HHS Issues Notice of Proposed Rulemaking to Strengthen HIPAA Security Rule

03 Jan 2025
Client Alert

Just in time to kick off the new year with a bang, HHS has proposed a major overhaul of the HIPAA Security Rule.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The proposed rule, the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, would require that HIPAA covered entities (i.e., health plans, health care clearinghouses, and health care providers) and their business associates (collectively, “regulated entities”) strengthen cybersecurity protections for electronic protected health information (ePHI), the subset of protected health information (PHI) that the Security Rule governs.

The 390-page NPRM is OCR’s first update to the HIPAA Security Rule since 2013, and it comes in the wake of a substantial increase in breaches of PHI driven by the rise of hacking and ransomware attacks. In 2023 alone, HHS reported that a record of more than 167 million individuals were affected by large breaches. The proposed rule aims to address the following issues:

  • Significant changes in health care technology and environment;
  • The rapid increase in breaches and cyberattacks;
  • Compliance shortcomings of regulated entities detected during OCR enforcement and investigations;
  • External cybersecurity guidelines, procedures, and best practices for protecting PHI; and
  • Recent court decisions impacting enforcement of the HIPAA Security Rule.

In response to the NPRM, OCR Director Melanie Fontes Rainer commented: “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation.”

The proposed rule is scheduled to be published in the Federal Register on January 6, 2025.

MoFo will publish a comprehensive analysis delving into the key changes of the proposed rule and discussing the impact on regulated entities.

Katherine Wang, an associate in our Boston office, contributed to the writing of this article.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.