New in 2025: Counties Should Prepare Now for the Upcoming HIPAA Security Rule Update
This post is sponsored by our Partners at Sectri.
On December 27, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). The Security Rule was first published in 2003 and was last revised in 2013. Based on the dates in the proposal, HHS plans to publish the final rule in 2025, and regulated entities, including counties that create, receive, maintain, or transmit electronic protected health information (“ePHI”), would have to establish and implement the required policies, procedures, and practices within 180 days of the rule’s effective date. The proposed Security Rule would also require regulated entities to perform and document a compliance audit at least once every 12 months.
The quotations contained within this article have been taken directly from OCR’s Notice of Proposed Rulemaking (“NPRM”).
Which Counties are Impacted
Counties that are designated as HIPAA covered entities and HIPAA hybrid entities are required to comply with the Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Since most counties create, receive, maintain, or transmit ePHI while delivering health and human services, most counties are required to comply.
Entity size does not change the compliance requirements in the updated Security Rule. OCR makes clear in its proposal that it believes “it is just as important for small and rural health care providers to implement strong security measures as it is for larger health care providers and other categories of regulated entities.”
Why the Security Rule Update Should Not Be Ignored
Counties that do not actively manage HIPAA Security Rule compliance face civil money penalties that are tiered by culpability, with willful neglect at the top tier, and capped at $1.5 million per calendar year for violations of an identical provision (a figure that is adjusted annually for inflation). Separately, individuals who knowingly obtain or disclose individually identifiable health information in violation of HIPAA face criminal penalties of up to $250,000 and 10 years’ imprisonment in the most serious cases, such as misuse for commercial advantage, personal gain, or malicious harm.
There are three primary ways OCR discovers non-compliance:
1. Someone files a complaint (e.g., staff, patients, business associates)
2. A breach occurs and OCR investigates it
3. OCR selects the entity for review under its HIPAA audit program
Regulated entities are required to protect ePHI from “reasonably anticipated” threats and hazards, and ignorance of a requirement is not an acceptable defense for a violation. The good news is that the penalty tiers OCR applies take into account the effort an entity has made to protect ePHI. A county that commits a violation while it can document a good-faith effort to comply (a current risk analysis, a risk management plan, and evidence that the plan is being worked) will likely face more lenient treatment than a county that has disregarded its compliance obligations.
How Much Time, Resources and Effort Will Be Required to Comply
While HHS states that most of the existing Security Rule’s obligations for regulated entities would not be substantially changed by the proposed modifications, it simultaneously estimates that the proposed rule will result in first-year costs of approximately $9 billion and annualized costs of $6.8 billion thereafter.
The reality is that this will require a substantial investment of time, resources, and effort for most HIPAA regulated counties. This is because OCR is estimating cost and effort based on the assumption that most regulated entities are already compliant with the current Security Rule. However, this is not the case. The updated Security Rule proposal itself states that while conducting an audit of regulated entities against the current Security Rule, OCR found that “94 percent failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” This means that most counties likely still have a lot of work to do when it comes to catching up to existing Security Rule requirements, let alone the additional effort that will be required to come up to speed with the updated requirements.
What to Know About the Proposed Security Rule Updates
The NPRM (i.e., the proposal to update the Security Rule) is nearly 400 pages long, and the associated Fact Sheet highlights 30 new proposals and clarifications. Rather than reproduce the full list of new and updated cybersecurity control requirements, this section focuses on two key areas of the updated Security Rule: (1) Risk Analysis and (2) Audits & Testing.
(1) Risk Analysis
In the proposal, OCR states that “regulated entities are already required to conduct an accurate and thorough risk analysis. While not specified in the regulatory text of the Security Rule, an accurate and thorough risk analysis requires a regulated entity to perform an inventory of its technology assets, determine how ePHI moves through its information systems, and identify the locations within its information systems (or components thereof) where ePHI may be created, received, maintained, or transmitted. Applying such an approach protects ePHI across all phases of the data lifecycle consistent with the purpose of the Security Rule.”
To address the fact that most regulated entities today are not performing a thorough risk analysis, the proposed updates to the Security Rule include a new requirement to document a written assessment that contains, among other things:
- A review of the technology asset inventory
- A network map that illustrates the movement of ePHI throughout its electronic information systems, including but not limited to how ePHI enters and exits such information systems, and is accessed from outside of such information systems
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities
Additionally, regulated entities will be required to “review, verify, and update the written assessment on an ongoing basis, but in any event no less frequently than at least once every 12 months, and in response to a change in the regulated entity’s environment or operations that may affect ePHI.”
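As an added illustration, not part of OCR’s proposal, the original post, or any vendor’s product, the following Python script models the contents of the written assessment as data: a technology asset inventory, a set of ePHI flows from which the entry points, exit points, and ePHI-handling systems are derived, and a risk register with one scored row per threat/vulnerability pair, plus the 12-month (or change-triggered) review check. Two assumptions go beyond the proposal’s text: risk is scored as likelihood times impact on a 5-by-5 matrix with assumed High/Moderate/Low thresholds (the usual NIST SP 800-30 style), and the 12-month clock is modeled as 365 days. Every asset, flow, threat, and score is constructed sample data. The practitioner’s point is the inventory-gap check: a flow to a system that is not in the inventory (here `backup-nas`) means the inventory, and therefore the risk analysis built on it, is incomplete.

```python
from dataclasses import dataclass
from datetime import date, timedelta

EXTERNAL = "external"   # anything outside the county's own systems

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    stores_ephi: bool = False   # holds ePHI at rest

@dataclass(frozen=True)
class Flow:                     # one directed movement of ePHI
    src: str                    # asset name or EXTERNAL
    dst: str
    channel: str                # e.g. "sftp", "https", "hl7-vpn"

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    description: str
    likelihood: int             # 1 (rare) .. 5 (near certain) that it is exploited

@dataclass(frozen=True)
class Threat:
    description: str
    impact: int                 # 1 (negligible) .. 5 (severe) to C/I/A of ePHI
    exploits: tuple             # descriptions of the vulnerabilities it can use

def ephi_map(assets, flows):
    """Derive the network-map facts OCR lists: which inventoried assets handle
    ePHI, where it enters and exits, and flow endpoints missing from the inventory."""
    names = {a.name for a in assets}
    touching = {a.name for a in assets if a.stores_ephi}
    unknown, entries, exits = set(), [], []
    for f in flows:
        for end in (f.src, f.dst):
            if end != EXTERNAL:
                (touching if end in names else unknown).add(end)
        if f.src == EXTERNAL:
            entries.append((f.dst, f.channel))
        if f.dst == EXTERNAL:
            exits.append((f.src, f.channel))
    return {"ephi_assets": sorted(touching), "entry_points": sorted(entries),
            "exit_points": sorted(exits), "inventory_gaps": sorted(unknown)}

def risk_level(score):
    # Assumed thresholds for a 5x5 likelihood-by-impact matrix.
    return "High" if score >= 15 else "Moderate" if score >= 8 else "Low"

def risk_register(threats, vulns):
    """One row per (threat, vulnerability) pair, highest risk first."""
    by_desc = {v.description: v for v in vulns}
    rows = []
    for t in threats:
        for vdesc in t.exploits:
            v = by_desc[vdesc]          # KeyError = threat cites an unlisted vulnerability
            score = v.likelihood * t.impact
            rows.append({"asset": v.asset, "threat": t.description,
                         "vulnerability": vdesc, "score": score,
                         "level": risk_level(score)})
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows

def review_due(last_review, today, environment_changed=False):
    """At least every 12 months, and on any change that may affect ePHI (ISO dates)."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_review)
    return environment_changed or elapsed >= timedelta(days=365)

# Constructed sample data; not a real county's environment.
ASSETS = [
    Asset("ehr-db", "Public Health", stores_ephi=True),
    Asset("clinic-ws-12", "Public Health"),
    Asset("billing-app", "Finance", stores_ephi=True),
    Asset("gis-server", "Planning"),            # never touches ePHI
]
FLOWS = [
    Flow(EXTERNAL, "ehr-db", "hl7-vpn"),        # lab results in
    Flow("clinic-ws-12", "ehr-db", "https"),
    Flow("ehr-db", "billing-app", "sftp"),
    Flow("billing-app", EXTERNAL, "sftp"),      # claims out
    Flow("ehr-db", "backup-nas", "smb"),        # destination is not inventoried
]
VULNS = [
    Vulnerability("ehr-db", "unpatched database listener", 4),
    Vulnerability("clinic-ws-12", "shared local admin password", 3),
    Vulnerability("billing-app", "sftp host key not pinned", 2),
]
THREATS = [
    Threat("ransomware via remote exploit", 5, ("unpatched database listener",)),
    Threat("insider misuse of workstation", 3, ("shared local admin password",)),
    Threat("interception of claims file", 4, ("sftp host key not pinned",)),
]

if __name__ == "__main__":
    m = ephi_map(ASSETS, FLOWS)
    print("ePHI assets:", m["ephi_assets"], "inventory gaps:", m["inventory_gaps"])
    for r in risk_register(THREATS, VULNS):
        print(f'{r["level"]:8} {r["score"]:2}  {r["asset"]}: {r["threat"]}')
```

Running the script prints the ePHI-handling assets, the `backup-nas` inventory gap, and the register ordered from the highest score down, which is the order a risk management plan should work through. The review check is deliberately separate from the register so that a change in the environment (a new vendor connection, a migrated system) can force a re-review before the 12-month deadline.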
(2) Audits & Testing
The proposed Security Rule requires the following audits and tests:
- Perform and document an audit of compliance at least once every 12 months
- Review and test the effectiveness of security measures at least once every 12 months
- Perform vulnerability scanning at least every 6 months
- Conduct penetration testing at least once every 12 months
- Require business associates to certify technical safeguards at least once every 12 months
OCR does not “propose to specify” whether the compliance audit or the testing must be performed by the regulated entity or by an external party. It does specify that testing must be conducted by “qualified person(s)” with “appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity, and availability of ePHI.”
For counties, which often operate with constrained budgets and limited resources, OCR’s decision not to mandate external auditing and testing is welcome news. Occasionally engaging an external party to validate compliance and control effectiveness remains a recommended best practice, but such services carry a significant cost. Rather than paying every year for a point-in-time assessment whose findings are stale within weeks, counties will have the opportunity to invest in:
- Security education so that county employees can perform the auditing and testing tasks themselves.
- Internal security tools that the county can run continuously, 365 days a year.
Whoever performs the work, the county still has to show that the people involved meet the “qualified person(s)” bar and must document the scope, method, findings, and remediation of each audit, scan, and penetration test; an internal test that leaves no record does not demonstrate compliance.
How Counties Can Achieve HIPAA Compliance Now and After the 2025/2026 Updates
According to a National Committee on Vital and Health Statistics (“NCVHS”) survey referenced in the updated Security Rule proposal, “the majority of health care entities have failed to maintain a comprehensive security program.” Specifically, HHS has found that “most regulated entities failed to implement the Security Rule requirements for risk analysis and risk management, requirements that are fundamental to protecting the confidentiality, integrity, and availability of ePHI.”
Implementing an effective cybersecurity risk management program is the right place for counties to begin when planning how to comply with the current HIPAA Security Rule and the proposed updates.
Sectri’s cybersecurity risk management platform is helping counties across the country to govern their cybersecurity programs and successfully achieve HIPAA compliance. In fact, the risk analysis process described in OCR’s proposal is already built into the Sectri Platform. This means that counties using the platform can not only achieve HIPAA Security Rule compliance as it stands today, but they will also be positioned to quickly achieve compliance with the updated rules once they’ve been finalized.
To learn more about how other counties are leveraging the platform to achieve HIPAA compliance and audit readiness, visit www.sectri.com, email info@sectri.co, or schedule a time to meet with our team.