
The U.S. Department of Health and Human Services (HHS) recently submitted a proposed rule to update the HIPAA Security Rule and enhance the protection of electronic protected health information. The changes aim to address the growing number of breaches and cyberattacks in healthcare, as well as common deficiencies identified during Security Rule investigations.
The HIPAA Security Rule currently allows entities to bypass “addressable” implementation specifications if they are deemed unreasonable due to factors such as risk or cost. The proposed modifications will require entities to meet all standards and implementation specifications, and will not allow an entity to avoid an addressable implementation specification. The proposed rules also seek to clarify existing standards and provide detailed guidance on compliance.
The MHA is reviewing the proposed changes and will submit comments to HHS. Public comments are open until March 7, 2025. Members with questions may contact Jim Lee at the MHA.
