Table of Contents
HIPAA compliance is a federal law that was enforced by the Office of Civil Rights of the U.S. Department (HHS). The idea behind it was to protect the privacy and security of health data. The law was passed in 1996 under the technological advancements that persisted during that time frame. It was finalized in 2003 to establish national standards for physical, administrative, and technical safeguards for the safety and confidentiality of the information.
The HIPAA Security Rule ensures the protection of a patient’s protected health information (ePHI) by physicians, which is electronically stored. With the rapid evolution of technology, there has been an emergence of a vast number of cyber threats. The Security Rule mentions device and media controls which were existent during the time the rule was framed. These policies and procedures, however, lag mostly in technological updates, thereby failing to meet its purpose.
Addressed terms that have turned vague with time
The HIPAA Security rule addresses “device and media controls” but does not mention anything about mobile devices or electronic systems. Over time, mobile phones and other devices have come into view and have become apart of our daily lives. These types of cyber threats and security breaches have entirely changed with time and are not mentioned in the compliance.
It mentions login monitoring while the entire systems and sub-systems have turned into a client-server base. It was suitable for a time when the systems required mainframes, but as of now, it is irrelevant. Similarly, it mentions the mandating of integrity controls in the era of reliable protocol transmissions. All of these addressed terms do not fit into the current scenario and make these policies unclear and irrelevant.
Why It’s Time To Update The HIPAA Security Rule
The HIPAA security rule needs to recognize modern technology and best practices.
The HIPAA Security Rule only covers electronic PHI rather than the modern tools and devices that are widely in use these days. The world today is switching to newer and more advanced technologies such as cloud-based and client-server-based technologies—also, new threats are emerging each day. Therefore, HIPAA must update its rule from time to time to keep up with the pace of technological advancements. It should address cyber-threats and security issues that currently dominate and wreak havoc in the industry.
The HIPAA security rule should be made flexible and adaptable to meet the purpose it was initially framed for. It must recognize the best practices for HIPAA security, such as:
- Doing a PHI Inventory
- Conducting a complete HIPAA security evaluation
- Conducting of HIPAA risk analysis
- Enforcing a mitigation plan
- Creating an Incident Response Plan and updating it regularly
These can assure meeting the required security procedures to implement a secure, compatible, and updated Security Rule.
Why It's Time To Update The HIPAA Security Rule
HIPAA security rule needs clarity about risk analysis, policies, and incidents
While the current HIPAA security is vague and irrelevant in particular areas, it also requires proper clarification in risk analysis, policies, and incidents. Implying security controls that meet the modern requirements by addressing them clearly can help make it better.
Risk Analysis: With a coexisting reference of “risk analysis” with “risk assessment” as mentioned by NIST, there is a constant confusion regarding this term. Therefore, the HIPAA Security Rule should say clearly about the number of analyses and tests that should be conducted on the systems and structures where the ePHI data is stored.
Policies: This term has different interpretations. Many understand policies as mere documents defining management’s demands to technical settings or controls. Thus, the HIPAA Security Rule needs to identify the relevant definition, or an Active Directory to make it more transparent and more predictable.
Incidents: The HIPAA security rule addresses events and requirements that were applicable and necessary during 1998. IT needs to upgrade and be realistic enough to meet current demands. Therefore, it should be able to determine the occurrence of any phishing or ransomware breaching taking place.
Why It's Time To Update The HIPAA Security Rule
