
Final Rule Implementing HIPAA Security Rule Updates Edges Closer

The HIPAA Security Rule update proposed by OCR in the final days of the Biden administration is only two months away from a final rule, if OCR sticks to its proposed release timescale. OCR has yet to confirm when a final rule will be released, or whether the proposed rule will progress to a final rule at all.

OCR issued its Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed update, the first significant update to the HIPAA Security Rule in more than two decades, introduced significant new security requirements to ensure the confidentiality, integrity, and availability of ePHI, taking into account changes to business practices and technology since the original rule was enacted.

Almost a year earlier, in January 2024, OCR published its voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs): two sets of goals (essential and enhanced) that HPH sector organizations were encouraged to adopt to improve resilience to cyber threats and ensure the fastest possible recovery in the event of a successful cyber incident. Both sets consisted of high-impact measures for quickly improving resilience.

The HPH CPGs were the first step in the HHS’s Healthcare Sector Cybersecurity strategy concept paper, published in December 2023. The second step was the provision of incentives to encourage adoption of the HPH CPGs. HHS said at the time that it would work with Congress to establish an upfront investment program to help low-resource healthcare providers adopt the essential goals and an incentives program to encourage the adoption of the enhanced goals. Those programs are key to improving adoption of the HPH CPGs, especially at low-resource hospitals that simply do not have the necessary funds to make significant improvements to cybersecurity.


The voluntary goals were welcomed by HIPAA-regulated entities and industry groups, but they were only a starting point, and OCR explained that the goals would inform future rulemaking. Initially the measures were voluntary, but further rulemaking would make some of the cybersecurity requirements mandatory, which is exactly what the proposed HIPAA Security Rule update did.

The HIPAA Security Rule update was poorly received by HIPAA-regulated entities and industry groups and attracted considerable criticism. A coalition of more than 100 hospital systems and provider associations called for the HHS to withdraw the proposed updates to the HIPAA Security Rule, which they said “runs counter to President Trump’s robust deregulatory agenda.”

In its proposed form, the Security Rule update was criticized for placing substantial new financial burdens on HIPAA-regulated entities and for setting an unreasonable implementation timeline. Instead, the authoring healthcare providers and industry groups called for “a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

During a session at the recent HIMSS conference in Las Vegas, OCR Director Paula M. Stannard said OCR had received more than 4,700 comments in response to the NPRM and is still parsing them. Stannard did not confirm whether the proposed Security Rule update will progress to a final rule on OCR’s schedule, or whether it will progress to a final rule at all. “After we review the comments, the Trump administration may have a different view on the burdens and benefits of some of the proposed changes,” Stannard said.

Stannard did state that the core requirements of the proposed rule are sound cybersecurity best practices for healthcare organizations. She also acknowledged the criticisms of the proposed rule. Rather than viewing its requirements as inflexible and costly to implement, Stannard suggested looking at the question differently, as “there is a high cost of doing nothing.” The proposed changes, if implemented correctly, would improve resilience to cyber threats and reduce the likelihood of costly breaches.

“A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties,” Stannard said.

It remains to be seen whether the Trump administration will view the benefits of the proposed rule as worth the short-term financial and administrative pain of implementation. Based on the feedback received, the proposed rule could be slimmed down to reduce the compliance burden, although doing so would water down the protections. If a final rule is released, OCR could ease the burden on HIPAA-regulated entities by extending the compliance deadline beyond the standard compliance period of 180 days after the rule takes effect, following its publication in the Federal Register.

Even if the proposed rule does not make it to a final rule, Stannard said there have already been benefits from the proposed rule. “The proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
