CyberSecurity Standards for HIPAA Entities Expected in Upcoming Rule

CyberSecurity Standards for HIPAA Entities Expected in Upcoming Rule

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported that a total of 11 health data breaches have each affected over one million people this year, bringing the total number of people affected by data breaches in 2024 to about 140 million Americans.

Those 11 health data breaches include one that occurred at the Centers for Medicare & Medicaid Services (CMS) itself, affecting over 3 million people. A significant majority of these breaches were caused by cyberattacks, and a recent study found that these cyberattacks, by shutting down whole hospital systems, have a direct impact on patient health.

It’s not surprising then, that last week, OCR sent a proposed rule on cybersecurity to the White House for final review. OCR says the intent of the rule is to improve “cybersecurity in the health care sector by strengthening requirements for HIPAA (Health Insurance Portability and Accountability Act) regulated entities.”

Although little is known about the specific requirements in the proposed rule, by reading the tea leaves, we can venture some guesses on what it will generally include, based on comments by D.C. lawmakers and HHS itself in numerous forums.

We’ll give you two new terms – each with their own implicitly required government acronym – that we’re probably going to hear a lot more about when this rule is published as early as next month:

  • Systemically Important Entities (SIEs); and
  • Cybersecurity Performance Goals (CPGs).

Let’s start with CPGs. These were published about a year ago by CMS, with not much fanfare. That’s because they were voluntary best business practices that healthcare entities could implement – or not.

Now, the government has or will publish these CPGs for nearly every industry through the respective federal agencies, but since healthcare has become the number-one target for cybercriminals, the healthcare CPGs will likely be the first that will be required through these upcoming regulations.

The healthcare CPGs are split into two categories: Essential and Enhanced. The Essential category is intended to encompass business practices that are really a baseline for what the industry calls “good cybersecurity hygiene.” These include technological protections like multifactor authentication and strong encryption protections, as well as more behavioral practices like workforce trainings and revoking credentials for employees who leave the workforce.

The Enhanced CPGs are best practices that healthcare entities should employ as their organization’s technology matures. These include network segmentation and conducting attack simulations.

HHS has telegraphed that the Essential CPGs may make up the basis for required cybersecurity standards that could be imposed on healthcare entities in the upcoming rule.

Now, not all healthcare entities may be required to comply with all of the Essential CPGs. HHS has also focused much of its attention on the aforementioned  SIEs: entities that are identified based on their potential to affect national critical functions.

In English, SIEs are healthcare entities – let’s call them chokepoints in the industry – of which, should they be attacked or impacted, the consequences would be more widespread than just that that one entity and its customers.

In summary, we expect this rule will likely require at least some HIPAA entities, including plans, providers, and clearinghouses, to implement specific security standards, and these SIEs may be given more requirements because of their reach and impact.

Will this cost healthcare entities money? Certainly.

Healthcare is famously behind other U.S. industries in terms of technology – that is why cybercriminals focus on healthcare instead of other industries – and it will cost both individual organizations and the industry at large to address that.

The proposed healthcare cybersecurity rule is expected to be published in November.

Given the possible costs, let’s hope it also offers some resources and help for the industry in the fortification of its cyber defenses.

Facebook
Twitter
LinkedIn

Matthew Albright

Matthew Albright is the chief legislative affairs officer at Zelis Healthcare. Previously, Albright was senior manager at CAQH CORE, and earlier, he was the acting deputy director of the Office of E-Health and Services for the Centers for Medicare & Medicaid Services.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Comprehensive Outpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Optimize your outpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to outpatient CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. You will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.

September 5, 2024
Advanced Outpatient Clinical Documentation Integrity: Mastering Complex Narratives and Compliance

Advanced Outpatient Clinical Documentation Integrity: Mastering Complex Narratives and Compliance

Enhancing outpatient clinical documentation is crucial for maintaining accuracy, compliance, and proper reimbursement in today’s complex healthcare environment. This webcast, presented by industry expert Angela Comfort, DBA, RHIA, CDIP, CCS, CCS-P, will provide you with actionable strategies to tackle complex challenges in outpatient documentation. You’ll learn how to craft detailed clinical narratives, utilize advanced EHR features, and implement accurate risk adjustment and HCC coding. The session also covers essential regulatory updates to keep your documentation practices compliant. Join us to gain the tools you need to improve documentation quality, support better patient care, and ensure financial integrity.

September 12, 2024

Foundations of Outpatient Clinical Documentation Integrity: Best Practices for Accurate Coding and Compliance

This webcast, presented by Angela Comfort, DBA, RHIA, CDIP, CCS, CCS-P, a recognized expert with over 30 years of experience, offers essential strategies to improve outpatient clinical documentation integrity. You will learn how to enhance the accuracy and completeness of patient records by adopting best practices in coding and incorporating Social Determinants of Health (SDOH). The session also highlights the role of technology, such as EHRs and CDI software, in improving documentation quality. By attending, you will gain practical insights into ensuring precise and compliant documentation, supporting patient care, and optimizing reimbursement. This webcast is crucial for those looking to address documentation gaps and elevate their coding practices.

September 5, 2024
Preventing Sepsis Denials: From Recognition to Clinical Validation

Preventing Sepsis Denials: From Recognition to Clinical Validation

ICD10monitor has teamed up with renowned CDI expert Dr. Erica Remer to bring you an exclusive webcast on how to recognize sepsis, how to get providers to give documentation that will support sepsis, and how to educate to avert sepsis denials. Register now and become a crucial piece of the solution to standardizing sepsis clinical practice, documentation, and coding at your facility.

August 22, 2024

Trending News

Featured Webcasts

Post Operative Pain Blocks: Guidelines, Documentation, and Billing to Protect Your Facility

Post Operative Pain Blocks: Guidelines, Documentation, and Billing to Protect Your Facility

Protect your facility from unwanted audits! Join Becky Jacobsen, BSN, RN, MBS, CCS-P, CPC, CPEDC, CBCS, CEMC, and take a deep dive into both the CMS and AMA guidelines for reporting post operative pain blocks. You’ll learn how to determine if the nerve block is separately codable with real life examples for better understanding. Becky will also cover how to evaluate whether documentation supports medical necessity, offer recommendations for stronger documentation practices, and provide guidance on educating providers about documentation requirements. She’ll include a discussion of appropriate modifier and diagnosis coding assignment so that you can be confident that your billing of post operative pain blocks is fully supported and compliant.

October 24, 2024
The OIG Update: Targets and Tools to Stay in Compliance

The OIG Update: Targets and Tools to Stay in Compliance

During this RACmonitor webcast Dr. Ronald Hirsch spotlights the areas of the OIG’s Work Plan and the findings of their most recent audits that impact utilization review, case management, and audit staff. He also provides his common-sense interpretation of the prevailing regulations related to those target issues. You’ll walk away better equipped with strategies to put in place immediately to reduce your risk of paybacks, increased scrutiny, and criminal penalties.

September 19, 2024
Pediatric SDoH: An Essential Guide to Accurate Coding and Reporting

Pediatric SDoH: An Essential Guide to Accurate Coding and Reporting

This webcast, presented by Tiffany Ferguson, LMSW, CMAC, ACM, addresses the critical gap in Social Determinants of Health (SDoH) reporting for pediatric populations. While SDoH efforts often focus on adults, this session emphasizes the unique needs of children. Attendees will gain insights into the current state of SDoH, new pediatric Z-codes, and the importance of interdisciplinary collaboration. By understanding and applying pediatric-specific SDoH factors, healthcare professionals can improve data capture, compliance, and care outcomes. This webcast is essential for those looking to enhance their approach to pediatric SDoH reporting and coding.

August 8, 2024
Oncology and E/M Services: Compliance, Medical Necessity, and Reimbursement

Oncology and E/M Services: Compliance, Medical Necessity, and Reimbursement

Join Becky Jacobsen, BSN, RN, MBS, CCS-P, CPC, CPEDC, CBCS, CEMC, VP of CDM, for a webcast addressing oncology service coding challenges. Learn to navigate coding for infusions and injections alongside Evaluation and Management (E/M) services, ensuring compliance and accurate reimbursement. Gain insights into documenting E/M services for oncology patients and determining medical necessity. This webcast is essential to optimize coding practices, maintain compliance, and maximize revenue in oncology care.

July 30, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

👻Spooky Sale is Back!👻 Get 31% off all three Medlearn brands, using code SPOOKY24.