Nov 17, 2025
HIPAA Security: Waiting for the Final Rule Is Not an Option

By Erik Eisen, CEO, CTI Technical Services.
Few in the healthcare industry question the need to modernize the HIPAA Security Rule, the proposed overhaul of which is expected to be finalized in 2026. But even if the final rule is modified to reduce requirements or extend timeframes, compliance will be a heavy lift for many physician practices, hospitals, and health systems.
That reality, coupled with the common-sense need for strong security around protected health information (PHI) and other patient data, makes procrastination a compliance strategy that is doomed to fail.
Cyberattacks have reached unprecedented levels in the two decades since the HIPAA Security Rule was passed. The first, and last, major update to the rule took place in 2013, a year when healthcare organizations experienced just 269 data breaches. By 2024, that number had skyrocketed to 734 incidents involving more than 500 records each. Based on current trends, 2025 could see 750–800 large breaches, and analysts warn that more than 300 million records could be compromised if mega-breaches continue.
A Proposed Overhaul
In the HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, the Office for Civil Rights (OCR) noted that the overhaul was prompted by the fact that cybersecurity concerns now touch nearly every aspect of healthcare because of the industry's reliance on safe and secure computer networks and technologies.
Also at play are covered entities (CEs) and business associates (BAs), which raise healthcare's risk profile with the threat of accidental and malicious events that can endanger electronic PHI and other sensitive data.
Thus, OCR determined that it was time to update the rule to address technological advances and evolving breaches and cyberattacks. The proposed rule also recognizes OCR's greater enforcement experience, improved guidelines, best practices, methodologies, procedures, and processes for safeguarding ePHI, and various legal decisions that have affected enforcement.
It also re-addresses one of OCR's greatest challenges when it comes to regulating security: the rapid evolution of both health IT and the methods employed by malicious actors.
Overly prescriptive mandates would require updating the rule more frequently than is realistic. Earlier iterations of the HIPAA Security Rule tried to address this by being flexible about compliance and classifying many security measures as "addressable implementations," meaning they were strongly recommended but not explicitly required.
For example, the current rule requires any organization that touches ePHI to conduct a security risk assessment to evaluate potential risks and vulnerabilities, resolve any identified vulnerabilities, and document the steps taken. OCR even provides a tool for use in conducting the assessment. But beyond that, there is no prescriptive guidance. As a result, many healthcare organizations that lacked the resources or technical knowledge to conduct a comprehensive risk assessment ended up taking shortcuts.
While industry support for the HIPAA Security Rule overhaul is broad, so are concerns that the compliance burden will be too high for many of the organizations it affects. There was a consensus throughout the nearly 4,750 letters submitted during the proposed rule's public comment period that many requirements would be practically impossible for some organizations to meet without assistance.
Furthermore, the proposed rule converts many addressable implementation specifications to required, eliminating a core flexibility aspect of the rule. Finally, for many, compliance with the updated HIPAA Security Rule will not be feasible with their existing technical infrastructure. It may require significant investments in new technologies capable of protecting ePHI as mandated by the rule.
Lessening the Burden
The good news is that compliance does not have to come at the cost of financial ruin. Small steps toward anticipated mandates can be taken now to reduce the compliance burden, many of which are common-sense protective measures that should be implemented with or without regulatory dictates. For example:
- Multifactor authentication (MFA) is a highly effective yet reasonably priced safeguard against phishing and other forms of infiltration.
- Regularly backing up data ensures continued access to information in the event of a system outage.
- Ransomware or exfiltration protection that goes beyond encryption can prevent bad actors from exploiting weak entry points once they are inside a system.
Other actions that should be taken now include conducting a security risk assessment and drafting a mitigation and remediation plan. Doing so allows for the prioritization of limited resources.
It is also likely that even well-resourced healthcare organizations will require third-party help to take these early actions or achieve compliance within the timeframes outlined in the final security rule. As such, now is the time to identify the right trusted IT management firm to assist with enhanced security and, ultimately, regulatory compliance.
Look for firms with a deep understanding of healthcare-specific compliance requirements. Potential partners should also offer comprehensive services to ensure they can handle the broad needs related to compliance with the HIPAA Security Rule and other issues that may arise, including the ability to future-proof security. They should also possess advanced expertise and the willingness and ability to leverage cutting-edge tools and processes that can outperform older or less adaptive technologies.
Look for a partner that emphasizes long-term relationships and offers personalized customer support. Other must-haves include flexibility and scale in their approach to services, transparent pricing structures, and straightforward contracts with clear and fair service terms. Finally, during the evaluation process, be sure to ask prospects about response times and disaster recovery capabilities, and obtain, and check, references.
Ending Procrastination
While the final requirements may differ from what has been proposed, there is little likelihood that OCR will retract its decision to overhaul the HIPAA Security Rule. It is an action that is long overdue and should serve as a reminder that strengthening data security is the right thing to do, whether mandated by OCR or not.
Taking steps now will significantly ease compliance burdens and protect one of healthcare's most valuable assets. For provider organizations with limited resources, taking small steps toward compliance now will go a long way toward protecting patient data.
