Security Rule

On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule. According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Continue Reading HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule

Recent news reports indicate that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is planning to move ahead with its plan to begin proactive HIPAA audits of business associates and covered entities.

In the past, OCR has relied primarily on self-reports of breaches
Continue Reading OCR Plans to Move Ahead with HIPAA Audits, Reports Say

A recent HIPAA enforcement action highlights the risk of health care providers using unsecured applications to store and share patient data. HHS reached a $218,499 settlement with St. Elizabeth’s Medical Center in Brighton, Massachusetts, a tertiary care hospital that offers both inpatient and outpatient services. The enforcement action followed allegations
Continue Reading Hospital Fined for Using Unsecured File Sharing Application