The organization calls for a new approach to cybersecurity in HIPAA security rule comments.

In public comments that the Healthcare Information and Management Systems Society (HIMSS) submitted to the US Department of Health and Human Services (HHS), HIMSS called on the HHS Office for Civil Rights to consider different approaches to make security, risk assessment, and documentation requirements more scalable to the security needs of small practices, practices caring for rural and underserved communities, and their business associates.

HIMSS comments, made in response to the Office for Civil Rights’ “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” proposed rule, recommended that the Office for Civil Rights convene an array of regulated entities—including representation from small clinician practices, critical access hospitals, federally qualified health centers, and Tribal health providers—to receive feedback on appropriate and scalable use of multi-factor authentication, encryption, risk assessments, and other tools to protect electronic protected health information.  

HIMSS suggested that the Office for Civil Rights leverage the 2024 HIMSS Healthcare Cybersecurity Survey Report for insights into how regulated entities view security best practices.  

HIMSS Outlines Key Recommendations for HIPAA Security Rule Updates

HIMSS also recommended that any updates to the security rule should: 

  • Leverage the NIST Cybersecurity Framework 2.0 and the essential goals of the HHS Cybersecurity Performance Goals as guideposts, while noting that the enhanced cybersecurity performance goals are not scalable to small, under-resourced regulated entities 
  • Be scalable to the risk level and resource capacity of each kind of regulated entity 
  • Allow larger and well-resourced regulated entities to provide technical support and tools to smaller entities with resource challenges, leveraging the Physician Self-Referral exception and the Anti-Kickback Safe Harbor enacted by Congress in 2023 
  • Hold business associates more accountable for protecting electronic protected health information while meeting requirements scaled to their unique security needs 
  • Not go into effect until at least 18 months after publication of a final rule codifying the new requirements 

HIMSS says in a release that it made these recommendations after receiving concerned feedback from members, including security experts, health system leaders, and developers indicating that “the new requirements would create significant additional administrative burden and hardware costs.”  

“Requiring encryption of emails indicating a patient had a secure message, documenting failed attempted security breaches, and prescriptive requirements for conducting inventories of technology assets and penetration testing were particularly targeted as adding burden with little additional value in protecting ePHI [electronic Protected Health Information],” HIMSS continues in the release. 