HHS and the HIPAA Security Rule: Is the Timing Right for ePHI Protection?
In early January 2025, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) proposed updates to HIPAA’s Security Rule.
This rule (one of six key rules that make up #HIPAA) focuses on ePHI (electronic Protected Health Information) — essentially any health information that is created, stored, transmitted, or received in an electronic format and that falls under the umbrella of PHI (Protected Health Information).
The proposed updates (while overdue) were prompted by a few major developments:
So, as of 06 Jan 2025, the HIPAA Security Rule has been updated to demand improved (enhanced?) #security and #protection of ePHI... which is commendable given the evolving landscape of threats. However, the move is also somewhat concerning!
This is because (it seems that) the OCR/HHS is mandating improved ePHI security by issuing requirements (such as Multifactor Authentication, Asset Inventory, Risk Analysis, etc.) without clearly outlining how the OCR/HHS intend to assist #healthcare organizations in implementing those requirements (beyond the threat of penalties for non-compliance).
Intentions notwithstanding, it also seems to be a case of bad timing and preferential burdening.
Bad Timing - Case #1: (The Mixed Message) from Regulatory Bodies
The HHS’s push for more robust ePHI protection comes not only against the backdrop of the increasing prowess of AI but a conflicting message from another key regulator - the USFDA!
A short while ago, (one of the talking heads of) the USFDA declared, "...do not validate AI tools in Healthcare...!"
Unless one looks closely, the USFDA's stance seems at odds with the HHS' current (subsequent) push to bolster ePHI cybersecurity. Is one government body (HHS) expecting healthcare organizations to (mitigate AI tech-based threats to) enhance ePHI security while another government body (USFDA) distances itself from (does not even validate tools emerging from) the same tech?
It is crucial that the OCR/HHS provide more than just guidelines — they should offer a clarity of their stand, actionable solutions, practical support, and resources to the healthcare organizations, especially considering the scale and complexity of these security demands.
Without that, the current stance might only serve to create unnecessary anxiety and resistance!
Preferential Burdening: (the focus on) Specific stakeholders
The updated rule (seemingly) places a heavy burden on three key groups within the healthcare system: Healthcare Providers (who transmit health information electronically), Health Plans (which offer or pay for benefits), and Healthcare Clearinghouses (which process or standardize health data, among other things such as billing coding and claims scrubbing).
In other words, these organizations are (seen as) responsible for transmitting, processing, or storing ePHI, and thus (expected to) bear the responsibility for securing it! With Providers facing burnout, Payers (health plans) and Clearinghouses dealing with turbulence (volumes and suspicion), it’s worth questioning the timing of these additional ePHI security demands.
Objectively, given the current business climate where manpower, margins, outcomes, and revenues are consistently dismal, imposing new security requirements could exacerbate existing challenges (on strained resources, at the very least).
Bad Timing - Case #2: (Need for) a More Balanced Approach?
Instead of focusing on heightened ePHI security demands right away, perhaps it would make more sense to focus on relieving #Providers (through AI-based load sharing of their administrative burden), provisioning Plans (through AI-based load sharing of implementation), and adjudicating #Claims (through AI-based load sharing of validation)!
Implementing AI (mostly low-hanging fruit) to share the load in these areas would ease the pressure on providers and other stakeholders. Doing so before (or at the same time as) introducing complex, resource-intensive ePHI security demands might serve to restore (build?) mutual trust across customers, government, and the industry!
In short, it might be more prudent to leverage AI tools (and fair play) to address the above-mentioned #transactional issues and #efficiency problems before pursuing ePHI-specific demands!
Right now, OCR/HHS' move almost seems like a case of demanding compliance without enabling resilience!
Why rush to add a new burden before (harnessing AI for) addressing the (fundamental?) issues that are already overwhelming healthcare organizations (and the masses that they set out to serve)?