The U.S. Department of Health and Human Services is planning a major overhaul of the Health Insurance Portability and Accountability Act (HIPAA) security rule to strengthen baseline cybersecurity requirements for protecting electronic protected health information (PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls such as multi-factor authentication and enhanced encryption requirements.
The proposal describes the most substantive changes to HIPAA so far. The security rule was last revised in 2013. The threat landscape is different now than it was over a decade ago, and breaches against healthcare organizations increased by 102% between 2018 and 2023, the HHS Office for Civil Rights said in a statement. In 2023, over 167 million people had their health information compromised, a 1,002% increase from 2018.
Proposed Changes to HIPAA
The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.
Everything in Writing: All policies, procedures, plans, and analyses will need to be in writing. This also covers stronger incident response procedures, such as written incident response plans and plans for testing them, as well as written procedures for restoring information systems and data within 72 hours.
Asset Inventory: Healthcare organizations will need to develop and regularly maintain an up-to-date technology asset inventory and network map that tracks the movement of PHI through their various systems.
Risk Analysis: Healthcare organizations are not all that good at security risk analysis. The proposed changes include more specifics on how to conduct one, such as written assessments that review the technology asset inventory and network map, identify all potential threats to PHI, and assess the risk level for each threat and vulnerability.
Implement Security Controls: Healthcare organizations will be required to use multifactor authentication and network segmentation to make it harder for healthcare systems to be compromised or data to be breached. All PHI will need to be encrypted both at rest and in transit, reflecting the consensus that encryption is no longer optional. For systems that process PHI, security teams will need to scan for vulnerabilities every six months, run penetration tests at least once a year, deploy antimalware defenses, and remove extraneous software from systems. These requirements show how such measures are moving from recommended actions to a minimum security baseline every entity must meet.
Organizations will need to conduct a compliance audit at least once every 12 months to ensure these technical controls are in place, and demonstrate that the safeguards have been implemented at least once every 12 months through a written certification.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during a Dec. 27 press briefing that the changes to the security rule will cost roughly $9 billion in the first year, and $6 billion per year for years two to five. “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.
Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterwards, although a specific date has not yet been set, followed by a compliance date 180 days later. It is also not clear whether work on the changes to the security rule will continue under the new presidential administration. Even so, healthcare organizations should review the proposed requirements and evaluate their current security programs to prepare for potential changes.