White House Reviewing Updates to HIPAA Security Rule
Proposal Will Be Open for Public Comment Next, But Will It Go Anywhere?
The Department of Health and Human Services last Friday submitted for White House review long-awaited updates to the 20-year-old HIPAA Security Rule, containing modifications aimed at strengthening the cybersecurity of electronic protected health information.
Once the White House's Office of Management and Budget has completed its review, HHS plans to publish a notice of proposed rulemaking by the end of the year and solicit public comment for 60 days, said Marissa Gordon-Nguyen, senior advisor for health information privacy, data and cybersecurity at the HHS Office for Civil Rights.
"The draft is not yet public," Gordon-Nguyen said on Wednesday during a HIPAA summit hosted by HHS OCR and the National Institute of Standards and Technology, declining to discuss details of the proposal.
The main purpose of the proposed modifications is to improve the cybersecurity of HIPAA-regulated organizations, she said. The proposed rulemaking also fleshes out a plan HHS announced last December in a concept paper outlining how it intends to shore up the healthcare sector's cybersecurity.
Those plans included an update to the HIPAA Security Rule, as well as HHS' Centers for Medicare & Medicaid Services potentially proposing new cybersecurity requirements for hospitals, and possibly other healthcare providers, enforced through Medicare and Medicaid financial incentives and penalties.
In January, HHS released more details in the form of "voluntary" essential and enhanced cybersecurity performance goals, or CPGs, that could eventually turn into new cyber mandates (see: HHS Details New Cyber Performance Goals for Health Sector).
So far, CMS has not issued the promised proposed CPG regulations for hospitals, and potentially others, that would be tied to financial incentives and penalties. Some large constituents in the healthcare sector - including the American Hospital Association - have opposed new cyber regulations that would be mandated only for hospitals, especially since cybersecurity incidents frequently involve other types of players, including vendors and health insurers.
Also, current HHS leadership faces tight - if not impossible - deadlines to turn these proposals, including the HIPAA Security Rule updates, into final regulations. Regardless of whether Vice President Kamala Harris or former President Donald Trump wins the upcoming presidential election, the incoming administration could choose to revoke or simply ignore the proposals made by HHS under the Biden administration, or change them based on the public comments received, HHS officials acknowledged.