0945-AA22 202410 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 0945 Office for Civil Rights OCR 0900 Department of Health and Human Services HHS Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information

This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.

]]> Section 3(f)(1) Significant Previously Published in The Unified Agenda Proposed Rule Stage Yes Undetermined 45 CFR 160 45 CFR 164 Health Insurance Portability and Accountability Act of 1996 (HIPAA), sec. 262 (42 U.S.C. 1320d-2) Health Information Technology for Economic and Clinical Health (HITECH) Act, sec. 13401 (42 U.S.C. 17931) Yes

In February 2003, the HIPAA Security Rule established standards for the security of electronic protected health information (ePHI) to be implemented by HIPAA covered entities and, by amendment of the HITECH Act, their business associates (collectively, "regulated entities"). Prior to the HIPAA Security Rule, standard security measures did not exist in the health care industry to address the security of ePHI while stored and exchanged between entities. Since 2003, the Department has received recommendations from the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of HHS, and the public to update and strengthen security standards to protect ePHI, especially in light of newer threats not previously contemplated in 2003 such as ransomware. Additionally, the Department has reviewed media reports advocating the strengthening of protections provided by the HIPAA Security Rule as well as a report from a U.S. Senator advocating for modernizing HIPAA to increase protections of ePHI in the face of current cyber threats.

]]>

The current HIPAA Security Rule has not been updated to address the recent dramatic increase in cyber-attacks on the health care sector that are undermining the security of individuals’ ePHI. Section 1173(d) of the Social Security Act requires the Secretary of HHS to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need to train persons who have access to health information, the value of audit trails in computerized record systems, and the needs and capabilities of small health care providers and rural health care providers. Since publication of the HIPAA Security Rule in 2003, there has been an evolution in technical capabilities of record systems used to maintain health information and costs of security measures that support updating the HIPAA Security Rule to help ensure that it can continue to provide a baseline of security standards to meet current and emerging security risks and threats to ePHI.

]]>

HHS considered whether these policy updates could be implemented through guidance. However, the Department determined that this would be insufficient to prevent and address cybersecurity threats and vulnerabilities facing the U.S. health care system. Revisions to the existing HIPAA Security Rule will help ensure the cybersecurity of  individuals’ ePHI.

]]>

The Department expects that this rule will be significant under section 3(f)(1) of E.O. 12866. New costs attributable to this proposed rule would be associated with regulated entities’ obligations to comply with updated requirements to safeguard the confidentiality, integrity, and availability of ePHI. The Department believes that implementing the proposed changes would reduce the incidence of breaches in health care and the costs of mitigating breaches when they occur, resulting in substantial savings and increased protection of ePHI.

]]>

None.

]]> NPRM 12/00/2024 Undetermined Businesses Governmental Jurisdictions Organizations Undetermined Undetermined Undetermined No Yes Marissa Gordon-Nguyen Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy 0945 Office for Civil Rights OCR 800 368-1019 800 537-7697 ocrprivacy@hhs.gov 200 Independence Avenue SW, Washington DC 20201