On February 14, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) published a new, final version of their guidance for regulated healthcare entities to follow to improve cybersecurity and compliance with the Health Insurance Portability and Accountability (HIPAA) Security Rule.

Quick Hits

  • HHS and NIST issued new guidance to provide information and serve as a resource for HIPAA-regulated entities to improve cybersecurity and compliance with the HIPAA Security Rule.
  • The guidance comes after HHS announced a new carrots-and-sticks strategy to improve cybersecurity in the healthcare industry with additional resources and a proposal to increase civil penalties for data breaches to incentivize security measures.

The 122-page guidance, "Special Publication (SP) 800-66 Revision 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide," provides information and resources to HIPAA-covered entities—healthcare providers, health plans, healthcare clearinghouses, and their business associates—for them to improve their cybersecurity risk assessment and risk management efforts and understand their obligations under the HIPAA Security Rule.

SP 800-66 Revision 2 replaces the version released in July 2022, which revised the guidance first proposed in April 2021. The new guidance largely follows the July 2022 version but adds reminders that the Security Rule is flexible and addresses individual entities based on their size, their nature, and the unique security risks they face.

Overview of the New Guidance

The new guidance in SP 800-66 Revision 2 is meant to be a resource to assist regulated entities in their cybersecurity efforts and compliance with the HIPAA Security Rule. The rule requires regulated entities to implement reasonable and appropriate security measures to safeguard electronic protected health information (ePHI), including protecting against "reasonably anticipated" cybersecurity threats or vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Specifically, the new guidance highlights that because "the Security Rule is flexible, scalable, and technology-neutral ... there is no one single compliance approach that will work for all regulated entities." The new guidance is designed to use "in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the Security Rule."

The new guidance further highlights entities' accountability to safeguard data, stating that "improv[ing] organizational cyber posture is mission-critical" amid growing data security risks, including ransomware attacks and large data breaches costing millions of dollars. Beyond compliance with the Security Rule, the guidance notes that entities also have "business reasons" to improve cybersecurity practices, including avoiding costly breaches and reputational harm from breaches.

SP 800-66 Revision 2 comes in the context of efforts by the Biden administration to address cybersecurity risks and on the heels of the HHS OCR's announced plan in December 2023 to "advance cyber resiliency in the healthcare sector." That strategy includes setting new voluntary goals, providing new resources and incentives, and supporting greater enforcement and accountability, including by asking the U.S. Congress to increase civil monetary penalties for HIPAA violations.

Risk Assessment and Management Guidance

In particular, the guidance provides more resources and information regarding key aspects of cybersecurity and compliance to assist entities with designing and implementing security safeguards customized to their unique needs and security risks.

  1. Risk Assessment Guidance – The guidance breaks down the importance of risk assessment and risk management and the approach that regulated entities may take to assess risk to ePHI, which can be used to develop a risk management plan. The new guidance states that the steps "should be customized to effectively identify risk for a regulated entity" (emphasis added).
  2. Risk Management Guidance – The guidance reminds regulated entities that they are required to assess risks and vulnerabilities and to implement security controls, but notes that "regulated entities are free to use another risk management methodology that effectively safeguards the confidentiality, integrity, and availability of ePHI."
  3. Considerations When Implementing the HIPAA Security Rule – The guidance presents various security measures for each standard of the Security Rule with tables "designed to initiate the thought process for regulated entities to implement the requirements of the Security Rule."

Key Takeaways

Cybersecurity threats to the healthcare industry, including insurers and employer-sponsored health plans, continue to grow. The federal government has made preventing data breaches and holding entities that fail to take proper security measures accountable a top priority. The new guidance in SP 800-66 Revision 2 adds to the various resources provided by HHS to HIPAA-regulated entities to assess and prevent threats, avoid breaches, and comply with federal regulations. HIPAA-regulated entities might want to consider reviewing their cybersecurity practices and safeguards and consider whether a new risk assessment or risk management plan is appropriate.

To learn more about the latest legal updates and obligations to address cybersecurity and data privacy, please join us at Ogletree Deakins' national Workplace Strategies program, which will feature a breakout session entitled "Cybersecurity and Data Privacy Download: Updates, Trends, and Risk Mitigation Techniques." This annual seminar, which will be held May 1–4, at the historic Washington Hilton in Washington, D.C., is the premier event of its kind for sophisticated HR professionals, in-house counsel, and other business professionals.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.