On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended on May 6, 2021, and HHS received almost 1500 comments from interested stakeholders. If finalized, these proposals will require HIPAA-covered entities and business associates to implement many changes, including updates to their policies, procedures, security standards, notices of privacy practices, authorization and disclosure forms, and business associate agreements. In the age of digital targeting and ransomware, possibly the most important of these is a change to security standards.
Recognized Cybersecurity Practices
The proposed changes to the HIPAA rule should be viewed in tandem with the January 5, 2021 update to HITECH under HR 7898, which required that the Secretary of HHS consider “recognized cybersecurity practices,” defined as those set forth by the National Institute of Standards and Technology (NIST) in determining any HIPAA fines, Office of Civil Rights (OCR) audits of covered entities and business associates, and appropriate breach mitigation remedies. The definition of “recognized security practices,” through the National Institute of Standards and Technology Act (NISTA) and other statutory authorities, requires development of voluntary, consensus-based, industry-led standards and processes to cost-effectively reduce cyber risks to critical infrastructure. This new law creates a strong incentive for covered entities and business associates to pay attention to guidance issued by NIST as a source of “recognized cybersecurity practices.” NIST’s most on-point guidance, Special Publication 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (“Resource Guide”), however, was issued 13 years ago in October 2008.
NIST Prepares to Modernize Security Guidance
Given the age of the Resource Guide, combined with this new incentive for healthcare providers to rely on the Resource Guide, NIST is now seeking comment from industry stakeholders to inform updates to the Resource Guide to bring its recommendations up to speed with accepted practical security efforts. Comments are due by June 15, 2021. NIST is requesting comments on improvements to the Resource Guide as well as information on how covered entities and business associates are currently using the Resource Guide. A complete list of the call for comments is available here, in which NIST requests that commenters:
- Share any topics that they believe are missing from the Resource Guide and why they merit special attention;
- Describe how the Resource Guide can be more beneficial to a variety of audiences (e.g., small health care providers, health plans, health care clearinghouses, business associates);
- Describe how their organizations determine that security measures are effective in protecting ePHI and how often their organizations initiate a process to determine such effectiveness;
- Describe how their organizations manage concerns regarding business associates’ compliance with the HIPAA Security Rule;
- Describe the role that contracts or other agreements serve in protecting ePHI disclosed to business associates; and
- Other questions that are outlined in the call for comments.
NIST Seeks Non-Compliance Information
A unique hallmark of this request for comments comes from NIST’s call for information related to recognized practices that diverge from compliance with the HIPAA Security Rule. In making this request, NIST acknowledges the diversity of existing security practices in the industry and that some of those practices may lie outside of the boundaries of laws and regulations initially drafted years before modern technology had developed. The result of this request could have a dramatic impact not only on the NIST guidance but also on the Security Rule if regulators find that successful practical efforts fall outside of the current rule’s construction for no justifiable reason.
As HIPAA and HITECH undergo modernization, some questions will arise. We will continue to monitor these updates to inform best practices for compliance.