OCR Director Speaks at HHS-NIST Conference About OCR’s Top Priorities

by James Keogh

In late October, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) hosted a conference called “Safeguarding Health Information: Building Assurance Through HIPAA Security 2024”. Participants received an overview of the current state of cybersecurity in healthcare and the role of the HIPAA Security Rule in helping HIPAA-covered entities defend against cyber threats. They also learned practical strategies for complying with the HIPAA Security Rule’s requirements.

On October 24, 2024, OCR Director Melanie Fontes Rainer discussed OCR’s top priorities. One is to update the HIPAA Security Rule to include additional cybersecurity requirements. OCR has finalized its proposed changes to the HIPAA Security Rule, and the proposal is now with the Office of Management and Budget (OMB) for review. Fontes Rainer said that OCR expects to publish a Notice of Proposed Rulemaking (NPRM) before the end of 2024.

Fontes Rainer did not name any specific cybersecurity measures that would be added. She said only that the changes would be substantive, because the HIPAA Security Rule has not been updated in two decades. OCR’s experience with the rulemaking process has helped it draft a more effective HIPAA Security Rule intended to make the healthcare industry safer. Once the NPRM is published in December 2024, healthcare sector stakeholders will be able to submit comments. Fontes Rainer said the department hopes to involve the healthcare community in the process through public feedback.

Fontes Rainer said that OCR continues to investigate data breaches and complaints and has issued several financial penalties to resolve HIPAA noncompliance. The enforcement actions OCR has taken over the last 15 years have revealed the same noncompliance problems again and again. A common issue that leads to HIPAA violations and financial penalties is the failure to perform a comprehensive, organization-wide risk analysis. In many investigations, however, OCR has found that the problem is not that the organization failed to conduct a risk analysis to identify risks and threats to ePHI, or that the risk analysis was incomplete. The failure is that the organization did not act on the findings of the risk analysis and reduce the identified risks to a reasonable and appropriate level. Because compliance in this area is so important, OCR has made the risk analysis requirement the subject of a new enforcement initiative.

OCR has received numerous complaints in recent years about healthcare providers failing to provide patients with a copy of their requested health records, which is a violation of the HIPAA Right of Access. In response, OCR launched a HIPAA Right of Access enforcement initiative in 2019. Since then, OCR has imposed 50 financial penalties for failing to give patients timely access to their health information.

Investigating data breaches and complaints remains a priority for the department, but those investigations rarely end in financial penalties. Most investigations that confirm noncompliance are resolved through technical assistance, with OCR helping the HIPAA-covered entity come into compliance. The compliance problems still need to be corrected, however, because the underlying obligations are important.

Another focus of OCR is helping the healthcare industry deal with cybersecurity issues. However, because the department is small, has a heavy workload, and has a limited budget, its outreach efforts must be targeted and strategic. OCR and the healthcare community must work together to ensure HIPAA compliance and strengthen cybersecurity. To reach more of the community, OCR has been hosting webinars, creating YouTube videos, and publishing newsletters to help counter the growing threat of cyberattacks and security breaches, which affected more than 160 million people in 2023.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]