
HIPAA Update: Winter, 2024

There have been a number of governmental updates for health care and other providers to review relating to the federal HIPAA and related rules over the last few months.  Here are some of the highlights:

(1)  The federal Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) released the final update to its special HIPAA publication 800-66 (Revision 2) entitled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.  This updated guide includes guidance relating to the HIPAA Security Rules and risks surrounding electronic protected health information and cybersecurity.   Here is a link to this new update:

Additionally, NIST has provided cybersecurity strategies relating to telemedicine, ransomware, mobile device security, medical device security, and cloud services at this link:

Furthermore, NIST has modified its Cybersecurity and Privacy Reference Tool which can be found here:

It is advisable to incorporate these materials into your applicable HIPAA Security Rules and cybersecurity compliance plans.


(2)  On February 14, 2024, OCR finalized two reports for Congress on HIPAA compliance and enforcement – HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information.  The reports contain information on the number of complaint cases reviewed and noncompliance areas.  Here are links to the reports:

(3)  OCR announced on February 22, 2024 that it has settled its second-ever ransomware cybersecurity attack investigation with a Maryland-based behavioral health practice.  This incident impacted over 14,000 individuals.  OCR found that the practice failed to implement security protocols to reduce risks and vulnerabilities to an acceptable standard and failed to monitor its systems to protect against a cybersecurity incident.  OCR agreed to pay $40,000 and to implement a corrective action plan to be reviewed by OCR for three years.  Here is a link to the resolution agreement with OCR and the corrective action plan:

A review of these materials will be useful for all health care providers, health plans, clearinghouses, and business associates, so that these parties can enhance existing practices to prevent or lessen the likelihood of cybersecurity attacks.


(4)  OCR also recently announced the settlement of a malicious insider cybersecurity investigation with a New York City not-for-profit hospital system for $4.75 million.  The investigation determined that the system had numerous failures relating to data security that resulted in an employee stealing and selling the protected health information of 12,517 patients to an identity theft ring.  OCR found that the system failed to identify risks and vulnerabilities to protected health information, failed to safeguard its health information systems, and failed to implement policies and procedures that recorded and examined activity in its information systems.  Here is a link to the resolution agreement and corrective action plan with the system:

(5) OCR and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently finalized revisions to the federal regulations at 42 CFR Part 2, which protect the privacy of records for patients with substance use disorders.  In particular, the new revisions more closely align the SAMHSA and HIPAA regulations.  Here is a link to the new regulations:

Here is a link to a fact sheet relating to the new regulations as well:

(6)  Additionally, with respect to cybersecurity, the federal Department of Health and Human Services recently published guidance for the health care sector generally related to cybersecurity strategies, which can be found here:

(7)  Lastly, the federal Department of Health and Human Services, through the Administration for Strategic Preparedness and Response (“ASPR”), also released voluntary health care specific cybersecurity performance goals and a site to assist health care and other organizations to implement cybersecurity best practices.  Here is a link to this guidance:

As detailed above, the government has been quite active recently in issuing guidance in the health care arena relating to the privacy and security of health information – with a focus on cybersecurity best practices.  Providers and business associates should review these materials and incorporate them as appropriate into their existing compliance plans and training programs.

The embedded links in this briefing are currently active but may become unavailable in the future.


Our firm has extensive experience counseling health care providers on statutory and regulatory requirements, as well as preparing and implementing applicable policies. If you have any questions related to this Legal Briefing, please contact any member of our firm at 585-730-4773.




This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter. Please consult with an attorney to ascertain how these new developments may relate to you or your business. © 2024 Law Offices of Pullano & Farrow PLLC

