The Department of Health and Human Services (HHS) has proposed significant modifications to the HIPAA Security Rule and the HITECH Act in an attempt to strengthen cybersecurity protections for electronic protected health information (ePHI). This proposed rulemaking represents a significant update to HIPAA cybersecurity standards, aiming to address modern threats and technological advancements in healthcare. According to HHS, the proposed rule, for which HHS is accepting comments until early March, would clarify and provide more specific instruction about what entities and their business associates would have to do to protect health information. Key aspects of the proposed regulations include:
Proposed Changes
- Updating Definitions: The proposal clarifies and adds new definitions for terms like "access," "authentication," "multi-factor authentication," and "vulnerability" to reflect current cybersecurity concepts.
- Strengthening Administrative Safeguards: HHS aims to enhance requirements for risk analysis, risk management, and workforce security measures.
- Enhancing Physical Safeguards: The proposal includes updates to physical security measures for protecting ePHI and associated systems.
- Improving Technical Safeguards: New provisions focus on strengthening access controls, audit controls, and transmission security.
- Organizational Requirements: The proposal updates standards for business associate contracts and group health plan requirements.
Rationale and Context
- Evolving Healthcare Environment: HHS cites significant changes in healthcare delivery and technology since the Security Rule was last revised in 2013.
- Increasing Cybersecurity Threats: The proposal responds to alarming growth in data breaches and cyberattacks affecting the healthcare sector.
- Critical Infrastructure Protection: The changes align with the designation of healthcare as a critical infrastructure sector by the President.
A fact sheet on the HIPAA Security Rule NPRM is available at: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet.
Originally published 30 December 2024