
A newly proposed cybersecurity regulation could make it untenable for physicians to safeguard electronic protected health information (ePHI), the Texas Medical Association recently warned the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services.
The proposal recommends sweeping, significant revisions to established definitions, language, and standards for ePHI, citing a changing health care landscape and a worrisome increase in cyberattacks affecting patient information. A few of the many proposed changes would require:
- Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
- Network segmentation; and
- Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
TMA understands the importance of appropriate security measures, policies, and procedures to protect ePHI, and realizes that physicians must take steps to proactively guard against bad actors who want to infiltrate their electronic health tools. However, the association sees the proposed measures as an overreach of existing policy and disagrees with OCR’s projection that the cost of implementation will not negatively affect physician finances.
“What OCR is proposing goes far beyond what the law has required since Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA, in 1996, and would add significant administrative and financial burden to medical practices,” said Joseph H. Schneider, MD, member of TMA’s Committee on Health Information Technology.
Such burden would further degrade the viability of independent physician practices, especially those providing care to rural and under-served populations.
Many existing resources can teach physicians to implement good cybersecurity policies and practices. TMA therefore recommends that OCR rely on existing resources, such as the tools and requirements of the Assistant Secretary for Technology Policy and the Centers for Medicare & Medicaid Services, rather than adding layers of administrative work without guaranteed success.
TMA will continue to monitor whether the proposed federal cybersecurity rule is implemented and what physicians need to do to comply. Read Texas Medicine Today for updates.
Last Updated On: March 18, 2025
Originally Published On: March 18, 2025