HIPAA Security Rule NPRM
On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks. The proposed rule would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to require health plans, health care clearinghouses (organizations that enable the exchange of health care data between a provider and a payer, such as an insurance company), most health care providers, and their business associates to strengthen cybersecurity protections for individuals’ protected health information. This proposed rule is the latest step taken by OCR to address increasingly frequent cyberattacks targeting the U.S. health care system, consistent with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals.
OCR has seen a substantial increase in reports of large breaches over the last five years. From 2018 to 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches, a new record. Since 2019, large breaches caused by hacking and ransomware have increased by 89 percent and 102 percent, respectively.
Accordingly, the proposed rule would modify the HIPAA Security Rule to require health plans, health care clearinghouses, and most health care providers, and their business associates to better protect individuals’ electronic protected health information against both external and internal threats. It would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis. Additionally, it would better align the Security Rule with modern best practices in cybersecurity.
HIPAA Privacy Rule and Reproductive Health Care
On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers, and others involved in the provision of legal reproductive health care, including abortion. HHS has heard from patients, providers, and organizations representing thousands of individuals that this change was needed to protect patient-provider confidentiality and prevent private medical records from being used against them merely for seeking, obtaining, providing, or facilitating lawful reproductive health care. The announcement coincided with the convening of President Biden’s Task Force on Reproductive Health Care, aimed at protecting reproductive rights, including access to abortion care, following the Supreme Court’s decision overturning Roe v. Wade.
Protecting patient health information and privacy has taken on critical importance in the wake of unprecedented attacks against women’s reproductive rights. Following the Supreme Court decision, President Biden signed Executive Order 14076, directing HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality. This proposed rule is a result of that directive:
- Read the Press Release
- Read the Fact Sheet
- Read the Fact Sheet in Spanish (Lea la hoja informativa en español)
- Read the NPRM
HITECH RFI
On April 6, 2022, OCR published a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021. These two requirements are:
- Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.
- Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense.
Privacy Rule NPRM
On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals' engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry, while continuing to protect individuals' health information privacy interests.