Updates to the Health Insurance Portability and Accountability Act Security Rule (“HIPAA Security Rule”) are planned for Spring 2024. New guidance from the Department of Health and Human Services (“HHS”), issued in a recently released Concept Paper, confirms plans to update the HIPAA Security Rule; additionally, the Centers for Medicare and Medicaid Services (“CMS”) will propose new cybersecurity requirements for program participants.[1] These proposed updates are in line with current White House strategic objectives. You may remember that last March, the White House unveiled the President’s National Cybersecurity Strategy.[2] In it, the President identified protection of systems deployed in Critical Infrastructure as a top priority. Healthcare and the Public Health Sector is a Critical Infrastructure Sector that HHS has the duty under Presidential Policy Directive 21 to oversee.[3] The effects of these coming changes will be felt by healthcare providers, payers, and all companies with a business nexus to the healthcare market.
One of the most valuable takeaways from the National Cybersecurity Strategy was that it signaled a clear intent to shift the burden of cybersecurity from the end users of technologies deployed in Critical Infrastructure Sectors to the owners and operators of those end user technologies. Updating the HIPAA Security Rule and new cybersecurity requirements for CMS program participants will clearly achieve that result. The HIPAA Security Rule, found under C.F.R. Part 160 and Subparts A and C of Part 164, requires that Covered Entities maintain appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (“ePHI”). While the Concept Paper did not provide specifics, we expect to see a hardening of the requirements. Additionally, these new requirements could greatly expand the enforcement capabilities of regulators. A paradigm shift is underway: future regulations and enforcement efforts will target the entire stream of commerce of technologies deployed in healthcare, from their manufacturers, sellers, and service providers to the healthcare providers and payers using them. Put more simply, if you access, process, transmit, or store ePHI, you could have a new target on your back.
What specifically did HHS say in the Concept Paper, and why should it matter to healthcare companies? In the Concept Paper, HHS revealed that it is currently developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (“HPH CPGs”). However, don’t let the word “voluntary” lull you into inaction. HHS also stated that the HPH CPGs will be utilized by CMS to propose new cybersecurity requirements for hospitals and participants in the Medicare and Medicaid programs. Further, and equally consequential, HHS confirmed that the HHS Office for Civil Rights (“OCR”) will begin an update to the HIPAA Security Rule in Spring 2024.
Employing a “wait and see” approach until Spring 2024 is not an advisable strategy. Changes in legal requirements are coming. Privacy, security, and compliance teams will be tasked with responding during this ongoing period of change. We recommend that organizations start by ensuring they can demonstrate the implementation of Recognized Security Practices (“RSPs”). The January 2021 amendment to the HITECH Act created a safe harbor whereby OCR, in its discretion, could reduce fines or terminate altogether a HIPAA-related investigation if the organization under investigation could demonstrate that it had RSPs in place for at least the previous twelve (12) months.[4] The HPH CPGs and any new requirements and enforcement strategies will likely share plenty of common ground with RSPs. Additionally, changes to OCR’s expectations of what constitutes appropriate administrative, physical, and technical safeguards for ePHI under the HIPAA Security Rule will undoubtedly incorporate RSPs as well. If the incentive to have OCR mitigate fines or terminate a HIPAA-related investigation entirely was not enough, the further evolution of RSPs and their cross-pollination into the new HPH CPGs and ensuing updates to HIPAA should be.
Below are some specific actions organizations should take to prepare for the upcoming changes:
- Recognized Security Practices. Organizations should at a minimum be able to show that they have operationalized recognized security practices appropriate to the sophistication of their business for at least the last twelve (12) months. If not, then getting RSPs in place as soon as possible should be the priority. Next, does your organization have a dedicated resource responsible for implementing and updating RSPs? That is another crucial component to address.
- Vendor Contract Requirements. Any changes to the HIPAA Security Rule and changes to cybersecurity requirements for CMS program participants will likely impact terms within Business Associate Agreements, Information Security Agreements, Data Use Agreements, or any agreements that contain terms covering the accessing, processing, transmitting, or storing of ePHI and other sensitive data. Organizations should consider what those impacts might be and start addressing any gaps in their terms sooner rather than later.
Note, this is not intended to be a comprehensive list. For additional information or to learn more about the proactive steps your organization can take, please contact the authors.
[1] U.S. Dept. Health and Hum. Serv., HHS Announces Next Steps in Ongoing Work to Enhance Cybersecurity for Health Care and Public Health Sectors (December 6, 2023), available at HHS.gov
[2] The White House, Off. Of the Pres., Biden-Harris Administration Announces National Cybersecurity Strategy (March 1, 2023), available at whitehouse.gov
[3] The White House, Off. Of the Press Sec., Presidential Policy Directive/PPD-21 (February 12, 2013), available at cisa.gov
[4] H.R. 7898, Public Law 116-321, Vol. 166 (2020), enacted Jan. 5, 2021
- Senior Associate
Kurtis M. Huston is a Senior Associate in the Tampa office of Shutts & Bowen LLP, where he is a member of the Corporate Practice Group, with a focus on health care.
Kurtis has experience advising clients doing business in the health care ...
- Partner
Timothy E. Monaghan is a Partner in the West Palm Beach office of Shutts & Bowen LLP, where he is a member of the Health Care Practice Group.
Tim has practiced health law for over thirty (30) years and represents healthcare providers in a ...
- Partner
Ella A. Shenhav is a partner in the Tampa office of Shutts & Bowen LLP, where she is a member of the Business Litigation Practice Group. She is a Certified Information Privacy Professional (CIPP/US), accredited by the International ...