The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has issued a proposed rule to improve cybersecurity and better protect the U.S. health care system from an increasing number of cyberattacks. The AASM submitted comments on the proposed rule, highlighting two key concerns that need to be addressed to ensure the feasibility of these changes for providers.
Financial Burden of Implementation
Multi-factor authentication, encryption of all electronic protected health information, and comprehensive risk analyses will require substantial investments in technology and staff training, which will significantly impact providers, particularly those in small and rural practices.
Compliance Timeline Challenges
The proposed 180-day compliance timeline from the effective date of the final rule will be extremely difficult for small and mid-sized practices with limited information technology resources. To facilitate a smoother transition, AASM recommends that HHS extend the compliance period or introduce a phased implementation approach allowing providers to adopt the necessary security measures without disrupting patient care.
For more information, read the HHS fact sheet, “HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information.” Members may send questions regarding the HIPAA security proposed rule to coding@aasm.org.