The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has unveiled a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule in an effort to bolster cybersecurity protections for electronic protected health information (ePHI).
The proposed changes aim to address the growing cybersecurity threats facing the healthcare sector by updating and strengthening compliance standards.
The HIPAA Security Rule, first established in 1996, sets national requirements for safeguarding ePHI, applying to covered entities such as health plans, healthcare clearinghouses, most healthcare providers, and their business associates.
Building on the Biden Administration’s commitment to protecting critical infrastructure, this proposal introduces significant revisions to improve the healthcare industry’s resilience against cyberattacks.
The proposed rule aligns with broader federal efforts, including the National Cybersecurity Strategy, initially launched by the Biden-Harris Administration in 2023 and updated in May 2024.
HHS also released the Healthcare Sector Cybersecurity Concept Paper in 2023, outlining voluntary best practices for cybersecurity and a strategy for enhanced enforcement. Today’s NPRM continues these efforts by integrating cybersecurity improvements directly into the HIPAA Security Rule.
Key Proposed Updates to the HIPAA Security Rule
HHS’s proposed changes aim to modernize the Security Rule by eliminating outdated provisions, enhancing clarity, and introducing stronger safeguards. Among the most notable updates, the NPRM proposes the following:
Streamlined and Standardized Requirements
- Eliminate the distinction between “required” and “addressable” implementation specifications, mandating compliance with all specifications (with limited exceptions).
- Require all Security Rule policies, procedures, plans, and analyses to be documented in writing.
Enhanced Risk Management and Compliance Measures
- Introduce explicit compliance deadlines for existing requirements.
- Require regulated entities to maintain a technology asset inventory and a network map tracking the movement of ePHI, updated at least annually or after any significant operational changes.
- Require a more detailed risk analysis, including a written assessment of potential threats, vulnerabilities, and their likelihood of exploitation for each electronic information system handling ePHI.
Stronger Incident Response Protocols
- Mandate that regulated entities notify certain workforce members within 24 hours when their access to ePHI is changed or terminated.
- Require entities to establish written contingency plans to restore lost electronic systems and data within 72 hours of an incident.
- Develop and test detailed security incident response plans to manage suspected or known cybersecurity breaches.
Technical Safeguards for ePHI
- Mandatory encryption: ePHI must be encrypted both at rest and in transit, with limited exceptions.
- Introduce measures such as multi-factor authentication, vulnerability scanning every six months, and annual penetration testing.
- Require network segmentation to limit the impact of potential threats.
- Deploy security-enhancing technical controls like anti-malware software, removal of extraneous software, and disabling unused network ports.
Audits and Accountability
- Regulated entities must conduct annual compliance audits to ensure adherence to the Security Rule.
- Business associates and their subcontractors must certify, in writing, that they have implemented technical safeguards as required by the Security Rule. These certifications must be completed at least once every 12 months.
- Group health plans must revise plan documents to ensure sponsors comply with administrative, physical, and technical safeguards.
Additional New Requirements
- Backup and recovery systems for ePHI must include separate technical controls.
- Regulated entities must regularly test the effectiveness of their cybersecurity measures at least once per year.
- Business associates and subcontractors must notify covered entities of contingency plan activations within 24 hours.
Public Input Encouraged
While the current HIPAA Security Rule remains in effect, the proposed updates represent a significant step toward strengthening cybersecurity practices in healthcare.
HHS is inviting feedback from all stakeholders, including healthcare providers, health plans, patients, professional associations, and consumer advocates.
Comments can be submitted through regulations.gov during the 60-day public comment period following publication of the NPRM in the Federal Register. HHS has also announced plans for a Tribal consultation meeting, with details forthcoming.
This NPRM underscores the federal government’s growing emphasis on healthcare cybersecurity, balancing the need for robust data protection with operational feasibility for regulated entities. If adopted, these measures will significantly raise the cybersecurity baseline across the healthcare industry.