
White House Reviewing Updates to HIPAA Security Rule

Proposal Will Be Open for Public Comment Next, But Will It Go Anywhere?
Marissa Gordon-Nguyen, HHS OCR senior advisor, tells attendees at a HIPAA summit Wednesday that the agency's proposed updates to the HIPAA security rule are under White House review. (Image: Marianne Kolbasuk McGee)

The Department of Health and Human Services last Friday submitted for White House review long-awaited updates to the 20-year-old HIPAA Security Rule containing modifications aimed at strengthening the cybersecurity of electronic protected health information.

Once reviewed by the White House's Office of Management and Budget, HHS plans to publish a notice of proposed rulemaking by the end of the year and solicit public comment for 60 days, said Marissa Gordon-Nguyen, senior advisor for health information privacy, data, and cybersecurity at the HHS' Office for Civil Rights.

"The draft is not yet public," Nguyen said on Wednesday during a HIPAA summit hosted by HHS OCR and the National Institute of Standards and Technology, declining to discuss details of the proposal.

The main purpose of the proposed modifications is to improve the cybersecurity of HIPAA-regulated organizations, she said. The proposed HIPAA rulemaking also fleshes out a mission that HHS announced last December in a concept paper outlining plans to shore up cybersecurity of the healthcare sector.

Those plans included an update to the HIPAA Security Rule, as well as HHS' Centers for Medicare and Medicaid Services potentially proposing new cybersecurity requirements for hospitals and possibly other healthcare providers through Medicare and Medicaid financial incentives and penalties.

In January, HHS released more details in the form of "voluntary" enhanced and essential cybersecurity performance goals that would potentially turn into new cyber mandates (see: HHS Details New Cyber Performance Goals for Health Sector).

So far, HHS CMS has not issued the promised proposed "CPG" regulations for hospitals and potentially others that would possibly be tied to financial incentives and penalties. Some large constituents in the healthcare sector - including the American Hospital Association - have opposed the idea of having new cyber regulations that would only be mandated for hospitals, especially in light of cybersecurity incidents frequently involving other types of players, including vendors and health insurers.

Also, current leadership at HHS is facing tight - if not impossible - deadlines to get these proposals, including updates to the HIPAA security rule, turned into final regulations. Regardless of whether Vice President Kamala Harris or former President Donald Trump wins the upcoming presidential election, either new administration could choose to revoke or just ignore the proposals made by HHS under the Biden administration, or change the proposals based on the public comment received, HHS officials admitted.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



