Healthcare GRC

HIPAA Security Rule notice of proposed rulemaking

Coalfire Advisory Team

March 25, 2025

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule to strengthen the protection of electronic protected health information (ePHI).

OCR and HHS are proposing this significant change to the regulation for several reasons, many of them long overdue:

  • Technological evolution: Updates are necessary to address the significant technological advancements since the 2013 HIPAA Omnibus Rule. As digital health tools, telemedicine, and cloud computing evolve, the law must be updated to account for new methods of storing, transmitting, and securing ePHI, ensuring the Security Rule remains relevant and effective in safeguarding sensitive data.

  • Cybersecurity threats: The healthcare sector is increasingly targeted by cyberattacks, including ransomware, phishing, and data breaches. These attacks have become more sophisticated, highlighting the urgent need for stronger security measures to protect ePHI. The rise in data breaches underscores the importance of robust cybersecurity strategies, such as advanced encryption, multi-factor authentication, and continuous monitoring, to prevent unauthorized access and minimize the impact of cyber threats.

  • HHS and NIST guidelines: To ensure comprehensive protection of ePHI, healthcare organizations must align with best practices outlined by HHS and the National Institute of Standards and Technology (NIST). While both organizations have published materials, it is apparent that a change in legislation is required to enforce the adoption of standard security best practices. By using these guidelines, healthcare entities can bolster their security frameworks, address emerging risks, and implement technical safeguards that mitigate vulnerabilities, ensuring the confidentiality and integrity of patient data.

  • Legislative intent: The proposed updates aim to clarify HIPAA's original purpose, ensuring that the law is interpreted with a focus on safeguarding patient privacy and security in an ever-changing technological landscape. This ensures that courts and regulators uphold the spirit of the law, not just its specific language. By focusing on the underlying intent of the law, these updates promote more effective enforcement and protection of ePHI in today's dynamic healthcare environment.

  • Enforcement insights: OCR has identified recurring gaps and weaknesses in healthcare security practices, which continue to pose risks to ePHI. These findings emphasize the need for continuous monitoring, regular risk analyses, and proactive remediation to address vulnerabilities before they can be exploited. By addressing these weaknesses, healthcare organizations can improve their security posture, ensuring compliance with HIPAA regulations and protecting patient data from emerging threats.

The NPRM for the HIPAA Security Rule introduces significant changes to the framework protecting ePHI, requiring regulated entities to implement comprehensive security measures, conduct annual penetration testing, perform automated vulnerability scans every six months, and deploy multi-factor authentication across all systems accessing ePHI. All these measures must be documented and periodically reviewed. With the removal of addressable standards, all safeguards are now mandatory, demanding a stricter compliance approach. Healthcare organizations must adapt to these updated requirements while managing risk in a complex and dynamic healthcare environment. Throughout the NPRM, HHS emphasized that a thorough risk analysis should drive the implementation of technical controls to ensure they are reasonable and appropriate for the size and complexity of the organization. This highlights the critical importance of conducting a risk analysis, as it helps entities tailor security measures to their unique risks and operational environment.

To effectively manage the new requirements and reduce the risks posed by the complex healthcare environment, organizations must adopt a Governance, Risk, and Compliance (GRC) program. Coalfire assists clients with constructing and refining well-structured GRC programs that offer a balanced, structured, and scalable approach to building the organizational processes needed to manage risk and comply with regulatory requirements while achieving business goals and objectives. This type of program ensures that organizations meet current legal and regulatory obligations and establish sustainable processes for addressing future challenges. By integrating risk management practices with operational goals, a GRC program helps healthcare organizations balance compliance with broader business objectives, fostering a culture of security and compliance.

Because of the extent of the changes to the Security Rule, Coalfire has developed a series of six white papers that divide the changes into the subsections of the HIPAA Security Rule NPRM: definitions, general rules, administrative safeguards, physical safeguards, security safeguards, organizational requirements, documentation requirements, and emerging issues (hot topics). The series will examine in depth the proposed changes to the Security Rule as outlined in the NPRM.