The Prescription for Cyber Resiliency in Healthcare

New HIPAA regulations aim to speed recovery of essential systems, electronic records.

By Cailin Pitcher | March 3, 2025

It’s been nearly 30 years since the Health Insurance Portability and Accountability Act went into effect. Among other provisions, it protects patients by preventing disclosure of private health information without their consent. Over the years, the act has been updated and amended in response to changing technologies and related healthcare legislation and policy.

Last year, the U.S. Department of Health and Human Services (HHS) proposed significant amendments to the HIPAA Security Rule to enhance the cybersecurity of electronic health records (EHR). The newest modifications were created in response to increased electronic record keeping and transfer, an increased number and severity of security breaches, and other cybersecurity practices and enforcement issues that have changed or arisen since the rule was last updated in 2013.

A key component of this proposal mandates that covered entities establish written procedures to restore critical electronic information systems and data within 72 hours of a loss. This requirement aims to enable healthcare organizations to promptly recover essential systems and data after a security incident, thereby minimizing disruptions to patient care and maintaining the confidentiality, integrity, and availability of EHR.

Read more about how Commvault can be used to rapidly recover EHR, including in Epic and Meditech environments.

HIPAA Enforcement

HIPAA enforcement falls under the Office for Civil Rights (OCR) within HHS. The OCR is responsible for making sure that healthcare providers, health plans, clearinghouses, and their business associates comply with the HIPAA Privacy, Security, and Breach Notification Rules.

In recent years, OCR has prioritized financial penalties for violations, particularly those related to the HIPAA Security Rule.
In 2024, OCR reported that HIPAA enforcement was at near-record levels, with $9.9 million collected, including one $4.75 million settlement for multiple Security Rule violations. However, while the number of enforcement actions has increased, the average penalty amount has decreased due to a reinterpretation of penalty tiers under the HITECH Act.

Key Enforcement Mechanisms for New Mandates

With new HIPAA Security Rule mandates on the horizon, OCR will enforce compliance through a mix of education, audits, investigations, and penalties. Below is a detailed breakdown of how these enforcement mechanisms work.

1. Education & guidance (early-stage enforcement)

OCR provides guidance, training, and best practices to help covered entities and business associates comply with HIPAA regulations. This includes:

- Updated FAQs, training programs, and online resources.
- Collaboration with industry groups to clarify how the new security mandates should be implemented.
- Technical guidance on risk analysis and management (an area of frequent non-compliance).

This stage allows organizations to update their security programs, risk management policies, and workforce training before strict enforcement begins.

2. Compliance investigations & breach reporting

OCR investigates compliance in response to:

- Complaints: Individuals can report HIPAA violations, triggering OCR investigations.
- Breach reports: Any breach involving 500 or more records must be reported to OCR, which then investigates whether non-compliance contributed to the breach.

Given the rise in hacking incidents, OCR has been focusing on cybersecurity preparedness, requiring stronger risk analysis and system monitoring by healthcare organizations.

3. HIPAA audits & risk analysis focus

OCR has emphasized risk analysis as a top enforcement priority due to widespread non-compliance. In the 2016–2017 HIPAA audits, most organizations failed to conduct a comprehensive risk analysis or update it regularly.
In 2024, 14 out of 22 OCR enforcement actions were for HIPAA Security Rule violations, with risk analysis failures being the most common issue. OCR intends to relaunch compliance audits (although budget constraints may delay this initiative). Expect stricter scrutiny on how organizations assess and mitigate risks to ePHI.

4. Financial penalties & corrective action plans (CAPs)

OCR can issue penalties for non-compliance, with fines ranging from thousands to millions of dollars based on:

- Negligence or willful neglect
- Failure to correct violations after notification
- Number of individuals affected

Since HIPAA fines have decreased significantly (from an average of $2.6 million in 2018 to about $450,000 in 2024), OCR has sought alternative enforcement strategies, such as CAPs requiring organizations to improve security measures within a set timeframe and stricter state-level enforcement.

What This Means for Your Organization

With OCR prioritizing risk analysis enforcement, these steps can help you comply with the proposed updates:

- Regularly update risk assessments and cover all ePHI systems.
- Implement stronger cybersecurity measures (e.g., encryption, multi-factor authentication, and continuous monitoring).
- Train employees on HIPAA compliance and breach response protocols.
- Provide timely breach notifications with accurate content.
- Maintain documentation proving compliance efforts.

State-Level Enforcement & Legal Action

State attorneys general can independently enforce HIPAA and impose penalties for violations. California’s largest 2024 penalty ($6.75M) targeted a cloud storage provider for mishandling patient data security. With states passing additional cybersecurity laws (e.g., New York’s hospital cybersecurity mandates), expect HIPAA enforcement to expand beyond OCR oversight.

Final Thoughts: Challenges Ahead

Despite increases in both reports of breaches and HIPAA complaints, OCR appears unlikely to receive the increased funding it says it needs to ramp up enforcement.
It remains unclear how the agency will be impacted by ongoing budget cuts from the Department of Government Efficiency, and how the new administration will proceed after public comment on the proposed changes closes on March 7.

Whether or not the new HIPAA Security mandates take effect this year, organizations would benefit from proactively strengthening their cybersecurity measures, risk analysis, disaster recovery strategies, and compliance training. By managing these issues, healthcare entities can help avoid potential penalties, reduce breach risks, and protect patient data effectively.

Learn more about how Commvault can aid your organization in its compliance efforts.