DHHS Proposes Modifications to HIPAA Security Rule


Citing a dramatic increase in large health data breaches, DHHS has issued a notice of proposed rulemaking for modifications to the HIPAA Security Rule to enhance cyber security protections for electronic protected health information (ePHI). Some of the major proposed changes include:

  • new definition for “electronic information system”
  • new definition for “multi-factor authentication” and adding an MFA mandate
  • new standards for updating technology asset inventories and network maps illustrating movement of ePHI
  • for physical safeguards, removing the distinction between “required” and “addressable” implementation specifications

The rule updates are intended to bolster the resilience of healthcare providers against ongoing cyber attacks. The proposed rule is open for comment until March 7, 2025.


About the Authors

James Bush

James focuses his practice on the areas of health law, civil litigation, and data privacy.
