With cybersecurity threats escalating, particularly within healthcare, the Department of Health and Human Services (HHS) has proposed substantial updates to HIPAA’s Security Rule to align with today’s technological landscape. The changes, currently under review by Office of Management and Budget (OMB), would require healthcare entities to adopt advanced safeguards, placing stronger emphasis on protecting electronic protected health information (ePHI) against threats like ransomware. Once approved by OMB, the proposed changes will be released for public comment.
What’s Driving the Change?
The evolving threat landscape has exposed vulnerabilities in healthcare cybersecurity frameworks, with data breaches often including sensitive patient information. HHS’s proposed updates aim to address these vulnerabilities by mandating more robust cybersecurity protocols.
Key Considerations for Healthcare Entities
- Enhanced Technical Safeguards: Expect new baseline requirements for encrypting and securing ePHI, including updated standards for data access and storage across healthcare systems and third-party vendors.
- Vendor and Business Associate Due Diligence: Healthcare organizations should get ready to ensure that their third-party vendors comply with these revised security standards once released. Legal and compliance teams should revisit existing business associate agreements.
- Proactive Risk Assessments: Increased scrutiny on risk assessments may lead to mandated, regular evaluations of an organization’s technical environment to identify potential vulnerabilities.
- Documentation and Policy Updates: To meet anticipated regulations, healthcare organizations should prioritize revising data security policies and thoroughly documenting all cybersecurity efforts, particularly those tied to incident response protocols.
- Public Comment Period: Healthcare entities will soon have the opportunity to provide feedback on these changes during the Notice of Proposed Rulemaking, expected later this year. Participating in this process can help shape requirements to better align with organizational capacities and needs.
Practical Next Steps
Healthcare entities should start evaluating existing cybersecurity policies and practices, particularly those around ePHI encryption, incident response planning, and vendor relationships. Early engagement with legal and compliance advisors will ensure readiness as the new requirements take shape, and proactive adjustments now can mitigate disruption when regulations go into effect.
For guidance on these upcoming changes and HIPAA compliance, contact David Dirr at DBL Law.