Rachel has been promoted to HIPAA Compliance Manager and wants to learn where to invest her time and resources to get up to speed. The healthcare provider where she works has policies, but the compliance program has been on the back burner. Her goal is to review and refresh everything before the end of the year. She seeks the most current information on cybersecurity and HIPAA enforcement trends.
HIPAA doesn’t stand still. It has been updated, modernized, and changed since it was first enacted in 1996. The Privacy Rule was modified this year, and the Security Rule is now being updated.
Rachel is wise to look for current trends.
NIST and OCR Host Cybersecurity Conference
Last week, the Office for Civil Rights (OCR) and the National Institute for Standards and Technology (NIST) co-hosted a conference titled Safeguarding Health Information: Building Assurance through HIPAA Security 2024.
Cybersecurity threats in healthcare have been growing exponentially in recent years. Data breaches, ransomware demands, and service interruptions reached an all-time high in 2024 with the Change Healthcare ransomware attack that affected 1 in 3 Americans, or 100 million individuals.
According to a recent report from Microsoft, the healthcare sector has become one of the most targeted industries by ransomware criminals, with attacks tripling since 2015.
OCR’s HIPAA Breach Reporting Tool website reveals 562 major breaches affecting nearly 167 million individuals so far this year (less than 10 months). Compare that to 2023, when about 163 million people were affected by the 745 major breaches reported for the entire year.
The OCR/NIST conference explored the current healthcare cybersecurity landscape and the HIPAA Security Rule. Speakers also discussed the present state of healthcare cybersecurity and strategies and techniques for complying with the Security Rule.
Melanie Fontes Ranier, the director of OCR, which oversees HIPAA, said OCR’s three priorities are:
- Updating the HIPAA Security Rule,
- Investigating HIPAA complaints, and
- Engaging more with the industry on healthcare cybersecurity.
Security Rule Updates
Director Rainer highlighted updates to the HIPAA Security Rule, which OCR submitted to the Office of Management and Budget (OMB) at the White House on October 18, 2024. The draft has yet to be public, but the changes are expected to be significant.
The proposed rule has a 60-day comment period, so the agency plans to publish a notice of proposed rulemaking sometime in December.
During the keynote session, Director Fontes Rainer said:
“The HIPAA Security Rule will be updated for the first time in nearly 20 years — substantive updates. We expect that process to be robust. We are looking forward to the opportunity to engage with folks on that through the public comment process.”
NIST and OCR Have a Larger Strategy to Improve Cybersecurity in Healthcare
OCR and NIST have been collaborating for over a year to improve cybersecurity in the healthcare sector. Updates to the Security Rule are part of a broader strategy aimed at helping the healthcare industry modernize and adopt the most effective cyber defenses against emerging threats.
Federal officials are concerned not only about the loss of protected health information (PHI) due to breaches but also about the potential impact on healthcare services. Service interruptions and downtime compromise the quality of care and pose risks to patients’ health.
HIPAA Risk Analysis is an Enforcement Priority
Although OCR officials did not discuss details of the proposed Security Rule updates at the conference, they have signaled that risk analysis is a top priority in the past. The risk analysis has been incomplete or missing in nearly all the HIPAA enforcement actions brought by OCR against regulated entities.
In February 2024, Director Fontes Rainer said that OCR plans to begin HIPAA audits soon. This will be the third phase of audits since 2011.
NIST and OCR Will Engage with Healthcare to Provide Guidance
In addition to enforcement actions, OCR plans to continue offering guidance to the industry to help it better prepare. In March, OCR published the voluntary Cybersecurity Performance Goals (CPGs) and its fiscal 2025 budget proposal. The CPGs include ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage the adoption of more advanced practices.
Some believe the CPGs contain the framework for OCR’s proposed Security Rule updates.
Will HIPAA Enforcement Change After the Election?
Staff changes are usually made at the federal agencies whenever the administration changes. However, whether there is a shift in enforcement priorities and policy direction depends on whether Kamala Harris or Donald Trump becomes the next President.
In the past, we have argued that HIPAA is not political. For example, OCR Director Roger Severino, under President Trump (from 2017 through 2020), actively pursued HIPAA enforcement actions and began the Right of Access initiative in 2019
The climate today, however, has shifted. The platforms of the two major parties differ, for example, regarding reproductive health policies. The recent Privacy Rule change, implemented this year to safeguard reproductive health patients and providers, may be rolled back under a Republican administration. In contrast, a Democratic administration will likely keep it in place.
There are no noticeable policy differences regarding the HIPAA Security Rule, which is designed to protect patients’ electronic data and keep healthcare organizations free from ransomware criminals. Director Fontes Rainer doubts that the Security Rule updates are at risk since cybersecurity is a national security risk across the Department of Health and Human Services (HHS) and its federal partners like the FBI, CISA, and NIST.
Get a Head Start on Improving HIPAA Compliance
Rachel, the new HIPAA compliance manager, would do well to review the Cybersecurity Performance Goals to ensure the IT team is aware of the latest guidance and implementing its voluntary recommendations.
The second step is to review and update the practice’s HIPAA risk analysis. OCR recommends that a risk analysis be done at least once a year.
The third step is to provide staff with updated HIPAA training. Help them understand their role in maintaining the privacy and security of protected health information. Provide them with cybersecurity awareness training and be open to their questions. Staff can be both the strongest defense and weakest link in maintaining security. By creating a culture of compliance around privacy, Rachel will have a team of supporters.
Finally, review the Four Keys to Success for HIPAA Compliance. There is no one-size-fits-all answer. Take it a step at a time and focus on improvements, not perfection.
