01/10/2025 | Press release | Archived content
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Jan. 6 published a proposed rule intended to strengthen the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA, P.L. 104-191) to improve cybersecurity protections in the health care sector in response to high-profile cyberattacks in 2024 [refer to Washington Highlights, May 3, 2024]. The proposals include requiring HIPAA-covered entities and business associates to encrypt electronic protected health information with limited exception, implement multifactor authentication with limited exception, and establish written procedures to restore certain electronic information systems and data within 72 hours of a cyberattack, among other updates to the Security Rule. The HHS OCR issued a fact sheet with the proposed rule. Comments are due March 7.