Early last month, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights published a proposed rule seeking comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information, commonly known as the “Security Rule.” The proposed changes aim to address modern breach and cybersecurity risks to electronic protected health information (ePHI) and the deficiencies HHS commonly observes in Security Rule compliance investigations. They also incorporate current industry best practices and court decisions affecting enforcement of the Security Rule.
The relevant provisions are summarized below.
Technology Asset Inventory & Network Map
The proposed standards would require regulated entities to develop and maintain a technology asset inventory and a network map that illustrates the movement of ePHI through the entity’s electronic information systems. Both must be reviewed and revised on an ongoing basis, at least every 12 months, and after any change to the regulated entity’s environment or operations that may affect ePHI.
Risk Analysis
The changes specify in greater detail how a risk analysis must be conducted. It must include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI; identification of potential vulnerabilities and predisposing conditions in the regulated entity’s relevant electronic information systems; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
Annual Security Rule Compliance Audits
HIPAA-regulated entities will be required to conduct a HIPAA Security Rule compliance audit at least every 12 months.
Contingency Planning & Security Incident Response
The modifications would require regulated entities to establish written procedures for restoring electronic information systems and data within 72 hours; analyze the relative criticality of electronic information systems and technology assets to establish the order in which they will be restored; establish written security incident response plans and procedures describing how workforce members report potential or known security incidents and how the entity will respond; and implement written procedures for testing and revising those incident response plans.
Notification Requirements
Certain regulated entities must be notified within 24 hours when a workforce member’s access to ePHI or to certain electronic information systems is changed or terminated. Business associates must notify covered entities when they have activated their contingency plans, without unnecessary delay and no later than 24 hours after the contingency plan has been activated.
Annual Verification of Business Associates’ & Contractors’ Technical Safeguards
At least every 12 months, business associates must have a subject matter expert verify that they have deployed the technical safeguards the Security Rule requires to protect ePHI. Business associates’ contractors must provide the same verification to the business associates they serve.
It is unclear whether the Trump administration will preserve this proposed update to the Security Rule or issue its own proposal. ACR/ARP members should email the ACR’s advocacy team at [email protected] with any questions and comments they may have. We will monitor the rule’s implementation and serve as an educational resource for members on its provisions and the impact they will have on rheumatology.