Health Law Highlights

New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper

From Shutts & Bowen LLP, by Kurtis Hutson, Timothy Monaghan, Ella Shenhav:

Updates to HIPAA Security Rule: The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) plan to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and propose new cybersecurity requirements in Spring 2024. These changes aim to shift the cybersecurity burden from end users to the owners and operators of technologies in critical infrastructure sectors, including healthcare.

Impact on Healthcare Companies: The new requirements could significantly expand the enforcement capabilities of regulators, impacting all entities involved in the healthcare industry. This includes manufacturers, sellers, service providers, healthcare providers, and payors who access, process, transmit, or store electronic protected health information (ePHI).

Voluntary Cybersecurity Performance Goals: HHS is developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). Although termed “voluntary”, these will be used by CMS to propose new cybersecurity requirements for hospitals and participants in Medicare and Medicaid programs, and will influence the update to the HIPAA Security Rule.

Need for Proactive Measures: Healthcare organizations are advised not to adopt a “wait and see” approach, but to ensure they can demonstrate the implementation of Recognized Security Practices (RSPs). The HITECH Act amendment of January 2021 provides a safe harbor that could lead to reduced fines or termination of HIPAA-related investigations for organizations that can prove they had RSPs in place for at least the previous twelve months.