Under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009, the Department of Health and Human Services and the Office for Civil Rights have announced they are seeking feedback on a proposal to change the security requirements for protecting electronic protected health information (ePHI).

The proposed changes, which will be published in the Federal Register on January 6, 2025, aim to address major changes in technology, breach trends, enforcement, best practices, and methodologies for protecting ePHI, and take into account court decisions that affect Security Rule protections in order to strengthen security.

WHY IT MATTERS

With the White House assessment of the proposed changes to the HIPAA Security Rule complete, HHS may issue a Notice of Proposed Rulemaking that includes several new proposals and clarifications, such as removing the difference between “required” and “addressable” specifications and making all of them required, with limited exceptions.

According to an organization fact sheet released Friday, the proposed rulemaking supports the Biden-Harris Administration’s 2023 National Cybersecurity Strategy and its implementation plan released earlier this year. The proposals also conform to the organization’s concept paper on security for the healthcare sector, which was released last year. According to the organization, the plans include the release of voluntary security best practices and a plan for increased cybersecurity enforcement and accountability.

The healthcare industry is still being negatively impacted by ransomware and hacking, which are responsible for major increases in the number of significant breaches that are reported to OCR every year, according to OCR Director Melanie Fontes Rainer in a statement.

According to HHS Deputy Secretary Andrea Palm, the number of people affected by the Change Healthcare breach, which is the largest breach in our healthcare system in U.S. history, has increased by 102%, with the number of people affected increasing by 1,002%. Last month, more than 167 million people were affected by huge breaches, which set a new record.

The organization stated that it is proposing more stringent documentation requirements for all covered entities because it has noticed common flaws in its Security Rule compliance investigations.

According to HHS in the NPRM, “The risks and deficiencies OCR has observed in its enforcement practice persuade us that we must consider adding an articulate requirement for a restricted entity to perform an accurate and thorough written inventory of its technology assets and build a network map.”

A better understanding of physical and technical security measures might be able to aid the organization in strengthening its HIPAA audits, which was echoed in an OCR review of the program from January 2016 to December 2020. The Office of Inspector General stated last month that OCR’s audit program was largely ineffective in preventing health data breaches.

The rising frequency and sophistication of cyberattacks in the healthcare industry pose a direct and significant threat to patient safety, according to Palm in a statement. These attacks “endanger patients by exposing vulnerabilities in our healthcare system, degrading patient trust, disrupting patient care, diverting patients, and halting medical procedures.”

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.