The O&P EDGE Magazine

HIPAA Changes Are Coming

by Scott Williamson
January 13, 2025
in EDGE Advantage

It’s a new year and I figured I’d start the blogs off with something we all love—paperwork!

The new rule, the Notice of Proposed Rulemaking (NPRM), is under consideration as a reaction to the significant increase in cyberattacks and data breaches targeting the healthcare sector under the Biden Administration. HHS Deputy Secretary Andrea Palm noted that these attacks endanger patients by exposing vulnerabilities in the healthcare system, degrading patient trust, disrupting patient care, and delaying medical procedures.

As a Covered Entity under HIPAA, staying informed about potential regulatory changes is crucial for O&P businesses to maintain compliance and protect electronic Protected Health Information (ePHI). The Department of Health and Human Services (HHS) recently proposed significant updates to the HIPAA Security Rule through the NPRM. These changes aim to strengthen cybersecurity measures and address the evolving landscape of digital threats in healthcare. Assuming your organization is already compliant with existing HIPAA requirements, let’s focus on the new elements you’ll need to incorporate into your compliance plan if these proposed changes are finalized.

Enhanced Risk Analysis and Management

The proposed rule emphasizes a more structured and proactive approach to identifying and mitigating potential security risks to ePHI. Covered Entities would be required to:

  • Perform and document company-wide risk analyses at least annually
  • Implement continuous risk management programs
  • Document all risk analysis and management activities in detail

This enhanced focus on risk management underscores the need for a more systematic approach to cybersecurity. While this may seem daunting, solutions are being developed to assist with these requirements. For instance, Quality Outcomes is working on a tool to help streamline this process for Covered Entities.

Timely Security Updates and Vulnerability Management

Recognizing the critical nature of keeping systems secure, the NPRM proposes several measures designed to reduce the window of opportunity for cybercriminals to exploit known vulnerabilities:

  • Implementing policies for timely application of security updates
  • Establishing processes for identifying and mitigating vulnerabilities
  • Setting specific timelines for applying critical updates

These requirements highlight the importance of maintaining robust cyber liability insurance, a topic discussed in previous blog posts.

Strengthened Encryption Requirements

The proposed rule places a strong emphasis on encryption as a critical layer of protection for ePHI. Covered Entities would need to:

  • Implement encryption for ePHI both at rest and in transit
  • Ensure encryption methods meet current standards developed by the National Institute of Standards and Technology
  • Regularly review and update encryption practices

This focus on encryption aims to provide an additional layer of protection for sensitive health information. The Covered Entity is responsible for managing and protecting all ePHI maintained outside of its EMR system. Spreadsheets, PDFs, images, emails, and text messages are all examples of places where ePHI may be stored.

Expanded Security Awareness and Training

Recognizing that human error often represents a weak link in cybersecurity, the proposed rule calls for enhanced staff awareness and preparedness:

  • Providing comprehensive security awareness training to all workforce members
  • Including specific training on social engineering and phishing attacks
  • Conducting regular phishing simulations

By focusing on these areas, Covered Entities can create a more robust first line of defense against cyber threats.

Comprehensive Contingency Planning

The NPRM emphasizes the need for thorough contingency planning. This includes:

  • Developing and maintaining detailed data backup plans
  • Creating comprehensive disaster recovery and emergency mode operation plans
  • Regularly testing and updating these plans

These measures aim to ensure business continuity and data protection in the face of unforeseen events or cyberattacks.

Preparing for the Future

The proposed changes to the HIPAA Security Rule represent a significant shift toward more robust cybersecurity practices in healthcare. While they may present challenges, these updates are designed to better protect sensitive health information in an increasingly digital world.

As Covered Entities, it’s crucial that we stay ahead of these changes, not just for compliance reasons, but to ensure we’re providing the best possible protection for the patient information entrusted to us. By starting to prepare now, we can ensure a smoother transition if and when these proposed rules become final.

Remember, protecting patient information is not just a legal obligation, but a fundamental aspect of providing quality healthcare. Let’s embrace these potential changes as an opportunity to strengthen our security postures and better serve our patients in the digital age.

It’s important to note that these are proposed changes, and the final rule may differ. The comment period for the NPRM is open until March 7. Covered Entities should take this opportunity to review the proposed changes in detail and consider submitting comments to HHS.

As we navigate these potential changes, it’s crucial to stay informed and proactive. Consider consulting with legal counsel or a HIPAA compliance expert to ensure your organization is prepared for these potential new requirements. By taking steps now to enhance your cybersecurity practices, you’ll not only be better positioned for compliance but also better equipped to protect your patients’ sensitive information in an increasingly complex digital landscape.

Stay tuned for further updates as we continue to monitor developments in HIPAA regulations and cybersecurity best practices. Together, we can work toward a more secure and resilient healthcare ecosystem.

Scott Williamson, MBA, CAE (ret), is the president of Quality Outcomes and the executive director of education and events for OPIE Software. He can be contacted at scott.williamson@opiesoftware.com.
