First Look: New HIPAA Security Rules for ePHI

January 8th, 2025

The Office for Civil Rights (OCR), at the U.S. Department of Health and Human Services (HHS), recently issued a Notice of Proposed Rulemaking (NPRM) aimed at updating the HIPAA Security Rule. The changes proposed by OCR, which is responsible for defining and enforcing the Security Rule, are designed to strengthen the cybersecurity measures required of healthcare organizations, particularly as they pertain to the handling of electronic protected health information (ePHI).

As well as combating the increasing frequency and sophistication of cybersecurity threats (e.g., ransomware), the NPRM aims to enhance the protection of ePHI by ensuring the healthcare industry keeps pace with the growing number of digital solutions and their associated security challenges.

In this post, we look at the new HIPAA security rules for ePHI, including what the proposal entails, its potential implications, and how healthcare providers, payers, and suppliers can best navigate these new regulatory requirements in the future.

What Do the New HIPAA Security Rules for ePHI Contain?

In essence, the NPRM introduces a more robust framework to enhance the security of the critical infrastructure in which healthcare organizations store and process ePHI.

To this end, under the new proposal, organizations must develop, or revise, a technology asset inventory and a network map that conveys the movement of ePHI throughout their IT ecosystem. Both must be kept current: reviewed and updated at least once every 12 months, and whenever the organization alters its infrastructure or operations in a manner that may affect ePHI.

Key components of the new HIPAA security rule notice of proposed rulemaking to strengthen cybersecurity for ePHI include:

1. Enhanced Risk Assessments and Management

The NPRM emphasizes comprehensive risk management, requiring organizations to conduct more detailed assessments of potential threats to ePHI. Under the proposal, risk assessments must:

  • Consider emerging cyber risks, through the collection and analysis of up-to-date threat intelligence, so that mitigation is proactive as well as reactive.
  • Include a written assessment that contains:
      • A review of the organization’s technology asset inventory and network map.
      • The identification of potential vulnerabilities within the organization’s IT infrastructure.
      • The identification of all reasonably anticipated threats to the confidentiality, integrity, and availability (i.e., the CIA triad) of ePHI.
      • The risk level for each identified threat and vulnerability, based on the likelihood of its occurrence and its potential impact on ePHI.
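The written assessment above ties three artifacts together: the asset inventory, the network map of ePHI flows, and a rated list of threats. The script below is an added example (not code from the original post or from LuxSci) of how an assessor might keep those artifacts as structured data and check them for consistency: flows that reference systems missing from the inventory, ePHI moving without transport encryption, ePHI stores without encryption at rest, and a likelihood-times-impact rating for each threat. The asset names, flows, threats and the 5x5 rating thresholds are constructed for illustration; the encryption checks encode this example's own policy assumptions rather than specific NPRM text.

```python
"""Consistency check for an ePHI asset inventory, network map and threat list.

Added example. All inventory data below is constructed for illustration;
rating thresholds and encryption checks are this example's assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    stores_ephi: bool
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_ephi: bool
    encrypted_in_transit: bool


@dataclass(frozen=True)
class Threat:
    description: str
    asset: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe) effect on ePHI C/I/A


def risk_level(likelihood: int, impact: int) -> str:
    """Rate a threat on a 5x5 likelihood x impact matrix (thresholds assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1-5 scale")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def check_map(assets, flows):
    """Cross-check the network map against the inventory; return human-readable findings."""
    names = {a.name for a in assets}
    findings = []
    for f in flows:
        for end in (f.src, f.dst):
            if end not in names:
                findings.append(f"flow {f.src}->{f.dst}: endpoint '{end}' is missing from the asset inventory")
        if f.carries_ephi and not f.encrypted_in_transit:
            findings.append(f"flow {f.src}->{f.dst}: ePHI in transit without encryption")
    for a in assets:
        if a.stores_ephi and not a.encrypted_at_rest:
            findings.append(f"asset {a.name}: stores ePHI without encryption at rest")
    return findings


def assess(assets, flows, threats):
    """Build the written-assessment data: map findings plus threats ranked by risk score."""
    names = {a.name for a in assets}
    for t in threats:
        if t.asset not in names:
            raise ValueError(f"threat '{t.description}' references unknown asset '{t.asset}'")
    risks = sorted(
        ({"threat": t.description, "asset": t.asset,
          "score": t.likelihood * t.impact,
          "level": risk_level(t.likelihood, t.impact)} for t in threats),
        key=lambda r: r["score"], reverse=True)
    return {"map_findings": check_map(assets, flows), "risks": risks}


def sample_inventory():
    """Constructed sample data: three assets, three flows, three threats."""
    assets = [
        Asset("ehr-db", stores_ephi=True, encrypted_at_rest=True),
        Asset("mail-gw", stores_ephi=False, encrypted_at_rest=False),
        Asset("fax-archive", stores_ephi=True, encrypted_at_rest=False),
    ]
    flows = [
        Flow("ehr-db", "mail-gw", carries_ephi=True, encrypted_in_transit=True),
        Flow("mail-gw", "partner-sftp", carries_ephi=True, encrypted_in_transit=True),  # not inventoried
        Flow("fax-archive", "ehr-db", carries_ephi=True, encrypted_in_transit=False),
    ]
    threats = [
        Threat("ransomware encrypts database", "ehr-db", likelihood=4, impact=5),
        Threat("phishing compromises gateway account", "mail-gw", likelihood=3, impact=3),
        Threat("physical theft of archive server", "fax-archive", likelihood=1, impact=4),
    ]
    return assets, flows, threats


if __name__ == "__main__":
    report = assess(*sample_inventory())
    for line in report["map_findings"]:
        print("FINDING:", line)
    for r in report["risks"]:
        print(f"{r['level']:6} {r['score']:2}  {r['threat']} ({r['asset']})")
```

Run as a script it prints three map findings (the uninventoried `partner-sftp` endpoint, the unencrypted fax-to-EHR flow, and the unencrypted archive) followed by the threats ranked high, medium, low. Keeping the inventory and map as data that a script can cross-check is what makes the annual review and the "re-assess whenever infrastructure changes" trigger cheap to repeat.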

2. Improved Incident Response and Reporting

Regardless of how vigilant healthcare organizations are in implementing mitigations against cyber threats, the breadth and depth of malicious actors’ arsenals make security incidents almost inevitable. Consequently, under the proposed rulemaking, organizations must maintain updated and more comprehensive incident response plans that enable the rapid identification and containment of security breaches, covering:

  • Identifying a threat
  • Containing the threat
  • Mitigating or remediating the threat
  • Recovering from the event
  • Learning from the breach and strengthening your security surrounding ePHI accordingly

3. Regular Testing of Security Measures

To ensure continued HIPAA compliance and protect ePHI from new threats, organizations will need to regularly test and evaluate their cybersecurity measures. This not only aligns with the requirement to carry out periodic risk assessments but also shortens the window (the time between tests) in which a weakness can go unnoticed and be exploited.

You can read the full details of the HHS announcement of the new HIPAA security notice for ePHI here.

The Implications of the New HIPAA Security Rules for ePHI

One of the core implications of the NPRM is that OCR is removing the distinction between “required” and “addressable” implementation specifications, making them all required, aside from a few specific, limited exceptions.

To maintain HIPAA compliance, healthcare organizations will have to, at the very least, conduct fresh risk assessments to determine whether their current IT infrastructure meets the standards of the proposed rule. In most cases, organizations will also have to invest in additional infrastructure, digital solutions, and training (possibly including additional skilled personnel) to enhance their cybersecurity posture.

Naturally, healthcare organizations will incur additional costs, in money, technology, and staff time, to bring their cybersecurity posture in line with the NPRM. However, these costs pale in comparison to those associated with non-compliance, which include financial penalties and lost trust from patients and customers.

How LuxSci Can Help Prepare Your Organization for the New HIPAA Security Notice for ePHI

With over 25 years of experience in delivering best-in-class secure healthcare communication solutions, LuxSci is a trusted partner for organizations looking to best navigate the often complex HIPAA compliance landscape. Our suite of HIPAA-compliant solutions includes:

  • Secure Email: Automated encryption for secure communication with patients and customers – including ePHI.
  • Secure Forms: Tools for securely collecting and storing ePHI, so you can gather data and speed up workflows without compromising security.
  • Secure Marketing: Advanced features for creating engaging, HIPAA-compliant email marketing campaigns with 95% deliverability and trigger automation to improve engagement.
  • Secure Text Messaging: Connect with patients and customers over text message with secure access to ePHI and sensitive data.

Our solutions are not only fully HIPAA compliant but also highly scalable (millions of emails per month) and can be tailored to meet your organization’s specific encryption needs, volume requirements, and patient engagement objectives.

Real-World Examples: LuxSci in Action

Here are a few specific examples of how LuxSci’s suite of HIPAA-compliant solutions can help you achieve your outreach and marketing goals while keeping ePHI secure.

Case Study 1

Challenge: A leading nationwide healthcare EHR system provider needed secure, HIPAA-compliant email to support its growth in communications volume and broadening customer base, including support for high volumes of time-sensitive emails containing ePHI sent on behalf of its customers.

Solution: LuxSci HIPAA-compliant email for patient and customer outreach with multiple sending priorities for improved experiences. Automatic encryption for every email sent, with a 97% deliverability rate, and support for tens of millions of secure emails per month.

Case Study 2

Challenge: A healthcare supplier required a scalable, HIPAA-compliant email system to send millions of transactional emails containing sensitive data.

Solution: LuxSci implemented its Secure High Volume Email solution, which enabled the supplier to send encrypted emails securely, achieve a 99% deliverability rate, and scale operations while addressing their security and compliance concerns.

Case Study 3

Challenge: A multi-location healthcare provider faced challenges with securely collecting patient intake forms that often contained sensitive ePHI. Paper-based processes, meanwhile, were inefficient, error-prone, wasteful, and, above all, a significant security risk.

Solution: LuxSci introduced its Secure Forms solution, enabling the provider to digitize patient intake processes with HIPAA-compliant online forms. Patients could securely submit forms from any device, with the system automatically encrypting and securely storing the data. This not only improved efficiency and reduced manual work, but also reduced security risks and compliance concerns.

Why Partner with LuxSci?

Rather than being just another regulatory overhead, the newly proposed rulemaking presents an opportunity to strengthen your cybersecurity defenses and better safeguard the ePHI held by your organization.

We’ll keep a close eye on the NPRM as it progresses and continue to share insights and advice on the new HIPAA security rules for ePHI. LuxSci is here to help you interpret the NPRM, implement the necessary enhancements to your IT ecosystem, and stay on the right side of HIPAA’s regulatory requirements.

Contact us today to schedule a consultation with our experts, who can help address any of your concerns about the new HIPAA security notice for ePHI and guide you towards a solution that will best enable you to protect your sensitive patient and customer data – and securely grow your business.