Big Changes Proposed for the HIPAA Security Rule
The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM)[1], currently on public inspection ahead of its formal publication in the Federal Register, that strengthens the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and, if finalized, will have a significant impact on the healthcare sector.
HHS observed that healthcare breaches can lead to harms far greater than those of breaches in other business sectors. In the announcement regarding the rule,[2] HHS Deputy Secretary Andrea Palm indicated that the changes are designed in part to strengthen cybersecurity and that "[t]hese attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures." HHS Office for Civil Rights (OCR) Director Melanie Fontes Rainer stated, "This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats."
HHS finalized the original Security Rule over two decades ago and has not updated it substantively in more than 10 years. The sweeping changes HHS now proposes address the massive leaps in technology and cybersecurity risk over that period. The Security Rule applies only to electronic protected health information (ePHI) held by "covered entities" and "business associates" (together, regulated entities); it does not reach PHI held in paper or oral form, which remains subject to the Privacy Rule alone. HHS noted that "[a]lmost every stage of modern health care relies on stable and secure computer and network technologies," and that updates are needed to address cybersecurity, which "is a concern that touches nearly every facet of modern health care."
HHS indicated that the NPRM's proposals are designed to address:
- changes in the healthcare environment and technology
- significant increases in cyberattacks and data breaches
- deficiencies that OCR, which enforces HIPAA, has observed when investigating regulated entities' compliance with the Security Rule
- cybersecurity best practices, methodologies, guidelines, processes and procedures
- court decisions affecting Security Rule enforcement
If finalized as is, the NPRM will mean big changes for regulated entities. Public comments will be accepted for 60 days following publication of the rule in the Federal Register, which puts the deadline in early March. Holland & Knight will publish a detailed analysis of the changes, specifically examining how the new security standards will affect covered entities and business associates alike.
Notes
[1] Federal Register: "Public Inspection: Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information."
[2] HHS: "HHS Office for Civil Rights Proposes Measures to Strengthen Cybersecurity in Health Care Under HIPAA."