Proposed Changes to the HIPAA Security Rule May Require Significant Changes to Business Associate Agreements
On December 27, 2024, over ten years since the last significant revision[1] of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the United States Department of Health and Human Services Office for Civil Rights (“OCR”) released a Notice of Proposed Rulemaking (the “proposed rule”) which would, if finalized and implemented as is, dramatically heighten requirements under the HIPAA Security Rule.[2] The Security Rule sets forth various administrative, physical, technical, organizational, and documentation[3] requirements meant to protect electronic protected health information (“ePHI”). Most standards created by the Security Rule are accompanied by implementation specifications which facilitate compliance with the standard, with some specifications being required and others being “addressable.”[4] Among the reasons cited for updating the Security Rule is concern for the increase in breaches and cybersecurity incidents in recent years.[5] Accordingly, the proposed rule aims to modify the Security Rule to address significant changes in technology, changes in breach trends and cyberattacks, OCR observations from enforcement investigations, guidelines and methods for protecting ePHI, and relevant court decisions…