At the start of January, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposed extensive updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The Proposed Rule would modify the Security Standards for the Protection of Electronic Protected Health Information (Security Rule).
The rule would operate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
The Notice of Proposed Rulemaking was published in the Federal Register on January 6, 2025. It aims to strengthen the cybersecurity requirements that protect electronic protected health information (ePHI) against cybersecurity threats.
The HHS Office for Civil Rights (OCR) stated that the proposed rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to address better ever-increasing cybersecurity threats to the health care sector.”
This is the first update to the Security Rule in more than ten years. Below is an overview of important proposed changes and clarifications.
Significant Proposed Changes
The proposed updates include several key changes that align with current cybersecurity best practices.
Elimination of “Addressable” vs. “Required” Distinction
The proposal removes the distinction between “addressable” and “required” implementation specifications, clarifying that all Security Rule specifications are mandatory.
Mandatory Technology Asset Inventory
All organizations will be required to develop and maintain a detailed inventory of technology assets and network maps. This will provide better visibility, transparency, and protection of electronic protected health information (ePHI).
Enhanced Risk Analysis Requirement
The proposal provides specific guidelines for conducting thorough risk assessments. This includes documenting the risks to each system identified in the technology asset inventory.
Disaster Recovery and Incident Response
Covered entities and business associates must implement documented contingency plans that ensure critical data can be restored within 72 hours of a loss.
Stricter Access Controls
Updated requirements will better regulate workforce access to ePHI, including mandatory immediate termination of access for departing employees.
Annual Business Associate Verification
Covered entities will be required to obtain annual written verification that their business associates comply with the HIPAA Security Rule.
Mandatory Annual Compliance Audits
Organizations must conduct yearly HIPAA Security Rule compliance audits.
Implementation of Security Controls
The proposal mandates several technical safeguards, including:
- Encryption of ePHI at rest and in transit
- Multi-factor authentication
- Regular patch management
- Annual penetration testing
- Bi-annual vulnerability scans
- Network segmentation
- Anti-malware protection
- ePHI backup and recovery procedures
Impact on Healthcare Organizations
Organizations that have already adopted the cybersecurity practices in the proposed requirements may find many of these controls already in place. The new administrative requirements, including policy documentation and updates, may still pose challenges.
For organizations still working toward compliance with the existing HIPAA Security Rule, the proposed changes will require additional financial and human resources to meet the new standards of the HIPAA Upgrade Act.
Further Implications
The new rule would require covered entities to provide patients with their information and records within 15 days, down from the current 30 days. This change aligns with efforts to improve patients’ access to their health and personal information.
HHS has opened the proposed changes for public comment; the comment period closes on March 7th, 2025.
Healthcare providers, business associates, and other stakeholders are encouraged to review the rule and submit feedback before it is finalized.
The proposed HIPAA Security Rule update represents a significant shift in the cybersecurity regulatory compliance landscape.
As cyber threats continue to evolve, healthcare providers and the wider healthcare sector need to keep patient data protected as technology advances.