HHS Proposes Modifying HIPAA Security Rule to Strengthen the Cybersecurity of Electronic PHI; Comments Due March 7

Published January 06, 2025

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The rule would require health plans, health care clearinghouses (organizations that enable the exchange of health care data between a provider and a payer, such as an insurance company), most health care providers, and their business associates to strengthen cybersecurity protections for individuals’ protected health information (PHI).

The proposed rule would:
  • Modify the HIPAA Security Rule to require health plans, health care clearinghouses, and most health care providers, and their business associates to better protect individuals’ electronic PHI against both external and internal threats;
  • Clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic PHI;
  • Require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis; and
  • Better align the Security Rule with modern best practices in cybersecurity.
The proposals address:
  • Changes in the environment in which health care is provided;
  • Significant increases in breaches and cyberattacks;
  • Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates;
  • Other cybersecurity guidelines, best practices, methodologies, procedures, and processes; and
  • Court decisions that affect enforcement of the Security Rule.
While HHS is undertaking this rulemaking, the current Security Rule remains in effect.

Comments are due March 7, 2025.