HHS Proposal for HIPAA Security Rule Update Approved

The White House has approved the proposed HIPAA Security Rule update from the U.S. Department of Health and Human Services (HHS). A Notice of Proposed Rulemaking (NPRM) draft has been published and will appear in the Federal Register by January 6, 2025. HHS is seeking feedback on the proposed rule from HIPAA-covered entities, healthcare sector stakeholders, and the public. Comments will be accepted for 60 days after the NPRM is published in the Federal Register.

This is the first major HIPAA Security Rule change in about ten years, and it follows the HHS Healthcare and Public Health Sector Cybersecurity Performance Goals published in January 2023. Those voluntary goals were intended to urge healthcare providers to improve cybersecurity; however, voluntary goals alone would be insufficient to achieve the behavioral changes needed across the industry.

The objective of the original HIPAA Security Rule was to require healthcare providers to implement security policies, procedures, and safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule was written to remain applicable for years without regular revisions to keep pace with technological developments. It was also designed to be flexible so that it would remain relevant to organizations of different types and sizes. As a result, the HIPAA Security Rule does not specify which technologies must be used to protect ePHI, and most of the implementation specifications in the original Security Rule are addressable rather than required.

Since the HIPAA Security Rule took effect, technology and cybersecurity have advanced significantly, and the substantial rise in cyberattacks on the Healthcare and Public Health (HPH) sector now makes stronger cybersecurity necessary. The proposed HIPAA Security Rule update addresses present and emerging cybersecurity threats. Updates to current cybersecurity requirements must reflect developments in technology and cybersecurity and ensure that physicians, health plans, and other healthcare providers meet their obligations to secure patients’ protected health information (PHI).

The proposed HIPAA Security Rule update runs to 393 pages and specifies the measures that HIPAA-regulated entities and their business associates must put in place to strengthen the protection of individuals’ PHI. In the last 5 years, reports of large data breaches (500 or more records) increased by 102%, and the number of people affected by data breaches increased by 1002%. The increase in breach victims is driven by an 89% increase in hacking incidents and a 102% increase in ransomware attacks since 2019. In 2023, 167 million people were affected by healthcare data breaches, and as of 30 November 2024, over 180 million people had been affected.

The proposed rule addresses areas of HIPAA Security Rule noncompliance and changes in the environment in which medical care is delivered. It incorporates the most recent cybersecurity guidelines, recommendations, techniques, and processes to strengthen protections against internal and external threats, and it takes into account court judgments that have affected compliance with the HIPAA Security Rule.

Important Requirements of the Proposed HIPAA Security Rule Update

The proposed HIPAA Security Rule update revises definitions and implementation specifications to reflect developments in technology and terminology, and it narrows the distinction between required and addressable implementation specifications. HIPAA-covered entities must document in writing all Security Rule policies, procedures, plans, and analyses, and the update sets specific compliance timelines for existing Security Rule specifications.

Covered entities must develop and maintain a technology asset inventory and a network map showing the flow of ePHI across their electronic information systems, and must update them at least every 12 months and whenever a change to the covered entity’s operations or environment may affect ePHI.

Risk analysis must be conducted with greater specificity. It must include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities and predisposing conditions in the covered entity’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit the vulnerabilities.

HIPAA-covered entities must undergo annual HIPAA compliance audits.

HIPAA-covered entities must establish contingency planning and security incident response procedures that include: restoring electronic information systems and data within 72 hours; a process for workforce members to report suspected or known security incidents; and procedures for testing and revising incident response plans.

With limited exceptions, HIPAA-covered entities must implement the following strengthened security measures:

  • Encryption of ePHI at rest and in transit
  • Network segmentation
  • Multi-factor authentication
  • Vulnerability scanning at least every six months
  • Penetration testing at least annually
  • Anti-malware protection
  • Removal of external software programs from relevant electronic information systems
  • Disabling of network ports in accordance with the covered entity’s risk analysis
  • Separate technical controls for backup and restoration of ePHI and electronic information systems
  • Annual review and testing of the effectiveness of certain security measures

Certain covered entities must be notified within 24 hours when a workforce member’s access to ePHI or electronic information systems is changed or terminated. Business associates must notify covered entities without undue delay, and no later than one day, after activating their contingency plans.

Business associates and subcontractors must provide annual verification by a subject matter expert that their technical safeguards comply with the Security Rule.

The proposed Security Rule update will be published in the Federal Register before President Trump’s inauguration; however, it is the Trump-Vance administration that will decide whether to move ahead with it. There is nonetheless strong support for stronger cybersecurity requirements in the healthcare industry. According to Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger, the projected cost of implementing the Security Rule update is $9 billion in the first year and $6 billion in each of the following four years.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.