HIPAA Security Rule updates: What it means for small healthcare practices

Get ahead of the HIPAA Security Rule updates! This non-intimidating guide is for small healthcare practices looking for an actionable plan.


Estimated reading time: 10 minutes

In early 2024, the HHS released the Cybersecurity Performance Goals (CPGs) as part of a plan to update the HIPAA Security Rule.

Many small healthcare practices may need help preparing for the upcoming changes to the HIPAA Security Rule. If your practice falls into this category or you've been caught off guard by this update, this guide is for you.

Table of Contents

  1. Quick recap: What’s the HIPAA Security Rule?
  2. What are the Cybersecurity Performance Goals?
    1. Why should your small practice care about these goals?
  3. Getting started with the Essential Goals: the foundation of your practice's online security
    1. Fix the weak spots in your practice's computer systems (Mitigate known vulnerabilities)
    2. Ensure your emails are safe from falling into the wrong hands (Email security)
    3. Add an extra layer of security beyond just a password (Multi-factor authentication)
    4. Learn the basics of how to stay safe online (Basic cybersecurity training)
    5. Use encryption to keep sensitive information private and secure when sent or stored (Use strong encryption)
    6. Remove access for people who leave your practice (Revoke credentials for departing workforce members)
    7. Have a plan for what to do if something goes wrong (Basic incident planning and preparedness)
    8. Create unique logins for you and each staff member (Use unique credentials)
    9. Keep regular accounts separate from accounts with special access rights (Separate user and privileged accounts)
    10. Make sure that the companies you work with also have good online practices (Vendor/supplier cybersecurity requirements)
  4. Looking ahead: Enhanced Goals
  5. Do you really need to comply with the Essential Goals?
  6. Be proactive and get ready for the upcoming HIPAA Security Rule changes

Quick recap: What’s the HIPAA Security Rule?

HIPAA rules have two main categories — the HIPAA Privacy Rule and the HIPAA Security Rule.

While the HIPAA Privacy Rule covers protected health information (PHI), the HIPAA Security Rule only covers electronic protected health information (ePHI). It applies to information stored on computers, sent over the internet, or stored on devices like phones or tablets.

The HIPAA Security Rule requires practices to have certain administrative, physical, and technical safeguards in place to protect ePHI from leaks, breaches, cybercrime, and other online threats.

👉 Recommended reading: Privacy vs. security

What are the Cybersecurity Performance Goals?

In December 2023, the Department of Health and Human Services (HHS) released a document highlighting the growing need for stronger online security measures in the healthcare industry. Then, in early 2024, they introduced the Cybersecurity Performance Goals (CPGs) as part of their plans to update the HIPAA Security Rule.

Think of these goals as a practical checklist to safeguard your practice and clients' information. It's like ensuring you've locked the doors and windows of your digital office.

These goals come in two levels:

  • Essential Goals: These are the basics you (and everyone) should do, like keeping your software up-to-date. These goals are flexible and adaptable, so they can be used by healthcare organizations of all sizes, even for solo practices. We'll dive deeper into these goals later in this guide.
  • Enhanced Goals: These are the extra steps you can take for even more protection. While not mandatory yet, these are practices that the HHS recommends so you'll stay ahead of the curve. These goals are most relevant for big healthcare organizations with a large number of computers and multiple locations.

Why should your small practice care about these goals?

Following these goals not only protects your practice from problems like hackers stealing information but also helps you avoid serious HIPAA breaches and the HIPAA Wall of Shame.

HHS also sees these goals as a stepping stone toward stronger security measures in the future, and has signaled its intent to make them part of the HIPAA Security Rule down the line.

For these reasons, getting a head start is a sensible move for small healthcare practices. By doing so, you're not only protecting your practice today but also preparing for what's to come.

Getting started with the Essential Goals: the foundation of your practice's online security

You might see terms like "mitigating vulnerabilities" or "multi-factor authentication" if you look up the Essential Goals online. Don't worry; it's just jargon for things you're probably already familiar with. Consider these goals as the foundation for protecting your practice online.

We'll examine each goal in the "Essential" list more closely and help you develop an action plan.

Cybersecurity Performance Goals (CPGs) - Essential Goals

1. Fix the weak spots in your practice's computer systems (Mitigate known vulnerabilities).

Keep your computer and software updated to prevent hackers from breaking in and stealing information.

Your action plan

  • Ensure your computer, phone, and any software you use for your practice are always running the latest versions.
  • Use strong passwords and a reliable password manager.
  • Use antivirus and anti-malware software to scan for and remove threats.
  • Fix any problems or threats found during check-ups immediately.
  • If you or your staff work remotely, avoid connecting to public WiFi.
  • Get help if you need it. If you're unsure how to update your computer or install software, ask a trusted tech-savvy friend or consider hiring a professional.

👉 Recommended reading: Do you know what to do if you have a data breach?

2. Ensure your emails are safe from falling into the wrong hands (Email security).


For this goal, take steps to protect your practice’s email from hackers and breaches.

Your action plan

  • Choose a HIPAA-compliant email service, like Hushmail for Healthcare, with encryption to protect your clients' information.
  • Be cautious of attachments. Avoid opening suspicious attachments or clicking on links from unknown senders.
  • Ensure everyone in your practice understands the importance of email security and knows how to spot potential threats.

👉 Recommended reading: A non-intimidating guide to HIPAA-compliant email for therapists

3. Add an extra layer of security beyond just a password (Multi-factor authentication).

Multi-factor authentication (MFA), sometimes called two-step verification, is like having a second lock on your door—even if someone gets your key (password), they still can't get in without a second code.

For the delivery method, you usually get options like a text message, an app on your phone, or a physical security key. This step adds an extra layer of protection to your accounts.

Your action plan

  • Enable MFA for your email, telehealth platform, and any other important accounts where it is available.

👉 Recommended reading: Why you should turn two-step verification on today (plus steps on how to set it up in Hushmail)

4. Learn the basics of how to stay safe online (Basic cybersecurity training).

Even if it's just you in your practice, staying informed about what you can do to stay safe online should be a priority.

Your action plan

  • Look out for red flags like suspicious emails, unexpected attachments, or requests for sensitive information.
  • Be careful with what you click or download. Don't open emails or attachments from unknown senders, and be wary of clicking on links in emails.
  • Schedule short, monthly training sessions about basic online security practices for yourself and any staff, if applicable.

👉 Recommended reading: 4 security measures you might not be taking in your practice, but maybe you should

5. Use encryption to keep sensitive information private and secure when it's being sent or stored (Use strong encryption).


Encryption is like putting your client's information in a safe. Only those with the right combination (or key) can access it.

Your action plan

  • Use a HIPAA-compliant email service that allows you to encrypt your messages. If you use Hushmail, everyone in your practice gets a secure email account with built-in encryption.
  • Turn on Touch ID or Face ID if your device has it.
  • Look for an option like "Encrypt phone" or "Encrypt device" in your phone's security settings. When backing up your iPhone, check the "Encrypt local backup" option.
  • Set a strong password, PIN, or pattern. Also, enable automatic screen locking.
  • If you use cloud storage (like Google Drive), ensure it offers encryption. Most do, but double-check to be safe.
  • Use secure web forms like Hush™ Secure Forms.

👉 Recommended reading: How Hush™ Secure Forms can be a HIPAA-compliant substitute for fax

6. Remove access for people who leave your practice (Revoke credentials for departing workforce members).

When someone leaves your practice (employee, contractor, etc.), immediately remove their access to your computer systems, email, and other practice resources.

Your action plan

  • Identify all places they had access to.
  • Disable their accounts.
  • Change passwords for any shared accounts or those the employee knew.
  • Collect any company-issued devices like laptops, phones, or ID badges.
  • If applicable, notify relevant external parties (e.g., IT vendors) of the departure.
  • Don't forget to document all the steps you've taken. Keep records of all actions, including dates and times, to ensure compliance and security.

7. Have a plan for what to do if something goes wrong (Basic incident planning and preparedness).

Ensure your practice can quickly and effectively respond to, fix, and recover from breaches or attacks.

Your action plan

  • Identify risks by brainstorming potential incidents (data breaches, natural disasters, etc.).
  • Develop step-by-step instructions for each type of incident, including who to contact and what to do.
  • Review and practice your plan regularly with staff to ensure everyone knows their role.
  • Keep detailed records of any incidents and use them to improve your plan.

👉 Recommended reading: How to do your HIPAA risk assessment (with template)


8. Create unique logins for you and each staff member (Use unique credentials).

If you have staff in your practice, use unique logins for each member to make it easier to detect any unusual activity.

Your action plan

  • Avoid shared accounts. Ensure each staff member has a unique username and strong password.
  • Create distinct user accounts and permissions for computers, email, cloud storage, and your EHR.
  • Grant each user only the minimum access they need to do their job. This limits the potential damage if an account is compromised.
  • Enforce complex passwords and consider a password manager to help staff securely manage them.
  • Check user accounts and permissions regularly to remove unused or unnecessary access.

9. Keep regular accounts separate from accounts with special access rights (Separate user and privileged accounts).

For this goal, keep accounts with elevated privileges (such as administrator accounts) separate from the regular accounts used for day-to-day work, so that a compromised everyday account doesn't hand a hacker administrative control of your systems.

Your action plan

  • Identify privileged accounts: Determine which accounts require elevated access to sensitive data or settings (e.g., IT admin, billing manager).
  • Create separate accounts: Ensure these privileged users have two accounts:
    • A regular user account for daily tasks like email.
    • A separate privileged account used only for administrative tasks.
  • Limit privileged use: Encourage staff to use their regular accounts for most tasks and only log into privileged accounts when absolutely necessary. This minimizes the risk of accidental misuse or unauthorized access.

10. Make sure that the companies you work with also have good online practices (Vendor/supplier cybersecurity requirements).

For this last essential goal, determine and address any risks from the companies or services (vendors) your practice uses.

Your action plan

  • Ensure contracts with companies or businesses you work with include rules for keeping computer systems and information safe. The contract should also outline their responsibilities for protecting your data. If a company or business could have access to your clients' protected health information (PHI), they must also sign a Business Associate Agreement (BAA).
  • Assess the risk each vendor poses to your practice's data. Prioritize vendors with access to the most sensitive information.
  • Research vendors' online security practices before signing contracts. Ask for proof of security compliance, certifications, or audits.


In summary, implementing these essential goals will establish a strong foundation for protecting your practice's sensitive data.

Looking ahead: Enhanced Goals

As your healthcare practice grows or if you have additional resources to invest in online security, consider implementing the Enhanced Goals below. These goals are tailored toward larger or more complex healthcare organizations with extensive networks and systems.

Let's take a quick look at them below to give you an idea:

  • Asset inventory: Keep a detailed record of all your hardware and software.
  • Third-party vulnerability disclosure: Establish processes to promptly learn about and respond to known vulnerabilities in third-party software and systems.
  • Third-party incident reporting: Establish processes to promptly learn about and respond to security incidents or breaches in third-party software and systems.
  • Cybersecurity testing: Regularly test your systems for vulnerabilities.
  • Cybersecurity mitigation: Have plans and processes to reduce the impact of security incidents.
  • Threat detection and response: Actively monitor for threats and have a plan to respond quickly.
  • Network segmentation: Divide your network into smaller parts to limit damage from a breach.
  • Centralized log collection: Collect and analyze logs from different systems to spot suspicious activity.
  • Centralized incident planning and preparedness: Have a coordinated plan for dealing with security incidents.
  • Configuration management: Manage and control changes to your systems to minimize risk.

While many of these enhanced goals may not apply to a small practice today, it's valuable to be aware of them as your practice grows.

If you think implementing some of these enhanced goals might benefit your practice, you can explore them in detail on the HHS website's guided tour of the CPGs.

Do you really need to comply with the Essential Goals?

The HHS has strongly indicated its intent to incorporate the Essential Goals when creating new rules in the future. This means that these guidelines will likely become healthcare practice requirements and might be part of the next HIPAA Security Rule updates.

It's a smart move to start working on these guidelines now, even before they become official rules. This way, you'll be ahead of the game and ready to meet any new requirements when they come out.

Remember, these guidelines are designed to protect your clients’ information and your practice from online threats. Taking steps now is a proactive way to ensure the safety and security of your practice.

Also, if you have an issue, following the guidelines will allow you to show HHS that you took steps to protect your clients’ information.

Be proactive and get ready for the upcoming HIPAA Security Rule changes

The newly released CPGs provide a practical roadmap for adhering to the HIPAA Security Rule, and there's no better time than now to strengthen your practice's online security.

Remember that these goals complement, not replace, the existing HIPAA Security Rule requirements, which include ongoing risk assessments for any system handling electronic protected health information (ePHI).

Don't feel overwhelmed by these changes. No matter how small, every step you take brings you closer to protecting your practice and your clients' data.

Ready to take the next step?

Consider a HIPAA-compliant email provider like Hushmail for Healthcare. We can help you address many Essential Goals, such as email security, encryption, and strong authentication. With Hushmail, you can assure your clients their information is safe and secure.

Learn more about Hushmail for Healthcare
