By Beth Neal Pitman, Eddie Williams III and Shannon Britton Hartsfield
Holland & Knight
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has, as part of its mandate, the responsibility to enforce the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. For HIPAA covered entities and business associates that have not dusted off their HIPAA Security Rule compliance programs in a while, now is an excellent time to make sure that their risk analyses and policies and procedures are up to date.
Website Tracking Tools
Some HIPAA-regulated entities are still scrambling to address OCR guidance regarding website tracking tools and the wave of litigation brought against companies that use pixels and other tracking tools on their healthcare-related websites. Increasingly, vendors are willing to sign HIPAA business associate agreements to enable regulated entities to include certain website features without running afoul of HIPAA. Designing websites that are user-friendly and allow easy interaction with the public while avoiding the use of certain tracking tools remains challenging. OCR will pay close attention to how HIPAA-regulated entities are assessing and managing risks to PHI associated with uses of technology on websites.
Security Rule Changes on the Horizon
OCR Director Melanie Fontes Rainer indicated recently in an interview with the Information Security Media Group that the HHS has proposed regulatory revisions in the works related to the HIPAA Security Rule. She indicated that OCR is working to have the proposed regulations completed by the end of the year. She observed, “I think the beauty of the HIPAA Security Rule is that it’s 20 years old, it’s technology neutral, and it’s scalable, so we’re still able to use it and enforce the law vigorously. The downside of the HIPAA Security Rule is that it’s 20 years old and doesn’t reflect how we receive healthcare today, so that’s why we’re taking a look at it to make sure we’re building into it practices we know like end-to-end encryption, things like that, to think about in the state of healthcare.” She noted that breaches are becoming larger and so much of what we do is online, so the Security Rule needs to be updated to reflect changes that have come about in the past two decades.
Risk Analyses
Rainer also said that OCR is making HIPAA Security Rule compliance an enforcement priority, and a HIPAA risk analysis initiative was announced last year. She noted that covered entities frequently do not have a risk analysis on the front end. OCR has provided extensive technical assistance regarding this requirement. In hacking incidents resulting in OCR enforcement actions, OCR identified the lack of a security risk analysis, the failure to implement and adopt security risk management plans, and the absence of appropriately performed analyses as significant deficiencies contributing to cybersecurity incidents and breaches. Rainer pointed out that OCR sees both failure to perform an appropriate security risk analysis and failure to implement and follow a security risk management plan based on a risk analysis as frequent occurrences in OCR enforcement actions. She also noted that OCR will focus on enforcement actions that will provide education to regulated entities regarding the security risk analysis and management requirements.
Could a HITECH Audit Be in Your Future?
According to Rainer, “OCR’s budget has been flatlined for a long time,” and there are only two investigators per state. With limited resources, OCR is trying to drive voluntary compliance. OCR has, most recently in 2017, engaged in an auditing process authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH). She said OCR has reopened the HITECH audit program and plans to “initiate audits of HIPAA-regulated entities later this year.” Impending HITECH audits will focus on the Security Rule and, specifically, on security risk analyses and risk management.
Beth Neal Pitman is a partner in Holland & Knight’s Birmingham, Alabama, office. Eddie Williams III and Shannon Britton Hartsfield are partners in the firm’s Tallahassee, Florida, office.