What better way to welcome the new year than with proposed new HIPAA Security Rules?
As 2024 came to an end, the U.S. Department of Health and Human Services announced new proposed regulations to strengthen cybersecurity and security measures for ePHI. If adopted, this would be the first update to the Security Rule since 2013. HHS states that the updates are necessary to address changes in how health care is provided (including via artificial intelligence and virtual and augmented reality) and how ePHI is used and disclosed; the alarming rise in cyberattacks and HIPAA breaches involving ePHI; consistent failures by covered entities and business associates to implement certain Security Rule requirements; and misunderstandings of the intent of certain Security Rule requirements expressed in court decisions.
The Proposed Rule was published in the Federal Register on January 6, 2025, for public comment. A copy of the Proposed Rule is available here.
Sampling of key proposed changes to the HIPAA Security Rule requirements (special thanks to Fox Partner Matt Redding for his contributions to this list):
- Covered entities/business associates must review, test, and update HIPAA Security policies and procedures regularly.
- All Security Rule implementation specifications will be "required" and no longer "addressable," with specific, limited exceptions.
- Covered entities/business associates must meet new Security Rule compliance time frames (e.g., patch critical risk within 15 days).
- Covered entities/business associates must develop a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity's electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity's environment or operations that may affect ePHI.
- The Security Risk Assessment that covered entities/business associates are required to perform must include, among other things:
  - A review of the technology asset inventory and network map;
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
  - Identification of potential vulnerabilities and predisposing conditions to the regulated entity's "relevant electronic information systems" (defined as those that handle ePHI as well as those that otherwise affect the confidentiality, integrity, or availability of ePHI);
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
  - An assessment of risks to ePHI posed by entering into a business associate agreement, based on a written verification obtained from the business associate.
- Business associates must notify covered entities (and subcontractors must notify business associates) within 24 hours of (i) a change in or termination of a workforce member's access to ePHI or relevant electronic information systems maintained by the covered entity (or business associate); and (ii) activation of a contingency plan.
- Covered entities/business associates must implement new/strengthened requirements for contingency planning and responding to security incidents:
  - Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  - Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  - Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents; and
  - Implement written procedures for testing and revising written security incident response plans.
- Business associates must verify in writing at least once every 12 months that they have deployed the technical safeguards required by the Security Rule to protect ePHI, through a written analysis of the business associate's relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- PHI must be encrypted at rest and in transit, with limited exceptions.
- Covered entities/business associates must employ multi-factor authentication (MFA) to access ePHI.
- Covered entities/business associates must segment electronic information systems to limit access to ePHI to authorized workstations.
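As an added illustration (not from the post, HHS, or the Proposed Rule itself), the following Python checks a constructed technology asset inventory against several of the proposed time frames and safeguards listed above: the 12-month inventory and network map review, encryption of ePHI at rest and in transit, MFA for ePHI access, and the 15-day patch window for critical risk. The asset and vulnerability fields, the sample assets, and the tracking ids are all assumed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
CRITICAL_PATCH_DAYS = 15      # proposed: patch critical risk within 15 days
INVENTORY_REVIEW_DAYS = 365   # proposed: review inventory/network map at least every 12 months

@dataclass
class Vulnerability:
    vuln_id: str                 # constructed tracking id, not a real CVE
    critical: bool
    found: date
    patched: date | None = None  # None means still open

@dataclass
class Asset:
    name: str
    handles_ephi: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_required: bool
    last_inventory_review: date
    vulns: list[Vulnerability] = field(default_factory=list)

def check_asset(asset: Asset, today: date) -> list[str]:
    """Return findings for one asset; an empty list means no gap was found."""
    findings = []
    if (today - asset.last_inventory_review).days > INVENTORY_REVIEW_DAYS:
        findings.append(f"{asset.name}: inventory/network map not reviewed within 12 months")
    if asset.handles_ephi:
        if not (asset.encrypted_at_rest and asset.encrypted_in_transit):
            findings.append(f"{asset.name}: ePHI not encrypted both at rest and in transit")
        if not asset.mfa_required:
            findings.append(f"{asset.name}: MFA not enforced for ePHI access")
    for v in asset.vulns:
        days_open = ((v.patched or today) - v.found).days  # open items are measured to today
        if v.critical and days_open > CRITICAL_PATCH_DAYS:
            findings.append(f"{asset.name}: critical {v.vuln_id} open {days_open} days (limit 15)")
    return findings

def check_inventory(assets: list[Asset], today: date) -> list[str]:
    return [f for a in assets for f in check_asset(a, today)]

TODAY = date(2025, 1, 6)  # constructed sample below: one compliant asset, one with gaps
SAMPLE_ASSETS = [
    Asset("ehr-db-01", True, True, True, True, date(2024, 11, 1),
          [Vulnerability("VULN-A", True, date(2024, 12, 1), date(2024, 12, 10))]),
    Asset("legacy-imaging", True, False, True, False, date(2023, 10, 1),
          [Vulnerability("VULN-B", True, date(2024, 12, 1))]),
]
```

Running `check_inventory(SAMPLE_ASSETS, TODAY)` reports four gaps, all on `legacy-imaging` (stale inventory review, missing encryption at rest, no MFA, and a critical item open 36 days), and none on `ehr-db-01`.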