The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has proposed a rule to amend the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The amendments would require health plans, healthcare providers and healthcare clearinghouses to better safeguard individuals' electronic protected health information against cyberthreats.
“Cyberattacks continue to impact the health care sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually,” OCR Director Melanie Fontes Rainer said in a statement published Friday.
According to HHS, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent, respectively, since 2019.
“This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation,” Fontes Rainer added.
What Would the Proposed Rule Do?
The proposed rule would give covered entities and business associates more specific requirements for securing electronic protected health information, in place of the current rule's largely general standards.
It would also require them to test and update their security policies and procedures at regular intervals, bringing the Security Rule into line with current cybersecurity best practices.