updated or new administrative requirements are summarized here:

  • Asset Inventory Management – The HIPAA Security Rule does not explicitly mandate a formal asset inventory, but HHS informal guidance and audits suggest that inventorying assets that create, receive, maintain, or transmit ePHI is a critical step in evaluating security risks. The NPRM proposes a new administrative safeguard provision requiring regulated entities to conduct and maintain written inventories of any technological assets (e.g., hardware, software, electronic media, data, etc.) capable of creating, receiving, maintaining, or transmitting ePHI, and to illustrate a network map showing the movement of ePHI throughout the organization. HHS would require these inventories and maps to be periodically reviewed and updated at least once every 12 months and when certain events prompt changes in how regulated entities protect ePHI, such as new, or updates to, technological assets; new threats to ePHI; transactions that impact all or part of regulated entities; security incidents; or changes in laws.
  • Risk Analysis – While conducting a risk analysis has always been a required administrative safeguard, the NPRM proposes more-detailed content specifications around items that need to be addressed in the written risk assessment, including reviewing the technology asset inventory; identifying reasonably anticipated threats and vulnerabilities; documenting security measures, policies and procedures for documenting risks and vulnerabilities to ePHI systems; and making documented “reasonable determinations” of the likelihood and potential impact of each threat and vulnerability identified.
  • Workforce Security and Information Access Management – The NPRM proposes that, with respect to its ePHI or relevant electronic information systems, regulated entities would need to establish and implement written procedures that (1) determine whether access is appropriate based on a workforce member’s role; (2) authorize access consistent with the Minimum Necessary Rule; and (3) grant and revise access consistent with role-based access policies. Under the NPRM, these administrative safeguard specifications would no longer be “addressable,” as previously classified, meaning these policies and procedures would now be mandatory for regulated entities. In addition, the NPRM develops specific standards for the content and timing of workforce training on Security Rule compliance beyond the previous general requirements.

Next Time

Up next in our weekly NPRM series, we will dive into the HIPAA Security Rule’s updates to Vulnerability Management, Incident Response, and Contingency Plans.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are tackling the proposed updates to the HIPAA Security Rule’s technical safeguard requirements (45 C.F.R. § 164.312). Last week’s post on group health plan and sponsor practices is available here.

Existing Requirements

Under the existing regulations, HIPAA-covered entities and business associates must generally implement the following five standard technical safeguards for electronic protected health information (ePHI):

  1. Access Controls – Implementing technical policies and procedures for electronic information systems that maintain ePHI to allow only authorized persons to access ePHI.
  2. Audit Controls – Implementing hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
  3. Integrity – Implementing policies and procedures to ensure that ePHI is not improperly altered or destroyed.
  4. Authentication – Implementing procedures to verify that a person seeking access to ePHI is who they say they are.
  5. Transmission Security – Implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.

The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities — until now.

What Are the New Technical Safeguard Requirements?

The NPRM substantially modifies and specifies the particular technical safeguards needed for compliance. In particular, the NPRM restructures and recategorizes existing requirements and adds more stringent standards and implementation specifications, and HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required with specific, limited exceptions.

A handful of the new or updated standards are summarized below:

  • Access Controls – New implementation specifications would require technical controls to ensure access is limited to the individuals and technology assets that need it. Two of the controls that would be required are network segmentation and account suspension/disabling capabilities after multiple log-in failures.
  • Encryption and Decryption – Formerly an addressable implementation specification, the NPRM would make encryption of ePHI at rest and in transit mandatory, with a handful of limited exceptions, such as when the individual requests to receive their ePHI in an unencrypted manner.
  • Configuration Management – This new standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and the technology assets in its relevant electronic information systems, including workstations, in a consistent manner. A regulated entity also would be required to establish and maintain a minimum level of security for its information systems and technology assets.
  • Audit Trail and System Log Controls – Identified as “crucial” in the NPRM, this reorganized standard formerly identified as the “audit control” would require covered entities to monitor in real-time all activity in its electronic information systems for indications of unauthorized access and activity. This standard would require the entity to perform and document an audit at least once every 12 months.
  • Authentication – This standard enhances the implementation specifications needed to ensure ePHI is properly protected from improper alteration or destruction. Of note, the NPRM would require all regulated entities to deploy multi-factor authentication (MFA) on all technology assets, subject to limited exceptions with compensating controls, such as during an emergency when MFA is infeasible. One exemption is where the regulated entity’s existing technology does not support MFA; however, the entity would need to implement a transition plan to have the ePHI transferred to another technology asset that does support MFA within a reasonable time. Medical devices authorized for marketing by the FDA before March 2023 would be exempt from MFA if the entity deployed all recommended updates; devices authorized after that date would be exempt if the manufacturer supports the device or the entity deployed any manufacturer-recommended updates or patches.
  • Other Notable Standards – In addition to the above, the NPRM would add standards for integrity, transmission security, vulnerability management, data backup and recovery, and information systems backup and recovery. These new standards would prescribe new or updated implementation specifications, such as conducting vulnerability scanning for technical vulnerabilities, including annual penetration testing and implementing a patch management program.

Next Time

Up next on our weekly NPRM series, we will dive into the HIPAA Security Rule’s updates to the Administrative Standards requirements.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In 2024, the government and whistleblowers were party to 558 settlements and judgments collecting over $2.9 billion. The government continued its effort to combat cybersecurity threats through its Civil Cyber-Fraud Initiative, which is dedicated to using the FCA to ensure that federal contractors and grantees are compliant with cybersecurity requirements. Settlements in 2024 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failure to properly maintain, patch, and update software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2025 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement & Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our 13th annual review of significant FCA cases, developments, and trends.

The landscape of prior express written consent under the Telephone Consumer Protection Act (TCPA) has undergone a significant shift over the past 13 months. In a December 2023 order, the Federal Communications Commission (FCC) introduced two key consent requirements to alter the TCPA, with these changes set to take effect on January 27, 2025. First, the proposed rule limited consent to a single identified seller, prohibiting the common practice of asking a consumer to provide a single form of consent to receive communications from multiple sellers. Second, the proposed rule required that calls be “logically and topically” associated with the original consent interaction. However, just a single business day before these new requirements were set to be enforced, the FCC postponed the effective date of the one-to-one consent, and a three-judge panel of circuit judges unanimously ruled that the FCC exceeded its statutory authority under the TCPA.

A Sudden Change in Course

On the afternoon of January 24, 2025, the FCC issued an order delaying the implementation of these new requirements to January 26, 2026, or until further notice following a ruling from the United States Court of Appeals for the Eleventh Circuit. The latter date referenced the fact that the Eleventh Circuit was in the process of reviewing a legal challenge to the new requirements at the time the postponement order was issued.

That decision from the Eleventh Circuit, though, arrived much sooner than expected. Just after the FCC’s order, the Eleventh Circuit issued its ruling in Insurance Marketing Coalition v. FCC, No. 24-10277, striking down both of the FCC’s proposed requirements. The court found that the new rules were inconsistent with the statutory definition of “prior express consent” under the TCPA. More specifically, the court held “the FCC exceeded its statutory authority under the TCPA because the 2023 Order’s ‘prior express consent’ restrictions impermissibly conflict with the ordinary statutory meaning of ‘prior express consent.’”

The critical takeaway from Insurance Marketing Coalition is that the TCPA’s “prior written consent” verbiage was irreconcilable with the FCC’s one-to-one consent and “logically and topically related” requirements. Under this ruling, businesses may continue to obtain consent for multiple sellers to call or text consumers through the use of a single consent form. The court clarified that “all consumers must do to give ‘prior express consent’ to receive a robocall is clearly and unmistakably state, before receiving a robocall, that they are willing to receive the robocall.” According to the ruling, the FCC’s rulemaking exceeded the statutory text and created duties that Congress did not establish.

The FCC could seek further review by the full Eleventh Circuit or appeal to the Supreme Court, but the agency’s decision to delay the effective date of the new requirements suggests it may abandon this regulatory effort. The ruling reinforces a broader judicial trend after the Supreme Court’s 2024 decision overturning Chevron deference – and curbing expansive regulatory interpretations.

What This Means for Businesses

With the Eleventh Circuit’s decision, the TCPA’s consent requirements revert to their previous state. Prior express written consent consists of an agreement in writing, signed by the recipient, that explicitly authorizes a seller to deliver, or cause to be delivered, advertisements or telemarketing messages via call or text message using an automatic telephone dialing system or artificial or prerecorded voice. The agreement must specify the authorized telephone number and cannot be a condition of purchasing goods or services.

This ruling is particularly impactful for businesses engaged in lead generation and comparison-shopping services. Companies may obtain consent that applies to multiple parties rather than being restricted to one-to-one consent. As a result, consent agreements may once again include language that covers the seller “and its affiliates” or “and its marketing partners” that hyperlinks to a list of relevant partners covered under the consent agreement.

A Costly Compliance Dilemma

Many businesses have spent the past year modifying their compliance processes, disclosures, and technology to prepare for the now-defunct one-to-one consent and logical-association requirements. These companies must now decide whether to revert to their previous consent framework or proceed with the newly developed compliance measures. The decision will depend on various factors, including the potential impact of the scrapped regulations on lead generation and conversion rates. In the comparison-shopping and lead generation sectors, businesses may be quick to abandon the stricter consent requirements. However, those companies that have already implemented changes to meet the one-to-one consent rule may be able to differentiate the leads they sell as the disclosure itself will include the ultimate seller purchasing the lead, which provides the caller with a documented record of consent in the event of future litigation.

What’s Next for TCPA Compliance?

An unresolved issue after the Eleventh Circuit’s ruling is whether additional restrictions on marketing calls — such as the requirement for prior express written consent rather than just prior express consent — could face similar legal challenges. Prior express consent can be established when a consumer voluntarily provides their phone number in a transaction-related interaction, whereas prior express written consent requires a separate signed agreement. If future litigation targets these distinctions, it is possible that the courts may further reshape the TCPA’s regulatory landscape.

The TCPA remains one of the most litigated consumer protection statutes, with statutory damages ranging from $500 to $1,500 per violation. This high-stakes enforcement environment has made compliance a major concern for businesses seeking to engage with consumers through telemarketing and automated calls. The Eleventh Circuit’s ruling provides a temporary reprieve for businesses, but ongoing legal battles could continue to influence the regulatory landscape.

For now, businesses must carefully consider their approach to consent management, balancing compliance risks with operational efficiency. Whether this ruling marks the end of the FCC’s push for stricter TCPA consent requirements remains to be seen.

Proposed regulations may require employers to invest additional resources to safeguard group health plan participants’ protected health information.

In this installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we will explore the impact the NPRM could have on sponsors of group health plans.

As HIPAA-covered entities, group health plans that share protected health information (PHI) with employer plan sponsors must already include provisions in the plan documents reflecting the plan sponsors’ obligations to:

  • Establish and maintain administrative, physical, and technical safeguards to ensure ePHI confidentiality, integrity, and availability;
  • Limit access to ePHI to only authorized members of the plan sponsor’s workforce;
  • Require agents of the plan to establish reasonable and adequate security measures to protect ePHI; and
  • Report to the group health plan any security incident.

What’s New for Group Health Plans and Plan Sponsors?

So, what’s new in the NPRM? First, HHS proposes that group health plan documents tie the establishment of safeguards by plan sponsors and plan agents expressly to the corresponding provisions that apply to covered entities and business associates. In addition, new plan document language would specifically refer to the kind of contingency plan that covered entities are required to establish and maintain, and would require the plan sponsor to report to the group health plan when that contingency plan is activated by a security incident. The NPRM would require plan documents to provide that plan sponsors will report to plans “without unreasonable delay,” but not later than 24 hours after activation of their contingency plan in response to a real or suspected data security incident. (This specific reference to contingency plans is in addition to the existing requirement to report to the group health plan any security incident of which the plan sponsor becomes aware.)

While the NPRM may ignore the reality that plan sponsors are already largely responsible for the HIPAA compliance of their group health plans, including maintaining adequate policies and procedures, the proposed provisions would require existing plan documents to be amended to reflect the new language and references embedded in the applicable NPRM provisions. As a practical matter, however, it remains to be seen whether, if finalized, the NPRM would require new policies and procedures that diligent plan sponsors do not already have in place as part of an effective HIPAA compliance framework on behalf of their group health plans.

HHS has requested comments as to an appropriate deadline for group health plan documents to be amended as described by the NPRM and whether to permit a transition period for existing plan documents (such a transition period is proposed in the NPRM for business associate agreement changes that are required by the NPRM). Group health plan sponsors should also be aware of the proposed changes to business associate agreements described in our earlier post in the series.

Next Time

In our next two posts in this series, we will summarize what to expect from the NPRM’s proposed changes to the HIPAA Security Rule’s technical and administrative safeguards. In particular, we will discuss the revised rule’s provisions concerning encryption and multi-factor authentication (MFA), as well as administrative controls such as asset inventory, workforce clearance, access management, and more.

Bradley has launched a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, beginning last week with an overview. The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025. This marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. In this weekly series, we will continue to explore the key changes and their implications and provide insights and takeaways for covered entities and their business associates under HIPAA.

What’s New for BAs and BAAs?

This week’s installment is on the proposed changes specifically affecting business associates (BAs) and business associate agreements (BAAs) and responsibilities for covered entities related to business associates who serve as the HIPAA Security Official.

Revisions to BAAs

The NPRM requires regulated entities to include within their BAAs the following new provisions:

  • Notification to the covered entity (and downstream BAs to the business associate) within 24 hours of activating its contingency plan;
  • Written verification that the BA (and the downstream BA to the business associate) has deployed technical safeguards as required by HIPAA; and
  • Requirements to provide written assurances at least once every 12 months that the BA has implemented technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA.

In addition, as part of the required security risk assessment process, regulated entities must assess the risks of entering a BAA with a current or prospective BA based on this written verification.

The revisions will require updates to BAAs both in effect now and any new BAAs entered into after the Final Rule is published. Similar to the HITECH rule implementation in 2013, these required revisions will have an on-ramp for regulated entities to become compliant. Notably, the transition provisions of the NPRM state that BAAs will be deemed in compliance if the following circumstances exist: (1) the BAA contains the required provisions applicable at the time the Final Rule is published, and (2) the BAA is not renewed or modified within 60 to 240 days after the Final Rule is published. However, all BAAs must be in compliance within a year plus 60 days after the Final Rule is published.

These revisions may create a significant administrative load for regulated entities small and large. In preparation for the Final Rule publication, regulated entities should review their current BAAs to confirm these agreements are up to date with the requirements in effect at the time of execution, so that they can take advantage of the on-ramp for compliance. Even under current law, regulated entities also may benefit from updating their vendor management programs to request written verification of technical safeguards based on the level of risk associated with their business associate’s handling of PHI.

Covered Entity Delegation of Security Officials

The NPRM also confirms the possibility for a covered entity to appoint a business associate as the Security Official. Importantly, HHS clarifies its view that the covered entity remains liable for ultimate compliance with the Security Rule even if the service is contracted to a business associate.

The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.

In our upcoming posts in this series, we will delve into changes to the HIPAA Security Rule affecting group health plans and current thinking related to AI technologies.

Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

Bradley is launching a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to strengthen cybersecurity protections for electronic protected health information (ePHI) regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025 and applies to covered entities and their business associates under HIPAA. This proposal marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.

In this weekly series, we will explore the key changes and their implications and provide insights and takeaways on the following items:

  • Implementation Specifications and Compliance Grace Period
    • OCR has identified gaps and ambiguities in current law that require clarification or the introduction of new standards. OCR revises and adds definitions and implementation specifications to address these and emerging challenges as well as to reflect advancements in technology.
    • Implementation specifications would become required, not addressable, with limited exceptions.
    • OCR interprets security requirements for artificial intelligence (AI) and provides guidance to incorporate AI considerations into compliance and risk assessments.
    • Regulated entities would have a total time frame for compliance of 240 days from the date of publication of the final rule and would be provided deeming provisions for contracts that are not renewed or modified.
  • Administrative Safeguards
    • Annual and ongoing technology asset inventory and network mapping would become a discrete part of the administrative safeguards.
    • OCR leverages its informal guidance documents and tools on security risk analyses along with the NIST Cybersecurity Framework and recent guides for greater specificity in implementing the risk assessment standard.
    • Regulated entities would need to annually perform and document audits that cover compliance with each standard and implementation specification.
    • Workforce clearance, access management, and patch management processes would be specified.
  • Incident and Vulnerability Management
    • Security incident procedures and response plans would be enhanced.
    • Contingency planning requirements would be strengthened to mandate system restoration within 72 hours and annual testing of the contingency plan for its effectiveness.
    • OCR provides specifics for the enhanced data backup and recovery requirement.
  • Technical Safeguards
    • Encryption and MFA would become mandatory, with limited exceptions.
    • Annual penetration testing and semi-annual vulnerability scanning would be required.
    • Network segmentation protocols are specified.
  • Business Associate (BA) Issues
    • Regulated entities must assess the risks of entering a downstream BA Agreement based on the written verifications from the BA. Entities also must obtain written verification of technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA.
    • BAs and their subcontractors must notify clients within 24 hours when activating contingency plans.
    • OCR would maintain a grace period allowing entities to update their BA Agreements while remaining compliant with previous requirements, similar to the transitional process implemented after the HITECH Rule was finalized in 2013.
  • Group Health Plan Compliance
    • Group health plans and sponsors would have expanded compliance obligations.
    • OCR is considering transition provisions for compliance.

Stay tuned as Bradley’s Health Information Technology, Privacy & Security team dives into the implications of these proposals for the healthcare industry as interested stakeholders submit comments to HHS during the comment period that ends on March 7, 2025. We will provide summaries and analyses of these significant regulatory changes, offer insights and perspectives, and consider broader industry implications. Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.