HHS' latest proposed HIPAA Security Rule, published Jan. 6, would mandate several changes to the way health care providers protect patient information. Part B News asked Brad Moody, CIPP/US, co-chair of the data breach response practice at Nelson Mullins Riley & Scarborough LLP in Jackson, Miss., for some clarity on the 393-page proposal.
Question: It seems many if not most of these proposed changes are semantic and legalistic – an impression supported by statements like “many regulated entities would benefit from additional instruction in regulatory text regarding their compliance obligations.” This seems to imply HHS is mainly telling them to do what they were supposed to be doing already. What do you think?
Answer: I don’t think the changes are just semantic. HHS is concerned that organizations have been more focused on “paper compliance” than on implementing and testing safeguards. The proposed rule aims to force implementation of more security measures. For example, HHS plans to insist on encrypting all ePHI with a few limited exceptions. That is a significant change, as encryption is currently an addressable issue.
Question: What are some of the big lifts in this rule? For example, do the “technology assets” and “network map” requirements qualify?
Answer: My experience is that it will be a change for a lot of organizations. I think most organizations know what’s in their EHR, but data mapping throughout a network is typically not a priority for organizations.
[The requirement to recover] electronic systems within 72 hours of a ransomware attack is a big ask. In my experience, safely recovering within 72 hours is not feasible even when viable backups are available. It can take at least 72 hours just to contain an attack and deploy monitoring software to ensure the environment is safe for restoring.
Another significant change is the requirement for business associates to report major security incidents to covered entities within 24 hours. This change is understandable to mitigate the risk of threats spreading to other environments. However, the concern is that OCR [HHS' Office for Civil Rights] may ultimately find that the 24-hour notice triggers the 60-day breach reporting requirement for a covered entity even if a business associate does not know whether PHI has been compromised.
Question: Do you think this rule will be finalized in an altered state, or at all, by the Trump administration?
Answer: This rule doesn’t address politically sensitive issues like reproductive health. I predict the rule will get finalized subject to changes based on meaningful input from the comment process.