Executive Summary
Our Health Care and Privacy, Cyber & Data Strategy Groups cover an upcoming proposed rule from U.S. Health and Human Services (HHS) that would formalize cybersecurity requirements and allow the Office for Civil Rights (OCR) to expand enforcement.
- The rule responds to the rise in ransomware and hacking aimed at gaining unauthorized access to electronic protected health information
- The Cybersecurity Performance Goals from earlier this year provide a template of how HHS and OCR may approach the proposed rule
- OCR may use the proposed rule to codify its tracking technologies guidance, which has been under attack in court
The U.S. Department of Health and Human Services (HHS) has announced a proposed rule to modify the HIPAA Security Rule. According to an abstract the agency filed with the White House Office of Information and Regulatory Affairs, the proposed rule is intended to "improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats." Formalizing cybersecurity requirements via rulemaking would also position the Office for Civil Rights (OCR) to expand its enforcement capabilities. The proposed rule is expected to be published by the end of the calendar year.
Speaking at a joint HHS and National Institute of Standards and Technology (NIST) conference last week, OCR senior policy advisor Marissa Gordon-Nguyen, J.D. indicated the upcoming changes are a response to the prevalence of ransomware and other cybersecurity events impacting the health care industry. "We've seen tremendous increases in the use of ransomware and hacking to obtain unauthorized access to ePHI [electronic protected health information], and since 2003 there's been an evolution in technical capabilities of record systems that are used to maintain health information, and there have been changes in the costs of [a] variety of security measures."
As health care entities await the proposed rule, they may recall the Cybersecurity Performance Goals (CPGs) that HHS released earlier this year, with practices ranging from multi-factor authentication to workforce training to incident response. Although the CPGs are voluntary, they provide a window into OCR's view of security and therefore may provide a preview of the types of new requirements that could be incorporated into the proposed rule. In a 2023 concept paper, HHS previewed its desire to incorporate the CPGs into regulation to establish enforceable cybersecurity standards.
The announcement of the upcoming proposed rule comes after a very busy year for HHS and OCR. In April, OCR issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which prohibits certain disclosures of PHI related to lawful reproductive health care. OCR defended a court challenge to its tracking technologies guidance, most recently appealing and then withdrawing its appeal of a June 2024 decision vacating a narrow part of the guidance. The timing of the withdrawn appeal and the upcoming proposed rule raises questions of whether OCR might seek to codify portions of the guidance in regulation.
Alston & Bird continues to track the proposed rule.