
Federal regulators want every organization that holds people's health information to work a lot harder to protect that information from intruders.

The U.S. Department of Health and Human Services Office for Civil Rights has proposed a 393-page package of upgrades to the current Health Insurance Portability and Accountability Act data security requirements. Adopting the changes could cost the affected organizations about $9 billion in the first year and $6 billion per year after that, officials estimate.


The new HIPAA cybersecurity requirements would apply to all "regulated entities." That includes both "covered entities" — hospitals and health insurers — and the covered entities' "business associates," such as lawyers, accountants, billing services, benefits brokers, benefits consultants and any other individuals or organizations that touch patients' health information.

The proposal would also create new cybersecurity requirements for employers that sponsor health plans and get protected health information from the plans.


Regulation mechanics: The HHS Office for Civil Rights unveiled a preliminary version of the draft regulations last week. The office plans to make Monday the official Federal Register date. Comments will be due 60 days after the official publication date.

Proposal details: The draft regulations would require a regulated entity to:

  • Create lists of technology assets and maps showing how health information flows through the entity's electronic systems.
  • Update the technology lists and network maps at least once every 12 months.
  • Create written analyses of the network vulnerabilities.
  • Require vulnerability scanning at least once every six months and penetration testing at least once every 12 months.
  • Develop written procedures to restore the loss of some key systems and data within 72 hours.
  • Warn other regulated entities when workers who have access to protected health information leave. ("A workforce member's access must be terminated... no later than one hour after the employment of, or other arrangement with, a workforce member ends," according to the introduction to the proposed regulations.)
  • Require business associates to verify at least every 12 months that they're meeting the new cybersecurity standards.
  • Go through data security audits at least once every 12 months.
  • Require workers to use multifactor authentication to get into networks carrying protected health information.

Multifactor authentication: The proposed regulations would also create an official definition of "multifactor authentication" and require people to use MFA to get access to people's health information in most cases.

Regulated entities would have to check to see whether users are who they say they are by verifying "at least two of three categories of factors of information about the user."

The three categories would be:

  • Information known by the user, such as a password or personal identification number.
  • An item possessed by the user, such as a physical token or a card.
  • The personal characteristics of the user, such as a user's fingerprint, face, gait or typing cadence.

"Authentication that relies on multiple instances of the same factor, such as requiring a password and PIN, is not MFA, because both factors are 'something you know,'" officials say in the introduction to the proposed regulations.

Cybercriminals will have a much more difficult time getting access to protected health information if they have to provide a token or get through a fingerprint check as well as providing a password, officials say.
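As an added illustration (not from the article or from the proposed rule text), the following Python check applies the "at least two of three categories" definition quoted above to constructed login records and flags access that would not count as MFA, including the password-plus-PIN case. The authenticator-to-category mapping and the sample events are assumptions made for this example.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories named in the proposed definition."""
    KNOWLEDGE = "something the user knows"   # password, PIN
    POSSESSION = "something the user has"    # physical token, card
    INHERENCE = "something the user is"      # fingerprint, face, gait, typing cadence


# Assumed classification of common authenticator types (constructed for this example).
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "typing_cadence": Factor.INHERENCE,
}


def factor_categories(authenticators):
    """Map the authenticators used in one login to the set of distinct categories."""
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {AUTHENTICATOR_CATEGORY[a] for a in authenticators}


def is_mfa(authenticators):
    """True only if at least two *distinct* categories were verified."""
    return len(factor_categories(authenticators)) >= 2


# Constructed sample login events to systems holding ePHI (not real data).
SAMPLE_LOGINS = [
    {"user": "nurse01", "system": "ehr-prod", "auth": ["password", "hardware_token"]},
    {"user": "billing07", "system": "claims-db", "auth": ["password", "pin"]},
    {"user": "admin02", "system": "ehr-prod", "auth": ["password"]},
    {"user": "dr_lee", "system": "ehr-prod", "auth": ["fingerprint", "smart_card"]},
]


def non_mfa_logins(events):
    """Return (user, system, categories) for each login that fails the two-category test."""
    findings = []
    for e in events:
        cats = factor_categories(e["auth"])
        if len(cats) < 2:
            findings.append((e["user"], e["system"], sorted(c.name for c in cats)))
    return findings
```

Running `non_mfa_logins(SAMPLE_LOGINS)` flags the password-plus-PIN login and the password-only login, while the token-plus-password and fingerprint-plus-card logins pass.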

Employer plan impact: Officials note that the HIPAA statute and HIPAA data Security Rule already require employers to "reasonably and appropriately safeguard ePHI ([electronic protected health information]) created, received, maintained, or transmitted."

But plan sponsors are not directly liable for compliance with the HIPAA data security regulations because they are not covered entities or business associates under HIPAA, and some group health plans may not be doing enough to make plan sponsors keep electronic health information safe, officials say.

The HHS Office for Civil Rights hopes to change that by requiring that the plan documents of the group health plan "obligate a plan sponsor or any agent to whom it provides ePHI to implement the administrative, physical, and technical safeguards of the Security Rule."

When an employer helps administer a group health plan or perform similar functions, "we believe that such information must be protected by plan sponsors in the same manner in which it is protected by group health plans and other regulated entities," officials say.

The thinking: Aggressive action is needed because cyberattacks on health care organizations are causing terrible harm, officials say.

"In 2019, a ransomware attack may have contributed to a baby's death at an Alabama hospital," according to the introduction to the regulations. "A change in the baby's fetal heart rate went unnoticed because the large digital display that normally would have displayed the information was affected by the attack. The baby, born with her umbilical cord wrapped around her neck, suffered severe brain damage and died nine months later."

In 2020, a worker at a big academic health care system opened one dangerous email attachment.

The resulting attack affected about 5,000 computers and phones and led to $63 million in revenue losses, officials say.

They estimate that the benefits of reducing the number of people affected by health data breaches by 7% to 16% per year would offset the ongoing compliance costs.

The future: The idea of improving U.S. data security has been a bipartisan issue, but health policy lawyers at Nixon Peabody predict in a commentary that the proposed health cybersecurity regulations will face challenges when President-elect Donald Trump returns to the White House.

"With the new administration's focus on cutting health care costs, the content and timing of a final rule related to these proposed measures is uncertain," the lawyers write.


Allison Bell

Allison Bell, a senior reporter at ThinkAdvisor and BenefitsPRO, previously was an associate editor at National Underwriter Life & Health. She has a bachelor's degree in economics from Washington University in St. Louis and a master's degree in journalism from the Medill School of Journalism at Northwestern University. She can be reached through X at @Think_Allison.