HHS' Last-Minute Holiday Gift: Proposed Modifications to the HIPAA Security Rule


The U.S. Department of Health and Human Services ("HHS") issued a Notice of Proposed Rulemaking (the "Proposed Rule") on December 27, 2024, to significantly amend HIPAA's Security Rule, which sets forth the security standards for the protection of protected health information by covered entities and their business associates. The Proposed Rule's issuance was anticipated, particularly in light of the growing number of health data breaches and disclosures of large-scale global cyberattacks.

The Proposed Rule takes aim at several key areas of the Security Rule, including updates to:

  • Standards for Assessing Adequacy of Safeguards – The Proposed Rule seeks to remove the distinction between "required" and "addressable" safeguards, which has the practical effect of generally making all implementation specifications required. The Proposed Rule would eliminate this distinction by requiring that regulated parties implement all of the standards and specifications, but would continue to afford regulated parties a measure of flexibility in how they go about satisfying those standards and specifications.
  • Administrative Safeguard Requirements – The Security Rule requires regulated parties to implement a variety of written policies and procedures that are tailored to protecting ePHI. The Proposed Rule requires adoption of several new policies and procedures, and further requires that these policies and procedures be tested on a yearly basis as well as after certain operational changes.
  • Technical Safeguard Requirements – The Proposed Rule seeks to add a significant number of new standard requirements, such as multi-factor authentication, contingency planning, vulnerability scans, and numerous others.
  • Standards for Business Associate Agreements – The Proposed Rule makes a number of revisions to the requirements applicable to Business Associate Agreements, including: (1) requiring business associates to notify covered entities upon activation of their contingency plans no later than 24 hours after activation (such plans would be required to be prepared under the Proposed Rule); and (2) requiring that covered entities obtain written verification from their business associates, at least once every 12 months, that such business associates have deployed the technical safeguards required by the Security Rule.
  • Encryption – The Proposed Rule clarifies that regulated parties must encrypt ePHI both in transit and at rest, subject to certain exceptions. This requirement may have a significant impact to the extent regulated parties have relied on non-encrypted channels of communication (e.g., text messaging) to facilitate care.

It is important to note that the current Security Rule remains in effect until HHS publishes a Final Rule. Following publication in the Federal Register, a 60-day window for submission of public comments ensues. We anticipate that HHS will receive many comments to work through given the potential impact of the Proposed Rule. Because of the change in administration, the Proposed Rule will likely receive increased scrutiny and, consequently, it may be some time before a Final Rule is published. However, given the importance of mitigating cybersecurity risks in the healthcare industry, we anticipate the Proposed Rule will be finalized in some form.

In addition to federal developments such as the Proposed Rule, the state landscape continues to evolve with states passing consumer health data laws. We will continue to monitor these developments.
