HITRUST Certified Companies Positioned to Meet Over 90 Percent of Proposed Requirements
Three key points:
- HHS issued a proposed rule aimed to improve HIPAA cybersecurity.
- HITRUST certified organizations are positioned to meet over 90% of proposed requirements.
- Documentation requirements, security and incident response, and technical security measures are covered with HITRUST certification.
In late 2024, the Department of Health and Human Services (HHS) issued a proposed rule that would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity. It would require health plans, healthcare clearinghouses (organizations that enable the exchange of healthcare data between providers and payers), most healthcare providers, and their business associates to strengthen protections for individuals’ protected health information (PHI) against both external and internal threats.
Protecting your patients’ PHI is not something to take lightly. Read on to learn more about the proposed HIPAA security rule and how working with a partner that is committed to data security by being HITRUST certified can have you well on your way to meeting these and future requirements.
HIPAA Security Rule
In a press release, HHS and its Office for Civil Rights (OCR) cited the rise in cyberattacks as one of the reasons for the proposed rule. HHS Deputy Secretary Andrea Palm said, “The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety. These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack but are also more secure and resilient.”
The proposed HIPAA security rule aims to address several areas, including:
- Changes in the environment in which health care is provided.
- Significant increases in breaches and cyberattacks.
- Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
- Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
- Court decisions that affect enforcement of the Security Rule.
Getting Ready for Change
The comment period for the proposed changes ends in early March 2025, so it is not too early to start preparing for the potential new HIPAA Security Rule requirements. Making sure your early out and bad debt collections partner is prepared for these changes is vital to your success, but how do you verify that? The easiest way is to ask whether your partner is HITRUST certified. Meeting the stringent requirements being proposed will be a daunting task for organizations that are unprepared. HITRUST certified companies like Americollect are already well on the way: HITRUST certified companies are positioned to meet well over 90 percent of the proposed requirements.
There are three main areas where a HITRUST certified partner helps your facility: documentation, security and incident response, and technical security measures. These areas determine whether a partner is prepared, and smaller agencies may not be able to support your needs in all three.
Documentation Requirements
Maintaining written documentation of all security rule policies, procedures, plans, and analyses is a vital part of meeting the proposed new criteria. It is also important to develop a technology asset inventory and network map that shows how ePHI moves through your system and update it at least annually or sooner if there are any relevant operational changes.
Security and Incident Response
Implementing incident response protocols is essential preparation for potential catastrophic events. The four main points that need to be covered with your plan are:
- Document – Ensure your staff knows the procedures to follow when reporting suspected or known security incidents.
- Establish Plans – Having a written incident response allows staff to quickly and efficiently follow your response plan. It is also important to conduct regular tests to allow procedure revisions when needed.
- Restore – The ability to have critical systems and data back up and running within 72 hours of an incident minimizes the impact on your facility.
- Notify – A business associate that activates its contingency plan must notify the covered entity within 24 hours.
Technical Security Measures
The proposed HIPAA security rule works to strengthen overall security through technical measures. It calls for encrypting ePHI both at rest and in transit, use of multifactor authentication, and establishing standardized system configuration controls, including:
- Anti-malware protection
- Removal of unnecessary software
- Network port management based on risk analysis
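The configuration items above are only useful if someone checks a host against them. The following script, an added example that is not Americollect’s or HITRUST’s code, shows the shape of such a check: a risk-analysis-approved baseline of listening ports and installed packages is compared against what a host reports, and every deviation is returned as a finding. The baseline, the package names, and the sample `ss -tlnp` and `dpkg-query` output are all constructed for illustration and should be replaced with your own risk analysis and real command output.

```python
"""Baseline drift check for listening ports and installed software.

Added example (not Americollect's or HITRUST's code). The approved
baseline and the sample command output below are constructed for
illustration; swap in your own risk-analysis results and live output.
"""
import re
from dataclasses import dataclass

# Hypothetical baseline: each exposed port carries a risk-analysis justification.
APPROVED_PORTS = {
    22: "SSH admin access, restricted to management VLAN",
    443: "HTTPS patient portal, TLS required for ePHI in transit",
}
# Hypothetical approved software list; anti-malware is required, not just allowed.
APPROVED_PACKAGES = {"openssh-server", "nginx", "clamav-daemon"}
REQUIRED_PACKAGES = {"clamav-daemon"}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN 0      50     0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=1401,fd=4))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
"""
# Constructed sample of `dpkg-query -W -f='${Package}\n'` output.
SAMPLE_PACKAGE_OUTPUT = "openssh-server\nnginx\ntelnetd\n"


@dataclass(frozen=True)
class Finding:
    kind: str    # "unapproved_port", "unapproved_package", "missing_package"
    detail: str


def parse_listening_sockets(ss_output):
    """Parse `ss -tlnp` text into (bind_address, port, process_name) tuples."""
    sockets = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = parts[3].rpartition(":")  # handles IPv6 like [::]:443
        match = re.search(r'\("([^"]+)"', line)   # first process name, if shown
        sockets.append((addr, int(port), match.group(1) if match else "?"))
    return sockets


def check_ports(sockets, approved=APPROVED_PORTS):
    """Flag network-exposed listeners with no risk-analysis justification."""
    findings = []
    for addr, port, proc in sockets:
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only service, not reachable from the network
        if port not in approved:
            findings.append(Finding(
                "unapproved_port",
                f"{proc} listening on {addr}:{port} is not in the approved port baseline"))
    return findings


def check_software(installed, approved=APPROVED_PACKAGES, required=REQUIRED_PACKAGES):
    """Flag unnecessary software (not approved) and missing required software."""
    findings = []
    for pkg in sorted(installed - approved):
        findings.append(Finding("unapproved_package", f"{pkg} is installed but not approved"))
    for pkg in sorted(required - installed):
        findings.append(Finding("missing_package", f"required package {pkg} is not installed"))
    return findings


def run_check(ss_output=SAMPLE_SS_OUTPUT, package_output=SAMPLE_PACKAGE_OUTPUT):
    """Run both checks and return the combined list of findings."""
    installed = set(package_output.split())
    return check_ports(parse_listening_sockets(ss_output)) + check_software(installed)


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.kind}] {f.detail}")
```

On the constructed sample the script reports three findings: telnetd exposed on port 23, telnetd installed without approval, and the required anti-malware package missing. The loopback-bound PostgreSQL listener is deliberately not flagged, since the port baseline is about network exposure; whether a database should be local-only at all is a separate question for the risk analysis.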
HIPAA Security Rule Conclusion
With the comment period for the HHS proposed HIPAA security rule ending in early March 2025, it’s time to make sure your early out and bad debt collections partner is prepared for these changes. Currently, only 18.2 percent of healthcare organizations and 10 percent of finance and insurance groups are HITRUST certified. Companies that are HITRUST certified, like Americollect, are more than 90 percent ready for the new rule and are quickly working toward complete coverage. If you are concerned that your current early out or bad debt collector isn’t prepared, Americollect’s Ridiculously Nice sales team is ready to help you make sure you are covered!
Ridiculously Nice Legal Disclaimer
The content provided in this communication (“Content”) is presented for educational and general reference purposes only. Americollect, Inc. and/or AmeriEBO LLC, either directly or indirectly through speakers, independent contractors, or employees (collectively referred to as “Americollect”), is providing this Content as a courtesy to be used for informational purposes only. The Content is not intended to serve as legal or other advice. Americollect does not represent or warrant that the Content is accurate, complete, or current for any specific or particular purpose or application. This information is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel. By using the Content in any way, whether or not authorized, the user assumes all risk and hereby releases Americollect from any liability associated with the Content.