What better way to welcome the new year than with proposed new HIPAA Security Rules?
As 2024 came to an end, the U.S. Department of Health and Human Services (HHS) announced new proposed regulations to strengthen cybersecurity and security measures for electronic protected health information (ePHI). If adopted, this would be the first update to the Security Rule since 2013. HHS states that the updates are necessary to address changes in how health care is provided (including via artificial intelligence and virtual and augmented reality) and how ePHI is used and disclosed; the alarming rise in cyberattacks and HIPAA breaches involving ePHI; consistent failures by covered entities and business associates to implement certain Security Rule requirements; and misunderstandings of the intent of certain Security Rule requirements expressed in court decisions.
The Proposed Rule is scheduled to be published in the Federal Register on January 6, 2025, for public comment. An unpublished copy of the Proposed Rule is available here (390 pages!).
Sampling of key proposed changes to the HIPAA Security Rule requirements (special thanks to Fox Partner Matt Redding for his contributions to this list):
- Covered entities/business associates must review, test, and update HIPAA Security policies and procedures on a regular basis.
- All Security Rule implementation specifications will be "required" and no longer "addressable," with specific, limited exceptions.
- Covered entities/business associates must meet new Security Rule compliance time frames (e.g., patch vulnerabilities presenting critical risk within 15 days).
- Covered entities/business associates must develop a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity's electronic information system(s), and maintain them on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity's environment or operations that may affect ePHI.
- The Security Risk Analysis that covered entities/business associates are required to perform must include, among other things:
  - A review of the technology asset inventory and network map;
  - Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
  - Identification of potential vulnerabilities and predisposing conditions to the regulated entity's "relevant electronic information systems" (defined as those that handle ePHI as well as those that otherwise affect the confidentiality, integrity, or availability of ePHI);
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
  - An assessment of risks to ePHI posed by entering into a business associate agreement, based on a written verification obtained from the business associate.
- Business associates must notify covered entities (and subcontractors must notify business associates) within 24 hours of (i) a change in or termination of a workforce member's access to ePHI or relevant electronic information systems maintained by the covered entity (or business associate); and (ii) activation of a contingency plan.
- Covered entities/business associates must implement new/strengthened requirements for contingency planning and responding to security incidents:
  - Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  - Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  - Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents; and
  - Implement written procedures for testing and revising written security incident response plans.
- Business associates must verify in writing at least once every 12 months that they have deployed the technical safeguards required by the Security Rule to protect ePHI, through a written analysis of the business associate's relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- ePHI must be encrypted at rest and in transit, with limited exceptions.
- Covered entities/business associates must use multi-factor authentication (MFA) to access ePHI.
- Covered entities/business associates must segment electronic information systems to limit access to ePHI to authorized workstations.