If finalized, the proposed new HIPAA Security Rule changes would reshape healthcare cybersecurity, partly addressing the recent OIG report's finding that current HIPAA audits do little to improve it. For CISOs, the changes bring both opportunities and challenges as they work to strengthen their organizations' security practices. The updated requirements for protecting electronic protected health information (ePHI) promise real benefits but also carry substantial costs. Because the rules are open for public comment for sixty days, healthcare CISOs have a window to weigh in and shape the final regulations so they match the practical realities of safeguarding sensitive health data.


A brief overview

The new rules represent a significant shift in how healthcare organizations approach the security of electronic protected health information (ePHI). These changes are designed to help address the shortcomings identified in the OIG report, which highlighted the ineffectiveness of current HIPAA audits in improving cybersecurity.

The proposed rules introduce updated definitions and new requirements, such as multi-factor authentication and stronger technical safeguards, to better protect ePHI against current threats. By organizing the requirements around the three basic elements of security (confidentiality, integrity, and availability), the rules aim to provide a more comprehensive framework for safeguarding sensitive health data. The rules also propose clarifying the compliance obligations of regulated entities, making explicit that the Security Rule's safeguards are a floor for protection, not a ceiling.

Addressing audit gaps

Last year's OIG report found significant shortcomings in the current HIPAA audit program: the audits were too narrow in scope to assess or improve cybersecurity practices effectively, reviewing only a small fraction of the HIPAA requirements and focusing on administrative safeguards while leaving physical and technical safeguards largely unexamined.

This limited approach could not surface the vulnerabilities that matter most, leaving healthcare organizations exposed to cyber threats. The report also criticized the lack of follow-up: audited entities were not required to implement corrective actions, and additional reviews were rarely initiated even when serious issues were found. These gaps underscore the need for a more comprehensive and proactive approach to ensuring that regulated entities adequately protect ePHI.

The new HIPAA rules aim to make audits more effective by broadening what they can assess. With more specific, concrete requirements (for multi-factor authentication, encryption, and other technical safeguards) written into the rule itself, an audit has a fuller set of security practices to measure an organization against, rather than a handful of administrative policies.

The proposed changes also emphasize the need for regulated entities to address any identified deficiencies promptly, with the potential for compliance reviews and civil penalties if corrective actions are not taken. This approach not only holds organizations accountable but also encourages a proactive stance in maintaining robust security measures.

Enhancing cybersecurity practices

The proposed HIPAA rules introduce several key changes to the cybersecurity requirements for electronic protected health information (ePHI). One significant update is the requirement for multi-factor authentication, which strengthens access control by requiring at least two independent factors (something the user knows, has, or is) before access to ePHI is granted, so a stolen password alone is not enough.

The rules also propose clearer definitions for terms like "access" and "security incident," so organizations know precisely what their obligations cover. They also add specific technical safeguards, including encryption of ePHI at rest and in transit (with limited exceptions) and regular vulnerability scanning and penetration testing, to reduce the risk from the attack paths most often used against healthcare environments.

The predicted impact on healthcare organizations

The new compliance requirements under the proposed HIPAA rules are expected to cost healthcare organizations an estimated $34 billion over five years, as they invest in updated technologies and processes to meet the enhanced standards. Introducing multi-factor authentication and encryption will likely require new software and hardware, as well as additional IT staff or consultants to implement the changes effectively.

Training programs will also need updating so that all employees understand and can follow the additional security measures, adding to the overall expenditure. The requirement for regular security assessments and audits adds ongoing costs, since organizations must continually evaluate and improve their cybersecurity posture. These investments are substantial, but they reduce the risk of far costlier data breaches.

Make your voice heard during the 60-day comment period

The 60-day comment period gives regulated entities a chance to voice their perspectives and influence the final regulations. Healthcare CISOs are especially well placed to do so: by reviewing the proposed rules and submitting specific feedback on how the requirements would affect their organizations' security costs and compliance strategies, they can help ensure the final rules are both practical and effective in protecting data.

To participate, CISOs should read the proposed rules, identify specific areas of concern or support, and prepare comments grounded in their professional experience, including concrete examples of where a requirement would be impractical to meet or where it should go further. By contributing that expertise, CISOs help ensure the final regulations are both effective and workable.

Building a more resilient healthcare infrastructure

The proposed HIPAA changes are a potential step forward in securing electronic protected health information (ePHI) amid persistent cyber threats. By addressing some of the shortcomings highlighted in the OIG report, they aim to establish a more comprehensive framework for healthcare cybersecurity.

Multi-factor authentication, encryption requirements, and clearer compliance obligations reflect a proactive stance on protecting sensitive data. These measures are meant to safeguard patient privacy and strengthen trust in healthcare systems by better equipping organizations to prevent breaches. The focus on regular security assessments, together with the opportunity for stakeholder feedback during the 60-day comment period, makes this a regulatory update shaped with input from the people who must implement it.

The new HIPAA rules also raise the practical question of how organizations will keep up with a broader, more prescriptive set of controls. Software that automates compliance controls and reporting can help: by collecting control evidence continuously and reporting in near real time, it lets organizations manage the increased complexity of the requirements, reduces the burden on staff, and lowers the risk of non-compliance going unnoticed.

Automation can also support the rollout of the enhanced cybersecurity practices themselves, by tracking whether controls such as MFA enforcement and encryption are actually in place across systems. It does not substitute for implementing those controls, but it makes gaps visible and auditable. With such tooling, healthcare entities can better navigate the regulatory landscape, manage costs, and focus on the security and privacy of patient data. Together, these changes are a significant step toward a resilient healthcare infrastructure that prioritizes the confidentiality, integrity, and availability of ePHI.
