All healthcare organizations, including healthcare providers and medical insurance companies, must follow the Health Insurance Portability and Accountability Act (HIPAA) guidelines. However, because HIPAA is updated on occasion, healthcare organizations also have a responsibility to stay on top of changes and any proposed changes to healthcare data privacy and security laws.
Towards the end of 2024, the United States Department of Human Services issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule, so there are some things healthcare organizations should know about these potential changes and what they could mean for compliance practices.
More About the Proposed Rule
One of the main changes included in the proposed HIPAA rule concerns cybersecurity practices and standards. Under the new rule, all healthcare organizations subject to HIPAA would be required to maintain certain technical standards for cybersecurity purposes, including data encryption and multifactor authentication. Likewise, additional security requirements would be implemented for group health plans and business associates.
The proposed HIPAA update would also include formal definitions for certain security terms while removing all “addressable” implementation references. Instead, all specifications listed under HIPAA will be “required” with limited exceptions.
Another major component of this newly proposed update to HIPAA is the incorporation of guidelines for emerging technologies in the field, such as cybersecurity, virtual reality (VR), machine learning, and quantum computing. As these tools become more powerful and accessible, healthcare organizations need to have plans in place to mitigate the risks and liabilities associated with them.
What This Means for Healthcare Organizations
For organizations required to adhere to HIPAA regulations, these changes could significantly impact cybersecurity practices, risk mitigation, and compliance. For starters, because the new rules would raise the security requirements for healthcare organizations, many affected entities would need to substantially revamp their own cybersecurity practices. This may mean implementing new safeguards such as multifactor authentication, data encryption, and penetration testing.
From a compliance standpoint, healthcare organizations must also maintain documentation of their cybersecurity practices and procedures. Being able to demonstrate that your business is 100% compliant at any time is critical to avoiding potential penalties and legal trouble down the road.
If these new rules are implemented, another important change for many healthcare organizations will be the increased need for risk assessment and mitigation. This is especially true as new technologies like quantum computing and AI have become more readily available and have the potential to create major cybersecurity concerns.
What to Do Next
If your organization meets HIPAA compliance requirements, you may wonder what steps your compliance team should take now to avoid issues if these changes are implemented later.
One of the most important things to do sooner rather than later is to review your own security policies and compare them to the proposed changes in the HIPAA update. How far are your current policies and procedures from the proposed new requirements?
This can give your compliance team a better idea of what to expect and what kinds of changes may need to be made in the coming months. For example, if you know your organization doesn’t already have data encryption in place, now might be a good time to be proactive about this.
Meanwhile, if your security teams aren’t already conducting regular risk assessments, it’s a good idea to start. This can be a great way to proactively identify potential threats and take measures to mitigate them as much as possible.
Finally, as changes and updates occur, ensure you have a plan in place to provide staff with proper training on new rules and policies sooner rather than later. In doing so, you’ll be able to keep your team members up to speed on the latest best practices and avoid logistical headaches when new policies are enacted.
Don’t Overlook Cybersecurity Compliance
While only time will tell whether the proposed security rule changes will actually be enacted, healthcare organizations should plan ahead and consider how these changes could affect their security practices and operations. By doing so, they can be prepared for updates to security protocols and best practices while maintaining HIPAA compliance.
If you have any questions or want additional information, please contact DMJPS CPAs + Advisors.