The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has issued a proposed rule aimed at bolstering cybersecurity protections in the health care sector. This initiative seeks to address the increasing frequency and sophistication of cyberattacks targeting health care systems, which pose significant threats to patient safety and trust. The proposed rule aims to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, ensuring stronger safeguards for individuals’ protected health information (PHI).
Why Strengthen Cybersecurity in Health Care?
Cyberattacks on health care entities have surged, with ransomware and hacking incidents leading to record-breaking breaches. OCR’s data reveals a staggering 102% increase in large breach reports from 2018 to 2023, while the number of affected individuals has risen by 1002% over the same period. In 2023 alone, over 167 million individuals were impacted by large breaches, highlighting the urgent need for enhanced security measures.
Deputy Secretary Andrea Palm emphasized the grave implications of these attacks, stating, “The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety. These attacks degrade patient trust, disrupt care, divert patients, and delay medical procedures.”
OCR Director Melanie Fontes Rainer added, “This proposed rule addresses current and future cybersecurity threats by requiring updates to existing safeguards to reflect advances in technology and cybersecurity.”
Key Provisions of the Proposed Rule
The proposed rule outlines several critical updates to the HIPAA Security Rule, including:
- Enhanced Safeguards: Health plans, health care clearinghouses, providers, and their business associates must implement more robust protections against both external and internal threats to electronic PHI.
- Detailed Requirements: The rule provides clearer instructions on compliance, ensuring covered entities understand their obligations to secure PHI.
- Regular Review and Updates: Policies and procedures must be documented, reviewed, tested, and updated regularly to reflect evolving cybersecurity threats and best practices.
- Alignment with Modern Standards: The updates aim to align the Security Rule with contemporary cybersecurity methodologies, ensuring relevance in the current digital landscape.
Addressing a Changing Cybersecurity Landscape
The health care environment has seen significant changes, with increases in breaches and cyberattacks necessitating a proactive approach. The proposed rule also addresses:
- Common deficiencies identified during OCR investigations.
- Court decisions impacting Security Rule enforcement.
- Evolving cybersecurity guidelines and methodologies.
While this rulemaking process is underway, the current HIPAA Security Rule remains in effect. Stakeholders are encouraged to review the proposed changes in detail and provide feedback.
For more information and to view the proposed rule, visit the Federal Register: HIPAA Security Rule Proposed Updates.
Author: Jennifer Evancic
Jennifer.Evancic@ResourceManagement.com
Jennifer Evancic is a third-party auditor valued by creditors and large organizations for her knowledge in call monitoring within the collections industry. With meticulous attention to detail and a firm grasp of regulatory requirements, she ensures compliance with clients’ criteria and state and federal regulations.
Jennifer audits collections calls, ensuring they meet client-specific criteria and comply with regulations, providing valuable insights and maintaining industry standards.
Beyond her auditing responsibilities, Jennifer takes the lead in organizing and facilitating monthly call calibrations. These sessions serve as a collaborative forum where clients and their vendors come together to discuss call monitoring results and address any findings or areas for improvement. Jennifer’s guidance fosters open communication and ensures alignment between clients and vendors, driving continuous improvement in collections practices.
Jennifer stays up-to-date with compliance and industry best practices by participating regularly in peer meetings, regulatory updates and industry webinars. This keeps her informed about emerging issues and ensures she remains a knowledgeable leader in collections compliance.