AMARILLO, TX – On December 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to strengthen cybersecurity protections for electronic protected health information (ePHI). The NPRM proposes to strengthen the Security Rule's standards and implementation specifications.
The NPRM was published in the Federal Register on January 6, 2025, and is open for comment until March 7, 2025.
The Security Rule, one of the HIPAA rules, sets the standards for safeguarding ePHI: individually identifiable health information that a regulated entity transmits by, or maintains in, electronic media. The Security Rule was published in 2003 and last revised in 2013; since then, healthcare technology has changed significantly and cybersecurity threats have grown, and the rule has not kept pace.
Healthcare now depends on networked computer systems for appointment scheduling, telehealth visits, medical devices, patient records, and billing. The same systems that deliver these services also expose ePHI to cyberattacks, malfunctions, and errors. The growing number of breaches and cyberattacks, and the number of individuals affected by them, has raised concern about whether ePHI is adequately protected.
The proposed rule introduces new administrative, technical, and physical safeguards and requires regulated entities to do the following:
- Develop and maintain a technology asset inventory and a network map that shows how ePHI moves through the entity's electronic information systems. The inventory and map must be updated at least once every 12 months and whenever a change in the environment or operations may affect ePHI.
- Identify all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, identify potential vulnerabilities, and assess the risk level of each identified threat and vulnerability, making the risk analysis more comprehensive than the current rule requires.
- Establish written procedures to restore specific electronic information systems and data within 72 hours of a loss.
- Implement written policies and procedures for patch management, and review, test, and modify those policies at least once every two months.
- Notify covered entities and business associates within 24 hours when a workforce member's access to ePHI or to specific electronic information systems is changed or terminated.
- Conduct a compliance audit at least once every 12 months to verify adherence to the Security Rule's requirements.
In addition to the requirements above, the proposed rule emphasizes that regulated entities must document all Security Rule policies, procedures, plans, and analyses in writing, and must update that documentation as technology and cybersecurity practices change.
Once the proposed rule is finalized, the final rule would take effect 60 days after its publication.
HHS states that most of the proposed modifications would give regulated entities greater clarity and specificity about how to meet their obligations and what HHS expects of them. HHS also proposes adding a provision at 45 C.F.R. 164.318 that would give regulated entities a transition period, beyond the standard 180-day compliance period, to modify their business associate agreements and other written arrangements.
Overall, the proposed rule reflects the growing importance of cybersecurity in the healthcare sector. Safeguarding ePHI is how regulated entities preserve the confidentiality, integrity, and availability of sensitive patient information.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Texas with a national healthcare practice. He represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].
Jacque K. Steelman, Esq., is a member of the Health Care Group at Brown & Fortunato, PC, a law firm with a national healthcare practice based in Texas. She represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Ms. Steelman can be reached at (972) 684-5789 or [email protected].