June 13, 2021

Volume XI, Number 164

Hitting the Reset Button: NIST Seeks Comments on Version 2.0 of HIPAA Security Rule Compliance Guidance

Cyber threats and cybersecurity controls have evolved significantly over the two decades since the HIPAA Security Rule was originally promulgated. During this same time, healthcare entities have increasingly become a prime target of hackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other nefarious ways. Recognizing these challenges, some security professionals have sought further clarity on a HIPAA Security Rule that they deem to be “long in the tooth”. Yet regulators have not made any significant modifications – perhaps driven by the original policy considerations of the HIPAA Security Rule that: “the standard should be comprehensive and coordinated to address all aspects of security”; that it be “scalable, so that it can be effectively implemented by covered entities of all types and sizes”; and that it “not be linked to specific technologies, allowing covered entities to make use of future technology advancements.”

As we previously discussed, the HITECH Act was recently modified to require that HIPAA regulators take into account “recognized security practices” in the context of investigation and enforcement actions. One such source of “recognized security practices” has historically been the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Yet, this NIST guidance also appears to be “long in the tooth” as it was issued nearly 13 years ago in October of 2008.

In the absence of significant regulatory changes to the HIPAA Security Rule, NIST has called for comments from healthcare industry stakeholders on how to revise SP 800-66. This will help clarify what “recognized security practices” are in today’s highly digitized, increasingly distributed and technology-driven world. NIST’s move brings its considerable cybersecurity expertise and resources to bear on updating the guidance to address the current cybersecurity threat landscape that healthcare entities face.

Chiefly, NIST seeks to update the guidance to:

  • Increase awareness of relevant NIST cybersecurity resources,

  • Increase awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and

  • Provide HIPAA Security Rule implementation guidance that reflects the current cyber threat landscape and best practices.

NIST is encouraging comments on stakeholder experiences leveraging SP 800-66 in practice in an effort to identify gaps in the guidance. NIST is also curious to hear from stakeholders who found the guidance not to be applicable to their organization in order to determine ways to make it more useful, relatable, and actionable. Specifically, NIST is seeking information on useful tactics, tools, resources, and techniques that stakeholders have leveraged in their compliance efforts including, but not limited to:

  • managing both practical and compliance aspects of security,

  • assessing risks to ePHI such as determining if security measures are effective, and

  • documenting adequate implementation for purposes of compliance.

To gain out-of-the-box perspectives, NIST is also seeking comment on any recognized security practices that stakeholders employ which diverge from compliance with the HIPAA Security Rule. While stakeholders may not want to go on the record describing how their own security practices “diverge” from the HIPAA Security Rule, they may more generally discuss industry practices. In that regard, these comments may be the most interesting of all, as they will illustrate whether practical security has diverged in a way that requires regulators to revisit the HIPAA Security Rule.

NIST encourages submission of comments here through June 15, 2021. Feel free to contact EBG’s Privacy, Cybersecurity, and Data Asset Management Team if you are interested in developing and submitting comments to shape what will likely constitute “recognized security practices” for the foreseeable future.

©2021 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XI, Number 126
About this Author

Alaap B. Shah, Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Patricia M. Wagner, Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.
