OUM Chiropractor Insights

HIPAA Reminders for 2025: Cybersecurity & Reproductive Health Privacy

Written by OUM Risk Management Specialist | Jan 7, 2025 5:44:20 PM

Measures to Strengthen Cybersecurity in Healthcare under HIPAA

The Department of Health and Human Services (HHS) issued a proposed rule, published on January 6, 2025, to improve cybersecurity and better protect the U.S. healthcare system from a growing number of cyberattacks. The proposed rule would be the first HIPAA Security Rule update since 2023. It would modify the HIPAA Security Rule to require health plans, healthcare clearinghouses, and most healthcare providers (and their business associates) to better protect individuals’ electronic protected health information against both external and internal threats. It would clarify, and give more specific instruction about, what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule would also require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis. Additionally, it would better align the Security Rule with modern best practices in cybersecurity.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect.

 

Reminder about Reproductive Healthcare Privacy

On April 26, 2024, the Office for Civil Rights (OCR) issued a Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive healthcare privacy. The rule became effective last year, on June 25, 2024. This action was taken to protect access to and privacy of reproductive healthcare and to foster patient-provider confidentiality.

Individuals are increasingly concerned about the confidentiality of discussions with their healthcare providers, and as a result, there is an increasing risk that their healthcare records will not be complete and accurate, leading to decreases in healthcare quality and safety.

The Final Rule prohibits the use or disclosure of Protected Health Information (PHI) when it is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate reproductive healthcare that is lawful under the circumstances in which it is provided, or to identify persons for such activities.

The Final Rule requires a covered entity or business associate to obtain a signed attestation that certain requests for PHI potentially related to reproductive healthcare are not for prohibited purposes. Attestation is needed when the request for PHI is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. A regulated entity is subject to potential civil penalties for failure to obtain a valid attestation before disclosing PHI, where an attestation is required. Covered entities are also required to modify their Notice of Privacy Practices to support reproductive healthcare privacy and reflect that all requests for information must have an attestation.

 


Sources:

HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet
HHS Office for Civil Rights Proposes Measures to Strengthen Cybersecurity in Health Care Under HIPAA
HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information

 

Disclaimer: “OUM” and “OUM Chiropractor Program” do not refer to a legal entity or insurance company but to a program or symbol of a program underwritten, insured, and administered by ProAssurance Insurance Company of America. The information contained on the OUM Chiropractor Blog does not establish a standard of care, nor does it constitute legal advice. The information is for general informational purposes only. We encourage all blog visitors to consult with their personal attorneys for legal advice, as specific legal requirements may vary from state to state. Links or references to organizations, websites, or other information are for reference use only and do not constitute the rendering of legal, financial, or other professional advice or recommendations. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered by ProAssurance Insurance Company of America, the terms and conditions of the actual policy will apply. All information contained on the blog is subject to change.