New update to HIPAA ushers in potential for additional cybersecurity rules
On December 27, 2024, the Health and Human Services (HHS) Office for Civil Rights (OCR) announced plans to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in an effort to improve the cybersecurity practices of covered entities and business associates, as the number of targeted cyberattacks, particularly those aimed at the healthcare system, continues to skyrocket. OCR’s focus on cybersecurity follows findings of a 102% increase in reports of large health data breaches, that over 167 million individuals were affected by large breaches in 2023, and that hacking and ransomware attacks on healthcare entities have increased by 89% and 102%, respectively, since 2019. These trends, recorded through 2023, prompted HHS to initiate the Healthcare and Public Health Critical Infrastructure Sector Cybersecurity Performance Goals.
Additionally, in 2024 alone OCR has observed two of the most notable breaches of health data in U.S. history: the Change Healthcare and Ascension Hospital Network incidents on February 21, 2024, and May 8, 2024, respectively. With this setting in mind, OCR aims to strengthen the security of covered entities and business associates so that patient data is not exposed in the event of an attack, and hopes that the new rules will provide, according to Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, “clarity and specificity” to the existing HIPAA obligations.
The update would introduce new proposed cybersecurity rules, in conjunction with the existing HIPAA Security Rule, that would require healthcare entities, among other designated protections, to encrypt the health data in their stewardship, monitor their networks for threats or suspicious activity, and conduct regular compliance checks to ensure adherence to the updated HIPAA Security Rule.
The publication date of the proposed rulemaking is not yet known, but healthcare entities and their affiliates should anticipate such changes coming soon, as cybersecurity reforms focused on healthcare have received broad bipartisan support, with many policy-makers frustrated by the mass exposure of patient data. In the meantime, while OCR moves forward with the proposed rulemaking and the public comment period that will follow, the current version of the HIPAA Security Rule remains in effect.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.