View Rule

This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.

Statement of Need:

In February 2003, the HIPAA Security Rule established standards for the security of electronic protected health information (ePHI) to be implemented by HIPAA covered entities and, by amendment of the HITECH Act, their business associates (collectively, "regulated entities"). Prior to the HIPAA Security Rule, standard security measures did not exist in the health care industry to address the security of ePHI while stored and exchanged between entities. Since 2003, the Department has received  recommendations from the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of HHS, and the public to update and strengthen security standards to protect ePHI, especially in light of newer threats not previously contemplated in 2003 such as ransomware. Additionally, the Department has reviewed media reports advocating the strengthening of protections provided by the HIPAA Security Rule as well as a report from a U.S. Senator advocating for modernizing HIPAA to increase protections of ePHI in the face of current cyber threats.

Summary of the Legal Basis:

The current HIPAA Security Rule has not been updated to address the recent dramatic increase in cyber-attacks on the health care sector that are undermining the security of individuals’ ePHI. Section 1173(d) of the Social Security Act requires the Secretary of HHS to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need to train persons who have access to health information, the value of audit trails in computerized record systems, and the needs and capabilities of small health care providers and rural health care providers. Since publication of the HIPAA Security Rule in 2003, there has been an evolution in technical capabilities of record systems used to maintain health information and costs of security measures that support updating the HIPAA Security Rule to help ensure that it can continue to provide a baseline of security standards to meet current and emerging security risks and threats to ePHI.

Alternatives:

HHS considered whether these policy updates could be implemented through guidance. However, the Department determined that this would be insufficient to prevent and address cybersecurity threats and vulnerabilities facing the U.S. health care system. Revisions to the existing HIPAA Security Rule will help ensure the cybersecurity of individuals’ ePHI.

Anticipated Costs and Benefits:

To be determined.

Risks:

To be determined.