White House OMB is reviewing proposed cybersecurity updates to HIPAA

The Office of Management and Budget will consider HHS' approach to modernizing requirements for HIPAA covered entities charged with protecting ePHI against healthcare cybersecurity threats. Reports say the rule could be published by year's end.
By Andrea Fox
10:49 AM


The Department of Health and Human Services has filed proposed modifications to the Health Insurance Portability and Accountability Act of 1996 Security Rule with the Office of Information and Regulatory Affairs. The modifications are intended to strengthen the cybersecurity of electronic protected health information (ePHI).

The central authority for the review of Executive Branch regulations provided few details, but once the White House review of the HIPAA updates is complete, HHS can release its Notice of Proposed Rulemaking (NPRM) for public comment.

WHY IT MATTERS

This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, according to the abstract.

During a joint HHS and National Institute of Standards and Technology security conference Wednesday, an official with the Office for Civil Rights indicated that publication of the Security Rule NPRM would happen this year, according to Federal News Network.

"We've seen tremendous increases in the use of ransomware and hacking to obtain unauthorized access to ePHI, and since 2003 there's been an evolution in technical capabilities of record systems that are used to maintain health information, and there have been changes in the costs of a variety of security measures," said Marissa Gordon-Nguyen, OCR senior advisor for health information privacy, data and cybersecurity, according to the story.

NIST revised its healthcare guidance to improve HIPAA Security Rule compliance two years ago in response to the wave of health data breaches that continue to pummel the sector.

THE LARGER TREND

Complicating HIPAA compliance for healthcare organizations, legal ambiguity remains over what data is not considered ePHI after AHA v. Becerra, a federal lawsuit that sought to bar enforcement of OCR's guidance governing online-tracking tools under HIPAA.

Plaintiff attorneys are taking full advantage of such grey areas, and healthcare organizations are simultaneously being hit with class-action litigation.

Iliana Peters, an attorney and shareholder at the law firm Polsinelli, likened the patient privacy climate to the "Wild West." She told Healthcare IT News earlier this month that while HHS dropped its appeal to include the sharing of individual IP addresses with third parties in what constitutes a HIPAA data breach, other tools like appointment scheduling, geolocation features, translation tools and chatbots on unauthenticated websites could still be considered in scope.

"Other activity, arguably, would be in scope because the ruling doesn't say it's not," she explained.

The federal privacy framework has been updated periodically.

In 2018, HHS released an update of the Substance Abuse and Mental Health Services Administration's regulation to block the sharing of drug abuse treatment information for billing and payments, despite care coordination benefits cited by hospitals and providers that commented on the rulemaking.

In April, HHS also issued its final rule modifying the Standards for Privacy of Individually Identifiable Health Information under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, which became effective in June.

HHS said in that rule's summary that the Supreme Court decision in Dobbs v. Jackson Women's Health Organization "overturned precedent that protected a constitutional right to abortion and altered the legal and healthcare landscape," increasing the likelihood that an individual's PHI could be disclosed in ways HIPAA aims to protect against.

"The threat that PHI will be disclosed and used to conduct such an investigation against, or to impose liability upon, an individual or another person is likely to chill an individual's willingness to seek lawful health care treatment or to provide full information to their health care providers when obtaining that treatment, and on the willingness of health care providers to provide such care," HHS said.

Nichole Sweeney, general counsel and chief privacy officer at CRISP and CRISP Shared Services, advised healthcare organizations to partner with electronic health record vendors to maintain interoperability while restricting access to legally protected data, in order to mitigate reproductive privacy risks.

"Rather than shutting down the exchange of full patient records to avoid their inclusion on national exchange frameworks, we can put guardrails around common medications and procedures – and the providers and organizations who typically provide these services," she told Healthcare IT News last year.

"To avoid information blocking concerns, such guardrails need to be created within the framework of an applicable state law or policy and/or at the patient's request."

At this time, regulated entities must revise and implement changes to their policies and procedures to comply with the reproductive privacy modifications to HIPAA by December 23.

ON THE RECORD

"These modifications will improve cybersecurity in the healthcare sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate and recover from cybersecurity threats," OCR said in the HIPAA Security Rule modifications abstract.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
