Thursday, December 19, 2024

OMB Approves HIPAA Security NPRM

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from HHS’s Office for Civil Rights (OCR) on “Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”. This NPRM was sent to OIRA on October 18th, 2024.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.”

The Fall 2024 Unified Agenda has included expanded supporting information on rulemakings, including entries for ‘Statement of Need’, ‘Summary of the Legal Basis’, and ‘Alternatives’. The ‘Statement of Need’ comment for this rulemaking is of potential interest:

“In February 2003, the HIPAA Security Rule established standards for the security of electronic protected health information (ePHI) to be implemented by HIPAA covered entities and, by amendment of the HITECH Act, their business associates (collectively, "regulated entities"). Prior to the HIPAA Security Rule, standard security measures did not exist in the health care industry to address the security of ePHI while stored and exchanged between entities. Since 2003, the Department has received recommendations from the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of HHS, and the public to update and strengthen security standards to protect ePHI, especially in light of newer threats not previously contemplated in 2003 such as ransomware. Additionally, the Department has reviewed media reports advocating the strengthening of protections provided by the HIPAA Security Rule as well as a report from a U.S. Senator advocating for modernizing HIPAA to increase protections of ePHI in the face of current cyber threats.”

It will be interesting to see if this NPRM specifically addresses security requirements for medical devices that store or transmit ePHI.
