Although details are scant and scattered in various federal documents and on websites, a picture is emerging that indicates the health care community could see a proposed regulation revising the HIPAA Security Rule in September. In addition, a rule finalizing changes proposed to the Privacy Rule in 2021 may be issued before the end of this year.
Some information about plans for the Security Rule is found in a “concept paper” HHS issued on Dec. 6 that outlines its cybersecurity strategy for the health care sector.[1] These include establishing “voluntary” cybersecurity performance goals (CPGs) the agency said would “help health care institutions plan and prioritize implementation of high-impact cybersecurity practices.”[2] These goals would become somewhat less voluntary over time, as HHS said it also plans to “propose new enforceable cybersecurity standards, informed by the…CPGs, that would be incorporated into existing programs, including Medicare and Medicaid and the HIPAA Security Rules.”
The paper says little about the goals other than that they “will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.” Regarding the Security Rule, the paper states that HHS Office for Civil Rights (OCR) will begin to update the Security Rule “in the spring, to include new cybersecurity requirements.” That’s a more ambitious schedule than indicated by OCR.