S3 E2: Proposed HIPAA Security Rule Updates
Transcript
Jordan Eisner: Hello, everybody, and welcome back to Compliance Pointers. This is Season 3, Episode 2. I’m joined again by our favorite healthcare expert, Carol Amick.
Hey, Carol.
Carol Amick: Hello, how are you doing?
Jordan Eisner: Pretty good. Excited, maybe, is the word to talk about this HIPAA Security Rule, these proposed changes. It seems from what I read, now you’re going to correct me on that, but there’s some significant changes in there. I think some of the stuff is maybe a little bit more of what’s been proposed before.
And then, of course, got to caveat all of it with "it's proposed." So, it might not necessarily be in place, or at least not all portions of it.
But before we get into that, I want to remind our listeners that this podcast, Compliance Pointers, is put on by the company, CompliancePoint, that Carol and I both work for. So Carol is the director of our Healthcare services. You’ve been with the company, I want to say, definitely over five years.
Carol Amick: I’m actually at eight, so yeah.
Jordan Eisner: You’re at eight? Maybe when we started doing this, you were just over five, I guess that makes sense. Season three. I got to keep up with the times.
And I am the VP of sales at CompliancePoint and the host of Compliance Pointers podcast. And for those of you unaware, CompliancePoint helps organizations with a variety, really, of data risk items, I would say. So, PHI being the topic today, but we also help organizations with regulations that pertain to PII, such as GDPR, US State Privacy Law, and that law that continues to emerge. Other select data sets, PCI, payment card information, but really, it’s about good data stewardship and we help organizations with appropriate risk management and maturity around operations with safeguarding that on behalf of their partner organizations and clients and vendors, but also on behalf of consumers like you, maybe listening to this.
So, we will dive right into a little background on Carol. She’s got 20-plus years in the healthcare industry. She’s worked on the client side. She’s worked in the healthcare system. She’s worked in the government. She’s worked for big consulting firms. And now we’ve been lucky enough to have her for coming up on eight years at CompliancePoint, heading up our healthcare group that works with organizations primarily on HIPAA and also an information security framework called HITRUST, but other areas here and there as well.
So, we’re going to be talking about the HIPAA security rule and some of the proposed updates to it. We put a blog post out on January 6th. You can find that on our website, CompliancePoint.com. Carol, I read the blog post a little bit. Like I said at the top of the podcast, some interesting things in there. So, we’re going to dive into it.
Let’s start with, it’s been over 10 years since the rules have been updated. Is that correct?
Carol Amick: Yeah, really the security rule has not been updated since 2013. And during that time, you've seen a huge increase in breaches, large breaches, and the number of affected individuals. The press release from the Office of Civil Rights said that they measured a 102% increase in the number of large breaches between then and now and over a 1,000% increase in the number of affected individuals.
And just this year, we saw one breach, just last year, I guess 2024, one breach that affected at least one-third of the United States. And I think that number may still be low. So, it’s obviously this data is highly sought after.
Jordan Eisner: I saw that 167 million people were affected.
Carol Amick: Yeah. You haven’t gotten your letter, you probably will.
Jordan Eisner: Probably more. Yeah, my wife's letter came a few months after mine. My wife doesn't work in the industry at all, right? So ignorance is bliss on some of this, and she goes, do you know about this? This Change Healthcare thing? I said, yeah, I know about it.
Carol Amick: Yeah, it’s a big one.
Jordan Eisner: Okay, so what jumps out to you then in the proposed changes? Some of it was to me, you know, doing and working with our data privacy group when you talk about asset inventory and network mapping. Yeah, I saw some of that here on PHI. Maybe that’s existed before and I didn’t know. One thing that stood out to me was the proposed you might need to show maps of the flow of PHI within your organization. What about you? You’ve been working this for a while, what stood out to you?
Carol Amick: Well, there are a couple things. One that jumps out, you know, we work in cybersecurity. I mean, work with clients that are generally more proactive. And so a lot of these are things that they’re probably already doing.
I mean, this is not, you talked about the HITRUST standard we audit against. This is not an incredibly strict list and a tough standard that the Office of Civil Rights is putting out for this security. These are things that really, I think you and I would probably consider a lot of them cybersecurity basics.
You’re right, the data mapping, but you would be surprised how many people don’t necessarily know where their data is going.
The other thing I saw that I thought was guidance that was helpful to organizations was risk assessment guidance. One of the things that you consistently see in the Office of Civil Rights audit reports and their findings and their fines and penalties is failure to do a risk assessment. And they’ve kind of given you more guidance now on what they want to see in that and what they expect you to be doing, which I think will help people who have not been doing that.
Another was vul/pen testing. We do a lot of vul/pen testing for a lot of clients, but it is not necessarily widespread in healthcare because it hasn’t been required.
Jordan Eisner: Yeah, and even every six months, that’s not a rule.
Carol Amick: They took away some excuses, and I'll give you an example. In the current security rule, encryption is what they call addressable, which means you only have to do it if it's easy to do or something. In 2013, encryption was a giant undertaking. So yes, it was addressable. You decided where you wanted to encrypt and you did that, but you didn't necessarily do what we do now, which is every laptop should be encrypted. Everything should be encrypted. Encryption is now affordable and easy to implement. So they're saying we aren't going to have addressable. It's going to be required.
And I think they've had an issue where somebody got out of a major fine by claiming that it was addressable, and they're going to take that away from you.
Jordan Eisner: Well, laptops being encrypted and the data actually being encrypted at rest and in transit are a little different.
Carol Amick: Yeah, but I think you’ve got to start encrypting everything. I mean, everything that they’re saying, if you’ve got data, if you’ve got evidence, I mean, a lot of people working in healthcare have on their laptop, PHI for various reasons. And so, you know, that needs to be encrypted. Even if it’s accidentally on there, it needs to be encrypted.
Jordan Eisner: Well, I just thought the cadence of every six months of vulnerability scanning, okay, that’s fine. Maybe they’re proposing, but it should be really more often. PCI says quarterly and that seems outdated.
Carol Amick: You got to start somewhere though. I mean, I would say you would probably be really surprised how many health organizations have not done that at all or, at best, are doing it once a year.
Jordan Eisner: Well, and this is probably an impossible question, but talk a little bit about the, you know, the teeth, the bite behind this, because my understanding is these sort of penalties, they're notoriously taking a long time, the investigation is taking a long time. If these proposed changes go into place, should organizations feel that, you know, there's going to be more scrutiny, there's going to be more eyes on, there's going to be more penalties if they don't cooperate?
Carol Amick: Well, they have also talked about restarting their audit program. And several years ago, and it was before I came to CompliancePoint, so it’s probably been at least 10 years ago, the Department of Human Services implemented a HIPAA audit program, and they would audit hospitals, business associates, just about anybody, and they would audit it to see if you were complying. Now, at that time, they were not penalizing you for failing the audit, but they have the ability to do that. So that is one option they have to start enforcing the regulation, and they have talked about restarting that.
I do think that this, they want this so that when there’s a breach, they can go down this list and say, look, these are the things you didn’t do. And you see it with the risk assessment now, and they’ve been very upfront and vocal about the fact that if you aren’t doing a risk assessment and you have a breach and you get an investigation, your fine and penalty will be higher.
Now they are behind in their breach investigations, but they have been campaigning and getting money from Congress to increase their investigative staff. So I think we will see some improvement there.
Jordan Eisner: I was always taught that’s the first thing they ask, taught by you, that that’s the first thing the OCR will ask for in the event of a breach or investigation. When’s your last risk assessment?
Carol Amick: Yeah, and as you may recall, we had, we talked about this a couple of years ago, the Safe Harbor Act, they passed, actually says if you’ve done all these things and you’ve done a good job, then the Office of Civil Rights is supposed to back off and not penalize you as much, not spend as much time investigating, et cetera. So it’s not a get out of jail free card, it is an improvement. So I think that, you know, they know they’re going to have to push it.
The other thing you run into, to be honest, if there’s a regulation and you’re not complying with it and you have a breach and you’re, and it’s big enough, you’re Change Healthcare, you’re going to have class action lawsuits. If you look right now, there are already class action lawsuits out there against Change because it’s such a deep-pocketed organization. But they’re going to pull that out and say, you know, these are the laws you were supposed to be complying with and you didn’t.
Jordan Eisner: So in the event of a breach, in the event of an incident, in the event of some sort of investigation or inquiry by the OCR, what in addition to a risk assessment might, are you, you know, this spells out a compliance audit to be conducted every single year. Might they request the audit results? Might they request maps of PHI or do we just, we, it’s just uncertain right now.
Carol Amick: No, I think you can assume they would request those things. I think you can assume they would request, did you do those annual audits? Show us your audit report. So I mean, they're not saying it has to be done by someone like us. I mean, we do audit reports like that for our clients. We do do audits of HIPAA compliance. They're not saying it has to be done by someone like us with the independence, but the benefit of independence is you do have that to give them if you needed it. But you need to have a formal written document, not sitting in an office reading the regulations and saying, okay, we got all this done, moving on.
Jordan Eisner: That’s what I was going to ask if there’s any definition around the independence of that audit.
Carol Amick: They're not requiring that from what we've seen now. You know, the devil will be in the details when it comes out. You know, that's what will happen. But they're going to want it to be at least documented and conducted with an appearance of independence, meaning you're sitting back and looking at your organization critically, not just checking boxes.
And the other thing they're asking is that you have tested, you have checked with your business associates every year to ensure they are complying with the security rule. And I can tell you what most people do is they hire a company or service provider or somebody to work for them who's a business associate. So they have access to PHI for you. Hopefully they do a risk assessment and an analysis when they sign, they get an agreement and they put it on the door, and that's the end of it.
So this is another thing you’re going to have to start taking on is an annual review of those to make sure they’re still doing what you expect them to do. If you don’t know who all your business associates are and the contact information, because it’s been five years since you did that and you don’t know who the CISO is anymore, you might want to go ahead and start compiling that data over the next few months as you get ready for this.
Jordan Eisner: So that brings up a good point. This is proposed. This is not in place. Sounds like they’re going to come out. Are they going to come out relatively soon with this?
Carol Amick: So they gave the 60-day notice in December. So they're accepting comments, you know, for 60 days. I don't know how long it'll take. I know from talking to them at a conference we went to last year, they would like to have it done next year. So yeah, that's the plan, now whether they'll make it, you know.
Jordan Eisner: Well, you talked about identifying the vendors, who's done the, you know, risk assessments of late, have they gotten updated versions of those recently?
What other actions would you recommend organizations take knowing that not all these might go in place or you don’t want to go full bore on all of this? But what would you be doing right now if you were a covered entity or business associate? This was coming out and you wanted to prepare for knowing that it might be a year before this is finalized.
Carol Amick: I think there are two ways to approach this and, if I was back on the industry side, you need to be doing these things now. So you need to start thinking about this because the truth is, a lot of these things, as you know, Jordan, working in the industry, are kind of what we would consider security basics.
Vul/pen testing, prime example, we would consider that a security basic at this day and age. We would consider having a data mapping, knowing where your data flows, pretty much a security basic.
The data mapping, if you have not done that and you are a large organization, that's going to take a while. I would go ahead and get started on that. I certainly wouldn't wait until the regulations came out because that can take much longer than you think it will.
I remember when HIPAA first came out, I was working for a healthcare organization and it was an undertaking for us just to figure out where we were sending all of our PHI. So, yeah, it can be an undertaking if you're a complex organization and you haven't done that in a while. You might want to do it anyway because, yeah, it might be interesting to find out where your gaps are.
Jordan Eisner: And you might be in one of the 20 states or 19 states or so that now have data privacy law that maybe don’t spell out that you need to have a map of all personal data across the organization, but you have to be able to respond to certain access requests and some things from consumers that a map’s kind of a prerequisite for.
Carol Amick: And that's the same thing. Well, you are supposed to be able to respond to a patient right now when they say, who did you disclose my PHI to? And so you need to know where you're sending PHI so you can tell them that. So yeah, you know, the same kind of thing.
So that would be one. Business associates are a key, if you look at just the number of breaches happening with business associates. If you did that one-and-done assessment 10 years ago, you might want to dig it out. I've used an example of this, but you know, they had a good CSO, they were in good shape. A lot happened over the last 10, five or six years in healthcare and in organizations. We've seen it with some of our clients, key management leaves and things. Sometimes we start auditing and we're like, what happened? You were in really great shape two years ago, what'd you do? Well, so-and-so, who kept all this together, got a better job. And you know, it didn't get transferred to us.
So those are ones I would definitely start looking into. The other thing that it talks about is you need to have a plan to respond if there's an incident. And obviously you should not be waiting on the regulations for that. You just see in the industry, the ransomware cases, the hacking cases, you better have that now, because if you're waiting for the regulations to tell you you have to, and you get ransomware in the meantime, you're going to need it.
Jordan Eisner: Well, last question maybe in closing. Do you think the new administration, you anticipate any changes with that?
Carol Amick: I think it will slow things down. And I think that because, you know, in addition to the Secretary of Health and Human Services, who's the one you hear about being, you know, who the government's appointing and all that, there are a lot of appointed executives in these government agencies and all of them have to be approved. I think you run through a period generally at the start of any administration where there's not as much leadership in place as you might normally see.
But going back to the prior Trump administration, there actually were HIPAA privacy regulations that have just kind of come out and been implemented that were started during that administration. So I don't think they're going to be anti-HIPAA privacy regulation and kill the regulations just because, you know, it's a government regulation. I think they will go forward. I think the Change Healthcare situation is going to force, it's going to push them to want to be able to say, look, we're doing something to protect you, because that's gotten a lot of press, it's gotten a lot of publicity. So many people were impacted, including, you know, a lot of members of Congress and elected officials who got the same letters you and I got.
I think it will impact it, but I think the biggest impact is going to just mean it’s going to slow things down because of the turnover and leadership.
Jordan Eisner: Well, Carol, thank you as always for joining. For our listeners, there is a blog post on our website, compliancepoint.com. It's called "Changes to the HIPAA Security Rule Could Be on the Way." Carol wrote and published it on January 6th. It has links to the actual notice of proposed rulemaking. It's got links to the HIPAA Security Rule, the national cybersecurity strategy, and it's got the complete list of the proposed rule changes too. So I'd encourage you to check that out for the short download, but also if you want to look further into some of the proposed changes, it's all there for you.
And if you have questions for Carol, myself, CompliancePoint, our services, our expertise, please don’t hesitate to reach out and find us both on LinkedIn. There are many channels you can reach out to us on via our website. One is connect@compliancepoint.com. You can just email directly into that and we’ll respond and be interested in hearing your story.
So thank you everybody and look forward to more content like this being produced throughout the year.