“Almost every stage of modern healthcare relies on stable and secure computer and network technologies.”
The above is a direct quote from the Office for Civil Rights of the Department of Health & Human Services (“OCR”) in the proposed updates to the HIPAA Security Rule it unveiled last month. You probably already know intuitively what it claims, but how often do you really consider the reality of that statement, and how your organization and the patients you serve would be affected if something catastrophic happened to your network?
If you let out an audible groan when you heard OCR released proposed updates to the HIPAA Security Rule, you’re probably not alone.
The past year has been a busy one for healthcare compliance, including revamped OIG compliance guidance, broad Section 1557 non-discrimination rules, staffing and disclosure requirements for long term care facilities, and new protections for substance abuse and reproductive healthcare information. Changes to long-standing security requirements that apply to almost every healthcare provider and the organizations they do business with are probably the last thing many compliance professionals want right now. But when you consider that the first HIPAA Security Rule was finalized in 2003, over 20 years ago, and that except for some updates in 2013 in response to the HITECH Act these requirements have not changed, you quickly realize that updates to the HIPAA Security Rule are probably overdue.
Think about the technology you were using in 2003, if you can even remember that far back. We were still using flip phones, fax machines, and dial-up Internet. The word “cloud” had one meaning to most people, and it had nothing to do with technology. If we’re honest with ourselves, the HIPAA Security Rule is due for a reboot, or at least a refresh.
On the one hand, the HIPAA Security Rule was designed to be flexible. Unlike the HIPAA Privacy Rule, which has very prescribed, specific requirements for when you can and cannot use or disclose someone’s protected health information, the HIPAA Security Rule sets broad standards and, in many cases, allows the regulated entity to decide how to meet each standard to safeguard protected health information. It needs to be flexible because technology is rapidly evolving.
On the other hand, that flexible approach only works well if regulated entities proactively evolve their policies and compliance strategies as technology evolves. The problem? According to OCR, many healthcare providers aren’t keeping pace or at least aren’t documenting their efforts. The result? Healthcare providers and the data they maintain are increasingly vulnerable and the risk has only grown in recent years as the number of bad actors seeking to exploit these vulnerabilities grows.
None of this should come as a surprise. One of the most frequently cited violations of the HIPAA Security Rule is failing to have an adequate risk analysis, the one requirement from which many other HIPAA Security requirements flow. Because so much of the HIPAA Security Rule is flexible, the risk analysis is what informs how a healthcare provider implements the Rule and protects its data. Yet OCR routinely cites healthcare providers for not doing an adequate risk analysis, or for failing to do one at all. An inadequate risk analysis leads to inadequate safeguards, which leads to compromised data.
While much is unknown about whether and when OCR will finalize changes to the HIPAA Security Rule, one thing is certain: the risk to healthcare providers of a security breach continues to grow. Cybersecurity is one of the biggest risks facing healthcare providers and the organizations they share data with. For that reason, all healthcare providers should be looking for ways to strengthen their HIPAA Security Program in 2025.
On this week’s podcast, we discuss what providers can and should be doing now to bolster their security programs; provide greater protection for their health data; and increase their readiness for new regulations.