Editor’s Note: PYA and Foley & Lardner hosted the 6^th Annual “Let’s Talk Compliance” two-day Virtual Conference on January 18 and 19, 2024. Panelists included Foley & Lardner attorneys and PYA experts. The event was hosted by Foley partner, Jana Kolarik and PYA Tampa office managing principal, Angie Caldwell. Below are a few major takeaways from Session #2. Please reach out to us if you have any questions.

In January 2024, Foley partner Jennifer Hennessy and PYA principal Barry Mathis addressed hot topics in health care privacy and cybersecurity, including the following, in a session that was part of the 6^th Annual “Let’s Talk Compliance” series. The recording and slides from this session (and other sessions that were part of the series) can be found here.

• Challenges and trends regarding the use of artificial intelligence (AI) in the health care space,
• Recent trends in health care cybersecurity, including a discussion of health care-related dark web activity,
• A refresher on HIPAA’s right for patients to access their own information in light of the HIPAA Right of Access Initiative,
• Considerations on the use of tracking technologies in the health care space, and
• Other trends reflected in recent Department of Health and Human Services (HHS) investigation settlements.

Artificial Intelligence

AI has quickly become a commonplace term in many industries across the U.S. and the world. There are lively debates on what is true AI or simply smart algorithms. In this webinar, AI is discussed as an impact on health care and the potential risks it may bring as more and more turn toward AI for assistance. Wider AI adoption could save the U.S. 5% to 10% or $200 billion to $360 billion a year, according to research from Harvard University and McKinsey & Company. Here are just a few adoption facts as presented in an NantHealth survey:

• 99% of health care leaders anticipate tangible cost savings as a result of investing in AI.
• 96% say AI plays a crucial role in their efforts to reach the organization’s equity goals.
• 39% believe AI presents opportunities to ease administrative burdens.
• 72% of health care leaders trust AI to support non-clinical tasks.

Cybersecurity

This portion of the session discussed recent and expected changes to law and guidance impacting health care cybersecurity. Some of those changes include the following:

• HHS will propose updates to the HIPAA Security Rule this year to include new cybersecurity requirements, according to HHS’ strategy report on Healthcare Sector Cybersecurity. The HIPAA Security Rule has not been substantively revised since 2003.
• Although we are still awaiting a proposed rule, in 2022, HHS released a Request for Information seeking input from HIPAA covered entities and business associates on how the industry understands and is implementing what are defined as “recognized security practices” under the Health Information Technology for Economic and Clinical Health (HITECH) Act. This followed the amendment to the HITECH Act to require HHS to take into consideration “recognized security practices” of covered entities and business associates that were in place for the previous 12 months when determining fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule. See Foley’s blog on this topic for more information.
• Mathis also discussed emerging AI tools designed to harm rather than help, such as WormGPT and FraudGPT.

HIPAA Right to Access

HHS has vigorously enforced the HIPAA Right to Access Initiative with enforcement actions over the past couple of years. The HIPAA Privacy Rule requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them maintained in one or more Designated Record Sets, subject to limited exceptions. Entities generally must respond within thirty (30) calendar days of the request. The definition of “Designated Record Set” is broad – including medical and billing records, health plan enrollment, payment, claims adjudication, and case or medical management records, and any records used, in whole or in part, by or for the covered entity to make decisions about individuals.

Most HIPAA Right to Access Initiative settlements involved HIPAA covered entities failing to respond in a timely manner, often after repeated requests by individuals. Under these settlements, HHS generally imposes a civil monetary penalty plus a period of monitoring by HHS. This often includes a requirement to update policies and train workforce on the policies, submit information to HHS on access requests the organization received and the responses, as well as a requirement for the organization to self-report failures to comply with HIPAA policies to HHS.

Tracking Technologies

Health care organizations should carefully assess their use of tracking technologies on their platforms, including how these technologies are applied and whether information is shared with any third parties, and then assess their compliance with federal and state regulatory requirements.

Trends in HHS Investigations

The session concluded with the discussion of recent trends in HHS HIPAA investigations, including the importance of conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. and developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis.

[View source.]