HHS releases notice of HIPAA Security Rule update

The agency seeks to make its first HIPAA Security Rule update since 2013 to clarify what health plans, healthcare clearinghouses, providers and their business associates must do to protect the security of electronic protected health information.
By Andrea Fox
10:41 AM

Photo: Alex Wong/Getty Images

The Department of Health and Human Services and the Office for Civil Rights have announced they will be soliciting comments on a proposal to modify the Security Standards for the Protection of Electronic Protected Health Information under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

To strengthen healthcare cybersecurity and address concerns over the alarming growth in the number of breaches reported to OCR, the proposed modifications – to be published in the Federal Register on January 6, 2025 – aim to address significant changes in technology, breach trends, enforcement, best practices and methodologies for protecting ePHI and take into account court decisions that affect Security Rule enforcement. 

WHY IT MATTERS

With the White House review of the proposed modifications to the HIPAA Security Rule complete, HHS will issue a Notice of Proposed Rulemaking that includes several new proposals and clarifications, such as removing the distinction between "required" and "addressable" specifications and making all of them mandatory, with limited exceptions.

According to an agency fact sheet released Friday, the proposed rulemaking supports the Biden-Harris Administration's 2023 National Cybersecurity Strategy, and its implementation plan released earlier this year. The proposals also align with the agency's Healthcare Sector Cybersecurity concept paper released last year. 

The plans include the publication of voluntary cybersecurity best practices and a strategy for greater cybersecurity enforcement and accountability, the agency said.

"Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually," OCR Director Melanie Fontes Rainer said in a statement.

"The number of people affected every year has skyrocketed exponentially, a number we expect to grow even bigger this year with the Change Healthcare breach, the largest breach in our healthcare system in U.S. history."

HHS Deputy Secretary Andrea Palm added that the proposed rule is vital "to ensuring that healthcare providers, patients and communities are not only better prepared to face a cyberattack, but are also more secure and resilient."

THE LARGER TREND

OCR said that from 2018-2023, reports of large breaches increased by 102%, with the number of individuals affected increasing by 1,002%. Last year, more than 167 million individuals were affected by large breaches, which set a new record. 

The agency said that, because it has observed common deficiencies in its Security Rule compliance investigations, it is proposing increased documentation requirements on all covered entities.

"The risks and deficiencies OCR has observed in its enforcement experience persuades us that we must consider adding an express requirement for a regulated entity to conduct an accurate and thorough written inventory of its technology assets and create a network map," HHS said in the NPRM.

A better understanding of physical and technical security safeguards may help the agency strengthen its HIPAA audits – a sentiment echoed in a review of OCR's HIPAA audit program from January 2016 through December 2020.

The Office of Inspector General said last month that OCR's audit program was largely ineffective in preventing health data breaches. 

ON THE RECORD

"The increasing frequency and sophistication of cyberattacks in the healthcare sector pose a direct and significant threat to patient safety," Palm said in a statement.

"These attacks endanger patients by exposing vulnerabilities in our healthcare system, degrading patient trust, disrupting patient care, diverting patients and delaying medical procedures."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
