HHS Best Practices for ePHI Protection: What We Can Learn from the Proposed Modifications to the HIPAA Security Rule—Regardless of Whether It Becomes Final
In an effort to strengthen cybersecurity protections for electronic protected health information (ePHI), at the end of last year the Department of Health and Human Services (HHS), through its Office of Civil Rights (OCR), issued a Notice of Proposed Rulemaking (NPRM) to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The NPRM has received over 4,000 comments from HIPAA-regulated entities, healthcare industry stakeholders and the public. As discussed in this article, while it is unclear whether this proposed rule will be finalized (and if so, in what form), the NPRM contains helpful guidance for plan sponsors on what OCR considers to be best practices as it relates to the protection of ePHI.

Background

The HIPAA Security