Monday, February 2, 2026

HIPAA Security: Preparing For the Final Rule Is Not an Option
By Erik Eisen, CEO, CTI Technical Services.

Few in the healthcare industry question the need to modernize the HIPAA Security Rule, the proposed overhaul of which is expected to be finalized in 2026. But even if the final rule is modified to reduce requirements or extend timeframes, compliance will be a heavy lift for many physician practices, hospitals, and health systems.

That reality, coupled with the common-sense need for robust security around protected health information (PHI) and other patient data, makes procrastination a compliance strategy that is doomed to fail.

Cyberattacks have reached unprecedented levels in the 20 years since the HIPAA Security Rule was passed. The first, and last, major update to the rule took place in 2013, a year when healthcare organizations experienced just 269 data breaches. By 2024, that number had skyrocketed to 734 incidents involving more than 500 records each. Based on current trends, 2025 could see 750–800 large breaches, and analysts warn that more than 300 million records could be compromised if mega breaches continue.

A Proposed Overhaul

In the HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, the Office for Civil Rights (OCR) noted that the overhaul was prompted by the fact that cybersecurity concerns now touch nearly every aspect of healthcare because of the industry's reliance on safe and secure computer networks and technologies.

Also at play are covered entities (CEs) and business associates (BAs), which expand healthcare's risk profile with the threat of accidental and malicious events that can endanger electronic PHI and other sensitive data.

Thus, OCR determined that it was time to update the rule to address technological advances and evolving breaches and cyberattacks. The proposed rule also acknowledges OCR's greater enforcement experience; improved guidelines, best practices, methodologies, procedures, and processes for protecting ePHI; and various legal decisions that have affected enforcement.

It also re-addresses one of OCR's most significant challenges when it comes to regulating security: the rapid evolution of both health IT and the methods employed by malicious actors.

Overly prescriptive mandates would require updating the rule more frequently than is practical. Earlier iterations of the HIPAA Security Rule tried to address this by being flexible about compliance and classifying many security measures as "addressable implementations," meaning they were strongly recommended but not explicitly required.

For example, the current rule requires any organization touching ePHI to conduct a security risk assessment to evaluate potential risks and vulnerabilities, resolve any identified vulnerabilities, and document the steps taken. OCR even provides a tool for use in conducting the assessment. But beyond that, there is no prescriptive guidance. Consequently, many healthcare organizations that lacked the resources or technical knowledge to conduct a comprehensive risk assessment wound up taking shortcuts.

While industry support for the HIPAA Security Rule overhaul is broad, so are concerns that the compliance burden will be too high for many of the organizations it affects. There was a consensus throughout the nearly 4,750 letters submitted during the proposed rule's public comment period that many requirements would be nearly impossible for some organizations to meet without assistance.

Moreover, the proposed rule converts many addressable implementation specifications to required, eliminating a core flexibility aspect of the rule. Finally, for many organizations, compliance with the updated HIPAA Security Rule will not be feasible with their current technical infrastructure. It may require significant investments in new technologies capable of protecting ePHI as mandated by the rule.

Lessening the Burden

The good news is that compliance does not have to come at the cost of financial ruin. Small steps toward anticipated mandates can be taken now to lessen the compliance burden, many of which are common-sense protective measures that should be implemented with or without regulatory dictates. For example:

  • Multifactor authentication (MFA) is a highly effective yet reasonably priced defense against phishing and other forms of infiltration.
  • Regularly backing up data ensures continued access to information in the event of a system outage.
  • Ransomware or exfiltration protection that goes beyond encryption can prevent bad actors from exploiting vulnerable entry points once they are inside a system.

Other actions that should be taken now include conducting a security risk assessment and drafting a mitigation and remediation plan. Doing so allows for the prioritization of limited resources.

It is also likely that even well-resourced healthcare organizations will require third-party help to take these early actions or to achieve compliance within the timeframes outlined in the final security rule. As such, now is the time to identify the right trusted IT management firm to assist with enhanced security and, ultimately, regulatory compliance.

Look for firms with a deep understanding of healthcare-specific compliance requirements. Potential partners should also offer comprehensive services to ensure they can address the full range of needs related to compliance with the HIPAA Security Rule and other issues that may arise, including the ability to future-proof security. They should also possess advanced expertise and the willingness and ability to leverage cutting-edge tools and processes that can outperform older or less adaptive technologies.

Look for a partner that emphasizes long-term relationships and offers personalized customer support. Other must-haves include flexibility and scale in their approach to services, transparent pricing structures, and straightforward contracts with clear and fair service terms. Finally, during the evaluation process, be sure to ask prospects about response times and disaster recovery capabilities, and obtain, and check, references.

Ending Procrastination

While the final requirements may differ from what has been proposed, there is little chance that OCR will retract its decision to overhaul the HIPAA Security Rule. It is an action that is long overdue and should serve as a reminder that strengthening data security is the right thing to do, whether mandated by OCR or not.

Taking steps now will significantly ease compliance burdens and protect one of healthcare's most valuable assets. For provider organizations with limited resources, taking small steps toward compliance now will go a long way toward protecting patient data.
