Big Changes Proposed for the HIPAA Security Rule

Feb 18, 2025 at 04:31 pm by kbarrettalley

(left) Shannon Hartsfield (right) Beth Neal Pitman

By Shannon Britton Hartsfield
and Beth Neal Pitman

The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) that strengthens the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and, if finalized, will have a significant impact on the healthcare sector.

HHS observed that healthcare breaches can lead to harms far greater than those of breaches in other business sectors. In the announcement regarding the rules, HHS Deputy Secretary Andrea Palm indicated that the changes are designed in part to strengthen cybersecurity and that “[t]hese attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures.”

HHS finalized the original Security Rule over two decades ago and has not updated it substantively in more than 10 years. The proposed sweeping changes to the Security Rule address massive leaps in technology and cybersecurity risk over that time period.

HHS indicated that the proposed Security Rule changes are designed to address:

changes in the healthcare environment and technology

significant increases in cyberattacks and data breaches

deficiencies that the HHS Office for Civil Rights (OCR), which enforces HIPAA, has observed when investigating regulated entities’ compliance with the Security Rule

cybersecurity best practices, methodologies, guidelines, processes and procedures

court decisions affecting Security Rule enforcement

Strengthening Protection of PHI

Protected health information (PHI), unlike an individual’s bank account numbers or passwords, is immutable. Therefore, “PHI can continue to be exploited throughout an individual’s lifetime, making PHI likely to be far more valuable than an individual’s credit card information,” HHS indicated. Harms that could arise from a PHI breach or security incident, according to HHS, include the “potential to adversely affect an individual’s health or quality of life, or even to cost an individual their life.” For example, lives and health may be at risk if a security incident interferes with a medical device’s operations or the administrative or clinical operations of a healthcare provider. Rural healthcare providers are particularly vulnerable, and a security incident can result in closures and the loss of necessary services for remote communities. Electronic medical records are ubiquitous, and healthcare delivery often requires electronic data storage and transmission.

From 2018 to 2023, the number of PHI breaches reported to HHS increased 100 percent, and the number of people affected by such breaches increased 950 percent. Accordingly, to help mitigate these risks, HHS is proposing sweeping changes to the Security Rule intended to address the leaps in technology and cybersecurity risk that have occurred over the past decade.

The Security Rule applies only to electronic protected health information (ePHI) held by “covered entities” and “business associates” (regulated entities). HHS noted that “[a]lmost every stage of modern health care relies on stable and secure computer and network technologies,” and updates are needed to address cybersecurity, which “is a concern that touches nearly every facet of modern health care.”

HHS does not believe that current resources, such as the National Institute of Standards and Technology’s (NIST) cybersecurity framework, provide sufficient instruction to help regulated entities comply with the Security Rule.

Public Comments Accepted

The public is invited to submit comments on all aspects of the NPRM until March 7, 2025 – 60 days after the official publication in the Federal Register on Jan. 6, 2025. Even if the newly installed Trump Administration delays finalizing the regulations or makes significant changes, the proposed revisions offer insight into steps that healthcare entities may take to reduce the risk of a data breach and the associated costs.

If finalized as is, the NPRM will mean big changes for covered entities and business associates, although many of the proposed provisions reflect activities that compliant companies should already be doing. There is also potential regulatory ambiguity. Regulated entities have a limited time to submit comments requesting clarification.


Shannon Hartsfield is a partner in Holland & Knight’s Tallahassee, Florida, office. Beth Neal Pitman is a partner in the firm’s Birmingham, Alabama, office.
