The National Institute of Standards and Technology is seeking public comment as it plans to update its 2008 guidance for implementing the HIPAA Security Rule, which went into effect about 20 years ago.
Meanwhile, regulatory experts are debating whether the rule itself needs an update.
NIST is accepting comments through June 15 on updates designed to provide education about information security terms used in the HIPAA Security Rule, amplify awareness of relevant cybersecurity guidance from NIST and others and illustrate how to implement the rule in the current environment.
“Recognizing that covered entities and business associates have diverse ways of implementing the HIPAA Security Rule, NIST is soliciting feedback about how organizations are implementing the [current] resource guide, its application and its use in practice,” NIST says.
“NIST’s cybersecurity resources have evolved since SP 800-66, Revision 1 … and stakeholders will benefit from guidance that includes references to these updated resources,” the agency notes.
Once comments have been reviewed, NIST will release a draft of its updated HIPAA Security Rule guidance and will again solicit comments before finalizing the document.
NIST is asking covered entities and business associates to describe how their organizations:
- Manage compliance and security simultaneously – for example, complying with the HIPAA Security Rule while also improving cybersecurity posture;
- Assess risk to electronic protected health information – and how this assessment leads to the identification of appropriate security controls and practices;
- Determine that security measures implemented in accordance with the security rule are effective in protecting ePHI and how often they initiate a process to determine effectiveness;
- Manage concerns, including ePHI disclosures, regarding business associates’ compliance with the security rule;
- Facilitate internal and external communication about security rule implementation and compliance.
NIST is also asking organizations if they implement “recognized security practices” and how they document the process of demonstrating adequate implementation. Plus, it’s asking them to describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule.
NIST notes that legislation signed into law in January allows the Department of Health and Human Services “to reduce fines and penalties for violations of certain federal privacy standards for health information if an entity subject to those standards has adopted particular cybersecurity practices.” (See: The Final HIPAA Actions Under Trump Administration).
Time for a Rule Update?
Some security experts are debating whether it’s time to update the HIPAA Security Rule itself – and not just the NIST guidance.
“The HIPAA Security Rule is a very process-oriented rule, by intent,” says privacy attorney Kirk Nahra of the law firm WilmerHale.
“It addresses ways to think about and approach security, rather than identify specific standards to follow. That means that, from my perspective, it is in many ways a perfect rule that does not need to be updated in its language – the [compliance] process must be updated regularly by any covered entity or business associate, but that ‘updating’ is already incorporated into the rule.”
NIST is trying to give organizations “a way to turn the HIPAA process into reality – to move from process to substance,” with updated guidance, he contends.
If HHS were to consider changes to the HIPAA Security Rule, “I would only caution them as they move through the process of evaluating potential changes to keep the idea of the HIPAA Security Rule as it is, and not to turn a broad process that is flexible and scalable to adjust to the wide volume of different kinds of entities regulated by HIPAA into something more specific and less flexible,” Nahra says.
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC, says revisions in the HIPAA Security Rule “may depend on the outcome of action in Congress to set national standards for privacy and/or cybersecurity. While changes in how the healthcare sector uses technology to create and maintain e-PHI provide ample justification to support an update to the security rule, substantive efforts are likely frozen unless and until the outcome of the debate in Congress.”
But Holtzman argues that the time has come to “bring the HIPAA Security Rule into the 21st century.”
“The definitions, standards and implementation specifications of the HIPAA Security Rule are virtually unchanged since first proposed in August 1998,” he says. “While the fundamental approach to developing and implementing a risk management framework to protect e-PHI has remained constant, the technologies that create and maintain the confidentiality, integrity and availability of e-PHI have evolved beyond the imagination of the authors of the security rule.”
Proposed Privacy Rule Changes
Meanwhile, HHS’ Office for Civil Rights in January published in the Federal Register proposed changes to the HIPAA Privacy Rule.
The proposed changes – first announced in December – aim to improve information sharing for care coordination and strengthen individuals’ rights to access their own health information.