
HIPAA Cybersecurity Updates Coming Soon: 8 Things to Know

The Department of Health and Human Services has announced plans to update the regulations of the Health Insurance Portability and Accountability Act (HIPAA), a federal law mandating the protection of patient information by insurers and healthcare systems. These revisions are expected later this year and will incorporate measures specifically targeting cybersecurity.  

Additionally, the introduction of fresh cybersecurity stipulations linked to Medicaid and Medicare funding may be coming soon. As of mid-2024, the Centers for Medicare and Medicaid Services (CMS) have begun pilot-testing some of these cybersecurity measures with selected healthcare organizations, signaling that a full rollout is imminent.

HIPAA Cybersecurity Updates 2024

Taken together, these updates mark a significant shift in the regulatory landscape for healthcare cybersecurity. These changes are needed now more than ever: the healthcare industry is especially vulnerable to threats because its attack surface is much larger than that of other industries, and cyberattacks on hospitals are increasing. Last year, there were a reported 46 cyberattacks on hospitals compared to 25 in 2022, with the average payout being $1.5 million in 2023.

What’s next? Organizations in the healthcare sector should take proactive steps to understand what changes lie on the horizon, assess their current cybersecurity posture, and make the adjustments necessary to comply with the new requirements.

8 Things to Know about HIPAA’s Spring Cybersecurity Updates 

Based on updated guidance, as we approach Spring of 2024, healthcare organizations need to be aware of the following: 

  • Revised NIST Guidance for HIPAA Compliance: The National Institute of Standards and Technology (NIST) has released updated guidelines to assist HIPAA-covered entities and business associates in managing cybersecurity risks. These guidelines, developed in collaboration with the Department of Health and Human Services’ Office for Civil Rights (OCR), offer a framework for securing electronic protected health information (ePHI). 
  • Upcoming Amendments to the HIPAA Security Rule: Anticipated in Spring 2024, these amendments will align with the strategic objectives outlined in the President’s National Cybersecurity Strategy. The focus will be on shifting the responsibility for cybersecurity from end-users to the technology providers in the healthcare sector. 
  • New CMS Cybersecurity Requirements: The Centers for Medicare and Medicaid Services (CMS) is set to propose new cybersecurity requirements for its program participants. This move is expected to bring a significant shift in how healthcare providers and payers manage cybersecurity.
  • Healthcare and Public Health Sector-specific Cybersecurity Performance Goals: While these goals are currently voluntary, they will likely influence future cybersecurity requirements in healthcare. Organizations should not overlook these guidelines as they prepare for regulatory changes. 
  • Recognized Security Practices (RSPs) are Crucial: With the amendment to the HITECH Act, organizations that can demonstrate the implementation of RSPs may benefit from reduced fines or termination of HIPAA-related investigations. Organizations may therefore want to have operationalized RSPs for at least the previous twelve months. 
  • Review and Update Vendor Contract Requirements: Changes to the HIPAA Security Rule will likely impact terms within various agreements related to ePHI. Organizations should proactively assess and address potential gaps in their contractual terms. 
  • Proactive Measures Over a Wait-and-See Approach: Given the scope of the upcoming changes, organizations should start preparing now rather than waiting until the changes are formally enacted. 
  • Broadening Enforcement and Compliance Scope: New regulations are expected to cover a wider range of activities and entities involved in healthcare, including manufacturers, sellers, and service providers of healthcare technologies. 

Let’s Start a Conversation 

Interested in learning more about how SAI360 can help you prepare for HIPAA updates? Click here to schedule a demo with one of our healthcare industry experts.
