On March 17, 2022, the U.S. Department of Health and Human Service’s Office for Civil Rights (“OCR”) issued industry guidance for Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities to take preventative steps to protect against some of the more common, and often successful, cyber-attack techniques. For example, the number of breaches of unsecured electronic Personal Health Information (“ePHI”) reported to the OCR affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020. Further, OCR noted that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to the Department in 2020. OCR concludes most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.
OCR’s reminders and recommendations for regulated entities include to:
- assess and reduce risks and vulnerabilities to the availability of ePHI, which is defined as “the property that data or information is accessible and useable upon demand by an authorized person” pursuant to the HIPAA Security Rule. See 45 CFR 164.308(a)(1)(ii)(A)-(B): Implementation Specification: Risk Analysis (required), Implementation Specification: Risk Management (required); see also 45 CFR 164.304 (definition of “Availability”).
- implement stronger authentication solutions, such as multi-factor authentication.
- implement a security awareness and training program for all workforce members pursuant to the HIPAA Security Rule. 45 CFR 164.308(a)(5)(i). Management personnel should also participate, as senior executives may have greater access to ePHI and are often targeted in phishing email attacks;
- implement a vulnerability management program that includes using a vulnerability scanner to detect vulnerabilities such as obsolete software and missing patches; and periodically conducting penetration tests to identify weaknesses that could be exploited by an attacker.
- implement a privileged access management (PAM) system that is reasonable and appropriate to reduce the risk of unauthorized access to privileged accounts pursuant to the HIPAA Privacy Rule. See 45 CFR 164.312(a)(1): Standard: Access Control.
- pay careful attention to cybersecurity alerts describing newly discovered vulnerabilities, including those from the Cybersecurity and Infrastructure Security Agency (CISA) and the HHS Health Sector Cybersecurity Coordination Center (HC3).
- periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate pursuant to the HIPAA Privacy Rule. See 45 CFR 164.306(e): Maintenance.
- upgrade or replace obsolete, unsupported applications and devices (legacy systems). However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur.
Relatedly, as issues around data in the healthcare industry grow, Congress continues to contemplate modernization of the HIPAA—which originally passed over 25 years ago and has not been substantively updated since 2009 (or when the iPhone was barely 2 years old). HIPAA and its Standards for the Privacy of Individually Identifiable Health Information (“Privacy Rule”) were released in the 1990s when health records were generally paper-based. Proposed changes to the HIPAA Privacy Rule first announced in the fall of 2020 by the Office for Civil Rights, Department of Human and Health Services (“OCR”) may be finalized this year. However, these changes would not address what many see as an industry gap because HIPAA only covers health data collected, used, stored, and transmitted by Covered Entities (healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates. Emerging technologies such as health apps and wearable devices are not necessarily subject to the same privacy or security requirements.
Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) introduced the Health Data Use and Privacy Commission Act (“Act”) on February 10, 2022. The Act aims to form a health and privacy commission to research and give official recommendations to Congress and the President on how to modernize the use of health data and revise privacy laws. The Commission created by the Act would explore not only HIPAA covered entities and their business associates but also companies not currently required to comply with HIPAA, such as those in health technology, insurance, financial services, consumer electronics, advertising, technology industries, app providers, researchers, and others investing in the collection and use of health data.
The proposed Commission would: conduct a coordinated and comprehensive review and comparison of existing protections of personal health information at the state and federal level; identify and describe current practices for health data use by the industries identified; provide recommendations to Congress on whether federal legislation is needed to modernize health data privacy; and determine the best path for updating laws. Under the proposed act, a majority of the Commission members would be expected to approve a report “[n]ot later than 6 months after the appointment of all members of the Commission.” Then the Commission would submit the approved report to Congress and the President.
Industry leaders, including athenahealth, American College of Cardiology, IBM, Epic Systems, Federation of American Hospitals, Association of Clinical Research Organizations, and others, voiced their support for the legislation in a letter to Senators Cassidy and Baldwin. The Bill is set for review for the Committee on Health, Education, Labor, and Pensions.
Companies can track developments on the bill here and evaluate their own health care data privacy and cybersecurity risks and compliance concerns.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.