On February 16, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) announced the publication of the final version of Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66 Revision 2). The revised publication is a collaborative effort between NIST and OCR. It includes resources for HIPAA-covered entities (most healthcare providers, health plans, and healthcare clearinghouses) and their business associates to help them understand the HIPAA Security Rule, comply with the law, and strengthen their security programs.
According to the press release, the publication provides an overview of the HIPAA Security Rule, strategies for assessing and managing risks to electronic protected health information (ePHI), suggestions for cybersecurity measures and solutions that HIPAA-covered entities and business associates might consider as part of an information security program, and resources for implementing the Security Rule. Specific topic areas include:
- Explanations of the HIPAA Security Rule’s Risk Analysis and Risk Management requirements.
- Key activities to consider when implementing Security Rule requirements.
- Actionable steps for implementing security measures.
- Sample questions to determine adequacy of cybersecurity measures to protect ePHI.
In addition to the publication itself, NIST has also provided supplementary content on its website to further assist HIPAA-covered entities and business associates with strategies to improve their cybersecurity in specific areas including:
- Telehealth/Telemedicine
- Mobile Device Security
- Ransomware & Phishing
- Medical Device Security
- Cloud Services
- Internet of Things Used in Healthcare
- Application Security
- Supply Chain
NIST also updated its Cybersecurity and Privacy Reference Tool (CPRT). The CPRT presents the HIPAA Security Rule's standards and implementation specifications alongside links to the related NIST resources, so an organization can trace each Security Rule requirement to supporting NIST guidance.
OCR also maintains information on its website to assist regulated entities with their obligations to protect ePHI including HIPAA Security Rule Guidance Material and Cybersecurity Guidance Material.
The revised guide is available from NIST's website.
Compliance Perspective
Issue
According to OCR, cyber incidents in healthcare are on the rise. From 2018–2022, there was a 93 percent increase in large breaches reported to OCR (369 to 712), with a 278 percent increase in large breaches involving ransomware. Cyber incidents affecting hospitals and health systems have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all putting patient safety at risk. The HIPAA Security Rule specifically focuses on safeguarding the confidentiality, integrity, and availability of ePHI. All HIPAA-regulated entities must comply with the requirements of the Security Rule. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.
Discussion Points
- Review policies and procedures related to HIPAA, ePHI, and the Privacy and Security Rules. Ensure that they address how ePHI is secured and how staff should recognize and resist attempts by unauthorized individuals to obtain or expose it. Update these documents as new guidance and threat information become available.
- Train all staff on HIPAA, ePHI, and the Privacy and Security Rules, including how to avoid phishing schemes, malware exposure, and unauthorized release of ePHI. Provide additional training at least annually and whenever new threats or security information become known. Document that each training occurred and file the signed training record in the employee's education file.
- Periodically audit to ensure that the facility's HIPAA, ePHI, and privacy policies and procedures are being followed by all staff, and that each person demonstrates understanding and competency.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*