EPIC Encourages HHS to Promulgate Updated Cybersecurity Requirements to Protect Electronic Personal Health Information

EPIC submitted comments to the Department of Health and Human Services (HHS) in its Notice of Proposed Rulemaking to update the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (ePHI).

HHS has proposed updated cybersecurity requirements for HIPAA-regulated entities to keep pace with modern technologies like telehealth, online appointment booking, and the uniquity of digital health records. Some of the proposed requirements include basic security measures like multifactor authentication, network segmentation, encryption, reviewing and testing security measures, and contingency planning. The drastic increase in data security incidents like cyberattacks, unauthorized disclosure, and breaches of sensitive health information leads to significant harms to patients. EPIC commends the agency for attempting to update HIPAA to protect patient health information as intended.

EPIC regularly advocates for strong cybersecurity protections to protect data privacy and pushes to protect sensitive health information from unauthorized access.