The US Department of Health and Human Services (HHS) is planning a massive overhaul of the Health Insurance Portability and Accountability Act (HIPAA) security rule to strengthen baseline cybersecurity requirements for protecting electronic protected health information (PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls, such as multifactor authentication (MFA) and enhanced encryption requirements.
The proposal describes the most substantive changes to HIPAA to date. The security rule was last revised in 2013. The threat landscape is different now than it was over a decade ago, and breaches against healthcare organizations have increased by 102% between 2018 and 2023, the HHS Office for Civil Rights said in a statement. In 2023, over 167 million people had their health information compromised, a 1,002% increase from 2018.
Proposed Changes to HIPAA
The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.
Everything in writing: All policies,…
