Upcoming Changes to HIPAA Security Rule


In response to the growing cybersecurity threats facing the healthcare sector, the Department of Health and Human Services (HHS) has recently issued a Notice of Proposed Rulemaking (NPRM) that aims to strengthen the HIPAA Security Rule and improve the security measures protecting electronic protected health information (ePHI). This NPRM, scheduled for publication on January 6, 2025, represents the latest step in the ongoing effort to update the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which have long been foundational to data security and privacy protections in healthcare.


Overview of the NPRM for HIPAA and HITECH


The NPRM aims to modernize the HIPAA Security Rule to address changes in the healthcare environment, including the rapid advancement of technology and the rise in cyberattacks targeting sensitive health data. The proposed modifications reflect the department's commitment to maintaining the confidentiality, integrity, and availability of ePHI in a landscape increasingly shaped by sophisticated cyber threats, technological advancements, and evolving healthcare practices.


The proposed changes to the Security Rule would impact how healthcare providers, insurers, and their business associates handle ePHI, requiring enhanced measures to mitigate emerging risks. Key proposals in the NPRM include:


  1. Updated Definitions and Clarifications: The NPRM aims to update the definitions related to ePHI, access controls, encryption, and multi-factor authentication (MFA), among others. These updates seek to provide clarity on how healthcare entities should apply these concepts to ensure compliance with modern cybersecurity best practices.

  2. Cybersecurity Enhancements: The rule introduces new requirements for regulated entities to conduct regular vulnerability assessments, apply robust encryption practices for ePHI, and implement stronger access controls for system users. These measures are designed to combat the growing number of breaches and cyberattacks in the healthcare sector, which continue to threaten patient data and organizational operations.

  3. Incident Response and Recovery: Healthcare entities would also be required to implement more effective incident response and recovery processes. The aim is to ensure that, in the event of a data breach or security incident, entities can quickly contain the breach and restore normal operations while minimizing the impact on patient care and data security.

  4. Risk Analysis and Asset Management: As part of the new rules, entities would need to conduct thorough risk analyses and maintain an inventory of their technology assets. This proactive approach helps identify vulnerabilities in systems that handle ePHI and implement measures to protect those systems from potential attacks.


These proposed updates reflect HHS's goal of adapting the HIPAA and HITECH regulations to the challenges of modern healthcare IT systems while providing greater clarity and support to healthcare organizations striving to comply with these critical security standards.


The HIPAA and HITECH Regulatory Landscape


The HIPAA Security Rule was first established in 2003 and revised in 2013, but the rapid growth of cybercrime and the increasing reliance on electronic healthcare records and digital systems necessitate continuous updates to these rules. The HITECH Act of 2009, which expanded HIPAA's reach, particularly emphasized the need for stricter security measures for electronic health records (EHRs) and introduced penalties for violations. The current proposed rule would extend these frameworks, emphasizing that healthcare organizations must evolve their cybersecurity practices in line with these legislative mandates.


The HITECH Act has been instrumental in pushing for stronger protections around ePHI through the expansion of the HIPAA regulations, particularly by requiring business associates to adhere to the same security standards as healthcare providers. This was a significant shift in responsibility, reflecting the broader role that third-party service providers now play in healthcare technology ecosystems.


A Look Back: The Privacy Rulemaking in 2021


In 2021, a significant Privacy Rulemaking took place under HIPAA in response to feedback and evolving privacy concerns. This rulemaking aimed to refine and modernize the HIPAA Privacy Rule, which governs the use and disclosure of protected health information (PHI). The 2021 rulemaking process was a crucial step in improving privacy protections, particularly in an era where healthcare data is increasingly shared across platforms, and individuals are more concerned about how their personal health information is used and disclosed.


Key aspects of the 2021 Privacy Rulemaking included:


  1. Modifications to Health Data Sharing: One of the major changes in the 2021 Privacy Rule was an effort to improve data sharing between healthcare providers, insurers, and patients. The rule facilitated easier access to PHI for individuals while ensuring that healthcare entities could still share necessary information for treatment and healthcare operations, all while maintaining strong privacy safeguards.


  2. Patient Access to Information: The 2021 changes emphasized increasing patient access to their health data, allowing individuals to request their health records more easily from providers. It also addressed issues surrounding data blocking, ensuring that entities could not unduly restrict patients' ability to access their own health data.


  3. Accountability and Enforcement: The Privacy Rule was updated to strengthen enforcement provisions and improve accountability for healthcare organizations. This includes stricter penalties for violations, particularly concerning the improper use or disclosure of PHI, and the increased ability for patients to file complaints directly with the Office for Civil Rights (OCR).


  4. Streamlining Communications: The 2021 rulemaking also sought to streamline communication between healthcare organizations and patients, enabling faster and more efficient exchange of necessary healthcare data while reducing administrative burdens. These efforts were aimed at improving overall healthcare delivery by removing friction points in the sharing of critical health information.


  5. Telehealth and Remote Care: Given the accelerated shift to telehealth services, especially during the COVID-19 pandemic, the 2021 Privacy Rule provided clearer guidelines for the privacy and security of telehealth interactions. This included ensuring that healthcare providers followed proper protocols when delivering services remotely, maintaining privacy and data security during virtual consultations.


While the 2021 Privacy Rulemaking focused on enhancing privacy protections and streamlining data-sharing processes, the 2024 HIPAA Security Rule NPRM focuses on improving the security of electronic health information, particularly in response to the increasing cybersecurity risks the healthcare industry faces today.


The Path Forward: Ensuring Robust Security and Privacy


The NPRM for HIPAA and HITECH represents a timely and necessary update to the healthcare sector’s approach to data security and privacy. As healthcare organizations continue to adopt new technologies and digital health tools, it is essential that HIPAA and HITECH evolve to ensure these entities can meet the growing cybersecurity challenges.

This NPRM will likely influence healthcare compliance strategies for years to come, pushing organizations to adopt more comprehensive cybersecurity practices, maintain stronger controls on ePHI, and ensure more robust incident response mechanisms.


As the public comment period for the proposed changes is set to begin, healthcare professionals, organizations, and stakeholders are encouraged to review the proposed rule and provide feedback. This process ensures that the final regulations reflect the evolving needs of the healthcare sector while maintaining strong protections for sensitive health data.



Disclosures


The content provided in this article is intended for informational purposes only and should not be construed as legal advice or a substitute for consulting with a licensed attorney. While we strive to provide accurate and current information, laws and regulations are subject to change, and there is no guarantee that the information contained herein is up to date or applicable to your specific situation. We recommend seeking professional legal counsel for any legal matters. This article does not create an attorney-client relationship between the reader and the law firm. For personalized advice, please contact our office directly: info@omnianlegal.com
