Preparing for HIPAA security updates

At the recent HIPAA conference, HHS OCR senior advisor for health information privacy, Marissa Gordon Nguyen, announced that the HHS has submitted proposed modifications to the HIPAA Security Rule for review by the White House. This announcement signals an impending shift in how healthcare organizations approach data security and patient privacy. As these proposed updates are under consideration, healthcare organizations should be proactive in their preparations. 

The announcement

During the conference, Marissa Gordon Nguyen, the senior advisor for health information privacy at the HHS Office for Civil Rights (OCR), announced that the Department of Health and Human Services had submitted proposed modifications to the HIPAA Security Rule for review by the White House. The announcement marks a critical step toward potentially updating the Security Rule, which has remained largely unchanged since its inception in 1996. The proposed modifications aim to enhance the protection of electronic health information by addressing contemporary cybersecurity threats. “We’ve seen tremendous increases in the use of ransomware and hacking to obtain unauthorized access to ePHI, and since 2003 there’s been an evolution in technical capabilities of record systems that are used to maintain health information, and there have been changes in the costs of variety of security measures,” she said.  

This announcement comes after the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released a video with guidelines on ransomware prevention and compliance with the HIPAA Security Rule. 

Focus areas of the update rule include increasing requirements for risk assessments, improving access controls, and expanding reporting obligations for data breaches. The proposed changes emphasize the importance of adopting security best practices and technologies, reinforcing the commitment of healthcare organizations to safeguarding patient data. As these modifications progress through the review process, healthcare stakeholders are encouraged to stay informed and prepare for the adjustments that may come with the updated regulations.

See also: OCR releases ransomware prevention guidance

Preparing for the updates

Healthcare organizations can prepare for potential updates to HIPAA’s Security Rule by proactively strengthening their security programs and keeping current with best practices. Here are some key strategies:

• Perform a comprehensive risk assessment: Conduct regular risk assessments to identify vulnerabilities in systems and processes. 
• Update security policies and procedures: Regularly review and update security policies to align with current threats and regulatory expectations. 
• Enhance cybersecurity training: Provide ongoing training to staff about cybersecurity best practices and potential threats like phishing. 
• Implement strong access controls: Review and refine access controls, ensuring only authorized personnel can access sensitive data. 
• Invest in advanced security technology: Consider upgrading to advanced security measures, such as encryption, intrusion detection systems, and endpoint protection.
• Monitor regulatory changes: Stay informed about any proposed updates to HIPAA by following the U.S. Department of Health and Human Services (HHS) and other relevant agencies. 
• Prepare for incident response: Update and test incident response plans regularly to ensure a swift and effective response to breaches. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What role does the White House play in this process?

The White House reviews proposed modifications to federal regulations, including those submitted by HHS. Their review process ensures any changes align with broader governmental priorities and policies. After review, the proposed modifications may be finalized and implemented, which will affect compliance requirements for healthcare organizations.

How can organizations stay informed about the progress of the proposed modifications?

Healthcare organizations should monitor updates from the HHS Office for Civil Rights and other relevant regulatory bodies. Engaging with industry associations and participating in conferences can also provide valuable insights into ongoing regulatory developments and best practices.