HIPAA Changes 2025 – What You Need to Know


The US Department of Health and Human Services (HHS) is considering what many regard as a long overdue change to HIPAA. In modern medicine, cybersecurity procedures have become a critical part of protecting patient data, but the rules governing those procedures haven’t been keeping pace with technology – the official HIPAA stance on text messaging was modernized as recently as 2024.

But what kind of HIPAA changes are we talking about? Recent coverage of this story by Forbes touched on some of the potential new requirements: proposed rules for vulnerability management, incident response, and contingency plans.

The First Proposed HIPAA Change

The proposal can be broken into two primary components. The first relates to documentation. The HHS is considering a requirement that all regulated entities, including everyone covered by HIPAA, maintain a technology inventory and a network map. The network map is there to track how protected information moves through your digital systems, and may require annual review.

Organizations may also be required to keep written procedures for restoring electronic information within three days of losing it. Having a plan isn’t enough – you may need to test and validate that plan at regular intervals.

In principle, all of that sounds reasonable! However, implementation may prove challenging for some smaller organizations. Keeping inventory and doing accurate system mapping will typically require technical and security resources. If you don’t have an in-house tech team, bringing in a consultant could be a smart move.

The Second Proposed Change

The second big component of the proposed changes is purely technical. The HHS is considering a mandate to strengthen the protection of electronic protected health information (ePHI). They’re considering a requirement for multi-factor authentication, along with mandatory vulnerability scanning and penetration testing at regular bi-annual and annual intervals.

Most of those practices are considered industry standard for securing sensitive data. In fact, many are nothing you have to worry about when you use FormDr, which already utilizes encryption, two factor authentication, and much more.

Finally, network segmentation may become a requirement. By breaking a network into smaller pieces, a potential breach compromises only a smaller piece of the whole.

It’s not yet clear how big or small a segment should be, or how those guidelines would be drawn. As with all HIPAA changes, it will be important to watch this story develop as the proposal either becomes law or does not.
