Healthcare organizations continue to be prime targets of cyberattacks. It is well-established that cyberattacks can lead to financial loss, reputational damage, and, in some cases, risks to patient care and safety. The recent and well-publicized cybersecurity incident affecting Change Healthcare further evidences these risks. As a result of the widespread and disruptive impact of this most recent cyberattack on the healthcare ecosystem, on March 5, 2024 the U.S. Department of Human Services (HHS) issued a public statement and has also announced that it opened an investigation.

In light of these growing threats and potential disruptive impacts on the healthcare industry, HHS’ 2024 agenda continues to encourage compliance with cybersecurity and privacy regulations through a variety of mechanisms. As of the first quarter of 2024, specific efforts include issuance of updated guidance from HHS and the National Institute of Standards and Technology (NIST), changes to existing regulations, and leveraging investigatory and enforcement authorities.

Updated Guidance

As a foundational step, HHS ended 2023 by issuing a Healthcare Sector Cybersecurity concept paper. Soon after on January 24, 2024, HHS introduced its Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs), and launched a gateway website to assist organizations with implementation. The HPH CPGs outline specific measures to assist healthcare organizations, including small- and medium-sized organizations, in implementing baseline safeguards to address common vulnerabilities (Essential Goals), and help healthcare organizations mature their cybersecurity capabilities to reach the next level of defense (Enhanced Goals). HPH CPGs fit within existing Health Industry Cybersecurity Practices (HICPs) and address controls outlined in NIST Special Publication 800-53 (NIST SP 800-53), Security and Privacy Controls for Information Systems and Organizations. While the HPH CPGs provide foundational practices to enhance cyber preparedness and resilience, they are voluntary in nature, and do not replace the obligation to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. However, in its concept paper, HHS has indicated its intention to work with Congress to establish incentives to “encourage all hospitals to invest in advanced cybersecurity practices to implement ‘enhanced’ HPH CPGs.” In the meantime, it is important to note that state lawmakers explore ways to bolster cybersecurity as well, as we previously discussed here.

In February 2024, NIST also finalized its long-awaited update: “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”, SP 800-66r2. NIST’s guide to implementing the HIPAA Security Rule, originally published in 2005 and previously updated in 2008, offers practical guidance on evaluating and addressing organizational risks. The recently released guidance includes updates to account for changes in technology, including cloud computing, mobile devices, and tracking technology, as well as the increased sophistication of threat actors. The NIST update also includes a robust appendix containing a litany of HIPAA Security Rule Resources that Covered Entities and Business Associates can leverage in their compliance efforts.

Compliance Audits

The HHS, Office for Civil Rights (OCR) is taking initial steps to begin its next round of audits as required by the Health Information Technology for Economic and Clinical Health Act (HITECH), which calls on HHS to periodically audit HIPAA-covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Specifically, on February 12, 2024, OCR issued a proposed Information Collection Request (ICR), seeking comments on the effectiveness, and burden estimate, of past audits. If the ICR proceeds, OCR will focus on collecting feedback from the 207 Covered Entities and Business Associates that were previously part of the HIPAA Audits conducted between 2016-2017. If your organization was the subject to those prior audits, consider providing feedback by April 12, 2024 to the contacts listed in the ICR.

Regulatory Changes

On February 16, 2024, HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and Office for Civil Rights (OCR), issued a Final Rule updating 42 CFR part 2 (Part 2), Confidentiality of Substance Use Disorder (SUD) Patient Records (the Final Rule). The Final Rule more closely aligns certain Part 2 requirements with HIPAA Rules, and it clarifies certain existing Part 2 permissions and restrictions to improve the ability of entities to use and disclose Part 2 records. Notably, as described in HHS’s press release, the Final Rule “permits use and disclosure of Part 2 records based on single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations,” and “outlines new breach notification requirements.” Although the Final Rule is set to become effective on April 16, 2024, SUD providers have until February 16, 2026, to achieve compliance. 

Investigations and Enforcement

OCR recently settled a high-profile investigation demonstrating its intent to hold healthcare organizations accountable for security compliance. On February 21, 2024, OCR announced a settlement with a Maryland-based provider based on a ransomware attack resulting in the encryption of patient records, impacting over 14,000 individuals. This was the second-ever ransomware settlement for OCR. In its press release, OCR alleged that the provider failed to implement security measures to reduce risks and vulnerabilities and further failed to have sufficient monitoring of its health information systems. The settlement amount was $40,000, and the corrective action plan requires monitoring by OCR for a period of three years. As ransomware attacks continue to plague healthcare companies, it is important to know that regulators investigating ransomware-related breach reports will continue to employ their enforcement authority when such breaches may result, in part, from security failings of the HIPAA-subject entity.

Moving Forward

As these developments demonstrate, the first quarter HHS activity in 2024 continues to emphasize cybersecurity. Accordingly, it is imperative for healthcare organizations to conduct thorough assessments of their privacy and security programs, ensure compliance with evolving privacy and security standards, stay on top of enforcement trends, and recognized security best practices for the healthcare industry in the context of the shifting threat landscape.