Friday, January 10, 2025

Review - HHS Publishes HIPAA Cybersecurity NPRM – Medical Devices

On Monday the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (NPRM) in the Federal Register (90 FR 898-1022) on “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information”. HHS is proposing to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

With its emphasis on Protected Health Information (PHI), the main focus of this proposed rule is on information technology, and it generally falls outside the scope of this blog. Having said that, there are 52 mentions of the term ‘medical device’ in this NPRM, starting with the realization that:

“Almost every stage of modern health care relies on stable and secure computer and network technologies, including, but not limited to, the following: appointment scheduling, prescription orders, telehealth visits, medical devices, patient records, medical and pharmacy claims submissions and billing, insurance coverage verifications, payroll, facilities access and management, internal and external communications, and clinician resources. These tools and technologies are an integral part of the modern health care system, but they also present opportunities for bad actors to cause harm through hacking, ransomware, and other means.”

NOTE: A large number of those references to ‘medical device’ are found in the footnotes, providing links to informational documents relating to medical device cybersecurity issues.

This means that personnel interested in the cybersecurity of medical devices, facility access controls, and building maintenance controls are going to have to pay attention to these proposed HIPAA cybersecurity rules.

Soliciting Comments

HHS is soliciting comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #HHS-OCR-0945-AA22). Comments should be submitted by March 7th, 2025.

 

For more information on the medical device involvement in this proposed rule, including comments on additional areas that should be further clarified, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hhs-publishes-hipaa-cybersecurity - subscription required.
