Updates to the Health Insurance Portability and Accountability Act Security Rule (“HIPAA Security Rule”) are planned for Spring 2024. New guidance from The Department of Health and Human Services (“HHS”) via a recently released Concept Paper confirms plans to update the HIPAA Security Rule and additionally, the Centers for Medicare and Medicaid Services (“CMS”) will propose new cybersecurity requirements for program participants.[1] These proposed updates are in line with current White House strategic objectives. You may remember that last March, the White House unveiled the President’s National Cybersecurity Strategy[2]. In it, the President identified protection of systems deployed in Critical Infrastructure as a top priority. Healthcare and the Public Health Sector is a Critical Infrastructure Sector that HHS has the duty under Presidential Policy Directive 21 to oversee.[3] The effects of these coming changes will be felt by healthcare providers, payers, and all companies with a business nexus to the healthcare market.
One of the most valuable takeaways from The National Cybersecurity Strategy was that it signaled a clear intent to shift the burden of cybersecurity from the end users of technologies deployed in Critical Infrastructure Sectors to the owners and operators of those end user technologies. Updating the HIPAA Security Rule and new cybersecurity requirements for CMS program participants will clearly achieve that result. The HIPAA Security Rule found under C.F.R. Part 160 and Subparts A and C of Part 164, requires that Covered Entities maintain appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (“ePHI”). While the Concept Paper did not provide exact specifics, we expect to see a hardening of the requirements. Additionally, these new requirements could greatly expand the enforcement capabilities of regulators. A paradigm shift is underway, future regulations and enforcement efforts will target the entire stream of commerce of technologies deployed in healthcare, from the manufacturers, sellers, and service providers of them to the healthcare providers and payors utilizing them. Put more simply, if you access, process, transmit, or store ePHI, you could have a new target on your back.
What specifically did HHS say in the Concept Paper and why specifically should it matter to healthcare companies? In the Concept Paper, HHS revealed that it is currently developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (“HPH CPGs”). However, don’t let the word “voluntary” lull you into inaction. HHS also stated that the HPH CPGs will be utilized by CMS to propose new cybersecurity requirements for hospitals and participants in the Medicare and Medicaid programs. Further, and equally as consequential, HHS confirmed that the HHS Office for Civil Rights (“OCR”) will begin an update to the HIPAA Security Rule in Spring 2024.
Employing a “wait and see” approach until Spring 2024 is not an advisable strategy. Changes in legal requirements are coming. Privacy, security, and compliance teams will be tasked with responding during this ongoing period of change. We recommend that organizations start by ensuring they can demonstrate the implementation of Recognized Security Practices (“RSPs”). The January 2021 amendment to the HITECH Act created a safe harbor whereby OCR in their discretion could reduce fines or terminate altogether a HIPAA-related investigation if the organization under investigation could demonstrate that they had RSPs in place for at least the previous twelve (12) months.[4] The HPH CPGs and any new requirements and enforcement strategies will likely share plenty of common ground with them. Additionally, changes to OCRs expectations of what constitutes appropriate administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule will undoubtably incorporate RSPs as well. If the incentive to have OCR mitigate fines or terminate a HIPAA-related investigation entirely was not enough, the further evolution of RSPs and their cross-pollination into the new HPH CPGs and ensuing updates to HIPAA should be.
Below are some specific actions organizations should take to prepare for the upcoming changes:
- Recognized Security Practices. Organizations should at a minimum be able to show that they have operationalized, recognized security practices appropriate to the sophistication of their business for at least the last twelve (12) months. If not, then getting RSPs in place as soon as possible should be the priority. Next, does your organization have a dedicated resource responsible for implementing and updating RSPs at your organization? That is another crucial component to address.
- Vendor Contract Requirements. Any changes to the HIPAA Security Rule and changes to cybersecurity requirements for CMS program participants will likely impact terms within Business Associate Agreements, Information Security Agreements, Data Use Agreements, or any agreements that contain terms covering the accessing, processing, transmitting, or storing of ePHI and other sensitive data. Organizations should consider what those impacts might be and start addressing any gaps in their terms sooner rather than later.
Note, this is not intended to be a comprehensive list. For additional information or to learn more about the proactive steps your organization can take, please contact the authors.
[1] U.S. Dept. Health and Hum. Serv., HHS Announces Next Steps in Ongoing Work to Enhance Cybersecurity for Health Care and Public Health Sectors (December 6, 2023), available at HHS.gov
[2] The White House, Off. Of the Pres., Biden-Harris Administration Announces National Cybersecurity Strategy (March 1, 2023), available at whitehouse.gov
[3] The White House, Off. Of the Press Sec., Presidential Policy Directive/PPD-21 (February 12, 2013), available at cisa.gov
[4] H.R. 7898, Public Law 116-321, Vol. 166 (2020), enacted Jan. 5, 2021
- Senior Associate
Kurtis M. Huston is a Senior Associate in the Tampa office of Shutts & Bowen LLP, where he is a member of the Corporate Practice Group, with a focus on health care.
Kurtis has experience advising clients doing business in the health care ...
- Partner
Timothy E. Monaghan is a Partner in the West Palm Beach office of Shutts & Bowen LLP, where he is a member of the Health Care Practice Group.
Tim has practiced health law for over thirty (30) years and represents healthcare providers in a ...
- Partner
Ella A. Shenhav is a partner in the Tampa office of Shutts & Bowen LLP, where she is a member of the Business Litigation Practice Group. She is a Certified Information Privacy Professional (CIPP/US), accredited by the International ...
Search Blog
Subscribe Today
Follow Us
Recent Posts
- New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper
- EU-U.S. Data Privacy Framework Advances to the Next Stage
- Changes to GLBA Safeguards Rule Affect More Than Traditional Financial Institutions
- Ransomware and Phishing Dangers On the Rise
- FTC to Embark on New Privacy Rulemaking
- Hackers are Leveraging Fear during the COVID-19 Pandemic
- No Trespassing: Can Public Websites Ever Be Off Limits?
- Cybersecurity – Global Ransomware Attack is Top of Mind with U.S. Securities Regulator
- Cybersecurity - a Top Operational Risk in FINRA’s 2017 Regulatory and Examination Priorities Letter
- Following Intense Industry Criticism, New York Overhauls Cybersecurity Requirements for Financial Services Companies
Popular Categories
Editors
- Senior Associate
- Partner
- Partner