Skip to content

[REVIEW] hipaa-review: separate NPRM readiness from current rule scoring #218

Description

@mlodygbelmondo

Skill Being Reviewed

Skill name: hipaa-review
Skill path: skills/compliance/hipaa-review/

False Positive Analysis

Benign current-rule HIPAA finding that can be over-reported if proposed requirements are mixed into enforceable CFR scoring:

Technical Safeguards:
  164.312(a)(2)(iv) Encryption and decryption: Addressable
  Encryption at rest: documented risk decision and compensating controls
  MFA: deployed for remote access and admins, rollout in progress for all ePHI-touching users
  Vulnerability scanning: annual external scan, no six-month cadence yet
  Penetration testing: performed every 18 months

Why this can be misleading:

HHS/OCR issued a HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) in December 2024/January 2025 that would require stronger controls such as encryption of ePHI at rest and in transit, MFA, vulnerability scanning at least every six months, annual penetration testing, network segmentation, and removal of the required/addressable distinction with limited exceptions. HHS's fact sheet also states that while rulemaking is underway, the current Security Rule remains in effect.

The skill currently has no NPRM/current-rule boundary. It correctly treats addressable specifications as not optional under the current rule, but it does not give reviewers a way to record proposed-rule readiness without scoring proposed requirements as current enforceable CFR failures.

Coverage Gaps

Missed variant 1: proposed MFA/encryption/scanning requirements are not tracked as proposed

Finding: MFA is not required for every user accessing ePHI
Mapped as: current HIPAA Security Rule failure
Missing: proposed-rule readiness status and current-rule citation boundary

The current Security Rule requires access controls and addressable encryption mechanisms, while the NPRM proposes more specific requirements. Review output should separate:

  • current enforceable CFR requirement;
  • current OCR enforcement expectation or strong recommendation;
  • proposed NPRM requirement;
  • readiness gap for expected future rule; and
  • not applicable / exception evidence.

Missed variant 2: compliance scoring can conflate current and future controls

Overall HIPAA compliance: Non-compliant
Reasons:
  - no universal MFA
  - no six-month vulnerability scanning
  - no annual penetration test

Those may be important readiness gaps, but the report should not use proposed cadence/control requirements as the sole basis for a current-law non-compliance rating unless there is a current Security Rule citation and evidence rationale.

Missed variant 3: business associate readiness evidence is not versioned

BAA review:
  annual technical safeguard certification: missing
  24-hour contingency-plan activation notice: missing

The NPRM proposes additional business-associate verification and notification requirements. The skill should capture them in an NPRM readiness section with source/date and final-rule status, rather than treating missing NPRM terms as current BAA defects.

Edge Cases

  • An organization may voluntarily adopt NPRM-aligned controls before finalization. The report should mark that as readiness maturity, not confuse it with current CFR pass/fail.
  • OCR can still consider encryption, MFA, patching, and scanning under current risk analysis/risk management expectations. The output should allow current-rule findings when the evidence supports them, but the citation boundary must be explicit.
  • If a final rule is later published, the skill should require a source-date check so the proposed-rule readiness section can be retired or converted to current requirements.
  • Some regulated entities may rely on limited exceptions or compensating controls. The review should require documented exception rationale and affected-system scope.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add a HIPAA regulatory-status preflight and separate output sections for current Security Rule compliance, OCR enforcement/readiness recommendations, and NPRM/future-rule readiness. Add source-date/final-rule-status fields for proposed controls before using them in scoring.

Comparison to Other Tools

Tool Catches this? Notes
HHS HIPAA Security Rule NPRM fact sheet Yes Lists proposed controls and states the current Security Rule remains in effect during rulemaking.
Current HIPAA Security Rule text Partial Defines current CFR requirements but does not cover proposed future controls.
Current skill output No Has no regulatory-status/source-date boundary for NPRM requirements.

Overall Assessment

Strengths:

  • Strong CFR citation discipline and required/addressable distinction.
  • Good scope model across covered entities, business associates, hybrid entities, ePHI inventory, and safeguard categories.
  • Useful enforcement-oriented guidance around risk analysis, encryption, contingency planning, and documentation.

Needs improvement:

  • Add regulatory-status tracking for the HIPAA Security Rule NPRM.
  • Separate current enforceable findings from proposed-rule readiness gaps.
  • Add source-date and final-rule-status fields so future rule changes do not silently alter scoring.
  • Add proposed-rule readiness fields for MFA, encryption, vulnerability scanning, penetration testing, network segmentation, asset inventory/network maps, BA certification, and contingency-plan activation notice.

Priority recommendations:

  1. Add a preflight section: current_rule_source, nprm_source, nprm_status, assessment_date, and final_rule_checked.
  2. Split output into Current Security Rule Compliance Findings and NPRM/Future-Rule Readiness Gaps.
  3. Require every finding to include citation_type: current CFR, OCR guidance/enforcement expectation, proposed NPRM requirement, or voluntary readiness recommendation.
  4. Prevent proposed requirements from driving current compliance percentages unless a current-rule citation and rationale are also supplied.

References

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: To be provided privately after acceptance.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions