On October 23-24, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) Information Technology Laboratory hosted the Safeguarding Health Information: Building Assurance through HIPAA Security conference. After a five-year absence, the conference has returned to Washington, D.C., at the HHS Headquarters.
Below are six important takeaways from the conference that covered entities and business associates regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) need to pay attention to:
- OCR's New Initiative on Risk Analyses
- Changes Coming to the HIPAA Security Rule
- No Timeline for Publishing Updated HIPAA Privacy Rule
- Get Your Business Associate Agreements in Order!
- Right of Access: A Bipartisan Priority
- Access Controls and Information System Activity Review Need to Be Implemented ASAP
1. OCR's New Initiative on Risk Analyses
OCR indicated that a major priority for the agency is ensuring that covered entities and business associates are performing thorough risk analyses.
Under the HIPAA Security Rule, covered entities and business associates are required to conduct accurate and thorough analyses of "the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [their] electronic protected health information (ePHI)." 45 CFR 164.308(a)(1)(ii).
OCR stated that most of its recent investigations of large data breaches revealed that the covered entity or business associate did not have a compliant risk analysis – either the risk analysis did not encompass all the systems that maintain ePHI, the analysis was a series of questions with "yes" and "no" responses, or the risk analysis was simply a high-level summary that did not contain the details required under the Security Rule.
Despite identifying many noncompliant risk analyses, OCR stated that it will not be providing examples of compliant risk analyses.
Further, OCR stated that covered entities and business associates cannot rely solely on the free Security Risk Assessment Tool developed by OCR and the Office of the National Coordinator for Health Information Technology for their risk analyses, as the tool does not address all areas of risk and vulnerability.
BakerHostetler works with numerous covered entity and business associate clients to conduct risk analyses. If your organization needs assistance with conducting a risk analysis, please contact BakerHostetler's Healthcare Privacy and Compliance team for guidance.
2. Changes Coming to HIPAA Security Rule
OCR announced that a Notice of Proposed Rulemaking (NPRM) for the HIPAA Security Rule is expected to be issued in late 2024/early 2025. One of the goals for updating the Security Rule is to provide a baseline of safeguards informed by changes in the healthcare cybersecurity landscape and OCR's extensive experience investigating data breaches.
When the NPRM for the HIPAA Security Rule is published, covered entities and business associates will have the opportunity to read the proposed changes and provide public comment. BakerHostetler will work with its clients to prepare and submit public comments to ensure that covered entities and business associates' perspectives are shared with HHS and OCR.
3. No Timeline for Publishing Updated HIPAA Privacy Rule
Despite issuing an NPRM for the HIPAA Privacy Rule and receiving thousands of public comments in 2021, OCR stated that there is no timeline for when the final rule implementing the proposed changes to the HIPAA Privacy Rule will be published.
4. Get Your Business Associate Agreements in Order!
OCR identified several investigation priorities, one of which is business associate agreements.
The HIPAA Privacy Rule requires that covered entities enter into agreements with their business associates to help ensure that the business associates safeguard the protected health information (PHI) they receive or create on behalf of the covered entities. 45 CFR 164.504(e).
OCR stated that its investigations of large data breaches identified both numerous covered entities without business associate agreements with their vendors and overall poor vendor management.
BakerHostetler works with numerous covered entities and business associates on drafting their business associate agreements and developing vendor management programs. If your organization needs assistance with vendor management, please contact BakerHostetler's Healthcare Privacy and Compliance team for guidance.
5. Right of Access: A Bipartisan Priority
While the priorities of OCR under the Trump and Biden administrations differ significantly, one on which both agreed is the individual right of access.
The HIPAA Privacy Rule requires that covered entities provide individuals with access to their PHI within 30 days of receiving a request for access. 45 CFR 164.404.
OCR stated that it will continue to investigate complaints regarding alleged violations of the right of access. To date, OCR has initiated nearly 50 enforcement actions related to the right of access.
BakerHostetler's Healthcare Privacy and Compliance team has significant experience advising clients on the release of information and the right of access. If your organization needs assistance with release of information policies, please contact BakerHostetler's Healthcare Privacy and Compliance team for guidance.
6. Access Controls and Information System Activity Review Need to Be Implemented ASAP
Another common HIPAA compliance issue OCR has identified through its investigations is the lack of access controls and information system activity review.
The HIPAA Security Rule requires that covered entities and business associates implement policies and procedures to limit access to ePHI to only authorized persons. 45 CFR 164.308. The HIPAA Security Rule also requires that covered entities and business associates regularly examine information system activity records to identify inappropriate use or disclosure of ePHI. Id.
OCR stated that its investigations will be focusing on what access controls were in place at the time of the incident and whether the covered entity or business associate was properly reviewing information system activity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.