Thursday, January 30, 2025

Proposed HIPAA Amendments Will Close Healthcare Security Gaps


The U.S. Department of Health and Human Services is planning a major overhaul of the Health Insurance Portability and Accountability Act security rule to strengthen baseline cybersecurity requirements for safeguarding electronic protected health information (PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls such as multi-factor authentication and enhanced encryption requirements.

The proposal describes the most substantive changes to HIPAA to date. The security rule was last revised in 2013. The threat landscape is very different now than it was over a decade ago, and breaches against healthcare organizations increased by 102% between 2018 and 2023, the HHS Office for Civil Rights said in a statement. In 2023, over 167 million people had their health information compromised, a 1,002% increase from 2018.

Proposed Changes to HIPAA

The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.

Everything in Writing: All policies, procedures, plans, and analyses will need to be in writing. This also applies to developing stronger incident response procedures, such as having written incident response plans and testing plans, as well as written procedures for restoring information systems and data within 72 hours.

Asset Inventory: Healthcare organizations will need to develop and regularly maintain an up-to-date technology asset inventory and network map to track the movement of protected health information (PHI) through the various systems.

Risk Analysis: Healthcare organizations are not all that good at security risk analysis. The proposed changes include more specifics on how to conduct a security risk analysis, such as written assessments that include a review of the technology asset inventory and network map, identify all potential threats to PHI, and assess the risk level for each threat and vulnerability.

Implement Security Controls: Healthcare organizations will be required to use multifactor authentication and network segmentation to make it harder for healthcare systems to be compromised or data to be breached. All PHI will need to be encrypted both at rest and in transit, reflecting the consensus that encryption is no longer optional. For systems that process PHI, security teams will need to scan for vulnerabilities every six months, run penetration tests at least once a year, deploy antimalware defenses, and remove extraneous software from systems. These requirements show how such measures are shifting from recommended actions to a minimum security baseline every entity must meet.

Organizations will need to conduct a compliance audit at least once every 12 months to ensure these technical controls are in place, and demonstrate that the safeguards have been implemented at least once every 12 months through a written certification.

Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during a Dec. 27 press briefing that the changes to the security rule will cost roughly $9 billion in the first year, and $6 billion for years two to five. “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.

Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterwards, although a specific date has not yet been set, followed by a compliance date of 180 days. It is also not clear whether the work on the changes to the security rule will continue under the new presidential administration. Even so, healthcare organizations should review the proposed requirements and evaluate their current security programs to prepare for potential changes.
