New HIPAA Security Rule and Enforcement Coming in 2024

The U.S. Department of Health and Human Services (HHS) said it will update the HIPAA Security Rule in 2024 and will ask Congress for new laws and resources to increase civil money penalties for HIPAA violations, increase HIPAA enforcement, and conduct proactive audits.

HHS released a new Healthcare Sector Cybersecurity strategy paper which cited a 93% increase in large breaches from 2018 – 2022 and a 278% increase in large breaches caused by ransomware. It specifically called out hospitals and health systems and said HHS will work with Congress to provide a financial incentive program for hospital cybersecurity and financial assistance for low-resourced healthcare providers.

HHS will work with Congress to obtain additional enforcement authority – critical now that the Supreme Court has ruled that federal agencies may only enforce requirements specifically created by law and is considering further restrictions.

The HHS Office for Civil Rights (OCR) that enforces HIPAA has already requested twice its previous budget to clear the backlog of complaints and incidents going back to before the pandemic and will use the additional money it collects through settlements and penalties to fund even more enforcement.

Generally, proposed rule changes are published as drafts, with a 60- to 90-day public comment period. Then the agency reviews the comments and publishes a final rule, which is not enforced for six months. This would indicate that if the proposed Security Rule draft is published in Spring 2024, it will be in effect by the end of the year.

However, a previous HIPAA rule change proposed in January 2021 to better align HIPAA with Substance Use Disorder (SUD) treatment information regulations in Title 42 Part 2, and to ease the sharing of medical information for care coordination, failed to result in OCR publishing a draft rule for comment.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.
