{"id":100115,"date":"2025-01-13T08:03:38","date_gmt":"2025-01-13T16:03:38","guid":{"rendered":"https:\/\/xira.com\/p\/2025\/01\/13\/hhs-proposed-hipaa-changes-are-a-step-in-the-right-direction-but-some-providers-may-struggle-to-comply\/"},"modified":"2025-01-13T08:03:38","modified_gmt":"2025-01-13T16:03:38","slug":"hhs-proposed-hipaa-changes-are-a-step-in-the-right-direction-but-some-providers-may-struggle-to-comply","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2025\/01\/13\/hhs-proposed-hipaa-changes-are-a-step-in-the-right-direction-but-some-providers-may-struggle-to-comply\/","title":{"rendered":"HHS\u2019 Proposed HIPAA Changes Are A Step In The Right Direction, But Some Providers May Struggle To Comply"},"content":{"rendered":"<p>HHS is proposing major changes to HIPAA for the first time in more than a decade, aiming to strengthen cybersecurity protocols for electronic health data. Healthcare cybersecurity leaders are mainly in favor of the proposal \u2014 though there are some concerns that smaller providers will struggle with the financial and operational burdens of compliance.<br \/>\nThe post HHS\u2019 Proposed HIPAA Changes Are A Step In The Right Direction, But Some Providers May Struggle To Comply appeared first on Above the Law.<\/p>\n<p>Among myriad acronyms in the healthcare industry, <a href=\"https:\/\/medcitynews.com\/tag\/hipaa\/\" rel=\"nofollow noopener\" target=\"_blank\">HIPAA<\/a> is one of the most referenced.\u00a0<\/p>\n<p>At the end of last year, the Department of Health and Human Services <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/security\/hipaa-security-rule-nprm\/factsheet\/index.html\" rel=\"nofollow noopener\" target=\"_blank\">proposed<\/a> major updates to the Security Rule issued under this law \u2014 the Health Insurance Portability and Accountability Act \u2014 for the first time in more than a decade.\u00a0<\/p>\n<p>HHS said its proposal is designed to \u201cbetter protect the U.S. 
healthcare system from a growing number of cyberattacks.\u201d The announcement was made at the end of a year in which several high-profile cybersecurity incidents occurred in healthcare, such as the ransomware attacks on <a href=\"https:\/\/medcitynews.com\/2024\/04\/medical-providers-still-grappling-with-unitedhealth-cyberattack-more-devastating-than-covid\/\" rel=\"nofollow noopener\" target=\"_blank\">Change Healthcare<\/a> and <a href=\"https:\/\/medcitynews.com\/2024\/12\/ascension-cyberattack-cybersecurity-healthcare\/\" rel=\"nofollow noopener\" target=\"_blank\">Ascension<\/a> \u2014 the former exposed more than 100 million patient records, and the latter exposed more than 5 million.<\/p>\n<p>These proposed changes seek to strengthen cybersecurity protocols for electronic health data by standardizing certain security processes among providers. HHS is accepting comments on its proposal until March 7.<\/p>\n<p>Healthcare cybersecurity leaders are mainly in favor of the proposed changes, as the regulation will force providers to address longstanding gaps in their data infrastructure and security preparedness. However, the experts interviewed for this article noted that smaller providers may struggle with the financial and operational burdens of compliance.<\/p>\n<p>HHS\u2019 proposal seeks to make several changes to the way providers manage health data under HIPAA, with a key change being the elimination of the distinction between \u201crequired\u201d and \u201caddressable\u201d implementation specifications.<\/p>\n<p>Currently, the Security Rule has two types of implementation specifications for protecting electronic health information \u2014 \u201crequired\u201d specifications that must be implemented as written, and \u201caddressable\u201d specifications that a provider must assess and then either implement, implement an equivalent alternative measure for, or document why neither is reasonable and appropriate for its environment. That flexibility has often been misread as making the addressable specifications optional.<\/p>\n<p>By getting rid of these two categories, HHS is aiming to make all implementation specifications mandatory for healthcare organizations, with specific, limited exceptions, as well as emphasizing the need for comprehensive security measures across all health data. 
This means controls that some providers have treated as optional, such as multi-factor authentication, encryption of electronic health data at rest and in transit, and network segmentation, would be required for all providers.<\/p>\n<p>If instated, these changes would help providers get on the same page and follow shared cybersecurity standards, pointed out Aaron Neiderhiser, CEO of open-source healthcare data platform <a href=\"https:\/\/medcitynews.com\/tag\/tuva-health\/\" rel=\"nofollow noopener\" target=\"_blank\">Tuva Health<\/a>.<\/p>\n<p>This standardization will be beneficial for the healthcare industry \u2014 because any provider that isn\u2019t using protocols like multi-factor authentication and data encryption is \u201cnot protecting data to the extent that they should be,\u201d Neiderhiser said.<\/p>\n<p>But other changes are \u201cmore esoteric\u201d and will be more difficult for some providers to implement, he noted.<\/p>\n<p>For instance, the proposed changes to HIPAA would also require providers to maintain detailed written documentation for all of their cybersecurity policies and procedures. HHS wants providers to continually maintain documents for asset inventory, network mapping and risk analyses.<\/p>\n<p>The main goal behind these new documentation requirements is to ensure providers can effectively map out the way their data is being stored and transferred, noted Mitesh Rao, CEO of <a href=\"https:\/\/medcitynews.com\/tag\/omny-health\/\" rel=\"nofollow noopener\" target=\"_blank\">OMNY Health<\/a>, a national data ecosystem that facilitates medical research.<\/p>\n<p>\u201cThat goes beyond cybersecurity \u2014 that\u2019s almost into the infrastructure space,\u201d he said. \u201c[HHS] is saying, \u2018Look, you guys are sitting on a lot of data, you need to really have your hands wrapped around it. 
You need to know where it is, know how it\u2019s moving, know how everything is set up.\u2019\u201d<\/p>\n<p>The changes reflect the fact that data \u201cis now driving everything\u201d in healthcare, but many organizations lack a comprehensive understanding of where all their data sits and how it can best be leveraged, Rao explained.<\/p>\n<p>Gaining this understanding is no easy task, he pointed out. Health systems house massive amounts of data that sprawls across various systems and divisions, such as inpatient services, surgery, pharmacy, imaging and clinical trials.<\/p>\n<p>Still, having a strong grasp on data mapping is crucial, Rao declared.<\/p>\n<p>Once a provider knows exactly where all of its information sits and how that data can best be leveraged, data \u201cbecomes more of an asset and less of a liability,\u201d he said.\u00a0<\/p>\n<p>Last year was the sector\u2019s <a href=\"https:\/\/www.hipaajournal.com\/biggest-healthcare-data-breaches-2024\/\" rel=\"nofollow noopener\" target=\"_blank\">worst year in history<\/a> in terms of breached healthcare records, with more than 200 million patient records exposed. Healthcare providers are well aware of what a problem data breaches have become in the past few years, and most organizations realize that they need to work on shoring up their defenses, Rao noted.<\/p>\n<p>In order to do this, providers have to partner with tech companies, he said.<\/p>\n<p>\u201cThe infrastructure that exists right now across the provider world isn\u2019t really designed to meet a lot of these capabilities \u2014 but there are a lot of great platforms that are designed to do this. 
So it\u2019s a question of who to partner with,\u201d Rao remarked.<\/p>\n<p>Neiderhiser of Tuva Health also highlighted the fact that providers aren\u2019t tech-savvy enough to meet new cybersecurity regulations on their own. These responsibilities sit outside providers\u2019 core competency.<\/p>\n<p>\u201cSome organizations that we work with will say things like, \u2018We don\u2019t know how to log into AWS.\u2019 They\u2019re provider organizations \u2014 their business is not technology, it\u2019s care delivery,\u201d Neiderhiser stated.<\/p>\n<p>Larger organizations can easily strike partnerships with tech companies that have expertise in data management and security. For smaller healthcare organizations that may not have deeply established relationships with tech partners, there could be a longer adjustment period, Neiderhiser said.<\/p>\n<p>A large health system may have already had its IT personnel preparing for a potential change in HIPAA for months \u2014 but a small rural hospital probably didn\u2019t have the resources or staff to account for this, he noted. 
In his view, smaller providers will certainly face a bigger burden when it comes to complying with these new regulations.<\/p>\n<p>The smaller provider organizations that Neiderhiser mentioned <a href=\"https:\/\/www.kff.org\/health-costs\/issue-brief\/hospital-margins-rebounded-in-2023-but-rural-hospitals-and-those-with-high-medicaid-shares-were-struggling-more-than-others\/\" rel=\"nofollow noopener\" target=\"_blank\">often operate on tight margins<\/a> \u2014 meaning it might be a struggle to come up with the cash to pay a tech company to manage their cybersecurity compliance functions.<\/p>\n<p>Another cybersecurity expert \u2014 Sean Kelly, chief medical officer at health IT security company <a href=\"https:\/\/medcitynews.com\/tag\/imprivata\/\" rel=\"nofollow noopener\" target=\"_blank\">Imprivata<\/a> \u2014 noted that he is worried about the cost of compliance.<\/p>\n<p>\u201cIt\u2019s difficult just to put forth unfunded mandates \u2014 and it\u2019s really difficult, without any kind of funding or incentivization, to just put penalties in front of hospital systems that already have limited budgets, particularly when you look at critical care access hospitals and rural practices,\u201d Kelly declared.<\/p>\n<p>If the proposed changes to HIPAA are instated, Kelly said he hopes the federal government establishes a system in which hospitals with fewer resources can qualify for grant money or \u201csome sort of incentivization\u201d for compliance. 
For instance, perhaps these hospitals could obtain Medicare payments more quickly as an incentive, he stated.<\/p>\n<p>He also pointed out that if Congress conducted an analysis of the cost of cybersecurity breaches versus the cost of a pool of money going toward preventive cybersecurity measures at hospitals, it would find that the breaches are much more expensive.<\/p>\n<p>\u201cThe cost of these breaches is enormous \u2014 not just for the hospitals and the patients that go through it, but even for the local hospitals around it. When a hospital shuts down, then the ambulances go elsewhere, and patients get seen elsewhere. There\u2019s unnecessary tests, there\u2019s morbidity, mortality, lawsuits, and costs associated with the local area around a hospital that goes down,\u201d Kelly explained.<\/p>\n<p>In 2024, the average cost of a healthcare data breach was $9.77 million, according to <a href=\"https:\/\/newsroom.ibm.com\/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs\" rel=\"nofollow noopener\" target=\"_blank\">research<\/a> from IBM.<\/p>\n<p>HHS\u2019 proposed changes to HIPAA may adversely affect clinicians\u2019 workflows at times, Kelly pointed out.\u00a0<\/p>\n<p>If a provider doesn\u2019t execute its staff cybersecurity training flawlessly, employees might fail multi-factor authentication challenges or run into other mishaps that lock them out of their systems, he noted. 
In other words, if any small aspect of the training is inadequate, such as the training not happening quickly enough for new employees or not being detailed enough, there are risks that staff members won\u2019t be able to access critical information.<\/p>\n<p>\u201cThat means they can\u2019t access systems to do things like look up medical records, and they don\u2019t have the interoperability between different record sets to properly diagnose and treat patients,\u201d Kelly added.<\/p>\n<p>Getting locked out of an account due to cybersecurity protocols can be annoying as a consumer, but it\u2019s a whole different situation as a clinician, he explained.<\/p>\n<p>\u201cIf I\u2019m locked out as an ER doctor, then I can\u2019t see your records. I don\u2019t know that you\u2019re on a blood thinner, and I can\u2019t order the CT to show me that you have an intracranial hemorrhage. I can\u2019t treat you properly for a stroke or for whatever your symptoms are \u2014 so there are very real consequences for the workflow aspects of security,\u201d Kelly declared.<\/p>\n<p>He also highlighted that it\u2019s quite difficult to ensure all employees across an entire health system receive adequate cybersecurity training. Hospitals are complex environments with thousands of workers spanning various roles, and sometimes staff members aren\u2019t even directly employed by the provider, Kelly said.<\/p>\n<p>There are potential ways to address this, such as single sign-on methods, he stated.<\/p>\n<p>Single sign-on is an authentication method that allows people to access multiple applications or systems with a single set of credentials, like a username and password. For instance, a hospital may give clinicians a badge they can tap as a single sign-on token to make log-ins easier, Kelly explained.<\/p>\n<p>\u201cYou can use two factors once in the day, but then for the rest of the day, you can tap in and out. 
There are ways to automate the workflow so it\u2019s faster to get into the medical records,\u201d he remarked.<\/p>\n<p>Hospitals may also be able to use facial recognition as a daily single sign-on key for clinicians, Kelly added.<\/p>\n<p>Through its proposal, HHS is seeking to ensure providers have a good grasp on all the different ways their data is being used and transferred \u2014 and having this clear view will likely influence providers\u2019 vendor selection for their various tools and devices, Kelly noted.<\/p>\n<p>The concept of third-party risk shot to the forefront of many healthcare leaders\u2019 minds last year amid the Change Healthcare data breach, he said. Change Healthcare may have been the only entity hit by a ransomware attack, but its thousands of customers suffered the operational and financial consequences of the incident <a href=\"https:\/\/medcitynews.com\/2024\/08\/cyberattack-healthcare\/\" rel=\"nofollow noopener\" target=\"_blank\">for months<\/a>.<\/p>\n<p>This disaster underscored the risks healthcare providers face by relying on external partners. Healthcare providers won\u2019t ever be able to maintain their daily operations without their network of vendor partners, so it\u2019s imperative that they master their vendor management and data protection strategies, Kelly remarked. HHS\u2019 proposed rule injects some urgency into these efforts, he said.<\/p>\n<p>\u201cThere needs to be a risk assessment before providers even select vendors. 
Beyond that, providers need to be making sure that [vendors] stay compliant and that every action taken by those third parties is secure,\u201d Kelly stated.<\/p>\n<p>This increased emphasis on vendor management may ultimately lead to fewer breached records down the road, he noted.<\/p>\n<p>Kelly \u2014 along with Neiderhiser and Rao \u2014 believes that despite the potential cost and workflow concerns, HHS\u2019 proposal is a step in the right direction, as the changes seek to underscore the importance of third-party vendor management and comprehensive cybersecurity staff training. All three experts agree that the proposed changes will likely become finalized in the near future.<\/p>\n<p><em>Photo: traffic_analyzer, Getty Images<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>HHS is proposing major changes to HIPAA for the first time in more than a decade, aiming to strengthen cybersecurity protocols for electronic health data. Healthcare cybersecurity leaders are mainly in favor of the proposal \u2014 though there are some concerns that smaller providers will struggle with the financial and operational burdens of compliance. 
The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":100116,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16,17],"tags":[],"class_list":["post-100115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-above_the_law","category-legal_matters"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/xira.com\/p\/wp-content\/uploads\/2025\/01\/s_Web_Security_Concept_with_Digital_Padlock-m9H1kj.jpeg?fit=640%2C418&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/100115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=100115"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/100115\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media\/100116"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=100115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=100115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=100115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}