Saturday, April 19, 2025

HHS’ Last-Minute Holiday Gift: Proposed Changes to the HIPAA Security Rule


The U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (the “Proposed Rule”) on December 27, 2024, to significantly amend HIPAA’s Security Rule, which sets forth the security standards for the protection of protected health information by covered entities and their business associates. The Proposed Rule’s issuance was expected, especially in light of the growing number of health data breaches and disclosures of large-scale global cyberattacks.

The Proposed Rule takes aim at several key areas of the Security Rule, including updates to:

  • Standards for Assessing Adequacy of Safeguards – The Proposed Rule seeks to remove the distinction between “required” and “addressable” safeguards, which has the practical effect of generally rendering all implementation specifications required. The Proposed Rule would eliminate this distinction by requiring that regulated parties implement all of the standards and specifications, but would continue to afford regulated parties a measure of flexibility in how they go about satisfying the standards and specifications.
  • Administrative Safeguard Requirements – The Security Rule requires regulated parties to implement a number of written policies and procedures that are tailored to protecting ePHI. The Proposed Rule requires adoption of several new policies and procedures, and even requires that these policies and procedures be tested on a yearly basis as well as after certain operational changes.
  • Technical Safeguard Requirements – The Proposed Rule seeks to add a significant number of new standard requirements, such as multi-factor authentication, contingency planning, vulnerability scans, and numerous others.
  • Standards for Business Associate Agreements – The Proposed Rule makes a number of revisions to the requirements applicable to Business Associate Agreements, including: (1) requiring business associates to notify covered entities upon activation of their contingency plans no later than 24 hours after activation (such plans would be required to be prepared under the Proposed Rule); and (2) requiring that covered entities obtain written verification from their business associates, at least once every 12 months, that such business associates have deployed the technical safeguards required by the Security Rule.
  • Encryption – The Proposed Rule clarifies that regulated parties must encrypt ePHI both in transit and at rest, subject to certain exceptions. This requirement may have a tremendous impact to the extent regulated parties have relied on non-encrypted vehicles for communication (e.g., text messaging) to facilitate care.

It is important to note that the current Security Rule remains in effect until HHS publishes a Final Rule. Following publication in the Federal Register, a 60-day window for submission of public comments ensues. We anticipate that HHS will receive many comments to work through given the potential impact of the Proposed Rule. Due to the change in administration, the Proposed Rule will likely receive increased scrutiny and, therefore, it may be some time before a Final Rule is published. Nonetheless, given the importance of mitigating cybersecurity risks in the healthcare industry, we anticipate the Proposed Rule will be finalized in some form.

In addition to federal developments such as the Proposed Rule, the state landscape continues to evolve with states passing consumer health information laws. We will continue to monitor these developments.
