Understanding the New Proposal
The U.S. Department of Health and Human Services (HHS) has announced major changes to strengthen healthcare information security standards through its Office for Civil Rights (OCR). This proposal aims to modify the HIPAA Security Rule, with comments due by March 7, 2025.
Key Changes in Healthcare Security
The proposed modifications address several critical areas, including evolving healthcare environments, rising cybersecurity threats, and compliance issues observed by OCR. While maintaining core Security Rule obligations, the proposal emphasizes clearer guidelines for electronic protected health information (ePHI).
Impact on Healthcare Organizations
According to cybersecurity expert Jonathan Goldberger, these changes align HIPAA security rules with the Federal Trade Commission’s Safeguards Rule and PCI 4.0 standards, requiring organizations to implement robust security programs led by qualified practitioners.
Comment Submission Guidelines
Organizations can submit comments through:
- Federal eRulemaking Portal (Docket ID: 0945-AA22)
- Mail submissions to HHS Office for Civil Rights
- Microsoft Word or PDF format attachments
Implementation Timeline
The final rule would take effect 60 days after Federal Register publication, with regulated entities given a compliance period to implement necessary changes.
Available Resources and Support
The ACA Cybersecurity Collective offers:
- Expert networking opportunities
- Private LinkedIn group access
- Partnership with Coalition for cyber risk management
- Access to Coalition Control platform
- Comprehensive scanning technology
Cybersecurity & Risk Forum
ACA members can attend the upcoming in-person forum for actionable strategies in cyber threat management.