
Perceived industry compliance failures prompt stringent proposed HIPAA Security Rule

In an era where cyberattacks on the health care industry have become alarmingly frequent and catastrophic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has taken a bold step forward. The recently issued Notice of Proposed Rulemaking (NPRM) is OCR’s direct response to the escalation of cyber threats and harm paired with perceived pervasive noncompliance with the HIPAA Security Rule across the health care sector. The NPRM introduces many detailed security requirements that far surpass all previous legal mandates from OCR and may set the highest bar in the United States for securing electronic data.

The proposed amendments are not merely incremental updates; they represent a seismic shift in the regulatory landscape. If these changes are finalized as drafted, compliance for many HIPAA-regulated organizations will be a resource-intensive endeavor and may be operationally impossible in such an interconnected industry with a wide range in the sophistication level of stakeholders. In this client alert, we detail what HIPAA-regulated organizations can expect if the rule is finalized later this year.

Reed Smith will continue to follow developments related to the HIPAA Security Rule. If you have any questions about this rule or would like to submit a comment on it, please do not hesitate to reach out to the authors of this post or to your health care attorneys at Reed Smith.
