White House OMB reviews proposed cybersecurity updates to HIPAA

The Department of Health and Human Services has submitted to the Office of Information and Regulatory Affairs proposed changes to the Health Insurance Portability and Accountability Act of 1996 to strengthen the cybersecurity of electronic protected health information.

The Executive Branch’s Central Regulatory Review Authority has provided few details, but once the White House reviews the HIPAA updates, HHS may release its notice of proposed rulemaking for public comment.

WHY IT’S IMPORTANT

This rule will propose changes to the security standards for protecting electronic protected health information under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, according to the abstract.

At a joint security conference between HHS and the National Institute of Standards and Technology on Wednesday, an official from the Office of Civil Rights indicated that the release of the NRPM security rule would occur this year, according to Federal News Network.

“We have seen a dramatic increase in the use of ransomware and hacking to gain unauthorized access to ePHI, and since 2003 there has been an evolution in the technical capabilities of systems of record used to track health information, and changes in the cost of a variety of security measures,” said Marissa Gordon Nguyen, OCR senior advisor for health information privacy, data and cybersecurity, according to the story.

NIST revised its healthcare guidelines two years ago to improve compliance with HIPAA security rules, in response to the wave of health data breaches that continue to plague the industry.

THE BIG TREND

Complicating HIPAA compliance for healthcare organizations, legal ambiguity remains regarding what data is not considered ePHI afterward AHA vs. Becerraa federal lawsuit that sought to ban enforcement of OCR’s online tracking tools under HIPAA.

Plaintiffs’ attorneys are taking full advantage of such gray areas, and healthcare organizations are simultaneously being exposed to class action lawsuits.

Iliana Peters, lawyer and shareholder at law firm Polsinelli, compared the privacy climate of patients to the ‘Wild West’. She told me Healthcare IT news Earlier this month, HHS said that while HHS dropped its call to include the sharing of individual IP addresses with third parties in what constitutes a HIPAA data breach, other tools such as appointment scheduling, geolocation features, translation tools and chatbots on unverified websites are still can be considered.

“Other activities might well be within scope, because the ruling does not say that they are not,” she explained.

The federal privacy framework has undergone periodic updates.

In 2018, HHS issued an update to the Substance Abuse and Mental Health Services Administration regulation to block the sharing of substance abuse treatment information for billing and payments, despite the care coordination benefits cited by hospital and provider commenters on the regulations.

In April, HHS also released its last line to change the standards for the privacy of individually identifiable health information under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, which took effect in June.

HHS said in the summary of that rule that because the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, “overturned a precedent that protected a constitutional right to abortion and changed the legal and health care landscape,” increasing the likelihood that an individual PHI could be disclosed in a manner that HIPAA seeks to protect.

“The threat of PHI being disclosed and used to conduct any such investigation against, or to impose liability on, an individual or any other person is likely to decrease an individual’s willingness to seek legitimate health care or to provide complete information to their health care provider. providers in obtaining that treatment, and on the willingness of providers to provide such care,” HHS said.

Nichole Sweeney, general counsel and chief privacy officer at CRISP and CRISP Shared Services, recommended that healthcare organizations work with electronic health record vendors to maintain interoperability and limit access to legally protected data to mitigate reproductive privacy risks.

“Rather than halting the exchange of entire patient records to prevent their inclusion in national exchange frameworks, we can place guardrails around common medications and procedures – and the providers and organizations that typically provide these services,” she shared. Healthcare IT news last year.

“To avoid information blocking issues, such guardrails should be created within the framework of an applicable state law or policy and/or at the patient’s request.”

At this time, regulated entities must review and implement their policies and procedures to comply with HIPAA’s reproductive privacy changes by December 23.

ON THE RECORD

“These changes will improve cybersecurity in the healthcare industry by strengthening requirements for HIPAA-regulated entities to protect electronically protected health information to prevent, detect, control, mitigate, and remediate cybersecurity threats,” OCR said in the summary of the HIPAA Security Rule changes.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The HIMSS Healthcare Cybersecurity Forum will take place from October 31 to November 1 in Washington, DC More information and registration.

Related Post