OPIEsoftware.com

HIPAA Changes Coming

As a Covered Entity under HIPAA, it's crucial to stay informed about changes to the regulations that govern how we protect electronic Protected Health Information (ePHI). The Department of Health and Human Services (HHS), through its Office for Civil Rights, published a Notice of Proposed Rulemaking (NPRM) in the Federal Register on January 6, 2025 that proposes the first significant rewrite of the HIPAA Security Rule in years. The changes aim to strengthen cybersecurity requirements and address the evolving landscape of digital threats in healthcare. 

I will assume (yes, I know how that breaks down) that you are already compliant with existing HIPAA requirements and spend my time here focusing on the new things you will need to incorporate into your compliance plan. 

Enhanced Risk Analysis and Management 

Under the proposed rule, Covered Entities would be required to conduct more comprehensive and more frequent risk analyses. This means:

  • Performing and documenting a written, organization-wide risk analysis, and reviewing and updating it at least once every 12 months and whenever a change in your environment or operations could affect ePHI

  • Running a continuous risk management program that tracks each identified risk through to remediation, rather than treating the analysis as a one-time project

  • Documenting all risk analysis and risk management activities in writing, in enough detail that you can show what was found, what was decided, and what was done about it 

With these requirements, HHS is emphasizing the need for a structured, proactive approach to identifying and mitigating security risks to ePHI. Don't worry... I'm working on a solution through Quality Outcomes to help you with this! 

Timely Security Updates and Vulnerability Management 

Recognizing the critical nature of keeping systems secure, the NPRM proposes: 

  • Implementing written policies and procedures for the timely application of security updates (patches, upgrades, and configuration fixes) across all technology assets that touch ePHI 

  • Establishing processes for identifying and mitigating vulnerabilities, including automated vulnerability scanning at least every six months and penetration testing at least once every 12 months 

  • Meeting the proposed remediation windows: 15 calendar days for critical-risk vulnerabilities and 30 calendar days for high-risk ones, measured from when the patch becomes available 

These measures are designed to reduce the window of opportunity for cybercriminals to exploit known vulnerabilities. I have blogged about this a few times and we have talked about the importance of maintaining your cyber liability insurance. 
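To make the patch-window requirement concrete, here is a small remediation tracker. It is an added illustration for this post, not code from the NPRM, HHS, or OPIE. It assumes the NPRM's proposed 15-day (critical) and 30-day (high) windows, invents 90-day and 180-day windows for medium and low findings as a local policy choice, and runs over a handful of constructed sample findings rather than real scan output.

```python
from datetime import date, timedelta

# Remediation windows in calendar days, keyed by severity.
# The critical/high values are the NPRM's proposed windows; the medium/low
# values are assumed local policy and are not part of the proposed rule.
PATCH_WINDOWS = {
    "critical": 15,
    "high": 30,
    "medium": 90,
    "low": 180,
}

# Date the report is run against (assumed, for the sample below).
REPORT_DATE = date(2025, 3, 31)

# Constructed sample findings, not from any real scanner or environment.
# identified_on is when the patch became available / the finding was logged;
# remediated_on is None while the finding is still open.
SAMPLE_FINDINGS = [
    {"id": "F-1", "asset": "billing-db", "severity": "critical",
     "identified_on": date(2025, 3, 1), "remediated_on": None},
    {"id": "F-2", "asset": "front-desk-pc", "severity": "high",
     "identified_on": date(2025, 3, 1), "remediated_on": date(2025, 3, 20)},
    {"id": "F-3", "asset": "fax-gateway", "severity": "high",
     "identified_on": date(2025, 3, 10), "remediated_on": None},
    {"id": "F-4", "asset": "web-portal", "severity": "critical",
     "identified_on": date(2025, 3, 2), "remediated_on": date(2025, 3, 25)},
]


def deadline(identified_on: date, severity: str) -> date:
    """Return the last day on which remediation is still inside the window."""
    sev = severity.lower()
    if sev not in PATCH_WINDOWS:
        # An unknown severity must fail loudly rather than silently get no deadline.
        raise ValueError(f"unknown severity: {severity!r}")
    return identified_on + timedelta(days=PATCH_WINDOWS[sev])


def patch_sla_report(findings, today: date) -> dict:
    """Sort findings into four buckets for the compliance record.

    overdue:             open and past the deadline        -> (id, days overdue)
    open_within_window:  open, deadline not yet reached    -> (id, days remaining)
    remediated_late:     closed after the deadline         -> (id, days late)
    remediated_on_time:  closed on or before the deadline  -> id
    Each bucket is sorted worst-first so the top of the list is the next action.
    """
    report = {"overdue": [], "open_within_window": [],
              "remediated_late": [], "remediated_on_time": []}
    for f in findings:
        due = deadline(f["identified_on"], f["severity"])
        done = f["remediated_on"]
        if done is None:
            if today > due:
                report["overdue"].append((f["id"], (today - due).days))
            else:
                report["open_within_window"].append((f["id"], (due - today).days))
        elif done > due:
            report["remediated_late"].append((f["id"], (done - due).days))
        else:
            report["remediated_on_time"].append(f["id"])
    report["overdue"].sort(key=lambda r: -r[1])
    report["remediated_late"].sort(key=lambda r: -r[1])
    report["open_within_window"].sort(key=lambda r: r[1])  # soonest due first
    return report


def sample_report() -> dict:
    """Run the tracker over the constructed sample as of REPORT_DATE."""
    return patch_sla_report(SAMPLE_FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    for bucket, rows in sample_report().items():
        print(f"{bucket}: {rows}")
```

Keeping the late-but-closed bucket matters as much as the overdue one: under the proposed rule you need to be able to show not only what is open today but how often you missed the window in the past, and a tracker that only lists open findings loses that history as soon as a patch lands.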

Strengthened Encryption Requirements 

The proposed rule emphasizes the importance of encryption in protecting ePHI. Covered Entities would need to: 

  • Implement encryption for ePHI both at rest and in transit 

  • Ensure encryption methods meet current NIST standards 

  • Regularly review and update encryption practices 

This focus on encryption aims to provide an additional layer of protection for sensitive health information. OPIE manages this for you if you are an OPIE Plus customer, but any ePHI you maintain outside of OPIE (for example on local workstations, in email, on removable media, or in your own backups) remains your responsibility to encrypt and manage. 

Expanded Security Awareness and Training 

Recognizing that human error is often a weak link in cybersecurity, the proposed rule calls for: 

  • Providing comprehensive security awareness training to all workforce members 

  • Including specific training on social engineering and phishing attacks 

  • Conducting regular phishing simulations 

By enhancing staff awareness and preparedness, Covered Entities can create a more robust first line of defense against cyber threats. 

Comprehensive Contingency Planning 

The NPRM emphasizes the need for thorough contingency planning, including: 

  • Developing and maintaining detailed data backup plans, with backups that are periodically verified to be restorable 

  • Creating disaster recovery and emergency mode operation plans that can restore loss of critical systems and data within 72 hours 

  • Testing and revising these plans at least once every 12 months 

These measures aim to ensure business continuity and data protection in the face of unforeseen events or cyberattacks. 

The proposed changes to the HIPAA Security Rule represent a significant shift toward more robust cybersecurity practices in healthcare. While they may present challenges, these updates are designed to better protect sensitive health information in an increasingly digital world. 

As Covered Entities, it's crucial that we stay ahead of these changes, not just for compliance reasons, but to ensure we're providing the best possible protection for the patient information entrusted to us. By starting to prepare now, we can ensure a smoother transition if and when these proposed rules become final. 

Remember, protecting patient information is not just a legal obligation, but a fundamental aspect of providing quality healthcare. Let's embrace these potential changes as an opportunity to strengthen our security postures and better serve our patients in the digital age.

It's important to note that these are proposed changes, and the final rule may differ. The comment period for the NPRM is open until March 7, 2025. Covered Entities should take this opportunity to review the proposed changes in detail and consider submitting comments to HHS.

As we navigate these potential changes, it's crucial to stay informed and proactive. Consider consulting with legal counsel or HIPAA compliance experts to ensure your organization is prepared for these potential new requirements. By taking steps now to enhance your cybersecurity practices, you'll not only be better positioned for compliance but also better equipped to protect your patients' sensitive information in an increasingly complex digital landscape.

Stay tuned for further updates as we continue to monitor developments in HIPAA regulations and cybersecurity best practices. Together, we can work toward a more secure and resilient healthcare ecosystem.