HIPAA Changes Ahead
In January of 2021, we reported on an amendment to the HITECH act by congress that intended to advance HIPAA compliance and enforcement. The idea was to incentivize Covered Entities to adopt best practices for cybersecurity by reducing the penalty structure for those who did so, and still suffered a breach or were out of compliance elsewhere. To further define what constituted "best practices" in healthcare, HHS's Office for Civil Rights issued a Request For Information to identify what those best practices are.
With those responses now in, we can expect HHS to compile a list of recommendations for healthcare organizations wishing to improve their cybersecurity profiles. But we don't expect it to end there.
The reality is HIPAA is dramatically outdated. While it's still an effective body of code, it's woefully deficient in addressing today's cybersecurity concerns. To be fair, in 1986 when HIPAA was initially drafted, no one anticipated what we have now in the cyber world. To drive this point further, the word "firewall" doesn't even exist in the Privacy or Security Rules.
This will be changing soon. We can expect OCR to adopt, and incorporate into code, specific practices and technologies into the requirements to achieve HIPAA compliance. This guidance is sorely needed, as healthcare organizations of all sizes continue to suffer from attacks. Also, as the industry becomes more interconnected, Covered Entities and Business Associates who aren't maintaining best-in-class cybersecurity practices weaken the entire ecosystem for everyone. Imagine a house with impenetrable defenses, but there's an open corridor connecting the house to their neighbors' house, who happens to have no locks on their doors. This is the current state of our healthcare community. Expect these pending HIPAA changes to address this.
The side effect of these increased and improved compliance requirements is going to be the cost and that may deal yet another blow to smaller medical facilities struggling to exist in the post-Covid climate.
As always Acentec is here to help. We offer best-in-class cybersecurity solutions, HIPAA compliance, and IT management at prices even the smallest clients can afford. Contact us for a free consultation.