New Cybersecurity Guide Released

Saul Ewing LLP

On February 16, 2024, the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) published a final version of the cybersecurity resource guide (the “Guide”) with respect to the HIPAA Security Rule. As noted in the Guide’s abstract, “This publication provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule.”

What You Need to Know:

  • The HHS Office for Civil Rights and the National Institute of Standards and Technology published a final version of the cybersecurity resource guide.
  • The guide provides an overview of the HIPAA Security Rule, guidelines for covered entities and business associates to conduct a risk assessment, risk management guidelines, and considerations when applying the Security Rule.
  • The guide is a useful tool for HIPAA-covered entities and business associates in assessing compliance with the Security Rule.

The HIPAA Security Rule focuses on safeguarding the confidentiality, integrity, and availability of electronic PHI (“ePHI”). Because the HIPAA Security Rule is flexible by design, there is no standard or single approach for a HIPAA-covered entity or business associate to achieve and maintain HIPAA Security Rule compliance. This flexibility can be both a comfort and a source of concern: the underlying analysis behind the decisions made by the covered entity or business associate is critical, and there is no one-size-fits-all document that ensures Security Rule compliance.

The Guide “includes a brief overview of the HIPAA Security Rule, provides guidance for regulated entities in assessing and managing risk to ePHI, identifies typical activities that a regulated entity should consider when implementing an information security program, and lists additional resources that regulated entities may find useful when implementing the Security Rule.”

The Guide provides an overview of the HIPAA Security Rule, guidelines for covered entities and business associates to conduct a risk assessment, risk management guidelines, and considerations when applying the Security Rule. Importantly, the Guide also includes helpful appendices for small and large entities alike.  

The Guide notes several of its intended benefits, including:

“• Ensuring that each organization is selecting security practices and controls that adequately safeguard ePHI of which they are the steward,

• Informing the development of compliance strategies that are in concert with the size and structure of the entity,

• Providing guidance on best practices for developing and implementing a risk management program, and

• Creating appropriate documentation that demonstrates effective compliance with the HIPAA Security Rule.”

The Guide provides a handy one-stop document that is a useful tool for HIPAA-covered entities and business associates. Many recent OCR settlements [here, here and here] have focused on alleged HIPAA Security Rule violations, including the threats to ePHI that are prevalent within the health care delivery system.  

The Guide has multiple tables that explain, in a straightforward manner, the key considerations, including the relevant questions that need to be asked, for parties making decisions about addressable and required implementation specifications under the HIPAA Security Rule.

The Guide is helpful on both a prospective and a retrospective basis. Prospectively, covered entities and business associates should review the Guide to ensure their HIPAA Security Rule plan is well-conceived and addresses the necessary considerations. Retrospectively, if OCR ever questions a provision (or provisions) of a covered entity’s or business associate’s thought process with respect to creating its HIPAA Security Rule compliance document, the Guide can be an important first step in justifying the decisions made by the entity.

HIPAA Privacy Rule, Breach Notification, and Security Rule compliance is imperative for covered entities and business associates. The Guide is a very useful tool with respect to Security Rule compliance, and the Guide can be reviewed here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
