HHS, NIST conference: OCR identifies top priority areas

Updating the HIPAA Security Rule is one of OCR's current top priorities, OCR Director Melanie Fontes Rainer said during an HHS/NIST conference on safeguarding health information.

Updating the HIPAA Security Rule, investigating HIPAA complaints and engaging more with the industry on healthcare cybersecurity are three current priority areas for the HHS Office for Civil Rights, OCR Director Melanie Fontes Rainer said during an Oct. 24, 2024 keynote session at the Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference, held in Washington.

The conference, hosted by OCR and the National Institute of Standards and Technology (NIST) Information Technology Laboratory, explored the evolving cyberthreat landscape in healthcare and shed light on how government agencies are working to align resources and priorities to help the sector improve its cybersecurity efforts.

HIPAA Security Rule updates are underway

Most notably, Fontes Rainer highlighted upcoming updates to the HIPAA Security Rule, which OCR submitted to the Office of Management and Budget at the White House in October 2024. The draft is not yet public, but the changes are expected to be significant.

"The HIPAA Security Rule will be updated for the first time in nearly 20 years -- substantive updates. We expect that process to be robust," Fontes Rainer said during the keynote session. "We are looking forward to the opportunity to engage with folks on that through the public comment process."

OCR's investigations into HIPAA-related complaints and healthcare data breaches continue to inform its rulemaking process as well.

"We have all this enforcement experience now -- we know things like risk analysis need more framing on to help covered entities," Fontes Rainer said. "We know some of the technologies are changing. We have a lot of experience now to write a stronger rule to help make sure that our healthcare sector is more secure."

The proposed updates have been anticipated since HHS released a concept paper in December 2023, in which it stated that it would update the HIPAA Security Rule in 2024 to include new cybersecurity requirements. The updated rule is expected to be published in December 2024.

OCR cracks down on risk analysis deficiencies

In addition to its focus on updating the HIPAA Security Rule, OCR officials emphasized the office's continued efforts to investigate HIPAA complaints and follow up on data breach notifications.

In 2024, OCR reached numerous settlements, levied enforcement actions and imposed civil monetary penalties against healthcare organizations, revealing recurring HIPAA compliance issues, such as right of access violations or a lack of business associate agreements.

Risk analysis, or lack thereof, remains a consistent issue, Fontes Rainer noted. In response to this trend, OCR launched a risk analysis enforcement initiative to bring more attention to this systemic issue.

"If you look at our press releases of our enforcement over the last year, really over the last decade, continually, there is a trend of covered entities -- whether to health plan providers, clearinghouses, whether they're small, medium, large -- not having a risk analysis or having an insufficient risk analysis or having a risk analysis and not using it," Fontes Rainer told TechTarget Editorial in a press conference. "And the idea is that we're drawing more attention to it."

Tim Noonan, deputy director at OCR, added that the risk analysis enforcement initiative can be likened to the HIPAA right of access initiative, which focuses on ensuring that patients have timely access to their medical records.

"We recently completed 50 enforcement actions under the right of access initiative and we started that initiative because right of access is one of the largest sources of complaints that we see. We try to be a data-centric entity and respond to real-time problems," Noonan said.

"Risk analysis is a big problem, and so it's the same idea. We're going to focus certain investigations on risk analysis to get more completed enforcement actions out there and draw more attention to the real need to fix that."

Although OCR continues to focus on enforcement, Fontes Rainer pointed out during the keynote session that the majority of cases that come through her office end in technical assistance rather than an enforcement action.

"And my point in telling you this is that we are not your enemy. We are a partner. We want to work with you," Fontes Rainer told the audience.

"We also want you to follow the law, the things that we're flagging matter and they're important, and we want to make sure that we're giving you as many tools as possible to do that together."

Enhancing OCR's engagement with the healthcare sector

The third key priority area for OCR is engaging more with the healthcare industry on healthcare cybersecurity, Fontes Rainer said.

OCR remains a small office within HHS, despite its wide enforcement scope.

"That means that we have to be very strategic in how we engage with the community, and it's also to everyone in this room and across the country's value that we work together on these things because we need to work together to drive compliance in this space," Fontes Rainer said.

"It serves no one if an emergency department goes offline, it serves no one to have a healthcare system unable to serve patients. And so we need to be able to work on these things together."

Fontes Rainer pointed to the office's increasing regional presence, as well as regional webinars, additional newsletters and informational YouTube videos that show OCR's efforts to reach more covered entities.

Healthcare cybersecurity risks and threats are continuing to grow, as exemplified by the growing number of large breaches reported to OCR year after year. For example, in 2023, upwards of 160 million individuals were affected by healthcare data breaches, according to OCR data displayed at the conference. In 2024, the Change Healthcare cyberattack alone resulted in a breach that affected 100,000,000 individuals and counting.

OCR's focus areas will likely continue to evolve as the threat landscape shifts, but covered entities can continue reducing risk by following security best practices and preparing for an update to the HIPAA Security Rule.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.