HHS issues HIPAA Security Rule Update Notice
The Department of Health and Human Services and the Office for Civil Rights announced that they will solicit comment on a proposal to change the security standards for protecting electronic protected health information under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.
To strengthen healthcare cybersecurity and address concerns about the alarming growth in breaches reported to OCR, the proposed changes – which will be published in the Federal Register on January 6, 2025 – aim to address significant changes in technology, breach trends, enforcement, best practices and methodologies for protecting ePHI, and court decisions that affect security enforcement.
WHY IT’S IMPORTANT
Now that the White House’s review of the proposed changes to the HIPAA Security Rule has been completed, HHS will issue a… Notice of Proposed Rulemaking that includes several new proposals and clarifications, such as removing the distinction between “required” and “addressable” specifications and making all specifications mandatory, with limited exceptions.
According to an agency fact sheet, the proposed regulations, released Friday, support the Biden-Harris administration’s 2023 National Cybersecurity Strategy and the implementation plan released earlier this year. The proposals are also consistent with the agency’s Healthcare Sector Cybersecurity draft document published last year.
The plans include the publication of voluntary cybersecurity best practices and a strategy for increased cybersecurity enforcement and accountability, the agency said.
“Cyber attacks continue to impact the healthcare industry, with the rampant escalation of ransomware and hacking causing a significant increase in the number of major breaches reported to OCR annually,” OCR Director Melanie Fontes Rainer said in a statement.
“The number of people affected has increased exponentially each year, a number that we expect will increase this year with the Change Healthcare breach, the largest breach of our healthcare system in U.S. history.”
HHS Assistant Secretary Andrea Palm added that the proposed rule is critical “to ensure that healthcare providers, patients and communities are not only better prepared for a cyberattack, but also more secure and resilient.”
THE BIG TREND
OCR said that between 2018 and 2023, reports of major breaches increased by 102%, while the number of affected individuals increased by 1,002%. Last year, more than 167 million people were affected by major breaches, setting a new record.
The agency said that because it has identified common deficiencies in its security compliance investigations, it is proposing stricter documentation requirements for all involved entities.
“The risks and deficiencies that OCR has observed in its enforcement experience convince us that we should consider adding an express requirement for a regulated entity to conduct an accurate and thorough written inventory of its technology assets and a network map,” HHS said in the NPRM.
A better understanding of physical and technical security safeguards can help the agency strengthen its HIPAA audits, a sentiment echoed in a review of OCR’s HIPAA audit program from January 2016 through December 2020.
The Office of the Inspector General said last month that OCR was largely ineffective at preventing health information breaches.
ON THE RECORD
“The increasing frequency and complexity of cyberattacks in healthcare pose a direct and significant threat to patient safety,” Palm said in a statement.
“These attacks endanger patients by exposing vulnerabilities in our healthcare system, eroding patient trust, disrupting patient care, distracting patients and delaying medical procedures.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.