HHS Releases HIPAA Security Proposed Rules

In light of ongoing cybersecurity concerns related to HIPAA-protected information and the Department of Labor’s guidance, which reiterated its focus on cybersecurity, the Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to update the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) in an effort to mitigate risks facing group health plans.

The proposed updates would change the general rules and requirements and modernize definitions under the Rule. Specifically, among other changes, the updates include the following:

  • More stringent review requirements for regulated entities 
  • Multifactor authentication, encryption, and decryption obligations for ePHI and relevant electronic information systems 
  • Verification obligations for business associates 
  • Annual compliance audits 

Over 4,000 comments were received during the comment period, which ended March 7, 2025.  Additional information will be provided in the coming months as the comments are reviewed by OCR.  
