HHS Office for Civil Rights Proposes Measures to Strengthen Cybersecurity in Health Care Under HIPAA

The Department’s Office for Civil Rights seeks to update HIPAA Security Rule for the first time since 2013

Today, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve cybersecurity and better protect the U.S health care system from a growing number of cyberattacks. The proposed rule would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to require health plans, health care clearinghouses (an organization that enables the exchange of health care data between a provider and a payer (insurance company)), and most health care providers, and their business associates, to strengthen cybersecurity protections for individuals’ protected health information. This proposed rule is the latest step taken by OCR to address more frequent cyberattacks targeting the U.S. health care system, consistent with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals.

“The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety,” said Deputy Secretary Andrea Palm. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”

“Cyberattacks continue to impact the health care sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected every year has skyrocketed exponentially, a number we expect to grow even bigger this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history,” said OCR Director Melanie Fontes Rainer. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation.”

OCR has seen a substantial increase in reports of large breach reports received over the last five years. From 2018-2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches—a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent.

Accordingly, the proposed rule would modify the HIPAA Security Rule to require health plans, health care clearinghouses, and most health care providers, and their business associates to better protect individuals’ electronic protected health information against both external and internal threats. It would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis. Additionally, it would better align the Security Rule with modern best practices in cybersecurity. These proposals address:

• Changes in the environment in which health care is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
• Court decisions that affect enforcement of the Security Rule.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect.

The HIPAA Security Rule NPRM can be viewed at the Federal Register at: https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of.

A fact sheet on the HIPAA Security Rule NPRM is available in English at: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.