The AAMC submitted March 7 comments in response to proposals from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to strengthen the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA, P.L. 104-191) [refer to Washington Highlights, Jan. 10]. The HIPAA Security Rule, last updated in 2013, establishes policies and procedures that HIPAA-covered entities and business associates must have in place to protect electronic protected health information (ePHI).
The OCR proposed these new updates, citing the need to improve cybersecurity protections in the health care sector in response to the increase in high-profile cyberattacks. Emphasizing the inordinate burden and costs associated with the proposals, the AAMC urged the OCR to withdraw the proposed rule and convene a broad group of stakeholders to provide input on updating the Security Rule in a less burdensome manner. The AAMC provided detailed comments on provisions of the proposed rule, including allowing for increased compliance timelines and providing flexibility for regulated entities to adopt security practices in line with their risk analyses. The provisions of the rule, if finalized, would take effect 240 days from the publication of a final rule.