What higher approach to welcome the brand new 12 months than with proposed new HIPAA Safety Guidelines?
As 2024 got here to an finish, the U.S. Division of Well being and Human Companies introduced new proposed laws to strengthen cybersecurity and safety measures for ePHI. If adopted, this might be the primary replace to the Safety Rule since 2013. HHS states that the updates are needed to deal with adjustments in how well being care is offered (together with through synthetic intelligence and digital and augmented actuality) and the way ePHI is used and disclosed; the alarming rise in cyberattacks and HIPAA breaches involving ePHI; constant failures by coated entities and enterprise associates to implement sure Safety Rule necessities; and misunderstandings of the intent of sure Safety Rule necessities expressed in courtroom selections.
The Proposed Rule is scheduled to be printed within the Federal Register on January 6, 2025, for public remark. An unpublished copy of the Proposed Rule is obtainable right here (390 pages!).
Sampling of key proposed modifications to the HIPAA Safety Rule necessities (particular due to Fox Accomplice Matt Redding for his contributions to this checklist):
- Coated entities/enterprise associates should assessment, check, and replace HIPAA Safety insurance policies and procedures frequently.
- All Safety Rule implementation specs will likely be “required” and now not “addressable” with particular, restricted exceptions.
- Coated entities/enterprise associates should meet new Safety Rule compliance time frames (e.g., patch essential danger inside 15 days).
- Coated entities/enterprise associates should develop a expertise asset stock and a community map that illustrates the motion of ePHI all through the regulated entity’s digital info system(s) on an ongoing foundation, however not less than as soon as each 12 months and in response to a change within the regulated entity’s atmosphere or operations which will have an effect on ePHI.
- The Safety Danger Evaluation that coated entities/enterprise associates are required to carry out should embrace, amongst different issues:
- A assessment of the expertise asset stock and community map;
- Identification of all moderately anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing situations to the regulated entity’s “related digital info techniques” (outlined as people who deal with ePHI in addition to people who in any other case have an effect on the confidentiality, integrity, or availability of ePHI);
- An evaluation of the danger stage for every recognized menace and vulnerability, based mostly on the chance that every recognized menace will exploit the recognized vulnerabilities; and
- An evaluation of dangers to ePHI posed by getting into a enterprise affiliate settlement, based mostly on a written verification obtained from the enterprise affiliate.
- Enterprise associates should notify coated entities (and subcontractors should notify enterprise associates) inside 24 hours of (i) a change in or termination of a workforce member’s entry to ePHI or related digital info techniques maintained by the coated entity (or enterprise affiliate); and (ii) activation of a contingency plan.
- Coated entities/enterprise associates should implement new/strengthened necessities for planning for contingencies and responding to safety incidents:
- Set up written procedures to revive the lack of sure related digital info techniques and information inside 72 hours;
- Carry out an evaluation of the relative criticality of their related digital info techniques and expertise property to find out the precedence for restoration;
- Set up written safety incident response plans and procedures documenting how workforce members are to report suspected or recognized safety incidents and the way the regulated entity will reply to suspected or recognized safety incidents; and
- Implement written procedures for testing and revising written safety incident response plans.
- Enterprise associates should confirm in writing not less than as soon as each 12 months that they’ve deployed technical safeguards required by the Safety Rule to guard ePHI via a written evaluation of the enterprise affiliate’s related digital info techniques by an issue knowledgeable and a written certification that the evaluation has been carried out and is correct.
- PHI have to be encrypted at relaxation and in transit, with restricted exceptions.
- Coated entities/enterprise associates should make use of multi-factor authentication (MFA) to entry ePHI.
- Coated entities/enterprise associates should phase digital info techniques to restrict entry to ePHI to licensed workstations.