April 21, 2019

April 19, 2019


New Cybersecurity Guidance for the Health Care Industry (and Last Call for HIPAA Rule Comments)

We discuss below two important updates impacting the health care industry.

Important New Cybersecurity Guidance for the Health Care Industry

The US Department of Health and Human Services (HHS) has released an important new set of cybersecurity guidance documents for health care organizations of all types and sizes. Created by a task group composed of cybersecurity and health care industry representatives from the public and private sectors, the guidance provides voluntary, consensus-based guidelines and best practices intended to "significantly move the needle" on five prevalent cybersecurity threats: e-mail phishing attacks; ransomware attacks; theft or loss of equipment or data; insider (accidental or intentional) data loss; and attacks on connected medical devices.

The guidance then recommends 10 cybersecurity practices that experts agree are effective in mitigating these threats:

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

Helpfully, there are separate "technical" volumes (intended for information technology and security professionals) tailoring the 10 recommended cybersecurity practices to small organizations (such as a sole practitioner physician) and medium and large health care organizations (such as a sophisticated academic medical center), in an effort to make the information more actionable to organizations with varying levels of complexity and resources. There is no one-size-fits-all solution to cybersecurity, and the practices are presented as recommendations. These practices align with the outcomes listed in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The guidance is not intended to introduce new regulatory requirements, and implementation of the recommendations does not guarantee compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or other laws. However, the guidance is intended to (and no doubt will) push the industry toward greater consistency in how these critical cyber threats are addressed. Organizations should carefully review the guidance in the context of their overall cybersecurity program.

To obtain a copy of the guide, titled "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients," please click here.

Want to Improve HIPAA? HHS is Accepting Public Comments Until February 12

HHS's Office for Civil Rights (OCR) is continuing to accept feedback from the public, via a Request for Information (RFI), on how to improve HIPAA's Privacy and Security Rules (the HIPAA Rules)[1] in order to better promote coordinated, value-based health care and improve the process for sharing information.[2]

In particular, the RFI seeks recommendations on how to improve the HIPAA Rules generally, and also focuses on specific areas, which include:

  • Promoting information sharing for treatment and care coordination and/or case management;
  • Encouraging the sharing of treatment information with parents and caregivers of adults facing health emergencies—especially related to the opioid crisis;
  • Implementing the accounting of disclosures from an electronic health record for treatment, payment and health care operations; and
  • Eliminating or modifying the requirement for health care providers to obtain a patient's written acknowledgment of receipt of the Notice of Privacy Practices.

To obtain a copy of the RFI, please click here.

1. See Department of Health and Human Services, Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, 83 Federal Register No. 240, 64302 (December 14, 2018).

2. See HHS Press Release, HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules (December 12, 2018).


©2019 Katten Muchin Rosenman LLP

About this Author

Doron S. Goldstein, Partner, Intellectual Property (Katten Muchin Rosenman LLP)

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

212-940-8840
Megan Hardiman, Partner, Health Care (Katten Muchin Rosenman LLP)

Megan Hardiman draws on her broad regulatory background to advise clients on complex health information privacy issues, tax-exempt organization compliance issues, including maintaining tax-exempt status, IRS Form 990 reporting issues and best practices for executive compensation, state fee-splitting and corporate practice of medicine prohibitions and fraud and abuse compliance.

Megan devotes a significant portion of her practice to helping health care companies and business associates understand and meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA).  Megan's depth of knowledge of HIPAA and state privacy laws helps her clients mitigate risk in today’s enhanced enforcement environment.

312-902-5488
Cheryl Camin Murray, Partner, Health Care (Katten Muchin Rosenman LLP)

Cheryl Camin Murray advises providers, financial institutions and other businesses on entity formation, structural, contractual and health care regulatory issues.

Cheryl counsels clients on how to structure arrangements and transactions in compliance with the Anti-Kickback Statute, Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH Act) and Stark Law, as well as on how to comply with state and other federal health care laws and regulations. She regularly handles...

214-765-3678