Scroll Top

Changes Coming to HIPAA Security Rule

Changes Coming to HIPAA Security Rule
HIPAA
0 0
By Mike Sulmonetti Featured January 9, 2025

Access Controls

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This proposed rule aims to enhance cybersecurity protections for electronic protected health information (ePHI).

Brief Background

The HIPAA Security Rule establishes national standards for the protection of individuals’ ePHI by covered entities, such as health plans, health care clearinghouses, and most health care providers, as well as their business associates. The proposed updates are part of a broader effort by the Biden-Harris Administration to improve the cybersecurity of critical infrastructure.

Key Proposals

The NPRM includes several significant changes to strengthen the Security Rule:

  • Uniform Implementation Specifications: All implementation specifications will be required, with specific, limited exceptions.
  • Documentation Requirements: Written documentation of all Security Rule policies, procedures, plans, and analyses will be mandatory.
  • Updated Definitions: Definitions and implementation specifications will be revised to reflect changes in technology and terminology.
  • Compliance Time Periods: Specific compliance time periods will be added for many existing requirements.
  • Technology Asset Inventory and Network Map: Regulated entities must develop and maintain a technology asset inventory and network map, updated at least annually.
  • Risk Analysis Specificity: A more detailed risk analysis will be required, including assessments of threats, vulnerabilities, and risk levels.
  • Access Notification: Regulated entities must notify certain entities within 24 hours when a workforce member’s access to ePHI is changed or terminated.
  • Contingency Planning: Enhanced requirements for contingency planning and incident response, including written procedures and regular testing.
  • Compliance Audits: Annual compliance audits will be required to ensure adherence to the Security Rule.
  • Encryption and Technical Controls: Encryption of ePHI at rest and in transit will be required, along with other technical controls such as anti-malware protection and multi-factor authentication.
  • Vulnerability Scanning and Penetration Testing: Regular vulnerability scanning and penetration testing will be mandated.
  • Network Segmentation: Network segmentation will be required to enhance security.
  • Backup and Recovery: Separate technical controls for backup and recovery of ePHI will be necessary
  • Business Associate Verification: Business associates must verify their compliance with technical safeguards annually.

Public Participation

HHS encourages all stakeholders, including patients, health plans, health care providers, and consumer advocates, to submit comments on the NPRM through regulations.gov. Public comments are due 60 days after the NPRM’s publication in the Federal Register. Additionally, HHS will conduct a consultation meeting soon, with details forthcoming.

For more information, you can view the NPRM here.

https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of.

To read our cybersecurity blog visit.

http://www.topgallant-partners.com

 

0
Mike Sulmonetti / About Author
Account Manager Cybersecurity Sales Consulting. Mike has been in High Technology sales consulting for 30+ years, of which 15 years have been solely focused on cybersecurity consulting. He is very passionate about helping customers bolster their cybersecurity programs. In his spare time Mike likes to Ski, Golf, Mountain Bike and go Boating.
More posts by Mike Sulmonetti

Related Posts

Topgallant Selected as a New York State Certified Service Disabled Veteran Owned Business

Topgallant Partners was recently Certified by New York as a New York State Certified Service-Disabled Veteran Owned Business. Topgallant Received the news in April. The news was received in a letter written by the Executive Director for Division of Service-Disabled Veterans’ Business Development, Kenneth E. Williams.

2
2
20 Jul 2022
ransomware
What to Do Immediately After a Ransomware Attack

Ransomware attacks are a growing threat to businesses of all sizes. In 2021, the average ransomware payment was $170,000. If…

1
1
12 May 2023
VMware Releases Fix for Critical Vulnerabilities

VMware has released fixes for ten vulnerabilities, including CVE-2022-31656 which is an authentication bypass vulnerability affecting VMware Products. VMware considers these updates critical and advises to patch or mitigate immediately. There is an indication that this vulnerability may soon be leveraged by attackers.

0
0
03 Aug 2022
May 2023 News
May Newsletter

May 2023 Newsletter Tim Cook Said Recently “In The World of Cybersecurity The Last Thing You Want Is To Have…

1
1
20 Apr 2023
NIST CSF
CyberSec 101: What is NIST CSF?

Introduction The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)  provides a comprehensive approach to managing cybersecurity risks….

2
2
16 Sep 2024
NIST
Top 10 Benefits for Adhering to NIST CSF

What Are the Benefits for My Organization You ever wonder what the benefits of the NIST Cybersecurity Framework (CSF) and…

1
1
03 Oct 2024
Access Controls
CyberSec 101: The Importance of Access Controls

We all know what is meant by Access Control. Pretty easy to figure out?  There are all kinds of access…

2
2
09 Sep 2024
ESXi
CISA Provides Recovery Tool for Recent ESXi Arg Ransomware

The Cyber Security and Infrastructure Security Agency (CISA) has come to the rescue for those affected by a Recent Ransomware…

0
0
08 Feb 2023
Healthcare IT Spending Increasing Due to Attacks on HIPAA Data

Healthcare spending in the U.S. — which is the highest among developed countries — accounts for 18 percent of the…

1
1
12 Jan 2023
cyberstalking
“When NIST 800-63B Walked into a Bar: A Lighter Look at Password Standards”

In a universe (not so far away), where passwords like “123456” and “password” reigned supreme, our hero, NIST 800-63B, stepped…

3
3
22 Aug 2023
Updated AT&T Breach Report Affects an estimated 73 Million Customers

April 30, 2024 AT&T has reported a data breach so it’s time to change your AT&T password, and if you…

0
0
30 Apr 2024
SIEM vs. XDR/MDR vs. SOAR: Understanding the Key Differences

Introduction In the quest to strengthen cybersecurity defenses, organizations have turned to various solutions such as SIEM, XDR/MDR, and SOAR….

6
6
01 Jun 2023
Vulnerability Scanning + Penetration Testing = Best Practice

To help businesses uncover and fix the vulnerabilities and misconfigurations affecting their systems, there is an abundance of solutions available….

0
0
18 Jul 2022
Are Pagers HIPAA Compliant for ePHI?

Recently, I was asked my opinion on whether Pagers were compliant to HIPAA. I actually had never thought about it…

1
1
10 Oct 2012
HHS OCR HIPAA Audit Finds Less Than Lackluster Results

Majority were non-compliant for Access, Security Risk Management and Analysis In 2016 and 2017, the Office for Civil Rights (OCR)…

0
0
18 Aug 2021

Leave a comment

Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required