New Year, new HIPAA considerations. As of December 9, 2024, more than 168 million individuals had been affected by healthcare data breaches reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). This number is record-breaking. The 10 largest data breaches affected nearly 137 million individuals. Moreover, nine of the top 10 were perpetrated through either hacking or an IT incident, with several originating within a HIPAA business associate's network server (e.g., MOVEit Transfer).
While federal law enforcement agencies have highlighted the propensity and perniciousness of cybercriminals attacking the healthcare sector over the past several years, in November 2024 the HHS Office of the Inspector General (OIG) released report A-18-21-08014, “The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information” (hereinafter “Report”). The Report, which calls for HHS-OCR to refine and reinstitute its Audit Program (a process distinct from the investigation that follows a complaint of a potential HIPAA violation received through the portal), had three objectives: to determine whether (or not) (1) OCR fulfilled its requirement under the HITECH Act to “perform periodic audits of entities to assess compliance with HIPAA Privacy, Security, and Breach Notification Rules; (2) OCR's HIPAA audit implementation and its audit protocol have been effective in assessing ePHI protections and reducing risks within the healthcare sector; and (3) OCR's oversight of its HIPAA audit program was effective at improving cybersecurity protections at entities” (p. 2).
The end results? Here are three that stood out to me:
- While OCR fulfilled the HITECH Act's requirement to perform periodic audits of HIPAA Rules' compliance by covered entities and business associates, it “did not include assessing the majority of the required protections for compliance with the HIPAA Rules” (p. 7).
- OCR “did not implement a documented process that laid out the procedures to follow during and after its Phase 2 HIPAA audits to resolve any identified deficiencies” (p. 10).
- Although OCR disputed many of OIG's recommendations, the Report indicates that HHS-OCR HIPAA audits will not only resume in early 2025 but will be more detailed, and they will likely carry additional downstream consequences for covered entities and business associates with significant non-compliance, given OIG's concern “that OCR's HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements” (p. 12).
As the Report highlighted, “The American public has witnessed disruptive attacks on its healthcare sector that jeopardize sensitive personal information, delay medical treatment, and ultimately may lead to increased suffering and death” (p. 6). Subsequently, and perhaps not surprisingly, on December 27, 2024, HHS-OCR announced a Notice of Proposed Rulemaking (NPRM), as required by the Administrative Procedure Act (APA), to update and strengthen the Security Rule's standards so that they address the ever-evolving cybersecurity threats to the healthcare sector.
Compliance Considerations
In 2023, HHS released its Healthcare Sector Cybersecurity concept paper (hereinafter “Concept Paper”), which detailed planned cybersecurity enhancements for the healthcare sector, including the publication of voluntary best practices. Additional resources were released in early 2024, and in October 2024 (after a five-year hiatus), HHS and the National Institute of Standards and Technology (NIST) hosted “Safeguarding Health Information: Building Assurance Through HIPAA Security,” an event that highlighted the imminent proposed updates to the Security Rule.
Some of the key proposed items, as summarized on the HHS website (the full regulatory text appears in the Federal Register at 90 Fed. Reg. 898 [Jan. 6, 2025]), include the following:
- Eliminate the terms “required” and “addressable” and make all specifications required with express, limited exceptions in certain circumstances;
- Update definitions and revise implementation specifications to reflect changes in technology and terminology;
- Add specific compliance time periods for many existing requirements;
- Emphasize the annual risk analysis, including the development and revision of a technology map and asset inventory;
- Strengthen disaster recovery and business continuity strategies and the related policies and procedures;
- Require business associates to verify at least every 12 months for covered entities (and business associate subcontractors to verify at least once every 12 months for business associates) that they have deployed the technical safeguards required by the Security Rule to protect ePHI, through a written analysis of the business associate's relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate; and
- Require certain regulated entities to provide notification within 24 hours when a workforce member's access to ePHI or certain electronic information systems is changed or terminated.
Many of these requirements build on what already exists and on what both covered entities and business associates should have been complying with since 2005. For those who have been complying from the outset, whether in existence since 2005 or established afterward, the task will not be quite as daunting. For those who have identified significant gaps but never corrected them, those who never had a proper audit done by a subject matter expert, and those who have not kept up with technical, administrative, and physical safeguards, now is the time to invest in a comprehensive risk analysis and related items. Given the number of class action lawsuits and federal and state enforcement actions (whether administrative or litigation), the evolving threat landscape, and the potential financial, reputational, legal and, most importantly in healthcare, patient harm, cybersecurity and HIPAA compliance can no longer be ignored.
Conclusion
HIPAA enforcement, the likelihood of increased penalties, and lawsuits involving cybersecurity are only set to increase. In healthcare, it is vital to remember that “cybersecurity is patient safety.” Moreover, there are now more resources than ever to ensure compliance. It is safe to say that excuses will not be tolerated by federal and state government agencies or by lawyers bringing cases for non-compliance or post-breach. In sum, how would you like your sensitive information protected and handled?
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate, and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston.
Rachel can be reached through her website: www.rvrose.com