04:01 GMT - Saturday, 15 March, 2025

Navigating the 2024 proposed HIPAA security rule amendments

Posted 4 hours ago by inuno.ai


Editor’s note: Steven W. Teppler is a partner and chair of the Cybersecurity and Data Privacy practice group at Mandelbaum Barrett PC in Roseland, New Jersey. Carly Rothstein is an associate in the Cybersecurity and Data Privacy practice group at Mandelbaum Barrett PC.

The HHS’ Office for Civil Rights has issued a proposed rule that, if adopted, would significantly amend the HIPAA Security Rule.

The updates aim to fortify the confidentiality, integrity and availability of electronic protected health information, or ePHI, amid escalating cybersecurity threats in healthcare. Once the proposed amendments are finalized and published in the Federal Register, entities will have 180 days within which to comply.

On Jan. 20, however, President Donald Trump issued an executive order imposing a “Regulatory Freeze Pending Review.” While the executive order calls into question the status of the proposed rule (as well as all other pending federal regulations), the imposition of enhanced cybersecurity requirements for healthcare providers should be considered a near certainty.

The proposed amendments to the HIPAA Security Rule represent a crucial step forward in addressing the cybersecurity challenges faced by the healthcare sector. While these changes demand significant effort and investment, they are necessary to protect sensitive patient information and bolster the security of healthcare as a component of critical infrastructure.

The need for enhanced cybersecurity in healthcare

The HIPAA Security Rule has gone untouched for more than a decade, during which the healthcare industry has rapidly transformed with respect to how ePHI is created, maintained, received and transmitted.

The law, however, has not kept up with these changes. Security practices for patient data and health IT systems have in part been left as suggestions rather than requirements, leaving systems vulnerable to cyberattacks and network breaches.

With each passing year, the number of both cyberattacks targeting the healthcare sector and individuals affected by such attacks has grown dramatically. Large breaches, defined as those affecting 500 or more individuals, involving protected health information, or PHI, affected a record 160 million individuals in 2023, according to the proposed rule. The government expects that 2024 surpassed that record given the gravity of the Change Healthcare breach — which alone impacted more than half of the U.S. population.

Recognizing the healthcare sector’s designation as critical infrastructure, these proposed updates are essential to adapt the HIPAA Security Rule to today’s complex threat environment.

Key proposals in the enhanced security rule

1. Uniformity across implementation specifications

The proposed rule eliminates the distinction between “required” and “addressable” implementation specifications. All specifications will now be mandatory, with specific exceptions.

2. Comprehensive documentation

Covered entities and business associates must maintain written documentation of all Security Rule policies, procedures, plans and analyses.

3. Updated definitions and specifications

Key definitions and implementation specifications will be updated to reflect technological advances and modern terminology.

4. Technology asset inventory and network mapping

Entities must maintain an ongoing technology asset inventory and a network map illustrating the movement of ePHI. These must be updated annually or when significant changes occur.

5. Enhanced risk analysis

The new rule requires a periodic written risk assessment detailing technology asset review, threat identification, vulnerability assessments and risk level evaluations.

6. Access management

Regulated entities must notify designated parties within 24 hours when a workforce member’s access to ePHI or relevant systems is changed or terminated.

7. Incident response and contingency planning

Entities must establish detailed written procedures for incident response, including restoration within 72 hours and prioritized system recovery plans.

8. Auditing and business associate oversight

Entities must conduct annual compliance audits and ensure that business associates verify their technical safeguards annually through assessments that would now be certified in writing by the BA’s “subject matter expert.” What counts as a “compliance audit” and who qualifies as an “auditor” under the proposed rule remain to be seen.

9. Encryption and authentication

Encryption of ePHI at rest and in transit, alongside multi-factor authentication, will be mandatory.
