HIPAA Enforcement is Changing. Providers Must Too.

by Cam Roberson, VP at Beachhead Solutions 12/20/2023 Leave a Comment


Healthcare delivery organizations and those working with them that are still in business are either well aware of their duties under HIPAA, work with managed service providers that understand the law well, or…are lucky to have made it this far. Even for organizations that have steered clear of both cyberattacks and regulatory fines, vigilance is essential to maintaining a clean bill of (cybersecurity) health.

With HIPAA guidance and enforcement practices shifting increasingly quickly right now, businesses must adapt their cybersecurity strategies to remain alert and in step with regulators’ most current expectations.

The fines they are a-changin’

Historically, HIPAA regulators have most often levied fines in the seven-figure range—but levied them relatively sparingly. As a result, HIPAA enforcement actions have long been viewed much like lightning strikes: almost always fatal to the business that is hit, but just as rare. That state of play has made it easy for organizations to adopt a dangerous “It won’t happen to me” attitude, and to treat fines as something that simply happens to whoever has bad enough luck.

HIPAA regulators are now changing their enforcement practices to take that perception of luck out of the equation—and force every organization that touches sensitive patient data to get serious about cybersecurity.

Regulators’ new strategy: assign five-figure fines per violation that most businesses can afford, and ramp up enforcement so that any organization not meeting its regulatory obligations can realistically expect to receive one. Ironically, this affordable-pricing strategy was pioneered by ransomware attackers in recent years, who have moved away from huge price tags that had their victims defiantly abandoning data, and have instead become clever at sizing ransoms so that paying up is a business’s easiest choice. With HIPAA regulators now applying clear and constant pressure via fines, organizations are correctly incentivized to maintain compliant cybersecurity practices and avoid writing checks to either law enforcers or lawbreakers.

HIPAA security controls have caught up with the times

When HIPAA was first enacted in 1996, its authors looked to the cybersecurity frameworks of the day (the versions of the ISO and NIST standards then in use) for guidance on effective controls for protecting patient health information. Needless to say, a thing or two has changed in the 27 years since, from the sophistication of cyberattack strategies to the introduction of more modern cybersecurity frameworks.

The recent bill H.R.7898 has now addressed this discrepancy, allowing organizations to align their HIPAA security policies with modern control sets. Organizations should take full advantage of this development, mapping HIPAA to today’s most effective security standards (such as NIST CSF or ISO 27001) in order to increase the effectiveness of their protections.

New guidelines suggest that HIPAA is no longer DIY for smaller businesses

Back in 2005, the government drafted the Health Industry Cybersecurity Practices (HICP) guidelines to provide healthcare organizations with recommendations and best practices for complying with HIPAA and protecting their patients’ data. Throughout the HICP’s history until just recently, these guidelines kept a DIY tone, telling organizations how to achieve and maintain HIPAA-compliant cybersecurity internally.

However, a recent substantial overhaul of 405(d) HICP guidelines now directly offers advice on how to select an effective and trustworthy security-minded MSP (or MSSP) partner. At the root of this change: cyber threats and corresponding cybersecurity countermeasures in the HICP guidelines have become so complicated that smaller-scale healthcare delivery organizations and businesses attached to them can no longer be expected to navigate those complexities without expert support. For example, prescriptive cybersecurity controls, including automated threat detection and mitigation, are quickly becoming essential. Getting this right substantially curtails security risk—if in the hands of those (internally or externally) who know how to leverage those tools optimally.

The more things change…

While the sophistication of modern-day cyberattacks and security protections has reached an unprecedented level, the fundamentals remain the same. Safeguarding patients’ HIPAA-protected data requires thorough risk assessments to flag vulnerabilities, effective data encryption and access control, continuous employee training, and incident response planning to meet and overcome challenges as they arrive. Pairing that strong foundation with evolving protections—aligned with an awareness of the latest regulatory behaviors, security controls, and HIPAA guidelines—is the recipe for successful healthcare cybersecurity today.


About Cam Roberson 

Cam Roberson is Vice President at Beachhead Solutions, a San Jose-based cybersecurity company. Cam previously worked in product management roles at Apple.
