Updates to the Health Insurance Portability and Accountability Act Security Rule (“HIPAA Security Rule”) are planned for Spring 2024. New guidance from The Department of Health and Human Services (“HHS”) via a recently released Concept Paper confirms plans to update the HIPAA Security Rule and additionally, the Centers for Medicare and Medicaid Services (“CMS”) will propose new cybersecurity requirements for program participants.[1] These proposed updates are in line with current White House strategic objectives. You may remember that last March, the White House unveiled the President’s National Cybersecurity Strategy[2]. In it, the President identified protection of systems deployed in Critical Infrastructure as a top priority. Healthcare and the Public Health Sector is a Critical Infrastructure Sector that HHS has the duty under Presidential Policy Directive 21 to oversee.[3] The effects of these coming changes will be felt by healthcare providers, payers, and all companies with a business nexus to the healthcare market.
One of the most valuable takeaways from The National Cybersecurity Strategy was that it signaled a clear intent to shift the burden of cybersecurity from the end users of technologies deployed in Critical Infrastructure Sectors to the owners and operators of those end user technologies. Updating the HIPAA Security Rule and new cybersecurity requirements for CMS program participants will clearly achieve that result. The HIPAA Security Rule found under C.F.R. Part 160 and Subparts A and C of Part 164, requires that Covered Entities maintain appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (“ePHI”). While the Concept Paper did not provide exact specifics, we expect to see a hardening of the requirements. Additionally, these new requirements could greatly expand the enforcement capabilities of regulators. A paradigm shift is underway, future regulations and enforcement efforts will target the entire stream of commerce of technologies deployed in healthcare, from the manufacturers, sellers, and service providers of them to the healthcare providers and payors utilizing them. Put more simply, if you access, process, transmit, or store ePHI, you could have a new target on your back.
What specifically did HHS say in the Concept Paper and why specifically should it matter to healthcare companies? In the Concept Paper, HHS revealed that it is currently developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (“HPH CPGs”). However, don’t let the word “voluntary” lull you into inaction. HHS also stated that the HPH CPGs will be utilized by CMS to propose new cybersecurity requirements for hospitals and participants in the Medicare and Medicaid programs. Further, and equally as consequential, HHS confirmed that the HHS Office for Civil Rights (“OCR”) will begin an update to the HIPAA Security Rule in Spring 2024.
Employing a “wait and see” approach until Spring 2024 is not an advisable strategy. Changes in legal requirements are coming. Privacy, security, and compliance teams will be tasked with responding during this ongoing period of change. We recommend that organizations start by ensuring they can demonstrate the implementation of Recognized Security Practices (“RSPs”). The January 2021 amendment to the HITECH Act created a safe harbor whereby OCR in their discretion could reduce fines or terminate altogether a HIPAA-related investigation if the organization under investigation could demonstrate that they had RSPs in place for at least the previous twelve (12) months.[4] The HPH CPGs and any new requirements and enforcement strategies will likely share plenty of common ground with them. Additionally, changes to OCRs expectations of what constitutes appropriate administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule will undoubtably incorporate RSPs as well. If the incentive to have OCR mitigate fines or terminate a HIPAA-related investigation entirely was not enough, the further evolution of RSPs and their cross-pollination into the new HPH CPGs and ensuing updates to HIPAA should be.
Below are some specific actions organizations should take to prepare for the upcoming changes:
- Recognized Security Practices. Organizations should at a minimum be able to show that they have operationalized, recognized security practices appropriate to the sophistication of their business for at least the last twelve (12) months. If not, then getting RSPs in place as soon as possible should be the priority. Next, does your organization have a dedicated resource responsible for implementing and updating RSPs at your organization? That is another crucial component to address.
- Vendor Contract Requirements. Any changes to the HIPAA Security Rule and changes to cybersecurity requirements for CMS program participants will likely impact terms within Business Associate Agreements, Information Security Agreements, Data Use Agreements, or any agreements that contain terms covering the accessing, processing, transmitting, or storing of ePHI and other sensitive data. Organizations should consider what those impacts might be and start addressing any gaps in their terms sooner rather than later.
Note, this is not intended to be a comprehensive list.
[1] U.S. Dept. Health and Hum. Serv., HHS Announces Next Steps in Ongoing Work to Enhance Cybersecurity for Health Care and Public Health Sectors (December 6, 2023), available at HHS.gov
[2] The White House, Off. Of the Pres., Biden-Harris Administration Announces National Cybersecurity Strategy (March 1, 2023), available at whitehouse.gov
[3] The White House, Off. Of the Press Sec., Presidential Policy Directive/PPD-21 (February 12, 2013), available at cisa.gov
[4] H.R. 7898, Public Law 116-321, Vol. 166 (2020), enacted Jan. 5, 2021
