In the past five years, the Office for Civil Rights (OCR) has observed a sharp rise in reports of large data breaches (those affecting 500 or more individuals, the threshold that triggers reporting to HHS).
The number of individuals impacted by these breaches has surged, largely because hacking and ransomware incidents have increased since 2019.
In 2023 alone, 167 million individuals were affected by healthcare data breaches, and the numbers have continued to climb.
As of November 30, 2024, over 180 million people have had their personal and protected health information exposed or impermissibly disclosed in such breaches.
To combat this trend, HHS has issued a 393-page notice of proposed rulemaking to update the HIPAA Security Rule, titled “The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.” The proposal spells out specific measures that HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates would have to implement to protect individuals’ electronic protected health information (ePHI).
OCR’s investigations into large healthcare data breaches, along with its past audits, have revealed recurring deficiencies in HIPAA Security Rule compliance, most often in the risk analysis requirement. The proposed rule targets these areas of noncompliance and reflects changes in the healthcare environment since the original Security Rule was published, incorporating current cybersecurity guidelines, best practices, and methodologies, as well as court decisions that have shaped Security Rule enforcement.
Key Requirements of the Proposed HIPAA Security Rule Update:
1. Revised Definitions and Implementation Specifications:
The update revises definitions and implementation specifications to match current technology and terminology. It removes the distinction between “required” and “addressable” implementation specifications, making all specifications mandatory with limited exceptions. Regulated entities must document all Security Rule policies, procedures, plans, and analyses in writing, and the proposal adds specific compliance time periods for many existing Security Rule requirements.
2. Technology Asset Inventory and Network Map:
HIPAA-regulated entities must develop and maintain a technology asset inventory and a network map that shows how ePHI moves through their electronic information systems. Both must be kept current on an ongoing basis, reviewed at least once every 12 months, and updated after any change in the environment or operations that may affect ePHI.
3. Enhanced Risk Analysis:
The proposed rule spells out what a risk analysis must contain: a review of the technology asset inventory and network map, identification of reasonably anticipated threats to ePHI, identification of potential vulnerabilities and predisposing conditions, and an assessment of the risk level for each threat and vulnerability identified, based on the likelihood that it will be exploited.
4. Annual Security Rule Compliance Audits:
HIPAA-regulated entities must conduct annual audits to ensure compliance with the HIPAA Security Rule.
5. Contingency Planning and Security Incident Response:
Entities must establish written procedures for restoring the loss of relevant electronic information systems and data within 72 hours. This includes analyzing the criticality of systems and assets so that restoration can be prioritized, creating a security incident response plan, establishing procedures for workforce members to report security incidents, and regularly testing and revising these plans.
6. Enhanced Security Measures:
With limited exceptions, HIPAA-regulated entities must implement specific technical controls, including encryption of all ePHI at rest and in transit, multi-factor authentication, network segmentation, vulnerability scanning at least every six months, penetration testing at least every 12 months, anti-malware protection, and more.
7. Notification Requirements:
Regulated entities must notify certain other regulated entities within 24 hours when a workforce member’s access to ePHI or to certain electronic information systems is changed or terminated. Business associates must notify covered entities (and subcontractors must notify business associates) upon activation of their contingency plans, without unreasonable delay and no later than 24 hours after activation.
8. Annual Verification of Technical Safeguards:
Business associates (and their subcontractors, in turn) must verify at least once every 12 months that they have deployed the technical safeguards required by the Security Rule. The verification consists of a written analysis of the relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
9. Group Health Plan Requirements:
Group health plans must include in their plan documents requirements that plan sponsors comply with the Security Rule’s administrative, physical, and technical safeguards, that any agent to whom the sponsor provides ePHI implements those safeguards, and that sponsors notify the plan upon activation of their contingency plans, no later than 24 hours after activation.
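Items 2, 3 and 6 above describe a procedure: keep an inventory of the assets ePHI touches, score each reasonably anticipated threat and vulnerability by likelihood of exploitation, and check that the required controls and review cadences are in place. The following is an added example of how that procedure can be driven from a structured asset inventory. It is not code from OCR or from the proposed rule. The inventory data, the asset names, and the 1-to-5 likelihood and impact scale (a NIST SP 800-30-style rating; the proposed rule does not prescribe a scoring scale) are all constructed assumptions, as is the convention that a missing required control counts as a predisposing condition that raises likelihood by one point.

```python
from datetime import date

# Assumed date on which the review is run (hypothetical).
AS_OF = date(2025, 3, 1)

# Cadences named by the proposed rule: inventory/network map review and
# penetration testing at least every 12 months, vulnerability scanning at
# least every 6 months.
MAX_MONTHS = {"last_inventory_review": 12, "last_vuln_scan": 6, "last_pentest": 12}

# Technical controls the proposed rule requires, with limited exceptions.
REQUIRED_CONTROLS = ("encrypted_at_rest", "encrypted_in_transit", "mfa", "segmented")

# Constructed inventory (not real data). Each entry is one technology asset
# that stores or transmits ePHI, the controls in place, the dates of the last
# required activities, and the threat/vulnerability pairs identified for it,
# each scored 1-5 for likelihood of exploitation and 1-5 for impact.
INVENTORY = [
    {
        "id": "ehr-db-01",
        "ephi_flow": "patient portal -> app tier -> ehr-db-01 (stores ePHI)",
        "encrypted_at_rest": True, "encrypted_in_transit": True,
        "mfa": True, "segmented": True,
        "last_inventory_review": date(2024, 6, 15),
        "last_vuln_scan": date(2025, 1, 20),
        "last_pentest": date(2024, 5, 2),
        "threats": [
            ("ransomware via phished admin credentials",
             "no privileged-access workstation for DBAs", 3, 5),
        ],
    },
    {
        "id": "imaging-share-02",
        "ephi_flow": "modality -> imaging-share-02 (SMB) -> radiology workstations",
        "encrypted_at_rest": False, "encrypted_in_transit": False,
        "mfa": False, "segmented": False,
        "last_inventory_review": date(2023, 11, 1),
        "last_vuln_scan": date(2024, 7, 1),
        "last_pentest": date(2024, 5, 2),
        "threats": [
            ("lateral movement from a compromised workstation",
             "flat network, SMB signing disabled", 4, 5),
            ("accidental exposure of images",
             "world-readable share permissions", 3, 3),
        ],
    },
]


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (day-of-month aware)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def control_gaps(asset: dict, as_of: date = AS_OF) -> list:
    """Required controls this asset lacks, plus any review cadence that is due."""
    gaps = [c for c in REQUIRED_CONTROLS if not asset.get(c)]
    for field, limit in MAX_MONTHS.items():
        age = months_between(asset[field], as_of)
        if age >= limit:
            gaps.append(f"{field} due ({age} months since last, limit {limit})")
    return gaps


def risk_level(likelihood: int, impact: int) -> str:
    """Qualitative rating from the likelihood x impact product (assumed thresholds)."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def risk_register(inventory: list = INVENTORY, as_of: date = AS_OF) -> list:
    """One row per identified threat/vulnerability pair, highest risk first.

    A missing required control is treated as a predisposing condition and adds
    one point to the likelihood (capped at 5) before scoring.
    """
    rows = []
    for asset in inventory:
        predisposed = any(not asset.get(c) for c in REQUIRED_CONTROLS)
        for threat, vuln, likelihood, impact in asset["threats"]:
            eff = min(5, likelihood + 1) if predisposed else likelihood
            rows.append({
                "asset": asset["id"], "threat": threat, "vulnerability": vuln,
                "likelihood": eff, "impact": impact, "score": eff * impact,
                "level": risk_level(eff, impact), "gaps": control_gaps(asset, as_of),
            })
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in risk_register():
        print(f'{row["level"]:8} {row["score"]:2}  {row["asset"]}: {row["threat"]}')
        for gap in row["gaps"]:
            print(f"             gap: {gap}")
```

Run as a script it prints the register in descending order of risk, with the control and cadence gaps listed under each asset; the `gaps` field is what an annual compliance audit (item 4) would pick up, while the ordered rows are what the risk management plan would act on first.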
The proposed update to the HIPAA Security Rule would substantially strengthen the cybersecurity baseline for regulated entities and improve protection of individuals’ health information. It reflects the current threat landscape and incorporates established best practices, benefiting both regulated entities and the individuals whose ePHI they hold by reducing the likelihood and impact of breaches.
By implementing these measures, healthcare organizations can better safeguard sensitive information and, in turn, build trust with patients. Protecting data is not only a regulatory requirement; it is a critical part of delivering quality healthcare in an increasingly digital world.