HHS Plans HIPAA Security Rule Updates for Spring
Are you ready for HIPAA Security Rule updates? The U.S. Department of Health and Human Services (HHS) plans to begin the updates this spring. In December 2023, HHS released a concept paper that highlights ongoing and planned steps to improve cyber resiliency and protect patient safety by introducing “new cybersecurity requirements” to the HIPAA Security Rule.
There is no time like now for covered entities and business associates (BA) to prepare for the updates, which will include the return of random HIPAA audits.
Steps to prepare for HIPAA Security Rule Updates
While a start date for the updates has not been announced, a recent article highlights the following three ways covered entities and BAs can prepare for the impending changes.
1. Address Known Security Gaps to Thwart Cyberattacks
In 2023, more than 540 organizations reported large healthcare data breaches to the HHS Office for Civil Rights (OCR). In the first three months of 2024, several large healthcare organizations, including Change Healthcare, fell victim to cyberattacks. “HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients, and communities impacted by cyberattacks are better prepared and more secure,” said HHS Deputy Secretary Andrea Palm.
Read our recent blog, Lessons from the Change Healthcare Cyberattack Incident, for tips on addressing security gaps and protecting data.
2. Understand and Implement the HHS Cybersecurity Performance Goals (CPGs)
The HHS CPGs are designed to ensure layered protection at different stages of the attack chain or points in digital systems that can be exploited. This is crucial to mitigating the impacts of cybersecurity incidents if and when they occur. They are divided into two categories of goals:
Essential Goals
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
Enhanced Goals
- Asset Inventory
- Third-Party Vulnerability Disclosure
- Third-Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness:
- Configuration Management
3. Document Everything and Be Ready for Random Audits
In its concept paper, HHS stated it would prioritize conducting audits later in the year and evaluate compliance with potential HIPAA security rule changes. A February 2024 notice in the Federal Register confirmed that HHS intends to revive the practice of random HIPAA audits last used in 2017.
HHS OCR also plans to conduct an online survey of covered entities and business associates that were audited in 2016–2017 to assess the effectiveness of past audits and the entities’ post-audit compliance actions.
HIPAA Security Rule Updates Reflect Urgency
“Our commitment to this work reflects that urgency and importance,” said HHS Secretary Xavier Becerra. “We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”
PrivaPlan can help you prepare for the changes and enhance your organization’s cybersecurity posture. With over 20 years of HIPAA consulting experience, we know how to protect data privacy and enforce data security. Reach out today, and let’s safeguard your healthcare organization together: info@privaplan.com or 877-218-7707.
