
Feds Release New Proposed HIPAA Rule

The feds are about to publish new HIPAA cybersecurity rules in the Federal Register. Of course, the new administration may decide to throw the rules in the trash can and let the 60+ percent of the healthcare industry that was breached this year try to figure it out by themselves. Or not. Or just wait for the class action attorneys to go wild on them. Stay tuned on this one. The timing seems a bit odd: why didn't they do this six months ago? Of course, Congress is not happy about all of the breaches, so who knows.

Anyway, *IF* these new rules are allowed to become effective, it will be the first update to HIPAA in a decade. The White House says these new rules will cost the industry about $9 billion in the first year and $6 billion a year after that.

It is unclear what the cost of the next Change Healthcare breach will be and whether a number of healthcare organizations would even survive the next one. Change Healthcare is currently estimating the cost of that one breach at $850 million – sure to go up.

Since the federal rulemaking process moves like a dinosaur, HHS floated the idea of adding cybersecurity rules to HIPAA about a year ago, including increasing the penalties for HIPAA violations.

HHS published the new guide a year ago, and it is finally publishing the regulation in the Federal Register just before the administration change.

So what is in it? An entire laundry list. Below is a summary of what is new.

Key Changes in Revision 2:

  1. Modernized Security Approaches
  • Updated to reflect modern cybersecurity threats and practices
  • Added emphasis on zero trust architecture principles
  • Incorporated risk management frameworks aligned with current NIST guidance
  • Updated security controls to address cloud computing and mobile devices
  2. HIPAA Integration
  • Enhanced mapping between HIPAA Security Rule requirements and the NIST Cybersecurity Framework
  • Provided more detailed guidance on implementing security requirements for protected health information (PHI)
  • Added clarity on how security measures relate to HIPAA compliance obligations
  3. Risk Assessment
  • Expanded guidance on conducting risk assessments
  • Added new methodologies for identifying and evaluating security risks
  • Included more detailed guidance on documenting risk assessment findings
  4. Implementation Specifications
  • Provided more detailed implementation guidance for each security control
  • Added practical examples and use cases
  • Enhanced guidance on selecting and implementing appropriate security measures
  5. Supply Chain Security
  • Added new sections addressing supply chain risk management
  • Included guidance on managing third-party security risks
  • Enhanced focus on vendor management and assessment
  6. Incident Response
  • Updated incident response procedures to reflect current threats
  • Added guidance on ransomware and other modern cyber threats
  • Enhanced breach notification guidance
  7. Remote Work Considerations
  • Added new sections addressing telework security
  • Included guidance for securing remote access to PHI
  • Updated guidance on mobile device security
  8. Documentation Requirements
  • Enhanced guidance on maintaining security documentation
  • Added templates and examples for security policies and procedures
  • Provided clearer direction on compliance documentation

Here is a link to the final HIPAA implementation guide from NIST.

If this applies to you and you need assistance in implementing it, please contact us.