What will HIPAA 2022 bring? Picture the end of 2020. A raging COVID pandemic, for which vaccinations had only started. An outgoing Presidential administration giving the reins to a new one. And, in the middle of all of this, some seeds planted by the federal government seemed bound to blossom into changes in HIPAA law and regulations.
At the end of 2020, a proposal from the Department of Health and Human Services (HHS) to revamp the HIPAA Privacy Rule to make it more patient-friendly was put on the table; the same end-of-year proposal would also put more teeth into the HIPAA right of access. A new Information Blocking Rule, intended to stop healthcare providers, health IT developers, and exchanges from blocking the flow of electronic health information, was scheduled to take effect in the spring of 2021.
From a HIPAA perspective, 2021 was shaping up to be The Year of the Patient. Flash forward to the end of 2021. The proposed revamp of the Privacy Rule, designed to put patients in the driver’s seat, is still just that – a proposal. The proposed changes to the right of access have yet to be finalized. HHS’s HIPAA activity in 2021 very much tracked the news of that year: in January, a new presidential administration came to power. The COVID-19 pandemic raged on, but vaccines were finally available, along with expanded access to telehealth. What we got from HHS in 2021, then: installation of a new Director for the Office for Civil Rights (OCR), extension of COVID-19-related enforcement discretion, and guidance on HIPAA, COVID-19 vaccinations, and the workplace. Some HIPAA 2022 predictions are offered below.
HIPAA 2022 Predictions: Securing the Blessings of HR 7898
In early January of 2021, HR 7898, which has been nicknamed the “HIPAA Cybersecurity Recognized Best Practices Bill,” was signed into law. The bill amends the HITECH Act to require the Department of Health and Human Services to consider whether a covered entity or business associate has met recognized security practices when HHS makes certain determinations, such as whether to bring an enforcement action, select an entity for an audit, or issue a monetary penalty.
The bill requires HHS to consider whether the covered entity or business associate has adequately demonstrated that it had recognized security practices in place for not less than the previous 12 months. If so, HHS may mitigate the amount of a fine and decrease the length and extent of an audit. Note the word “demonstrated”: the burden is on the entity to show what practices it had in place and since when, so dated documentation of those practices is what will count in an investigation, not the practices alone.
Under this legislation, “recognized security practices” include:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
- Programs and practices that are developed in, recognized by, or outlined in, federal laws other than HIPAA.
Yeah, that’s helpful.
The HIPAA cybersecurity world waited all year for HR 7898 regulations that would have provided more details and fewer acronyms. The regulations have yet to be issued. All the same, HHS has given us a pretty decent hint of what constitutes Section 405(d) “recognized security practices.” HHS put its cards on the table in early December of 2021, by issuing its “HHS 405(d) Aligning Health Care Industry Security Approaches” guidance.
This guidance offers a main document, two technical volumes, and resources and templates, for small, medium, and large healthcare organizations. A key component of the guidance is its “10 Best Practices” to improve cybersecurity.
These best practices cover the following areas:
- Access Management
- Asset Management
- Cybersecurity Policies
- Data Protection & Loss Prevention
- Email Protection Systems
- Endpoint Protection Systems
- Incident Response
- Medical Device Security
- Network Management
- Vulnerability Management
The HIPAA 2022 crystal ball predicts the eventual regulations will incorporate this guidance in some fashion.
HIPAA 2022: The Union of the State(s)
Several states have enacted their own “safe harbor” legislation in the same spirit as HR 7898.
Utah’s Cybersecurity Affirmative Defense Act, signed into law in March of 2021, provides an affirmative defense for companies that create, maintain, and reasonably comply with a written cybersecurity program, but that are nonetheless victims of a data security breach. Utah requires that the written cybersecurity program “conform to a recognized cybersecurity framework.”
Utah considers the following to be recognized cybersecurity frameworks:
- NIST special publication 800-171;
- NIST special publications 800-53 and 800-53A;
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
- The Center for Internet Security Critical Security Controls for Effective Cyber Defense; and
- The ISO 27000 family of standards.
To avail itself of the affirmative defense, the company must also provide administrative, technical, and physical safeguards to protect personal information; and, the program must be appropriately scaled for a company’s size, scope of activities, and sensitivity of information. Finally, the written program must be a “reasonable security program,” which the law describes as including, among other things, practices and procedures to detect, prevent, and respond to breaches, including by conducting security risk assessments.
If the company takes all of these measures, it then has an affirmative defense in court against the following three claims:
- Failure to implement reasonable information security controls;
- Failure to appropriately respond to a breach; and
- Failure to appropriately notify individuals whose personal information was compromised.
Next up with its safe harbor law is Connecticut. Connecticut’s “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (in English, HB 6607) was signed into law in July of 2021.
If a company complies with HB 6607, Connecticut courts may not assess punitive damages against it in a data breach case. Like the Utah law, HB 6607 requires companies to create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that conforms to an industry-recognized cybersecurity framework.
Connecticut considers the following to be “industry-recognized cybersecurity frameworks”:
- The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology;
- NIST special publication 800-171;
- NIST special publications 800-53 and 800-53A;
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
- The Center for Internet Security Critical Security Controls for Effective Cyber Defense; and
- The ISO 27000 family of standards.
The HIPAA 2022 crystal ball predicts that more states will adopt safe harbor legislation.
HIPAA 2022: Weeding Out Cannabis Dispensary Noncompliance
In 2021, Illinois’ main cannabis regulator – the Illinois Department of Financial and Professional Regulation – announced that medical and co-located marijuana dispensaries in Illinois must protect patient information in accordance with the HIPAA Privacy and Security Rules. Dispensaries are required to perform a complete HIPAA security risk assessment by December 1, 2021. To become HIPAA compliant, dispensaries are required to administer a comprehensive risk analysis (at least annually), conduct risk management, conduct employee training (at least annually), and implement updated policies and procedures annually, to safeguard protected health information (PHI).
The HIPAA 2022 crystal ball predicts that Illinois-style HIPAA cannabis regulations will crop up in multiple states.
HIPAA 2022: The Fines That Bind
In 2021, the Office for Civil Rights resolved twelve HIPAA right of access cases. OCR entered into a settlement agreement (consisting of a monetary payment and the imposition of a corrective action plan) with 11 providers and imposed a civil monetary penalty on an elusive twelfth provider. Back in 2019, OCR announced its intention to “vigorously enforce” the HIPAA right of access. Two right of access resolutions followed later that year, 11 more followed in 2020, and 12 followed in 2021. The message, by now, should be obvious: Neither rain nor snow nor COVID nor a change in presidential administrations will keep OCR from enforcing the right of access initiative. Even a HIPAA 2022 broken clock can make this prediction with confidence.
HIPAA 2022: Brave New World
In the HIPAA world, Christmas perennially arrives early for fitness and other health apps that are neither covered entities nor business associates. No matter how much health information these apps collect, they are not subject to HIPAA rules and regulations; only covered entities and business associates are.
In September of 2021, these apps got a lump of coal from a different, related arm of the federal government – the Federal Trade Commission (FTC). The FTC issued a policy statement clarifying that vendors of personal health records, including health and fitness apps, must notify consumers and the FTC when a data breach occurs, under the FTC’s Health Breach Notification Rule. That rule was issued specifically to ensure that companies beyond HIPAA’s reach are still held responsible for breaches of identifiable health information. HHS’s HIPAA Breach Notification Rule and the FTC’s rule thus work in concert: between them, a breach of identifiable health information triggers a notification duty whether or not the entity holding the data is a HIPAA covered entity or business associate.
The HIPAA 2022 projectionist is speaking loud and clear: Government regulations will never completely fail, so long as they have friends.