On January 6, 2025, the Department of Health and Human Services (HHS) published proposed regulations which, if finalized, will significantly update and expand the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The proposed rules aim to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector”, as explained further in the fact sheet issued by HHS.

Background

The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (PHI). For more information on the Security Rule, see the HHS article, Summary of the HIPAA Security Rule.

Although employers are not considered covered entities under HIPAA, their self-insured health plans, including medical plans, health reimbursement arrangements (HRAs), and flexible spending accounts (FSAs), are subject to the law. In addition, employers with access to their employees’ PHI must comply with the HIPAA Security Rule when handling employee PHI.

Proposed Rule

The proposed rule intends to increase cybersecurity for electronic PHI by addressing the changing healthcare environment, increased breaches and cyberattacks, common compliance errors and identified best practices, among other matters. Highlights include (not exhaustive):

  • New and updated definitions.
  • Clarification that the Security Rule’s general requirements apply to all electronic PHI that a covered entity creates, receives, maintains, or transmits and that, as such, covered entities and business associates must ensure their workforces comply with the Security Rule.
  • Explanation and clarification that all implementation specifications of the Security Rule are required unless an exception applies, with elaboration on what is “required” vs. “addressable”.
  • Requirement to maintain (and annually update) an inventory of technology assets and a network map of electronic information systems.
  • Requirement to adopt several written policies and procedures, with an emphasis on ongoing maintenance, including a written contingency plan related to a cybersecurity attack.
  • Addition of specific compliance time periods for many existing requirements.
  • Requirements specific to business associates, which would require covered entities to obtain written verifications (annually) from business associates that the business associates have complied with HIPAA technical safeguards (business associates would also be expected to obtain such verification from any subcontractors); and updated business associate agreements (BAAs).
  • Additional details and requirements when performing the risk analysis and security management process, including requiring artificial intelligence (AI) tools (if utilized by a covered entity) to be included in any risk analysis and management process.

Employer Takeaways

If finalized as proposed, the HIPAA Security Rule would be substantially changed, requiring certain employer plan sponsors to review and update current processes and policies. In light of the numerous potential changes and new requirements, covered entities (as explained above) should familiarize themselves with the proposed rules. It is unknown how the Trump administration may respond to the proposed rules (i.e., whether the administration would provide changes to the proposed rules or choose not to finalize them). Comments are currently permitted through March 7, 2025 (60 days after the proposed rules were published) and Sequoia will continue to monitor and communicate updates.

Additional Resources

Connect with a Sequoia consultant to learn how Sequoia’s compliance services are integrated in our benefits services and tailored solutions. And if you’re already a Sequoia client, stay on top of your employer obligations with your Compliance Checklist that highlights important compliance dates, action items, and resources.

The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog. © 2025 Sequoia Consulting Group. All Rights Reserved.

Diane Cross — Diane is a Client Compliance Consultant for Sequoia, where she works with our clients to optimize and streamline benefits compliance. In her free time, Diane enjoys spending time with her family, live music, and cycling.