Agency: HHS/OCR
RIN: 0945-AA22
Publication ID: Fall 2023
Title: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
Abstract: This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information in order to prevent, detect, contain, mitigate, and recover from cybersecurity threats.
Agency: Department of Health and Human Services (HHS)
Priority: Section 3(f)(1) Significant
RIN Status: First time published in the Unified Agenda
Agenda Stage of Rulemaking: Proposed Rule Stage
Major: Yes
Unfunded Mandates: Undetermined
CFR Citation: 45 CFR 160; 45 CFR 164
Legal Authority: Health Insurance Portability and Accountability Act of 1996 (HIPAA), sec. 262 (42 U.S.C. 1320d-2); Health Information Technology for Economic and Clinical Health (HITECH) Act, sec. 13401 (42 U.S.C. 17931)
Legal Deadline: None
Statement of Need: In February 2003, the HIPAA Security Rule established standards for the security of electronic protected health information (ePHI) to be implemented by HIPAA covered entities and, by amendment of the HITECH Act, their business associates (collectively, "regulated entities"). Prior to the HIPAA Security Rule, the health care industry had no standard security measures addressing the security of ePHI while it was stored and exchanged between entities. Since 2003, the Department has received recommendations from the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of HHS, and from the public to update and strengthen the security standards that protect ePHI, especially in light of newer threats, such as ransomware, that were not contemplated in 2003. Additionally, the Department has reviewed media reports advocating stronger protections under the HIPAA Security Rule, as well as a report from a U.S. Senator advocating modernization of HIPAA to increase protection of ePHI in the face of current cyber threats.
Summary of the Legal Basis: The current HIPAA Security Rule has not been updated to address the recent dramatic increase in cyber-attacks on the health care sector that are undermining the security of individuals' ePHI. Section 1173(d) of the Social Security Act requires the Secretary of HHS to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need to train persons who have access to health information, the value of audit trails in computerized record systems, and the needs and capabilities of small and rural health care providers. Since the HIPAA Security Rule was published in 2003, the technical capabilities of record systems used to maintain health information, and the costs of security measures, have evolved in ways that support updating the Rule so that it continues to provide a baseline of security standards adequate to current and emerging security risks and threats to ePHI.
Alternatives: HHS considered whether these policy updates could be implemented through guidance. However, the Department determined that guidance alone would be insufficient to prevent and address the cybersecurity threats and vulnerabilities facing the U.S. health care system. Revisions to the existing HIPAA Security Rule will help ensure the cybersecurity of individuals' ePHI.
Anticipated Costs and Benefits: To be determined.
Risks: To be determined.
Timetable:
Regulatory Flexibility Analysis Required: Undetermined
Government Levels Affected: Undetermined
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations
Federalism: Undetermined
Included in the Regulatory Plan: Yes
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: No
Agency Contact: Marissa Gordon-Nguyen, Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy
Department of Health and Human Services, Office for Civil Rights
200 Independence Avenue SW, Washington, DC 20201
Phone: 800 368-1019
TDD Phone: 800 537-7697
Email: ocrprivacy@hhs.gov