HIPAA Security: Preparing for the Final Rule Is Not an Option

By Erik Eisen, CEO, CTI Technical Services.

Few in the healthcare industry question the need to modernize the HIPAA Security Rule, the proposed overhaul of which is expected to be finalized in 2026. But even if the final rule is changed to reduce requirements or extend timeframes, compliance will be a heavy lift for many physician practices, hospitals, and health systems.

That reality, coupled with the common-sense need for robust security around protected health information (PHI) and other patient data, makes procrastination a compliance strategy that is doomed to fail.

Cyberattacks have reached unprecedented levels in the 20 years since the HIPAA Security Rule was passed. The first, and last, major update to the rule occurred in 2013, a year when healthcare organizations experienced just 269 data breaches. By 2024, that number had skyrocketed to 734 incidents involving more than 500 records each. Based on current trends, 2025 could see 750–800 large breaches, and analysts warn that more than 300 million records could be compromised if mega breaches continue.

A Proposed Overhaul

In the proposed rule, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, the Office for Civil Rights (OCR) noted that the overhaul was prompted by the fact that cybersecurity concerns now touch nearly every aspect of healthcare because of the industry's reliance on continuous and secure computer networks and technologies.

Also at play are covered entities (CEs) and business associates (BAs), which raise healthcare's risk profile with the specter of accidental and malicious events that can endanger electronic PHI and other sensitive data.

Thus, OCR determined that it was time to update the rule to address technological advances and evolving breaches and cyberattacks. The proposed rule also acknowledges OCR's greater enforcement experience; improved guidelines, best practices, methodologies, procedures, and processes for protecting ePHI; and various legal decisions that have affected enforcement.

It also re-addresses one of OCR's most significant challenges in regulating security: the rapid evolution of both health IT and the methods employed by malicious actors.

Too-prescriptive mandates would require updating the rule more frequently than is realistic. Earlier iterations of the HIPAA Security Rule tried to address this by being flexible about compliance and classifying many security measures as "addressable implementations," meaning they were strongly recommended but not explicitly required.

For example, the current rule requires any organization that touches ePHI to conduct a security risk assessment to evaluate potential risks and vulnerabilities, resolve any identified vulnerabilities, and document the steps taken. OCR even provides a tool for use in conducting the evaluation. But beyond that, there is no prescriptive guidance. Consequently, many healthcare organizations that lacked the resources or technical knowledge to conduct a comprehensive risk assessment ended up taking shortcuts.

While industry support for the HIPAA Security Rule overhaul is broad, so are concerns that the compliance burden will be too high for many of the organizations it affects. There was a consensus throughout the nearly 4,750 letters submitted during the proposed rule's public comment period that many requirements would be virtually impossible for some organizations to meet without assistance.

Moreover, the proposed rule converts many addressable implementation specifications to required ones, eliminating a core flexibility aspect of the rule. Finally, for many organizations, compliance with the updated HIPAA Security Rule will not be possible with their current technical infrastructure. It will necessitate significant investments in new technologies capable of protecting ePHI as mandated by the rule.

Lessening the Burden

The good news is that compliance does not have to come at the cost of financial ruin. Small steps toward anticipated mandates can be taken now to lessen the compliance burden, and many of them are common-sense protective measures that should be implemented with or without regulatory dictates. For example:

  • Multifactor authentication (MFA) is a highly effective yet reasonably priced protection against phishing and other forms of infiltration.
  • Regularly backing up data ensures continuous access to information in the event of a system outage.
  • Ransomware or exfiltration protection that goes beyond encryption can prevent bad actors from exploiting weak entry points once they are inside a system.

Other actions that should be taken now include conducting a security risk assessment and drafting a mitigation and remediation plan. Doing so allows limited resources to be prioritized.

It is also likely that even well-resourced healthcare organizations will require third-party assistance to take these early actions or to achieve compliance within the timeframes set out in the final security rule. As such, now is the time to identify the right trusted IT management firm to assist with enhanced security and, ultimately, regulatory compliance.

Look for firms with a deep understanding of healthcare-specific compliance requirements. Potential partners should also offer comprehensive services to ensure they can address the full range of needs related to compliance with the HIPAA Security Rule and other issues that may arise, including the ability to future-proof security. They should also possess advanced expertise and the willingness and ability to leverage cutting-edge tools and processes that can outperform older or less adaptive technologies.

Look for a partner that emphasizes long-term relationships and offers personalized customer support. Other must-haves include flexibility and scale in their approach to services, transparent pricing structures, and straightforward contracts with clear and fair service terms. Finally, during the evaluation process, be sure to ask prospects about response times and disaster recovery capabilities, and obtain, and check, references.

Ending Procrastination

While the final requirements may differ from what has been proposed, there is little chance that OCR will retract its decision to overhaul the HIPAA Security Rule. It is an action that is long overdue and should serve as a reminder that strengthening data security is the right thing to do, whether mandated by OCR or not.

Taking steps now will significantly ease compliance burdens and protect one of healthcare's most valuable assets. For provider organizations with limited resources, taking small steps toward compliance now will go a long way toward protecting patient data.
