New HIPAA Security Rule Introduced to Enhance Protection of Electronic Healthcare Data
In the coming months, expect a proposed rule from the Office for Civil Rights within the U.S. Department of Health and Human Services concerning amendments to the HIPAA Security Rule's requirements. The amendment is intended to strengthen the protection of electronic protected health information (ePHI) against cyber threats.
These revisions act as countermeasures to the continually growing cybersecurity threats against the healthcare sector and update the regulations that covered organizations must implement and adhere to.
The HIPAA Security Rule is the US national standard for electronic health information protection established back in 1996. The rule applies to health plans, healthcare clearinghouses, most healthcare providers, and their agents.
This proposal is a further step toward supporting the critical infrastructure that the Biden Administration considers important. It represents a significant advance in the hospital industry's ability to defend itself against cyber attacks.
It is a part of the larger package devised by the federal government such as the National Cyber Security Strategy first announced by the Biden-Harris Administration in 2023 and subsequently updated in May 2024.
In addition, in 2023 HHS published the Healthcare Sector Cybersecurity Concept Paper, which includes both voluntary cybersecurity guidelines and a plan to make enforcement more stringent. Today's proposed rule (NPRM) expands these efforts by adding cybersecurity enhancements to the HIPAA Security Rule.
Key Proposed Updates to the HIPAA Security Rule
HHS’s proposed updates aim to make the Security Rule more modern by removing old rules, making things clearer, and adding stronger protections. Some of the most important changes in the NPRM include:
Simplified and Consistent Rules
- Remove the distinction between “required” and “addressable” specifications, making compliance with all of them mandatory (with a few exceptions).
- Make sure all Security Rule policies, procedures, plans, and analyses are written down.
Improved Risk Management and Compliance Steps
- Set clear deadlines for meeting existing requirements.
- Require organizations to keep a list of their technology assets and a map of their network that shows how electronic protected health information (ePHI) moves. This must be updated at least once a year or after any major changes.
- Require a more thorough risk analysis, including a written evaluation of possible threats, weaknesses, and how likely they are to be exploited for each system handling ePHI.
Stronger Incident Response Rules
- Require organizations to inform certain employees within 24 hours if their access to ePHI is changed or removed.
- Require organizations to have written plans to recover lost systems and data within 72 hours of an incident.
- Create and test clear plans for responding to security incidents to handle suspected or confirmed cybersecurity breaches.
Technical Safeguards for ePHI
- Encryption is required: ePHI must be encrypted when stored and when being sent, with very few exceptions.
- Add extra security steps like multi-factor authentication, checking for vulnerabilities every six months, and testing for weaknesses once a year.
- Use network segmentation to reduce the damage from possible threats.
- Use tools like anti-malware software, remove unnecessary programs, and close unused network ports to improve security.
Audits and Accountability
- Organizations must perform yearly audits to make sure they are following the Security Rule.
- Business partners and their subcontractors must provide written proof that they have put the required technical protections in place. This proof must be updated at least once every 12 months.
- Group health plans need to update their documents to make sure they follow rules for protecting information in three ways: administrative, physical, and technical.
Additional New Requirements
- Systems that back up and recover ePHI must have additional technical protections.
- Organizations must test the effectiveness of their security measures at least annually.
- A business partner or subcontractor that activates its emergency plan must notify the organization it serves within 24 hours.
Public Input Encouraged
The proposed changes will still allow for the implementation of the current HIPAA Security Rule while increasing cybersecurity in health care.
The Department of Health and Human Services (HHS) is seeking input on the proposed modifications from healthcare professionals, health payers, patients, experts in the field, and patient advocates.
A 60-day comment period will follow publication of the proposed rule in the Federal Register; comments can be submitted at regulations.gov. HHS will also hold Tribal consultations, details of which will be provided soon.
This NPRM underscores the federal government's growing emphasis on healthcare cybersecurity, balancing the need for robust data protection with operational feasibility for regulated entities. If adopted, these measures will substantially raise the cybersecurity baseline across the healthcare industry.