What’s happening: The U.S. Department of Health and Human Services’ (HHS) proposed revisions to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule aim to strengthen cybersecurity protections for electronic protected health information (ePHI).
What else to know: Comments on the proposed rule are due by March 7.
On Jan. 6, the HHS Office for Civil Rights published the proposed rule, which would update security standards to protect ePHI and require HIPAA-covered entities to take specific steps to do so, including to:
- Encrypt ePHI
- Implement multifactor authentication with limited exceptions
- Deploy anti-malware software
- Establish written procedures to restore electronic health record systems and data within 72 hours of a cyberattack
- Develop written documentation of Security Rule policies and procedures, to be updated annually
The proposed rule would also eliminate the distinction between “required” and “addressable” HIPAA Security Rule implementation specifications, removing some of the flexibility that currently exists under the regulations.