HHS Proposes Modifying HIPAA Security Rule to Strengthen the Cybersecurity of Electronic PHI; Comments Due March 7
Jan 6, 2025, 06:00 by Amanda Wilke
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The rule would require health plans, health care clearinghouses, and most health care providers, and their business associates, to strengthen cybersecurity protections for individuals’ protected health information (PHI). A health care clearinghouse is an organization that enables the exchange of health care data between a provider and a payer (insurance company).
The proposed rule would:
- Modify the HIPAA Security Rule to require health plans, health care clearinghouses, and most health care providers, and their business associates, to better protect individuals’ electronic PHI against both external and internal threats;
- Clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic PHI;
- Require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis; and
- Better align the Security Rule with modern best practices in cybersecurity.
The proposals address:
- Changes in the environment in which health care is provided;
- Significant increases in breaches and cyberattacks;
- Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates;
- Other cybersecurity guidelines, best practices, methodologies, procedures, and processes; and
- Court decisions that affect enforcement of the Security Rule.
While HHS is undertaking this rulemaking, the current Security Rule remains in effect.
Comments are due March 7, 2025.