White House Reviewing Proposed HIPAA Security Rule Update
In December 2023, the Department of Health and Human Services (HHS) published its Healthcare Sector Cybersecurity Strategy, which outlined the steps HHS planned to take to improve cybersecurity across the healthcare sector. The strategy included voluntary cybersecurity performance goals, which were published in January 2024, but voluntary goals alone were not believed to be sufficient to drive the cyber-related behavioral change needed across the healthcare sector.
Consequently, HHS also planned an update to the Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule) to incorporate new cybersecurity requirements for HIPAA-regulated entities. The update was expected to be completed by Spring 2024; however, it was delayed. OCR Director Melanie Fontes Rainer confirmed earlier this year that work was underway on the update and that it should be released before the end of the year.
The proposed update to the HIPAA Security Rule has now been completed and was passed to the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) for review on October 18, 2024. The updated HIPAA Security Rule strengthens the requirements for HIPAA-regulated entities to ensure they safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.
The HIPAA Security Rule was written to be technology agnostic to account for advances in technology; however, a lot has changed in the 20 years since the Security Rule was enacted, and an update is long overdue. The contents of the updated rule have not yet been made public; however, regulated entities will not have to wait long to discover the new cybersecurity requirements. HHS anticipates issuing a Notice of Proposed Rulemaking (NPRM) before the end of December 2024, and healthcare industry stakeholders will have the opportunity to comment on the proposed update for 60 days following publication in the Federal Register.
Since OCR has previously stated its intention to incorporate the voluntary cybersecurity performance goals into existing legislation, The HIPAA Journal expects, at a minimum, that the Essential Cybersecurity Performance Goals will become mandatory. The update has been made under the Biden Administration; however, a new administration will be responsible for setting a timeframe for implementing the updated rule, if it is implemented at all.
“We’ve seen tremendous increases in the use of ransomware and hacking to obtain unauthorized access to ePHI, and since 2003 there’s been an evolution in technical capabilities of record systems that are used to maintain health information, and there have been changes in the costs of a variety of security measures,” said Marissa Gordon-Nguyen, HHS OCR senior advisor for health information privacy, data and cybersecurity, at the Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference. “The changes we think support updating the Security Rule to help ensure that it can continue to provide a baseline of security standards to meet current and emerging security risks and threats to ePHI,” Gordon-Nguyen added.
January 6, 2025: OCR Published Proposed HIPAA Security Rule Update
OCR published the proposed HIPAA Security Rule update in the Federal Register on January 6, 2025, and is accepting comments on the proposed rule for 60 days.