19 March 2025

HHS Office For Civil Rights Proposes Measures To Strengthen Cybersecurity In Health Care Under HIPAA

Foley Hoag LLP


Foley Hoag provides innovative, strategic legal services to public, private and government clients. We have premier capabilities in the life sciences, healthcare, technology, energy, professional services and private funds fields, and in cross-border disputes. The diverse experiences of our lawyers contribute to the exceptional senior-level service we deliver to clients.

The Department of Health and Human Services (HHS) has proposed significant modifications to the HIPAA Security Rule, issued under the authority of HIPAA and the HITECH Act, to strengthen cybersecurity protections for electronic protected health information (ePHI). The notice of proposed rulemaking (NPRM) is the first substantial update to the Security Rule's cybersecurity standards since 2013 and aims to address modern threats and technological change in healthcare. According to HHS, the proposed rule, for which HHS is accepting comments until early March 2025, would clarify and give more specific instruction on what covered entities and their business associates must do to protect ePHI. Key aspects of the proposed regulation include:

Proposed Changes

  • Updating Definitions: The proposal clarifies and adds new definitions for terms like "access," "authentication," "multi-factor authentication," and "vulnerability" to reflect current cybersecurity concepts.
  • Strengthening Administrative Safeguards: HHS aims to enhance requirements for risk analysis, risk management, and workforce security measures.
  • Enhancing Physical Safeguards: The proposal includes updates to physical security measures for protecting ePHI and associated systems.
  • Improving Technical Safeguards: New provisions focus on strengthening access controls, audit controls, and transmission security.
  • Organizational Requirements: The proposal updates standards for business associate contracts and group health plan requirements.

Rationale and Context

  • Evolving Healthcare Environment: HHS cites significant changes in healthcare delivery and technology since the Security Rule was last revised in 2013.
  • Increasing Cybersecurity Threats: The proposal responds to alarming growth in data breaches and cyberattacks affecting the healthcare sector.
  • Critical Infrastructure Protection: The changes align with the designation of healthcare as a critical infrastructure sector by the President.

A fact sheet on the HIPAA Security Rule NPRM is available at: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet.

Originally published 30 December 2024

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
