
In December 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). OCR administers and enforces the Security Rule, which establishes national standards for the protection of individuals’ ePHI by covered entities (health plans, health care clearinghouses, and most health care providers), and their business associates (together, regulated entities). The proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.

Public comments were due by March 7, 2025. If finalized, organizations will have 240 days to comply (60 days after the final rule is published, plus an additional 180 days). Business associate agreements must be updated within one year of the final rule’s effective date.

The recent change in administration has created uncertainty about whether the rule will be finalized under the new administration. Because cybersecurity is the greatest threat to the healthcare sector, it is likely that some, if not most, of these measures will still be implemented. It was reported that seven industry groups co-signed a letter to President Trump and HHS Secretary Robert F. Kennedy, Jr., requesting that they rescind the proposed rule.

Should the rule go into effect, covered entities will have to implement several administrative measures, including increased documentation and compliance requirements. In addition to these administrative responsibilities, healthcare organizations will also have to ensure compliance with enhanced technical security measures.

While OCR has not made any announcements at this time, healthcare organizations should consider adopting the following security measures, if they are not yet in place:

  • Multifactor authentication
  • Network segmentation
  • Data encryption
  • Vulnerability scanning and penetration testing
  • Technical controls for backup and recovery of ePHI and relevant electronic information systems
  • Deploying anti-malware protection
  • Removing extraneous software from relevant electronic information systems
  • Disabling network ports in accordance with the regulated entity’s risk analysis
  • Encryption of ePHI at rest and in transit, with limited exceptions

A full list of proposed changes can be reviewed in the fact sheet, “HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information,” found on OCR’s website.

Did you know?

Did you know that The van Halem Group offers a HIPAA Compliance Solution that meets the current HIPAA Security Rule requirements, and even some of the enhanced measures listed in the proposed rule? Our HIPAAwise software gives small to medium providers access to customizable HIPAA policies and procedures, Security Risk Analyses, Inventory Tracking, HIPAA training, and more! Contact us today to learn more about HIPAAwise!
