Latest Medical Coding News & Trends | Nym Health Blog

HIPAA Security Rule Update: A New Era for Healthcare Cybersecurity

Written by Yoav Ramon | Jan 23, 2025 2:00:00 PM

Key Takeaway: With healthcare data breaches affecting over 87 million patients in 2023 and ransomware attacks doubling in frequency, HHS has proposed the first major update to HIPAA's Security Rule in a decade. For healthcare business associates like autonomous medical coding providers, this landmark HIPAA Security Rule Notice of Proposed Rulemaking transforms previously optional security measures into strict requirements, mandating the same level of cybersecurity protocols previously required only of healthcare providers.

CONTENTS

Why Healthcare Cybersecurity Needs an Update

Key Changes in the HIPAA Security Rule Proposal

Impact on Autonomous Medical Coding

Nym's Approach to Enhanced HIPAA Security

Looking Ahead

Why Healthcare Cybersecurity Needs an Update

The healthcare sector faces unprecedented cybersecurity challenges. In 2023, healthcare organizations reported 725 data breaches to the HHS Office for Civil Rights—the highest number ever recorded [1]. Even more concerning is that 58% of the 77.3 million individuals affected by these breaches were impacted through attacks on healthcare business associates, representing a 287% increase from 2022 [2]. This dramatic rise in business associate breaches highlights a critical vulnerability in the healthcare data ecosystem.

The current HIPAA Security Rule, which has not been significantly updated since 2013, has allowed healthcare business associates to treat many security measures as "addressable," meaning they could choose alternative security measures if they deemed them more appropriate. This flexibility, while intended to accommodate different organizational needs, has created inconsistent security standards across the healthcare ecosystem. With business associates now handling increasing volumes of sensitive patient data through AI and cloud computing solutions and accounting for the majority of breached records, this variable approach to healthcare cybersecurity has become a significant vulnerability.

Key Changes in the HIPAA Security Rule Proposal

The proposed updates fundamentally change how healthcare organizations and their business associates must approach security compliance. Given that business associates were responsible for nearly 60% of breached records in 2023, these new mandatory requirements are particularly crucial:

  1. Annual third-party security audits with written certification
    • Ensures continuous validation of security measures and early identification of potential vulnerabilities
    • For healthcare business associates, this means implementing the same rigorous audit processes as providers

  2. Regular penetration testing and vulnerability scanning
    • Proactively identifies and addresses security weaknesses before they can be exploited
    • Healthcare business associates must maintain the same testing frequency as covered entities

  3. 24-hour notification requirements for security incidents
    • Enables rapid response to potential breaches and minimizes potential damage
    • A new strict timeline applies to all business associates, replacing previous flexible notification periods

Impact on Autonomous Medical Coding

For the autonomous medical coding industry, these HIPAA security changes represent a significant shift in requirements. With business associates now implicated in the majority of healthcare data breaches, the standardization of security requirements is particularly crucial in this sector, as autonomous coding platforms process vast amounts of protected health information through AI models and algorithms.

For healthcare providers partnering with autonomous medical coding vendors, these new requirements provide essential protection against the growing threat of third-party breaches. This is especially important given that AI-powered coding automation often requires real-time access to clinical documentation and patient records. Healthcare organizations can now expect consistent, high-level security practices across all their technology partners, addressing the vulnerability highlighted by the 287% increase in business associate breaches in 2023.

The standardization of these requirements will also help level the playing field in terms of security capabilities across the healthcare business associate ecosystem, though it may present challenges for newer or smaller vendors who haven't yet invested in comprehensive security infrastructure.

Nym's Approach to Enhanced HIPAA Security

Since Nym's founding in 2018, we've prioritized healthcare cybersecurity as a core component of our autonomous medical coding solution, anticipating that robust security measures would become increasingly critical in healthcare. Nym is SOC 2 Type II certified (mapped to HITRUST), and this, among countless other security measures, has positioned Nym as a leader in healthcare data protection.

"Since day one, we've made security a fundamental part of how we operate at Nym. The new HIPAA Security Rule proposal mandates annual third-party audits, continuous vulnerability scanning, and 24-hour incident reporting - and we've already built all of this into our security program. We partner with the most trusted third-party auditors, who lead the industry in rigorous penetration tests and validations. We also have dedicated personnel monitoring and investigating all network and data assets under our custody around the clock. Every employee goes through comprehensive security training, from HIPAA privacy to Medicare fraud prevention. When you're handling sensitive medical information at our scale, security can't just be a checkbox exercise - it's about earning and keeping the trust of our healthcare partners and protecting patient privacy."

- Yoav Ramon, Chief Technology Officer at Nym

Looking Ahead

The elimination of "addressable" security measures marks a new era in healthcare cybersecurity. For autonomous medical coding providers and other healthcare business associates, this represents an opportunity to demonstrate security leadership by implementing comprehensive HIPAA security programs that match or exceed those of covered entities. Organizations that proactively adapt to these new requirements will be better positioned to protect sensitive healthcare data while maintaining efficient operations.

References:

  1. Alder, Steve. "Healthcare Data Breach Statistics," The HIPAA Journal, December 30, 2024. https://www.hipaajournal.com/healthcare-data-breach-statistics/

  2. Broderick, Tim. "Healthcare data breaches hit new highs in 2023," Modern Healthcare, January 25, 2024. https://www.modernhealthcare.com/cybersecurity/healthcare-data-breaches-2023-anthem-lbm