Federal Register - HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information
p
This site displays a prototype of a Web 20 version of the daily
Federal Register It is not an official legal edition of the Federal
Register and does not replace the official print version or the official
electronic version on GPOs govinfogov
pp
The documents posted on this site are XML renditions of published Federal
Register documents Each document posted on the site includes a link to the
corresponding official PDF file on govinfogov This prototype edition of the
daily Federal Register on FederalRegistergov will remain an unofficial
informational resource until the Administrative Committee of the Federal
Register ACFR issues a regulation granting it official legal status
For complete information about and access to our official publications
and services go to
About the Federal Register
on NARAs archivesgov
pp
The OFRGPO partnership is committed to presenting accurate and reliable
regulatory information on FederalRegistergov with the objective of
establishing the XMLbased Federal Register as an ACFRsanctioned
publication in the future While every effort has been made to ensure that
the material on FederalRegistergov is accurately displayed consistent with
the official SGMLbased PDF version on govinfogov those relying on it for
legal research should verify their results against an official edition of
the Federal Register Until the ACFR grants it official status the XML
rendition of the daily Federal Register on FederalRegistergov does not
provide legal notice to the public or judicial notice to the courts
pp
Enter a search term or FR citation eg
88 FR 382
30 FR 7878
202413208
USDA
090524
RULE
0503AA39
SORN
pp
Choosing an item from
full text search results
will bring you to those results Pressing enter in the search box
will also bring you to search results
Choosing an item from
suggestions
will bring you directly to the content
pp
Background and more details are available in the
Search Navigation
guide
pp
A Proposed Rule by the Health and Human Services Department on 01062025
pp
This document has a comment period that ends in 41 days
03072025
Submit a public comment
pp
Thank you for taking the time to create a comment Your input is important
pp
Once you have filled in the required fields below you can preview andor submit your comment to the Health and Human Services Department for review All comments are considered public and will be posted online once the Health and Human Services Department has reviewed them
pp
You can view alternative ways to comment or you may also comment via Regulationsgov at httpswwwregulationsgovcommentonHHSOCR202400200001
pp
Note You can attach your comment as a file andor attach supporting
documents to your comment
Attachment Requirements
ppthis will NOT be posted on regulationsgovppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatpp
This table of contents is a navigational tool processed from the
headings within the legal text of Federal Register documents
This repetition of headings to form internal navigation links
has no substantive legal effect
pp
Comments are being accepted Submit a public comment
pp
41 comments
have
been received at Regulationsgov
pp
Agencies review all submissions and may choose to redact or withhold
certain submissions or portions thereof Submitted comments may not be
available to be read until the agency has approved them
pp
FederalRegistergov retrieves relevant information about this document
from Regulationsgov to provide users with additional context This
information is not part of the official Federal Register document
pp
Document page views are updated periodically throughout the day and are
cumulative counts for this document Counts are subject to sampling
reprocessing and revision up or down throughout the day
pp
This document is also available in the following formats
pp
More information and documentation can be found in our
developer tools pages
pp
This PDF is the current
document as it appeared on Public Inspection on
12272024 at 415 pm
pp
It was viewed
16
times while on Public Inspection
pp
If you are using public inspection listings for legal research you
should verify the contents of the documents against a final official
edition of the Federal Register Only official editions of the
Federal Register provide legal notice of publication to the public and judicial notice
to the courts under 44 USC 1503 1507
Learn more here
ppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatpp
Document headings vary by document type but may contain
the following
pp
See the
Document Drafting Handbook
for more details
ppOffice for Civil Rights OCR Office of the Secretary Department of Health and Human ServicesppNotice of proposed rulemaking notice of Tribal consultationppThe Department of Health and Human Services HHS or Department is issuing this notice of proposed rulemaking NPRM to solicit comment on its proposal to modify the Security Standards for the Protection of Electronic Protected Health Information Security Rule under the Health Insurance Portability and Accountability Act of 1996 HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 HITECH Act The proposed modifications would revise existing standards to better protect the confidentiality integrity and availability of electronic protected health information ePHI The proposals in this NPRM would increase the cybersecurity for ePHI by revising the Security Rule to address changes in the environment in which health care is provided significant increases in breaches and cyberattacks common deficiencies the Office for Civil Rights has observed in investigations into Security Rule compliance by covered entities and their business associates collectively regulated entities other cybersecurity guidelines best practices methodologies procedures and processes and court decisions that affect enforcement of the Security Rulepppp
Comments
Submit comments on or before March 7 2025
pp
Meeting
Pursuant to Executive Order 13175 Consultation and Coordination with Indian Tribal Governments the Department of Health and Human Services Tribal Consultation Policy and the Departments Plan for Implementing Executive Order 13175 the Office for Civil Rights solicits input from Tribal officials as the Department develops the modifications to the HIPAA Security Rule at 45 CFR part 160 and subparts A and C of 45 CFR part 164 The Tribal consultation meeting will be held on February 6 2025 at 2 pm to 330 pm eastern time
ppYou may submit comments identified by RIN Number 0945AA22 by any of the following methods Please do not submit duplicate commentsppPlease note that comments submitted by fax or email and those submitted after the comment period will not be acceptedpp
Inspection of Public Comments
All comments received by the accepted methods and due date specified above may be posted without change to content to
httpswwwregulationsgov
which may include personal information provided about the commenter and such posting may occur after the closing of the comment period However the Department may redact certain nonsubstantive content from comments or attachments to comments before posting including threats hate speech profanity sensitive health information graphic images promotional materials copyrighted materials or individually identifiable information about a thirdparty individual other than the commenter In addition comments or material designated as confidential or not to be disclosed to the public will not be accepted Comments may be redacted or rejected as described above without notice to the commenter and the Department will not consider in rulemaking any redacted or rejected content that would not be made available to the public as part of the administrative record
pp
Docket
For complete access to background documents the plainlanguage summary of the proposed rule of not more than 100 words in length required by the Providing Accountability Through Transparency Act of 2023 or posted comments go to
httpswwwregulationsgov
and search for Docket ID number HHSOCR0945AA22
pp
Tribal consultation meeting
To participate in the Tribal consultation meeting you must register in advance at
httpshhsgovzoomgovcommeetingregistervJItdOyhrjgoHxJWMDxozrxT98yXyCO3lkspp
Marissa GordonNguyen at 202 2403110 or 800 5377697 TDD or by email at
OCRPrivacyhhsgovppThe discussion below includes an Executive Summary a description of relevant statutory and regulatory authority and history the justification for this proposed regulation a sectionbysection description of the proposed modifications and a regulatory impact analysis and other required regulatory analyses The Department solicits public comment on all aspects of the proposed rule The Department requests that persons commenting on the provisions of the proposed rule label their discussion of any particular provision or topic with a citation to the section of the proposed rule being addressed and identify the particular request for comment being addressed if applicableppI Executive SummaryppA OverviewppB ApplicabilityppC Table of AbbreviationsCommonly Used Acronyms in This DocumentppII Statutory Authority and Regulatory HistoryppA Statutory Authority and Historypp1 Health Insurance Portability and Accountability Act of 1996 HIPAApp2 Health Information Technology for Economic and Clinical Health HITECH ActppB Regulatory Historypp1 1998 Security Rule Notice of Proposed Rulemakingpp2 2003 Final Rulepp3 2009 Delegation of Authoritypp4 2013 Omnibus RulemakingppIII Justification for This Proposed RulemakingppA Strong Security Standards Are Essential to Protecting the Confidentiality Integrity and Availability of ePHI and Ensuring Quality and Efficiency in the Health Care SystemppB The Health Care Environment Has Changed Since the Security Rule Was Last Revised and Will Continue To EvolveppC Regulated Entities Compliance With the Requirements of the Security Rule Is InconsistentppD It Is Reasonable and Appropriate To Strengthen the Security Rule To Address the Changes in the Health Care Environment and Clarify the Compliance Obligations of Regulated Entitiespp
1 Congress and the Department Anticipated That Security Standards
print page 899
Safeguards Would Evolve To Address Changes in the Health Care Environment
pp2 NCVHS Believes That the Security Standards Evolve To Address Changes in the Health Care Environmentpp3 A Strengthened Security Rule Would Continue To Be Flexible and Scalable While Providing Regulated Entities With Greater Claritypp4 Small and Rural Health Care Providers Must Implement Strong Security Measures To Provide Efficient and Effective Health Carepp5 A Strengthened Security Rule Is Critical to an Efficient and Effective Health Care SystemppE The Secretary Must Develop Standards for the Security of ePHI Because None Have Been Developed by an ANSIAccredited Standard Setting OrganizationppIV SectionbySection Description of the Proposed Amendments to the Security RuleppA Section 160103Definitionspp1 Current Provisionpp2 Issues To Addresspp3 Proposalspp4 Request for CommentppB Section 164304Definitionspp1 Clarifying the Definition of Accesspp2 Clarifying the Definition of Administrative Safeguardspp3 Clarifying the Definition of Authenticationpp4 Clarifying the Definition of Availabilitypp5 Clarifying the Definition of Confidentialitypp6 Adding Definitions of Deploy and Implementpp7 Adding a Definition of Electronic Information Systempp8 Modifying the Definition of Information Systempp9 Modifying the Definition of Malicious softwarepp10 Adding a Definition of Multifactor Authentication MFApp11 Clarifying the Definition of Passwordpp12 Clarifying the Definition of Physical Safeguardspp13 Adding a Definition of Relevant Electronic Information Systempp14 Adding a Definition of Riskpp15 Clarifying the Definitions of Security or Security Measures and Security Incidentpp16 Adding Definitions of Technical Controlspp17 Modifying the Definition of Technical Safeguardspp18 Adding a Definition of Technology Assetpp19 Adding a Definition of Threatpp20 Clarifying the Definition of Userpp21 Adding a Definition of Vulnerabilitypp22 Clarifying the Definition of Workstationpp23 Request for CommentppC Section 164306Security Standards General Rulespp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppD Section 164308Administrative Safeguardspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppE Section 164310Physical Safeguardspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppF Section 164312Technical Safeguardspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppG Section 164314Organizational Requirementspp1 Section 164314a1Standard Business Associate Contracts or Other Arrangementspp2 Section 164314b1Standard Requirements for Group Health Planspp3 Request for CommentppH Section 164316Documentation Requirementspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppI Section 164318Transition Provisionspp1 Current Provisions and Issues To Addresspp2 Proposalpp3 Request for CommentppJ Section 164320SeverabilityppK New and Emerging Technologies Request for Informationpp1 Quantum Computingpp2 Artificial Intelligence AIpp3 Virtual and Augmented Reality VR and ARpp4 Request for CommentppV Regulatory Impact AnalysisppA Executive Order 12866 and Related Executive Orders on Regulatory Reviewpp1 Summary of Costs and Benefitspp2 Baseline Conditionspp3 Costs of the Proposed Rulepp4 Benefits of the Proposed Rulepp5 Comparison of Benefits and CostsppB Regulatory Alternatives to the Proposed RuleppC Regulatory Flexibility ActSmall Entity AnalysisppD Executive Order 13132FederalismppE Assessment of Federal Regulation and Policies on FamiliesppF Paperwork Reduction Act of 1995pp1 Explanation of Estimated Annualized Burden Hourspp
In this notice of proposed rulemaking NPRM the Department of Health and Human Services HHS or Department proposes modifications to the Security Standards for the Protection of Electronic Protected Health Information Security Rule issued pursuant to section 262a of the Administrative Simplification provisions of title II subtitle F of the Health Insurance Portability and Accountability Act of 1996 HIPAA1
The Security Rule 2
is one of several rules collectively known as the HIPAA Rules3
that protect the privacy and security of individuals protected health information 4
PHI which is individually identifiable health information 5
IIHI transmitted by or maintained in electronic media or any other form or medium with certain exceptions6
The Security Rule applies only to electronic PHI ePHI which is IIHI that is transmitted by or maintained in electronic media7
pp
The Security Rule was initially published in 2003 and most recently revised in 20138
Since its publication there have been significant changes to the environment in which health care is provided and how the health care industry operates Today cybersecurity is a concern that touches nearly every facet of modern health care certainly more than it did in 2003 or even 2013
print page 900
Almost every stage of modern health care relies on stable and secure computer and network technologies including but not limited to the following appointment scheduling prescription orders telehealth visits medical devices patient records medical and pharmacy claims submissions and billing insurance coverage verifications payroll facilities access and management internal and external communications and clinician resources These tools and technologies are an integral part of the modern health care system but they also present opportunities for bad actors to cause harm through hacking ransomware and other means Covered entities and business associates collectively regulated entities may also experience malfunctions and inadvertent errors that threaten the confidentiality integrity or availability of ePHI Thus cyberattacks malfunctions and inadvertent errors can negatively affect the provision of health care as well as the efficiency and effectiveness of the health care system
pp
As discussed in greater detail below in recent years there has been an alarming growth in the number of breaches affecting 500 or more individuals reported to the Department the overall number of individuals affected by such breaches and the rampant escalation of cyberattacks using hacking and ransomware The Department is concerned by the increasing numbers of breaches and other cybersecurity incidents experienced by regulated entities We 9
are also increasingly concerned by the upward trend in the numbers of individuals affected by such incidents and the magnitude of the potential harms from such incidents10
pp
In recognition of those potential harms and the health care sectors importance to the economy and security of the US the President has designated Healthcare and Public Health as a critical infrastructure sector 11
and the Department as the Sector Risk Management Agency SRMA12
In addition to address concerns about the increasing level of cybercrime the President has charged Federal agencies with establishing and implementing minimum requirements for risk management and robustly enforcing those requirements and Federal laws to help manage that risk13
We believe that a comprehensive and updated Security Rule is critical to accomplishing these directives and to the Departments effectiveness as the SRMA for the Healthcare and Public Health sector
pp
In further recognition of these concerns States have promulgated or are in the process of promulgating regulations that would require the adoption of certain standards or measures for the protection of sensitive information such as PHI14
While these proposed regulations may contain helpful guidance for regulated entities none specifically focus on ensuring the security of ePHI and the information systems that create receive maintain or transmit ePHI Additionally a patchwork of Statespecific laws may create difficulties for regulated entities that are located or operate in multiple States Several entities including Federal agencies have published and maintained guidelines best practices methodologies procedures and processes for protecting the security of sensitive information including PHI Some examples of these resources include the National Institute of Standards and Technologys NISTs Cybersecurity Framework 15
the HHS 405d Programs Health Industry Cybersecurity Practices Managing Threats and Protecting Patients 16
the Federal Trade Commissions FTCs Start with Security A Guide for Business 17
and the Departments Cybersecurity Performance Goals CPGs18
We believe that the proliferation of such documents in recent years has been helpful and we have considered them in the development of this NPRM However in light of the increasing number and sophistication of cybersecurity incidents we do not believe that these documents are sufficiently instructive for regulated entities to help improve their compliance with the Security Rule
pp
Under its statutory authority to administer and enforce the HIPAA Rules the Department modifies the HIPAA Rules as needed but does not modify a standard or implementation specification more than once every 12 months19
The Department makes the determination that such modifications may be needed using information it receives on an ongoing basisfrom the Departments Federal advisory committee on HIPAA the public regulated entities media reports and its own analysis of the state of privacy and security for IIHI As referenced above and discussed in greater detail below while the Department believes that the Security Rule generally continues to accomplish the goals of HIPAA20
we believe that it would be appropriate to consider modifying the Security Rule to address the following
pp
The effective date of a final rule would be 60 days after publication21
Regulated entities would have until the compliance date to establish and implement policies procedures and practices to achieve compliance with any new or modified standards
print page 901
Regulated entities would be permitted to comply earlier than the compliance date but the Department would not take action against them for noncompliance with the proposed changes that occurs before the compliance date Except as otherwise provided 45 CFR 160105 provides that regulated entities must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change The Department has previously noted that the 180day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions22
However the compliance period cannot be less than the statutory minimum of 180 days23
ppWhile we recognize that we are proposing to substantially revise the regulatory text the Department believes that most of the existing Security Rules obligations for regulated entities would not be substantially changed by the proposed modifications Instead the proposed modifications would explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text For example regulated entities are already required to conduct an accurate and thorough risk analysis While not specified in the regulatory text of the Security Rule an accurate and thorough risk analysis requires a regulated entity to perform an inventory of its technology assets determine how ePHI moves through its information systems and identify the locations within its information systems or components thereof where ePHI may be created received maintained or transmitted Applying such an approach protects ePHI across all phases of the data lifecycle consistent with the purpose of the Security Rule The proposals to require a regulated entity to inventory its technology assets and map the movement of ePHI through its information systems would illuminate considerations to be included in the regulated entitys risk analysispp
As another example implementing a mechanism to encrypt ePHI is an addressable implementation specification under the standard for access control at 45 CFR 164312a2iv Under the existing Security Rule a regulated entity must assess whether encryption is a reasonable and appropriate safeguard in its environment when analyzed with reference to its likely contribution to protecting ePHI and implement encryption if reasonable and appropriate24
If encryption is not reasonable and appropriate a regulated entity must document why it would not be reasonable and appropriate for it to implement the safeguard and must implement an equivalent alternative measure if reasonable and appropriate25
As discussed in greater detail below encryption is built into most software today and where it is not there are affordable and easily implemented solutions that can encrypt sensitive information Thus it generally would be reasonable and appropriate for regulated entities to implement a mechanism to encrypt ePHI and regulated entities should already have done so in most circumstances By expressly requiring regulated entities to encrypt ePHI with limited exceptions the Departments proposal would reflect our expectations in the current cybersecurity environment and eliminate the need for regulated entities to perform an analysis of whether encryption is reasonable and appropriate
ppThus most of the modifications we are proposing would provide regulated entities with greater clarity and specificity regarding how to fulfill their obligations and the Departments expectationspp
Accordingly we do not believe that the proposed rule would pose unique implementation challenges that would justify an extended compliance period
ie
a period longer than the standard 180 days provided in 45 CFR 160105 Further the Department believes that adherence to the standard compliance period is necessary to timely address the circumstances described in this NPRM Thus the Department proposes to apply the standard compliance date of 180 days after the effective date of a final rule26
pp
To help reduce administrative burdens on regulated entities the Department proposes to add a provision at 45 CFR 164318 affording regulated entities a transition period beyond the 180day compliance period to modify business associate contracts herein referred to as business associate agreements or other written arrangements 27
that would qualify for the longer transition period as discussed further below
ppThe Department seeks comment on the proposed compliance period and transition periodppAs used in this preamble the following terms and abbreviations have the meanings noted belowpp
In 1996 Congress enacted HIPAA 28
to reform the health care delivery system to improve portability and continuity of health insurance coverage in the group and individual markets 29
and to simplify the administration of health insurance 30
Through subtitle F of HIPAA Congress amended title XI of the Social Security Act of 1935 SSA by adding part C entitled Administrative Simplification 31
A primary purpose of part C is to improve the Medicare and Medicaid programs and the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information 32
pp
Congress recognized that the development of a health information system that enabled the electronic transmission of IIHI as required by HIPAA would pose risks to the privacy of confidential health information and viewed individual privacy confidentiality and data security as critical to support the shift from a paperbased recordkeeping system for health information to a digital one33
Congress intended for the law to enhance individuals trust in health care providers which required that the law provide additional protection for the confidentiality of IIHI As described by a Member of Congress at the time of the laws passage this standardization however accelerates the creation of large databases containing personally identifiable information All this information is transmitted over electronic networks We need to be very careful about how safe and secure that information is from prying eyes Some of it may be extremely sensitive and could be used in a malicious or discriminatory manner 34
Moreover Congress considered that health care reform required an approach that would not compromise privacy as health information became more accessible35
pp
Congress applied the Administrative Simplification provisions directly to three types of persons referred to in regulation as covered entities health plans health care clearinghouses and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard36
Under HIPAA covered entities are required to maintain reasonable and appropriate administrative physical and technical safeguards 37
to 1 ensure the integrity and confidentiality of information 38
2 protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information 39
and 3 otherwise ensure compliance with HIPAA by the officers and employees of covered entities40
pp
HIPAA required the Secretary to adopt uniform standards to enable health information to be exchanged electronically 41
Congress also directed the Secretary to among other things adopt standards for the security of IIHI42
The statute also directed the Secretary to adopt initial security standards within 18 months of its
print page 903
enactment43
In adopting security standards for health information HIPAA requires the Secretary to consider all of the following 44
pp
Congress contemplated that the Departments rulemaking authorities under HIPAA would not be static In fact Congress specifically built in a mechanism to adapt such regulations as technology and health care evolve directing the Secretary to review and adopt modifications to the Administrative Simplification standards including the security standards as determined appropriate but not more frequently than once every 12 months46
That statutory directive complements the Secretarys general rulemaking authority to make and publish such rules and regulations as may be necessary to the efficient administration of the functions with which the Secretary is charged47
The Secretary may adopt either a standard developed adopted or modified by a standard setting organization that relates to a standard that the Secretary is authorized or required to adopt under the Administrative Simplification provisions or a standard that is different if the different standard will substantially reduce administrative costs to health care providers and health plans48
If no standard has been adopted by any standard setting organization the Secretary shall rely on the recommendations of the National Committee on Vital and Health Statistics NCVHS and consult with Federal and State agencies and private organizations49
pp
On February 17 2009 Congress enacted the Health Information Technology for Economic and Clinical Health Act of 2009 HITECH Act part of the American Recovery and Reinvestment Act of 2009 ARRA50
promoting the nationwide adoption and standardization of health information technology health IT to support the electronic sharing of clinical data The HITECH Act created financial incentives for health IT use among health care practitioners by providing funding for investing in health IT infrastructure purchasing certified electronic health records EHRs and training on and the dissemination of best practices to integrate health IT51
The Purpose statement of an accompanying House of Representatives report 52
on the Energy and Commerce Recovery and Reinvestment Act 53
recognizes that widespread health IT adoption has the potential to ameliorate many of the quality and efficiency problems endemic to our health care system Congress also understood that ensuring the privacy and security of electronic health information is critical to the success of this immense effort to promote health IT adoption54
As a result the HITECH Act also introduced substantial changes to the HIPAA regulations by mandating stronger safeguards for the privacy and security of ePHI55
pp
The HITECH Acts security requirements focused on safeguarding an individuals health information while allowing covered entities to rapidly adopt new technologies to improve the quality and efficiency of patient care56
Specifically the HITECH Act extends the application of the Security Rules provisions on administrative physical and technical safeguards and documentation requirements to business associates of covered entities making those business associates subject to civil and criminal liability for violations of the Security Rule57
The HITECH Act also requires existing business associate agreements to incorporate new security requirements58
Additionally the HITECH Act requires the Secretary to regularly issue guidance on the most effective and appropriate technical safeguards59
pp
In enacting the HITECH Act Congress affirmed that the existing HIPAA Rules were to remain in effect to the extent that they are consistent with the HITECH Act and directed the Secretary to revise the HIPAA Rules as necessary for consistency with the HITECH Act60
Congress confirmed that the new law was not intended to have any effect on authorities already granted under HIPAA to the Department including part C of title XI of the SSA61
Thus Congress affirmed the Secretarys ongoing rulemaking authority to modify the Security Rules standards and implementation specifications as often as every 12 months when appropriate including to strengthen security protections for IIHI
pp
In 2021 the HITECH Act was amended to require the HHS Secretary to further encourage regulated entities to bolster their cybersecurity practices62
The amendment requires the Department to consider certain recognized security practices of regulated entities when making determinations relating to certain Security Rule compliance and enforcement activities63
pp
The Security Rule requires regulated entities to implement administrative physical and technical safeguards to
print page 904
protect ePHI64
Specifically regulated entities must ensure the confidentiality integrity and availability of all ePHI they create receive maintain or transmit 65
protect against reasonably anticipated threats or hazards to the security or integrity of the information 66
and reasonably anticipated impermissible uses or disclosures 67
and ensure compliance by their workforce68
pp
The Administrative Simplification provisions of HIPAA instructed the Secretary to adopt several standards concerning electronic transmission of health information including those for the security of health information69
In accordance with these provisions the Department published the Security and Electronic Signature Standards Proposed Rule 1998 Proposed Rule on August 12 199870
pp
In support of developing the national standards mandated under HIPAAs Administrative Simplification provisions the Secretary with significant input from the health care industry defined a set of principles for guiding choices for the standards to be adopted by the Secretary71
The principles were based on direct specifications in HIPAA and also took the purpose of the law and generally desirable principles into account Based on this work the Department proposed that each HIPAA standard should be clear and unambiguous but technology neutral improve the efficiency and effectiveness of the health care system meet the needs of covered entities related to ease of use and affordability of adoption and maintain consistency or alignment with other HIPAA standards adopted by an organization accredited by the American National Standards Institute ANSI and using the ANSI process for adopting such standards72
pp
In describing its general approach to the 1998 Proposed Rule the Department defined the security standard as a set of requirements with implementation features that covered entities must include in their operations to assure the security of individuals ePHI73
The security standard was based on three basic concepts that were derived from the Administrative Simplification provisions of HIPAA and consistent with the characteristics the Department identified as appropriate for all HIPAA Rules74
First the standard should be comprehensive and coordinated to address all aspects of security Second it should be scalable so that it could be effectively implemented by covered entities of all types and sizes Third it should not be linked to specific technologies allowing covered entities the flexibility to make use of future technology advancements75
ppThe 1998 Proposed Rule included four categories of requirements that a covered entity would have to address to safeguard the confidentiality integrity and availability of ePHI They were as followspp
The implementation specifications described some of the requirements in greater detail based on our determination regarding the level of instruction necessary to implement such requirements76
The Department viewed all categories as equally important77
pp
The proposed standard did not address the extent to which a covered entity should implement the specifications78
Instead the Department proposed to require that each covered entity assess its own security needs and risks and devise implement and maintain appropriate security to address its business requirements The Department believed that this approach would leave a significant amount of flexibility for covered entities and balance the needs of securing health data against risk with the economic cost of doing so79
pp
The Department issued the final Security Rule 80
on February 20 2003 2003 Final Rule In accordance with the Administrative Simplification provisions of HIPAA the 2003 Final Rule adopted standards for the security of ePHI to be implemented by covered entities
pp
The Department reiterated the purposes and guiding principles it articulated in the 1998 Proposed Rule and repeated that the protection of the privacy of information depends in large part on the existence of security measures to protect that information81
The Department noted that there were still no standard measures in the health care industry that address all aspects of the security of ePHI while it is being stored or during the exchange of that information between entities82
The Department explained that the use of the security standards would improve the Medicare and Medicaid programs other Federal health programs and private health programs and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for ePHI83
pp
Provisions of the 2003 Final Rule did not mirror the 1998 Proposed Rule rather the Department finalized only certain changes The Department noted for example that to maintain consistency with the use of terms as they appear in the statute and other previously released HIPAA Rules
ie
the HIPAA Privacy and Transactions Rules it was changing some terminology from the 1998 Proposed Rule replacing the terms requirement with standard and implementation feature with implementation specification 84
pp
According to the Department the comments received in response to the 1998 Proposed Rule overwhelmingly validated its basic assumptions that the covered entities were so varied in terms of installed technology size resources and relative risk that it would be impossible to dictate a specific solution or set of solutions that would be usable by all covered entities85
Similarly we received numerous comments expressing the view that the security standards should not be overly prescriptive because the speed with which technology is evolving could make specific requirements obsolete and might in fact deter technological progress Accordingly the Department framed the standards in the 2003 Final Rule in terms that were as generic as possible and that could generally be met through a variety of approaches or technologies86
The standards we
print page 905
explained do not allow organizations to make their own rules only their own technology choices87
pp
We also recognized that entities could minimize risk through their security practices but likely could never completely eliminate all risk In the preamble to the 2003 Final Rule the Department acknowledged that there is no such thing as a totally secure system that carries no risks to security88
The Department opined that Congress intent in the use of the word ensure in section 1173d of the SSA was to set an exceptionally high goal for the security of ePHI However we also recognized that Congress anticipated that some tradeoffs would be necessary and that ensuring protection did not mean doing so without any regard to the cost89
As such the Department explained that we expected a covered entity to protect that information to the best of its ability90
Thus a covered entity would be expected to balance the identifiable risks to and vulnerabilities of ePHI with the cost of various protective measures while also taking into consideration the size complexity and capabilities of the covered entity91
pp
In the 2003 Final Rule the Department introduced the concept of addressable implementation specifications which it distinguished from required implementation specifications The goal was to provide covered entities with even more flexibility92
While none of the implementation specifications were optional designating some of the implementation specifications as addressable provided each covered entity with the ability to determine whether certain implementation specifications were reasonable and appropriate safeguards for that entity based on its risk analysis risk mitigation strategy previously implemented security measures and the cost of implementation93
pp
On October 7 2003 the Secretary delegated authority for administering and enforcing the Security Rule to the Administrator of the Centers for Medicare Medicaid Services CMS94
The Secretary issued a notice on August 4 2009 superseding the previous delegation and replacing it with a delegation authority to the Director of OCR effective July 27 200995
pp
Following the enactment of the HITECH Act the Department issued an NPRM entitled Modifications to the HIPAA Privacy Security and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health HITECH Act 2010 Proposed Rule96
to propose implementation of certain HITECH Act requirements In the 2010 Proposed Rule the Department noted that it had not amended the Security Rule since 200397
We further explained that information gleaned from contact with the public since that time OCRs enforcement experience and technical corrections needed to eliminate ambiguity provided the impetus for the Departments actions to propose certain regulatory changes beyond those required by the HITECH Act98
pp
In 2013 the Department issued the final rule Modifications to the HIPAA Privacy Security Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health HITECH Act and the Genetic Information Nondiscrimination Act and Other Modifications to the HIPAA Rules 2013 Omnibus Rule99
which implemented applicable provisions of the HITECH Act to strengthen security protections for individuals health information maintained in EHRs
pp
For example the Department modified the Security Rule to implement the HITECH Acts provisions that extended direct liability for compliance with the Security Rule to business associates100
We explained that before the enactment of the HITECH Act the Security Rule did not directly apply to business associates of covered entities The HITECH Act extended the application of the Security Rules administrative physical and technical safeguards requirements as well as the rules policies and procedures and documentation requirements to business associates in the same manner as the requirements apply to covered entities making those business associates civilly and criminally liable for violations of the Security Rule101
The Department noted that the Security Rule requires a covered entity to establish business associate agreements that obligate business associates to implement administrative physical and technical safeguards that reasonably and appropriately protect the confidentiality integrity and availability of the ePHI that they create receive maintain or transmit on behalf of the covered entity102
Accordingly we reasoned that business associates and subcontractors should already have security practices in place that comply with the Security Rule or require only modest improvement to come into compliance with the Security Rule requirements103
Like the 2003 Final Rule104
the 2013 Omnibus Rule highlighted that the Security Rule was designed to be technology neutral and scalable and reiterated that regulated entities have the flexibility to choose security measures appropriate for their size resources and the nature of the security risks they face105
Accordingly regulated entities have the flexibility to choose appropriate security measures considering their size capabilities the costs of the specific security measures and the operational impact enabling them to reasonably implement the standards of the Security Rule
pp
The Department also adopted technical revisions to 45 CFR 164306e to clarify that regulated entities must review and modify security measures as needed to ensure reasonable and appropriate protection of ePHI and update documentation of security measures accordingly106
pp
Finally because the HITECH Act made business associates directly liable for compliance with the Security Rule the 2013 Omnibus Rule modified the Security Rule to clarify that a covered entity is not required to obtain satisfactory assurance from a business associate that is a subcontractor that the subcontractor will appropriately safeguard its ePHI Rather the business
print page 906
associate of the covered entity must obtain the required satisfactory assurances from the subcontractor to protect the security of ePHI107
pp
HIPAA and the HIPAA Rules promote access to highquality and effective health care by establishing standards for the security of ePHI The standards when implemented appropriately by regulated entities protect the confidentiality integrity and availability of individuals health information Such protections promote the electronic transmission of PHI through a national health information system To ensure access to highquality health care services regulated entities must assure their customers
eg
individuals health care providers and health plans of the security of the sensitive and confidential health information the regulated entities electronically create receive maintain or transmit
pp
As discussed above the Security Rule carefully balances the benefits of safeguarding against security risks with the burdens of implementing protective measures by permitting regulated entities to consider several factors including costs and available technology for preventing and mitigating security risks108
when determining which security measures are reasonable and appropriate for protecting the security of individuals ePHI109
pp
For example the Security Rule requires that a regulated entity implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed while ensuring that users who are authorized to access such information systems and facilities are permitted to do so110
The implementation specifications associated with this standard only address the need for operationalized policies and procedures related to specific aspects of physical security111
They do not dictate the specifics of such policies and procedures because we recognize that the nature of the physical safeguards should depend on the type of regulated entity its size its level of access to ePHI and a number of other factors
pp
Since the Security Rules promulgation in 2003 the environment in which health care is provided and in which regulated entities operate has changed significantly including transformative changes in how regulated entities create receive maintain and transmit ePHI For example as of 2021 almost 80 percent of physician offices and 96 percent of hospitals had adopted certified EHRs112
The use of health IT including EHRs certified or otherwise has led to enormous advancements in the fields of medicine and public health not only improving outcomes for individuals but also assisting in addressing the social economic and environmental factors that affect health on an individual and community level113
And the electronic exchange of health information spurred by HIPAA the HITECH Act and the 21st Century Cures Act Cures Act114
has enabled regulated entities and others to more quickly and efficiently share individuals health information increasing the quality and efficiency of health care increasing patient engagement and reducing administrative burden115
However the widespread use of health IT systems makes it even more critical for regulated entities regardless of their size or location to fully assess the risks and vulnerabilities to ePHI and their information systems and implement strong security measures to address those risks and vulnerabilities
pp
Experts repeatedly have expressed concern regarding the state of cybersecurity in the health care industry116
For example in a 2017 report to Congress experts convened by the Department pronounced Now more than ever all health care delivery organizations have a greater responsibility to secure their systems medical devices and patient data 117
This responsibility has only increased as the delivery of health care and the exchange of PHI have increasingly shifted to cyberspace
pp
Despite advancements in technology including health IT the core requirements of the Security Rule remain relevant and applicable today In fact they serve as a foundation for more recently promulgated cybersecurity guidelines best practices processes and procedures Security management regular monitoring and review of information system activity information access management security awareness and training contingency planning encryption and authentication all continue to be represented in the most wellknown cybersecurity frameworks including the NISTs Cybersecurity Framework118
the HHS 405d Programs Health Industry Cybersecurity Practices Managing
print page 907
Threats and Protecting Patients 119
and the Departments CPGs120
pp
While these concepts remain highly relevant and applicable the Department has concerns regarding the sufficiency of the security measures implemented by regulated entities OCRs experience investigating allegations of Security Rule violations reports received by OCR of breaches of unsecured PHI and the results of the audits conducted by OCR in 20162017 demonstrate that regulated entities are not consistently complying with the Security Rules requirements121
Additionally the Department is concerned about the extent to which regulated entities have updated their security measures to adjust to the changes in the health care environment and their operations including new and emerging threats to the confidentiality integrity and availability of ePHI
pp
And the Department is not alone in its concerns NCVHS serves as the Departments advisory body for HIPAA122
Given the increase in cybersecurity incidents affecting the health care sector NCVHS held a series of public hearings on cybersecurity to better understand how to protect ePHI and individuals In response to those hearings NCVHS submitted several recommendations to the Department regarding the importance of strengthening the Security Rule123
As discussed above HIPAA requires the Secretary to rely on NCVHS recommendations 124
with respect to standards promulgated under the statute
ppGiven the importance of strong security measures the changed environment and operations for health care uncertainty expressed by regulated entities regarding their compliance obligations deficiencies identified by OCR in its investigations of regulated entities and the recommendations of NCVHS we believe that it is necessary and appropriate for the Department to propose modifications to clarify and strengthen the Security Rulepp
A primary purpose of HIPAAs Administrative Simplification provisions 125
is to among other things improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information 126
As Congress recognized when it enacted HIPAA protecting the security of ePHI is essential for accomplishing this goal Members of Congress acknowledged at that time that the provisions of HIPAA would create electronic databases of PHI enabling the PHI to be transmitted electronically with both the benefits and risks that accompany such electronic transactions127
Congressional statements leading up to HIPAAs enactment demonstrate Congress recognition of the potential risks of the shift from paper recordkeeping to electronic We need to be very careful about how safe and secure that information is from prying eyes Some of it may be extremely sensitive and could be used in a malicious or discriminatory manner 128
Accordingly HIPAA required the establishment of strict security standards for health information
pp
As discussed above the Security Rule as amended by the HITECH Act specifically requires regulated entities to maintain reasonable and appropriate administrative physical and technical safeguards to ensure the confidentiality integrity and availability of ePHI to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI and unauthorized uses or disclosures of ePHI and ensure compliance with the Administrative Simplification provisions by officers and workforce members of regulated entities129
pp
It is reasonable to anticipate that regulated entities will need to protect ePHI against cyberattacks and unauthorized uses and disclosures of ePHI by their workforce members Experts estimate the costs to the US from cyberattacks on health care facilities to be significant130
According to one study health care data breach costs to affected organizations have increased by more than 50 percent since 2020 making health care data breaches more expensive than data breaches in any other sector at an average cost of almost 101 million per breach131
Yet these costs though sizeable do not fully take into account the practical implications of poor or ineffective cybersecurity protocols A failure to implement adequate security measures may lead to financial loss reputational harm for affected individuals and affected regulated entities privacy loss and safety concerns132
Additionally breaches of unsecured PHI may lead to identity theft fraud stock manipulation and competitive disadvantage133
According to a study funded by the Institute for Critical Infrastructure Technology victims of medical identity theft incur on average costs of 13500 to recover from that theft134
Unlike financial information much of an individuals PHI is
print page 908
immutable For example an individuals date and location of birth and their health history will not change even if their address might In contrast an individuals passwords bank account numbers and other financial information can all be changed Thus PHI can continue to be exploited throughout an individuals lifetime making PHI likely to be far more valuable than an individuals credit card information135
pp
On the surface the harms that result from a breach of ePHI or a cyberattack on a regulated entitys electronic information systems as discussed above are not significantly different than those that would result from a breach of information in another sector However the reality is as discussed above that the implications of such harms are far greater in the health care sector because of their potential to adversely affect an individuals health or quality of life or even to cost an individual their life136
As stated by the Health Care Industry Cybersecurity Task Force in its 2017 report on the state of cybersecurity in health care The health care system cannot deliver effective and safe care without deeper digital connectivity If the health care system is connected but insecure this connectivity could betray patient safety subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs 137
In the event of a cybersecurity incident patients health including their lives may be at risk where such incident creates impediments to the provision of health care such as interference with the operations of a critical medical device or to the administrative or clinical operations of a regulated entity such as preventing the scheduling of appointments or viewing of an individuals health history138
pp
According to a Cybersecurity Infrastructure Security Agency CISA statistical analysis of the effects of a hypothetical cyberattack on a model hospital a hospitals relative performance will suffer amidst a cyberattack139
The analysis found that the hypothetical cyberattack would lead to hospital strain from inaccessible patient schedules and records disrupted communication and delays in processing and communicating test results in time to effectively treat individuals140
While the analysis did not find any deaths directly attributable to the hypothetical attack it is logical to conclude that deathsor at least worsened outcomesare a significant risk where there are disruptions in communications as well as delays in processing and communicating test results especially for emergent or acute medical cases For example an inability to access an individuals pharmacy records could affect the ability of a pharmacist to identify known interactions between newly prescribed medications and an existing medication list potentially leading to an individuals injury or death Other studies have similarly found that cyberattacks can have a substantial effect on access to health care and potentially mortality141
In fact a more recent study found that cyberattacks had disproportionately negative effects on inhospital mortality rates for Black patients who were already admitted to the hospital at the time of the cyberattack142
A recent survey found that 92 percent of surveyed health care organizations had experienced a cyberattack in the past year 143
and almost threequarters of the respondents who had experienced a cyberattack reported negative effects on patient care including delays in tests or procedures longer stays and increased mortality rates complications from medical procedures and patient transfers or diversions to other facilities144
A recent letter from NCVHS referenced anecdotal accounts of patient deaths that have been attributed to ransomware attacks145
For example in 2019 a ransomware attack may have contributed to a babys death at an Alabama hospital A change in the babys fetal heart rate went unnoticed because the large digital display that normally would have displayed the information was affected by the attack The baby born with her umbilical cord wrapped around her neck suffered severe brain damage and died nine months later146
pp
Cyberattacks can divert both human and machine resources leading to process slowdowns cancelled procedures delayed hospital or unit lockdowns and transfers increases in wait times for individuals both increases and decreases in staff utilization and a decrease in a health care providers capacity147
A 2020 cyberattack on a large integrated academic health system attributed to malicious software embedded in an email attachment opened by an employee on their laptop affected more than 5000 enduser devices across 1300 servers and led to revenue losses of more than 63 million148
Though the health care providers EHR was not infected it elected to shut the EHR down proactively Ultimately the covered entity experienced 39 days of downtime in outpatient imaging 149
pp
In another example a ransomware attack on an academic level 1 trauma center caused it to go without access to its EHR for 25 days150
and the attack affected 5000 computers and destroyed the trauma centers electronic information systems that contained ePHI The hospital lost access to its EHR internet and intranet which also removed functionality of hospital phones EHR integrated office and surgical scheduling access to digitized radiology studies and network account access through local and remote computers 151
pp
These serious incidents and resulting effects demonstrate the importance of planning and preparing for a potential
print page 909
cyberattack or other event that adversely affects a regulated entitys information systems While such planning and preparation may not prevent all cyberattacks it can reduce the number of successful incidents and mitigate their effects In fact studies have suggested that such preparation may allow for at least close to realtime recovery152
pp
The effects of a cyberattack are not limited to the regulated entity that experiences it and the individuals whose ePHI is compromised Surveys conducted by various organizations representing health care providers indicate that an overwhelming majority of health care providers in the US were affected by a ransomware attack on a large health care clearinghouse153
A study published in 2023 examined the effects on the of a cyberattack at a neighboring unaffiliated hospital on a large academic medical center154
The study found that the academic medical center experienced among other things significant increases in the number of patients admitted ambulance arrivals waiting room times and patients leaving without being seen The studys authors concluded that their findings suggested that health care cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters necessitating coordinated planning and response efforts 155
Thus implementing reasonable and appropriate security measures better protects not only the regulated entity and its ePHI but other regulated entities with whom it interacts and may reduce the effects of cyberattacks and other security incidents that adversely affect the confidentiality integrity or availability of ePHI
pp
As discussed above several industry organizations have published and maintained compilations of voluntary standards guidelines best practices methodologies procedures and processes for protecting the security of sensitive and confidential information including PHI Additionally certain Federal health programs now either require or recommend the adoption of specific criteria that are intended to protect the confidentiality integrity and availability of ePHI For example the Health IT Certification Program maintained by the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology ASTPONC 156
sets minimum requirements for certified health IT including criteria that pertain to cybersecurity157
These criteria are included in the Health IT Certification Programs Health IT Privacy and Security Framework158
which identifies
when technical capabilities to support
the privacy and security of electronic health information 159
must be included in certified health IT products Additionally health care providers that participate in certain Federal health programs must use health IT certified to these requirements160
Regulated entities also may want to consider adoption of certified health IT because it could contribute to compliance with the Security Rule We will continue to work across the Department to ensure the adoption of consistent requirements for Federal programs that support the secure electronic exchange of health information to the extent that such consistency is appropriate Throughout this preamble we provide examples of how a regulated entitys participation in other Federal programs that require the use of health IT certified through the ONC Health IT Certification Program or adoption of other Federal recommendations such as the HHS CPGs might support their compliance with the proposals in this NPRM
pp
Additionally as discussed above several organizations have published and maintained compilations of voluntary standards guidelines best practices methodologies procedures and processes for protecting the security of sensitive and confidential information including PHI These compilations and the State regulations discussed above range from granular 161
to highlevel 162
and from health carespecific 163
to industry agnostic164
Despite these differences these compilations and regulations have a great deal in common with each otherand with the Security Rule its longevity notwithstanding In fact the foundational elements of the Security Rule promulgated more than 20 years ago can still be found in cybersecurity compilations published today They generally either require or recommend administrative physical and technical safeguards to identify and mitigate risks and vulnerabilities implement authentication and access controls conduct security awareness and training for information system users and plan for contingencies and incident response165
Additionally these compilations all require or recommend the designation of a specific individual who is accountable for implementing the requirements or recommendations And importantly they all ultimately address how to maintain the
print page 910
confidentiality integrity and availability of sensitive and confidential information including ePHI
ppA major distinguishing factor between the content of the Security Rule and these compilations and regulations is the Security Rules scope The compilations and regulations are designed to protect various types of data and information systems broadly In comparison a defining quality of the Security Rules requirements is that they focus specifically on the protection of ePHI and the information systems that create receive maintain or transmit ePHI Thus while the foundational elements of various cybersecurity compilations and State regulations and the Security Rule may be the same the Security Rule alone addresses the application of those elements to ePHI and all of the components of information systems that create receive maintain or transmit ePHI Thus while the standards of the Security Rule generally align with those of other cybersecurity standards frameworks best practices guidelines processes and procedures the specific implementation specifications of the Security Rule reflect the particular sensitivities of the health care industry particularly small and rural health care providers in a way that is necessary to ultimately improve the efficiency and effectiveness of the health care system and avoid imposing unreasonable compliance burdens on regulated entitiespp
The health care sector has undergone a dramatic transformation over the last 24 years and particularly in the past 10 years spurred at least in part by the Departments implementation of HIPAA the HITECH Act and the Cures Act The industry has shifted from one that generally relied upon a system of paperbased recordkeeping and siloed devices to one that depends on interconnected information systems to maintain and exchange patient records conduct research run health care provider facility management systems and provide patient care166
This shift is largely the result of HIPAAs emphasis on the development and use of standards and the EHR incentive funds made available under the HITECH Act for health care providers167
Data from ASTPONC offer clear and convincing evidence of this shift In 2008 before the enactment of the HITECH Act less than 10 percent of nonFederal acute hospitals had implemented what was referred to at the time as a Basic EHR
ie
an electronic health record168
By 2015 six years after the enactment of the HITECH Act almost 84 percent had adopted a Basic EHR while 96 percent had adopted a certified EHR169
The transformation was further enabled by the Cures Act which encouraged the development of a trusted exchange framework for the nationwide exchange of health information and provided penalties for health care providers health information exchanges and networks and developers of certified health IT that engage in information blocking170
In 2014 41 percent of such hospitals routinely had electronic access to clinical information from outside providers or sources when treating a patient171
By 2023 70 percent of nonFederal acute care hospitals engaged in all domains of interoperable exchange routinely or sometimes a significant leap forward172
In 2017 only 38 percent of hospitals enabled patients to access their health information using an application and in 2018 57 percent enabled patient access to their clinical notes in their patient portal by 2021 70 percent of hospitals enabled patients to access their health information using an application and 82 percent enabled patients to view their clinical notes in their patient portal173
And just a year later the percentage of hospitals that supported patient access through applications increased to 86 percent174
Based on this data it is clear that HIPAA coupled with the HITECH Act and the Cures Act has successfully encouraged the development of a nationwide electronic health information system
pp
Not only is PHI increasingly maintained and transmitted electronically but treatment is also increasingly provided electronically The coronavirus disease 2019 COVID19 pandemic led to a dramatic increase in the use of telemedicine175
According
print page 911
to ONC data only 15 percent of officebased physicians used any form of telemedicine in 201819 In 2021 telemedicine usage increased to 87 percent176
The electronic content generated or transmitted during a telemedicine visit constitutes ePHI so the increase in telemedicine further increases the amount of PHI that is also ePHI
pp
It is not only the ePHI maintained in EHRs and other electronic recordkeeping systems that faces security risks Medical equipment and devices are increasingly connected through one or more networks which means that any issues affecting the network likely will affect the medical equipment and devices177
And some medical equipment and devices rely on offtheshelf operating systems such as Windows Linux and similar thirdparty software 178
thus the medical equipment and devices can experience the same vulnerabilities as personal computing devices Generally the US Food Drug Administration FDA does not need to review software patches or configuration updates for offtheshelf software before a device manufacturer puts them in place because the FDA views most patches and configuration updates as design changes that can be made without prior discussion179
pp
Cybercriminals may useor targettechnology assets such as software or medical devices used for treating individuals For example in 2021 a cyberattack on cloudbased systems supplied by a particular company compromised the ePHI of more than 200000 individuals and affected the software for linear accelerators used in radiotherapy leading to disruptions to cancer treatment180
Thus to protect technology assets used for treatment the information systems that create receive maintain and transmit ePHI also must be protected As another example in 2013 the Mayo Clinic 181
hired a group of ethical hackers 182
to identify vulnerabilities in 40 different medical devices183
The hackers were able to gain access to all of the devices meaning that the devices could all be vulnerable to a cyberattack184
Such attacks may create an opening for a subsequent attack on the device itself or on the regulated entitys information systems that create receive maintain or transmit ePHI compromising those information systems and the ePHI itself185
It also may lead intentionally or not to a loss of device integrity which could result in the corruption of the devices functionality or the ePHI on the device186
A cyberattack on a medical device may also reduce the ability of the authorized person to use the device
eg
a denial of service attack which is a type of cyberattack that overloads the device by flooding the network with traffic187
Depending on the device and its use the result of cyberattacks on a medical device could range from little or no effect to serious injury or death188
pp
According to researchers at Brown University medical devices are a prime target for cybercriminals In fact they believe More than just technically feasible the widespread takedown of medical devices is an imminent threat 189
A 2023 Government Accountability Office report on medical device cybersecurity described the importance of robust cybersecurity controls to ensure medical device safety and effectiveness because of the increasing integration of wireless internet and networkconnected capabilities and the electronic exchange of health information 190
The FDA has also acknowledged As electronic medical devices become increasingly connected to each other and to other technologies the ability of connected systems to safely securely and effectively exchange and use the information becomes critical Cybersecurity concerns rise along with the increasing medical device interoperability 191
Accordingly in 2023 the FDA issued updated guidance for industry and FDA staff on requirements for cybersecurity in medical devices192
pp
And then there are digital health applications When an application is deployed by a covered entity an application developer may be a business associate and subject to the Security Rule An application developer may also meet the HIPAA Rules definition of health care provider 193
and be a covered entity194
But also individuals are increasingly interested in accessing their ePHI using applications and transmitting information collected by health and wellness applications to
print page 912
their health care providers195
Such applications may empower individuals to better manage their health and participate in their health care and provide health care providers and researchers with a more holistic view of the individuals health at a particular point in time and over an extended period of time196
This technology while valuable for understanding an individuals overall health introduces another potential vulnerability to the security of ePHI and the information systems that create receive maintain or transmit it
pp
EHRs networked medical devices and applications are only the beginning Artificial intelligence AI in health care particularly for diagnosis and treatment is in the nascent stages of development but many are eager to test its promise197
After all many experts believe that AI promises opportunities to improve patient care outcomes and population health as well as to reduce costs198
The use of AI in health care is increasing and is expected to continue to increase199
A 2023 Healthcare Information and Management Systems Society HIMSS survey of health care cybersecurity professionals reported that approximately 50 percent of respondents organizations permitted the use of generative AI technology200
And other new technologies are expected shortly as discussed below For example according to reports quantum computing may be available in the near future which may have ramifications for data privacy and security201
We also know that researchers are exploring methods for storing ePHI in biological material
eg
DNA202
pp
While the promise of these new technologies is exciting they come with increased risks and vulnerabilities to ePHI and the information systems that create receive maintain or transmit it As noted by Executive Order EO 14110 AI must be safe and secure Meeting this goal requires addressing AI systems most pressing security risksincluding with respect to biotechnology cybersecurity critical infrastructure and other national security dangerswhile navigating AIs opacity and complexity 203
For these reasons the EO required the Secretary of HHS in consultation with the Secretary of Defense and the Secretary of Veterans Affairs to establish an HHS AI Task Force to develop a strategic plan that includes policies and frameworks on responsible deployment and use of AI and AIenabled technologies in the health and human services sector including the incorporation of safety privacy and security standards into the softwaredevelopment lifecycle for the protection of personally identifiable information such as measures to address AIenhanced cybersecurity threats in the health and human services sector204
The Department has taken a number of actions to address the use of AI in health care including establishing an AI Council appointing a Chief AI Officer205
and taking steps to regulate the use of AI in health care206
Accordingly regulated entities must be prepared to identify mitigate and remediate such risks and vulnerabilities
pp
While the health care industry has generally shifted from paper recordkeeping and noninteroperable electronic devices to an interconnected electronic health care system it has led to an increasing vulnerability to breaches of unsecured PHI resulting from unauthorized uses and disclosures and cyberattacks According to an article published by the American Hospital Association Center for Health Innovation Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nationstate actors 207
In fact on the dark web PHI is deemed more
print page 913
valuable than credit card data enabling cybercriminals to extract as much as 1000 per stolen medical record 208
Before this shift to an interconnected electronic system lost or misplaced paper records or even a laptop could lead to a breach of unsecured PHI affecting hundreds or thousands of individuals209
While a breach of that size remains significant unauthorized access to a single workstation today could lead to a breach that affects millions of individuals because of the increase in interconnectivity210
pp
Between 2018 and 2023 the number of breaches of unsecured PHI reported to the Department grew at an alarming rate 100 percent increase as did the number of individuals affected by such breaches 950 percent increase211
The reports reflect rampant escalation of cyberattacks using hacking 260 percent increase and ransomware 264 percent increase212
Based on reports made to OCR in 2022 approximately threefourths of the breaches of unsecured PHI affecting 500 or more individuals were the result of hacking of electronic equipment or a network server213
In 2023 over 160 million individuals were affected by breaches involving the PHI of 500 or more individualsa new record We anticipate that 2024 will surpass that record particularly in light of the estimate provided by a large covered entity regarding the number of individuals affected by a breach of its subsidiary214
pp
In 2023 the Federal Bureau of Investigations internet Crime Complaint Center received almost 250 reports of ransomware affecting the Healthcare and Public Health sector the most of any of the 16 identified infrastructure sectors215
The Healthcare and Public Health sector has been the most targeted critical infrastructure sector since at least as far back as 2015216
Between 2015 and 2019 cyberattacks on health care organizations increased by 125 percent217
And between 2022 and 2023 ransomware attacks against the US health care sector increased 128 percent218
pp
Many people including regulated entities inaccurately believe that only large regulated entities that maintain electronic records about millions of individuals are likely to face a cyberattack and thus that it is less important for smaller regulated entities to invest resources in cybersecurity219
In fact smaller regulated entities may also be the target of or adversely affected by cybercrime partly because of the interconnectedness of health care and partly because they are less likely to have invested in cybersecurity making them easier targets220
pp
As explained in a recent national security memorandum cybercriminals are targeting critical infrastructure
ie
the physical and virtual assets and systems so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security national economic security or national public health or safety and their activities may be tolerated or enabled by other countries221
Thus it is essential that the Department and regulated entities take steps to safeguard health care infrastructure and ePHI
pp
External actors are not the only or even the greatest threat to the security of ePHI According to a recent study insiders were the second leading cause of breaches in the health care sector in 2023 exceeded only by miscellaneous errors such as misdelivery222
For example a recent settlement resolved an OCR investigation involving the theft and sale of the ePHI of more than 12000 patients by an employee of a large health care system223
In another example security guards at a large health care provider were alleged to have used their login credentials to inappropriately access ePHI224
Thus it is critical that regulated entities improve their cybersecurity posture to protect not only against external threats but also
print page 914
internal ones and both intentional and accidental breaches
pp
Emergencies or other occurrences can affect the security of ePHI without an intentional act For example in 2024 CrowdStrike released a defective update for its software on computers running Microsoft Windows225
This update affected the ability of regulated entities to access the ePHI of millions of individuals for varying periods of time During this time ePHI was unavailable meaning that one of the key prongs of the security triad of confidentiality integrity and availability was affected226
Because of the increased digitization of PHI it is for example essential that covered health care providers engage in thoughtful contingency planning that considers how they will proceed in the event that they are unable to access ePHI in their EHRs Additionally threat actors will often seek to take advantage of such incidents As reported by a large subcontractor of a business associate less than a week after the outage the company observed threat actors leveraging the event to distribute ransomware227
The environment in which health care is delivered the way in which it is delivered and the manner in which related information is collected all mean that regulated entities must consider a different approach to operational continuity and resiliency in the face of such challenges Additionally they must be wary of the potential for bad actors to attempt to take advantage of such events
pp
Despite the proliferation of cybersecurity standards guidelines best practices methodologies procedures and processes and the documented increase in unauthorized uses and disclosures of ePHI many regulated entities have been slow to strengthen their security measures to protect ePHI and their information systems that create receive maintain or transmit it in this new environment228
Among the reasons for this are the rapid pace of EHR adoption and digitization of health care increased connectivity and use of cloudbased infrastructures limited competition and a stable customer base limited operating margins and a failure to invest in cybersecurity infrastructure229
For example regulated entities continue to rely on legacy systems and software that are unsupported by manufacturers which means that the manufacturers no longer provide security patches or other updates to address security threats and vulnerabilities230
In a 2021 survey of health care cybersecurity professionals 73 percent reported having legacy operating systems231
This apparent lack of urgency in adopting new supported operating systems has serious implications for the confidentiality integrity and availability of ePHI
pp
In addition many regulated entities fail to invest adequate resources in cybersecurity Far too many regulated entities do not view cybersecurity as a necessary component of their operations that allows them to fulfill their health care missions Anecdotal evidence suggests that senior management often lacks awareness of cybersecurity including both threats and methods for protecting against such threats232
A lack of maturity and effectiveness of the information technology function is evident when healthcare organizations fail to maintain a current inventory of sensitive and valuable data and where those reside 233
While maintaining an accurate and thorough inventory of technology assets is not currently an explicit requirement of the Security Rule it is clearly a fundamental component of conducting a risk analysis and many of the other existing requirements234
And yet based on the Departments experience many regulated entities are not maintaining such an inventory At least in part because of senior managements lack of cybersecurity awareness many fail to invest or fail to invest appropriately in cybersecurity infrastructure235
Given the vulnerability of ePHI and the information systems of regulated entities and the potential effects of cyberattacks on patient safety and the delivery of health care it is important that regulated entities prioritize such investments236
pp
The security of ePHI also is at risk because despite our explanation of the Security Rules structure in 2003237
regulated entities are not fully complying with the standards and implementation specifications From 2016 to 2017 the Department conducted audits of 166 covered entities and 41 business associates regarding compliance with selected provisions of the HIPAA Rules including the required implementation specifications for risk analysis 238
and risk management239
The Department found that most regulated entities failed to implement the Security Rule requirements for risk analysis and risk management requirements that are fundamental to protecting the confidentiality integrity and availability of ePHI240
While most of the audited business associates reported not having experienced any breaches of unsecured PHI we found that those that
print page 915
had experienced a breach generally engaged in minimal or negligible efforts to address the risk analysis and risk management requirements241
According to the report at that time only 14 percent of covered entities and 17 percent of business associates were substantially fulfilling their regulatory responsibilities to safeguard ePHI they held through risk analysis activities 242
while 94 percent of covered entities and 88 percent of business associates failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level 243
The report specifically noted that the audit results were consistent with the findings of OCRs compliance reviews and complaint investigations244
pp
Recent enforcement actions provide evidence that the results of the 20162017 audits were not isolated cases In 2023 OCR entered into seven resolution agreements with regulated entities after investigations indicated that they had potentially violated the Security Rule constituting almost half of the total resolution agreements OCR entered into that year245
In each case OCRs investigation found evidence of multiple potential violations For example in one case a regulated entity did not detect an intrusion into its network until 20 months later when its files were encrypted with ransomware246
OCRs investigation found evidence of potential failures of the regulated entity to conduct a risk analysis or to sufficiently monitor information system activity OCR also found evidence that the regulated entity may not have had policies and procedures in place to implement the requirements of the Security Rule to protect the confidentiality integrity and availability of ePHI247
pp
As another example an OCR investigation of a large health care system found indications of multiple potential violations of the Security Rule including failures by the regulated entity to conduct a risk analysis monitor and safeguard its electronic information systems and implement policies and procedures to record and examine activity in its electronic information systems containing ePHI248
The regulated entity was not only unable to prevent the cyberattack but it was unaware the attack had occurred until two years later This is despite the longstanding requirements of the Security Rule and the obligations imposed on regulated entities for risk analysis and risk management
pp
Despite the longstanding nature of the Security Rule and the proliferation of guidance documents from NIST the Department CISA FTC and others regulated entities continue to fail to implement reasonable and appropriate security measures as required by the Security Rule249
For example the Security Rule and NIST guidance have addressed encryption for data in transit and at rest for many years250
And yet in the 2021 survey of health care cybersecurity professionals only half of the respondents reported having implemented encryption for data in transit across the enterprise251
Similarly according to its CEO a large covered entity failed to deploy multifactor authentication MFA throughout its enterprise and experienced a significant breach252
If this is accurate it would run counter to longstanding provisions in both the Security Rule and NIST guidance the Security Rule has required the implementation of appropriate access controls since 2003 and NIST recommends similar controls253
pp
As another example based on OCRs investigation experience some regulated entities are not developing and implementing compliant response plans for security incidents including those that are breaches of unsecured ePHI under the Breach Notification Rule Section 164308a6i establishes the standard that requires regulated entities to implement policies and procedures to address security incidents while 45 CFR 164308a6ii includes the implementation specifications for that standard This requirement included in the 2003 Final Rule aligns with the NIST Cybersecurity Framework version 20 requirement for incident management254
Similarly NIST Cybersecurity Framework version 11 recommended the execution and maintenance of response processes and procedures to ensure response to detected cybersecurity incidents255
And yet when OCR investigates the circumstances surrounding breach reports OCR continues to find evidence that regulated entities have not implemented policies and procedures to detect and respond to security incidents leading to significant time lapses between a successful security incident 256
and discovery of and response to the security incident257
Thus based on the OCRs experience investigating and enforcing the Security Rule the Department believes that many regulated entities would benefit from additional instruction in regulatory text regarding their compliance obligations to determine how to select security
print page 916
measures that are reasonable and appropriate for their circumstances
pp
We are also concerned that recent caselaw has not accurately set forth the steps regulated entities must take to adequately protect the confidentiality integrity and availability of ePHI as required by the statute Specifically in the
University of Texas MD Anderson Cancer Center
v
HHS
MD Anderson
the US Court of Appeals for the Fifth Circuit held among other things that the Security Rule does not say anything about how effective a mechanism for encryption must be nor does it require that an encryption mechanism provide bulletproof protection of all systems containing ePHI258
Thus under the courts interpretation a regulated entity can meet its obligations under the Security Rule concerning encryption and decryption of ePHI by implementing a mechanism to do so without regard for the effectiveness of the implementation259
Additionally the court noted that the requirement for a mechanism does not prohibit a regulated entity from creating a mechanism by directing employees to sign an agreement that requires the encryption of portable devices 260
While the Department disagrees with the courts interpretation that merely requiring employees to sign an agreement to encrypt portable devices is sufficient to comply with its Security Rule obligations to implement a mechanism to encrypt and decrypt ePHI the Department believes that additional clarity is warranted to ensure that regulated entities understand their obligation to have encryption mechanisms in place and deployed throughout the regulated entitys enterprise to ensure the confidentiality integrity and availability of ePHI
ppSeveral technical safeguards currently require regulated entities to implement a mechanism as part of complying with the associated standard Given that written policies and procedures alone are insufficient to protect ePHI and the misinterpretation of what it means to implement a mechanism also could lead to inadequate protection of ePHI the Department believes that the Security Rule must be revised consistent with its statutory mandate as discussed in greater detail abovepp
By requiring that regulated entities maintain reasonable and appropriate safeguards to protect against reasonably anticipated threats or hazards or unauthorized uses or disclosures of ePHI Congress clearly anticipated that the administrative physical and technical safeguards implemented to protect the security of ePHI would need to change in response to changes in the environment in which health care is provided261
As the health care environment and the operations of regulated entities evolve so must the protections for ePHI and the information systems used to create receive maintain or transmit it For example regulated entities must be expected to adopt safeguards that address new risks to the security of ePHI such as those posed by maintaining ePHI in the cloud the connection of medical devices and other technology to networks and the connection of information systems used to create receive maintain or transmit ePHI to the same networks as those do not perform such activities After all it is reasonable to anticipate that there will be new threats or hazards to ePHI or efforts by unauthorized persons to use or disclose such ePHI in an increasingly connected environment
pp
By design the Security Rule sets a national floor for the security measures that regulated entities are required to implement to protect the confidentiality integrity and availability of ePHI In 2003 the Department opted to frame the standards in terms that were as generic as possible and in a manner that enabled the standards to be met through various approaches or technologies to ensure that regulated entities had the flexibility to determine how best to protect the confidentiality integrity and availability of ePHI based on their specific circumstances262
When we extended the Security Rule in 2013 to directly apply to business associates in accordance with the HITECH Act263
the Department acknowledged that some business associates might not have engaged in the formal administrative safeguards required by the Security Rule and we made it clear that business associates would be expected to do so going forward264
Despite the changes in the health care environment between 2003 and 2013 the Department made minimal changes to the Security Rule at that time because we believed that the compliance obligations of regulated entities were clear and wellunderstood In fact when a commenter recommended that the Department remove the addressable designation from the Security Rule because it leads to ambiguity in the rules application we declined to do so at that time because we were concerned that it would reduce the rules scalability and flexibility265
However as we noted in 2003 the rules flexibility of approach is primarily provided for in paragraph b2 of 45 CFR 164306 and in the standards themselves266
The addressability feature merely provided an added level of flexibility 267
in a way that the Department now believes is inadequate to ensure that regulated entities implement reasonable and appropriate security safeguards
pp
Changes to the health care environment and the operations of regulated entities have increased the importance of implementing strong security measures to protect ePHI and the information systems that create receive maintain or transmit it While we recognize the burdens posed by such implementation on regulated entities there is also a clearly documented increase in the number of breaches of unsecured PHI and instances of cybercriminals accessing ePHI without authorization at regulated entities The changes to the health care environment including the increase in breaches and cyberattacks and operations of regulated entities have made it increasingly likely that unauthorized persons will seek to obtain ePHI and disrupt the US health care system Additionally the clearly documented failure of regulated entities to fully implement the policies and procedures required by the Security Rule and apply the required security measures throughout their operations has caused the Department to question whether the existing Security Rule should be revised to clarify and strengthen the obligations of regulated entities and revisit our
print page 917
decision from 2013268
In many cases involving a breach of ePHI that OCR has investigated a breach may not have occurred or would have been less widespread and disruptive had the regulated entities fully implemented the provisions of the Security Rule269
pp
The Department is not alone in believing that the Security Rule should be strengthened to address concerns about whether regulated entities are sufficiently protecting the confidentiality integrity and availability of ePHI An inquiry conducted by NCVHS between July 2021 and September 2023 reached the same conclusion270
During this inquiry NCVHS listened to the testimony of cybersecurity experts and Department officials The experts and Department officials consistently voiced their concerns about the major increase in incidents and in particular the widespread lack of robust risk analysis on the part of covered entities and business associates that would lead to prior planning for and mitigation of a range of cybersecurity threats 271
In response to this inquiry and consistent with their statutory mandate272
NCVHS transmitted two letters to the Secretary with recommendations for improving cybersecurity practices in the health care industry including recommendations for modifying the Security Rule273
As part of the explanation for its concerns NCVHS cited a 2021 survey of acute and ambulatory care organizations that found only 32 percent of those organizations had a comprehensive security program while only 26 percent of the longterm and postacute care facilities met the minimum security requirements274
Specifically NCVHS made the following recommendations for improvements to the Security Rule
pp
The Department in drafting this NPRM relied on the recommendations of NCVHS OCRs enforcement experience news reports and our assessment of the environment Consistent with NCVHS recommendation to revisit the Security Rules classification of some implementation specifications as addressable the Department also believes that it is appropriate to revisit our decision regarding the amount of flexibility regulated entities have in determining reasonable and appropriate safeguards as described above Based on OCRs experience in investigations and audits we believe that regulated entities would benefit from greater specificity in the Security Rule The Department has provided extensive guidance on questions to consider when adopting and implementing security measures and ways to comply with the Security Rule283
as directed by the HITECH Act And yet despite this proliferation of guidance regulated entities continue not to comply For example despite the explanation in 45 CFR 164306d about addressable implementation specifications and the notable changes in the environment in which health care is provided we are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optionaland that where there is an addressable implementation specification that compliance with the relevant standard is also optional That interpretation is incorrect and weakens the cybersecurity posture of regulated entities We believe that compliance with the implementation specifications currently designated as addressable is notand should not beoptional particularly in light of the shift to an interconnected and cloudbased environment and a significant increase in the number of breaches of unsecured PHI from both internal and external actors regardless of the regulated entitys specific circumstances Thus we believe that it is necessary to strengthen the Security Rule to reflect the changes in the health care environment and the evolution of
print page 918
technology and to underscore that compliance with all of our proposals if finalized is required
pp
The Security Rules fundamental flexibility and scalability generally would remain should the proposals in this NPRM be adopted However we are proposing to reduce that flexibility to better strengthen protections and address the changed nature of the environment in which health care is provided The Department is also proposing in this NPRM to strengthen the Security Rule by providing greater clarity regarding the nature of its flexibility and scalability and the Departments expectations as requested by regulated entities and other stakeholders In fact in response to a request for information published in 2022284
several commenters urged the Department to propose regulations that establish a single set of clear standards for regulated entities raise the floor for security requirements and expectations and encourage regulated entities to safeguard ePHI while maintaining flexibility and scalability Commenters also encouraged the Department to rely on commonly available nonproprietary frameworks that allow regulated entities to adopt critical security measures We believe that our proposals are consistent with those recommendations
pp
Under the proposal regulated entities would retain the ability to determine the security measures that are reasonable and appropriate to fulfill the required standards and implementation specifications taking into consideration the factors listed at proposed 45 CFR 164306b2 In fact the NPRM if adopted as proposed would add to the rules flexibility and scalability by adding a new factor for regulated entities to consider when determining the reasonable and appropriate security measures285
pp
Additionally if modifications are adopted as proposed the Security Rule would remain flexible and scalable by retaining broad standards with which regulated entities could comply in a variety of ways In 2003 the 13 implementation specifications that the Security Rule requires were considered so basic that no covered entity could effectively protect ePHI without implementing them286
While the Department agrees that these implementation specifications remain essential we no longer believe that they are sufficient to address the risks to ePHI today Rather regulated entities must do more to ensure the confidentiality integrity and availability of ePHI today because of the changes in the environment in which health care is provided how ePHI is maintained the level of connectivity between information systems and the technological sophistication of bad actors
pp
We acknowledged in 2003 and again acknowledge here that there is no such thing as a totally secure system that carries no risks to security 287
We posited at that time that Congress intended to set an exceptionally high goal for the security of ePHI while also recognizing that securing ePHI did not require that covered entities do so without regard for the cost288
However we also made clear that a covered entity is required to implement adequate security measures and that cost was but one factor for a covered entity to consider when determining what constituted appropriate security measures289
As we noted Cost is not meant to free covered entities from this responsibility 290
In the 2013 Omnibus Rule we further explained that regulated entities have the flexibility to choose security measures appropriate for their size resources and the nature of the security risks they face enabling them to reasonably implement any given Security Rule standard Thus the costs of implementing for business associates will be proportional to their size and resources 291
We continue to believe that this is the case Additionally as discussed above there is a significant cost associated with breaches and unauthorized accessfinancial reputational for both the individual and the regulated entity and more Thus we believe that the standards and implementation specifications that we propose in this NPRM are the minimum that regulated entities should be doing to protect the security of ePHI and lower the costs associated with breaches and other incidents
pp
The statute requires that we consider the needs and capabilities of small health care providers and rural health care providers as such providers are defined by the Secretary 292
We recognize that small and rural health care providers may have needs and capabilities that differ from those of other regulated entities For example small health care providers and rural health care providers are often located at a greater distance from other health care providers293
It may be more challenging for them to attract and retain clinicians and administrative support staff294
They also face difficulty attracting and retaining security experts and must make difficult decisions regarding investments in competing priorities295
Often preparation for security incidents or other occurrences that adversely affect the confidentiality integrity or availability of ePHI is neglected in favor of other priorities putting small and rural health care providers at greater risk for such an occurrence296
pp
We continue to believe that it is just as important for small and rural health care providers to implement strong security measures as it is for larger health care providers and other categories of regulated entities According to experts Cybercriminals go after small businesses especially those in the healthcare industry
print page 919
because they are easy targets 297
In 2017 93 percent of small rural and critical access hospitals and 86 percent of physician offices relied on health IT to inform their clinical practice298
And yet small health care providers are less likely than a larger organization to even have a designated security or compliance officer299
Smaller practices and rural and community facilities also may be more likely to rely on older technologies that are no longer supported by security patches and updates including medical devices such as insulin pumps and pacemakers in which inaccuracies or errors could affect patient safety300
Thus small health care providers are at the greatest risk of a breach Smaller rural practice settings are especially highrisk target areas for a breach 301
According to an expert who speaks to and works with health care providers on IT services and cybersecurity small health care providers are more susceptible because they do not have a lot of the tools and security measures necessary to protect themselves 302
For example a critical access hospital in Colorado recovered from a cyberattack in 2019 but it required an incredible amount of staff time many months of recovery efforts and an enormous financial outlay to restore systems and prevent another attack 303
In fact the hospital estimates that it took a full year of a staff persons time to complete the recovery and protect the organization for the future 304
These costs do not include the multiple ransoms paid to the attackers after the first set of keys did not unlock all of the data305
pp
Patients and communities have a critical need for health care providers including rural hospitals and other rural health care providers to be resilient and remain operational which depends in part on the cybersecurity of their electronic information systems For rural health care providers especially hospitals a breach can significantly affect an entire community306
Rural health care providers often are separated by significant distances which can have real consequences for someone experiencing a medical emergency307
A recent study comparing hospital characteristics and operations of rural and urban hospitals that experienced ransomware attacks between 2016 and 2021 found that rural hospitals experienced large declines in inpatient admissions and Medicare revenue similar to those experienced by urban hospitals308
The study also found that the decline in volume and revenue of hospital outpatient and emergency room visits was more pronounced among rural facilities309
In fact in June 2023 a hospital in rural Illinois announced that it would close in part because a 2021 cyberattack prevented it from submitting claims to health plans for months310
According to a local elected official the hospitals closure would require some residents to travel approximately 30 minutes for the nearest emergency room and obstetrics services311
Thus implementing security measures to maintain facility operations is critical to minimize or avoid disruptions to patient care and patient safety activities in such facilities Consistent with these examples the Department believes that small and rural health care providers are also viewed as potential targets by cybercriminals and such providers need to implement strong cybersecurity measures to secure the ePHI in their possession In fact in June 2024 the Administration announced a collaboration with the private sector to provide additional cybersecurity resources for rural health care providers in recognition of the importance of protecting the security of ePHI created received maintained or transmitted by such entities312
We believe this collaboration will provide small and rural health care providers with additional support particularly when coupled with other resources described in greater detail below313
Thus we believe that small and rural health care providers have both the need to comply with the proposals in this NPRM and the capability of doing so Additionally we believe that the NPRM would continue to provide all regulated entities including small and rural health care providers the ability to take into account their circumstances when determining which security measures are reasonable and appropriate314
pp
While the Security Rule generally continues to accomplish a primary goal of HIPAA315
the Department believes that it is essential to propose modifications to strengthen its protections for the confidentiality integrity and availability of ePHI to address the changing health care environment We also believe it is important to clarify the obligations of regulated entities and emphasize the importance of protecting the confidentiality integrity and availability of ePHI We believe that the proposed revisions would require regulated entities to consider and potentially modify their safeguards more regularly which would better enable them to quickly respond to changes in the environment and be consistent with cybersecurity best practices While we do not expect that compliance with the Security Rule will
print page 920
prevent all breaches or interruptions in the confidentiality integrity or availability of ePHI we believe that it will prevent many and enable regulated entities to identify mitigate and remediate the damage more quickly if there is a breach or other security incident thereby reducing harm to individuals and the overall costs of such occurrences to regulated entities and to the US health care system As such the proposed modifications would support a primary goal of HIPAAs Administrative Simplification provisions improving the efficiency and effectiveness of the US health care system by encouraging the development of health information systems through the establishment of uniform standards and requirements for electronic transmission of ePHI including those for security316
pp
HIPAA requires the Secretary to adopt standards that have been developed adopted or modified by a standard setting organization accredited by ANSI except in certain circumstances317
For example HIPAA permits the Secretary to develop standards where no relevant standards have been developed adopted or modified by an ANSIaccredited standard setting organization In developing adopting or modifying a standard the Secretary is required to consult with standard setting organizations NCVHS and with the appropriate Federal and State agencies318
pp
The statutory definition of the term standard applies only to standards for electronic transactions and data elements for such transactions that are appropriate for 1 the financial and administrative transactions described in the statute and 2 other financial and administrative transactions consistent with the goals of improving the operation of the health care system and reducing administrative costs as determined appropriate by the Secretary319
Under HIPAA security is not considered a financial or administrative transaction or a data element of such transaction320
In the Health Insurance Reform Standards for Electronic Transactions final rule in 2000 we explicitly adopted a broader definition of standard because we recognized that the statutory definition only applied to standards for financial and administrative transactions despite the statutes requirement that the Secretary adopt standards addressing other matters including privacy and security321
At that time we explained that we adopted a broader definition of standard to accommodate the varying functions of the specific standards proposed in other HIPAA regulations322
For the same reason we believe that it is appropriate to continue to rely on the regulatory definition of standard323
pp
As discussed above in both 1998 and 2003 the Department determined that no comprehensive scalable and technologyneutral set of standards exists and accordingly we proposed and adopted a new standard324
In 2013 we made only minor modifications to the standards when we complied with explicit directions from Congress to apply the requirements of the Security Rule to business associates so we did not need to consider whether an ANSIaccredited standard setting organization had adopted a comprehensive set of standards on the security for ePHI that was flexible scalable and technologyneutral325
pp
However because we believe it is appropriate for us to consider modifying the Security Rule at this time for the reasons discussed above we must again consider whether an ANSIaccredited standards setting organization has developed adopted or modified a standard relating to the security of ePHI The Department continues to believe that any standard must be comprehensive rather than piecemeal as recommended by the ANSI Healthcare Informatics Standards Board326
We also continue to agree with the recommendation that the standards should be technologyneutral because security technology continues to evolve to keep pace with the evolution of technology more broadly Additionally the Security Rule must remain flexible and scalable to allow for consideration of the wide variety of regulated entities enabling such entities to determine the reasonable and appropriate security measures for their circumstances by taking into account the factors specified by HIPAA327
pp
We are not aware of any standard setting organizations that are accredited by ANSI that have issued standards for the security of ePHI let alone standards that are sufficiently comprehensive flexible scalable and technologyneutral to enable regulated entities to take into account the HIPAA factors For example NIST has issued numerous publications addressing health care cybersecurity that are considered by NIST to be guidance rather than standards In fact NIST is ANSIaccredited for only one standard328
And with the exception of publications that analyze the Security Rule NISTs guidance does not specifically address the security of ePHI CISA has issued crosssector CPGs but it is not ANSIaccredited There may be other organizations that have set standards for the transmission of particular information such as the secure transmission of images but adopting such individual standards would not meet the Departments criteria In this case adoption of such standard would be far too granular and require the Department to revise the Security Rule at the same interval as the particular standard which may be irregular Additionally given that the Department is limited to modifying each standard or implementation specification no more frequently than once every 12 months this approach would be inefficient and could lead to a requirement that the Department update the Security Rule more than once a year depending on when such individual standards or implementation specifications are revised Even modifying the standards annually would require a significant investment of Department resources not to mention the investment required of regulated entities to comply with an everchanging set of requirements
pp
Additionally in 2021 Congress amended the HITECH Act to require the Secretary to consider whether a regulated entity has adequately demonstrated that it had in place recognized security practices for a certain period of time329
Congress defined recognized security practices to include certain NIST publications the approaches promulgated under
print page 921
section 405d of the Cybersecurity Act of 2015 and other programs and processes that address cybersecurity and that are developed recognized or promulgated through regulations under other statutory authorities 330
However the HITECH Act amendment did not require the Secretary to accept a regulated entitys implementation of recognized security practices as an alternative to compliance with the Security Rule nor did it provide that such implementation was sufficient to meet the security objectives of HIPAA or the HITECH Act Accordingly it is appropriate for the Department to develop and adopt its own standards to meet the statutory objective of ensuring the security of ePHI The standards and implementation specifications proposed herein take into consideration not only those promulgated by NIST but also guidelines best practices methodologies processes and procedures published by CISA the HHS 405d program CMS State governments and others The proposals also enable regulated entities to adopt security measures that ensure the confidentiality integrity and availability of ePHI protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI and unauthorized uses or disclosures of such ePHI ensure compliance with the Security Rule by the workforce members of regulated entities while also taking into account the technical capabilities of record systems used to maintain ePHI the costs of such measures the need for training users who have access to ePHI the value of audit trails in computerized record systems and the needs and capabilities of small and rural health care providers
pp
The Department has consulted with and relied on the recommendations of NCVHS in the formulation of this proposed rule 331
and intends to continue to engage in these consultations before finalizing the rule332
We also expect to consult with the National Uniform Billing Committee the National Uniform Claim Committee the Workgroup for Electronic Data Interchange and the American Dental Association before finalizing this rule as required by section 1172c3Aii of HIPAA333
ppThis section contains a description of the proposed amendments to the Security Rule and the Departments rationale for its proposals As part of this rationale we often include a discussion of best practices contained in previously published guidance documents issued by the Department NIST and other Federal agencies We request comment on previously published guidance documents that are not discussed herein that were issued by the Department or other Federal agencies and contain best practices but may be relevant or applicable to regulated entities including the names of and citations for such guidance documents We do not propose to adopt referenced best practices as the standard or implementation specifications unless otherwise specified in the proposed regulatory text Rather we include such discussion to provide regulated entities with context for the aforementioned proposals We recognize that regulated entities are of varying types and sizes and may be concerned that requiring the adoption of such best practices might not be appropriate for all However we request comment on whether we should require implementation of certain aspects of a particular guidance document If so please explain which aspects we should require the rationale and information about the burden of implementing such aspectspp
Electronic media are used by many health care organizations to process transmit and maintain ePHI As defined by the Security Rule the term electronic media 334
encompasses both 1 electronic storage material on which data is or may be electronically recorded and 2 transmission media used to exchange information already in electronic storage media It specifically excludes certain transmissions such as those of paper via facsimile fax and voice via telephone from being considered transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission
pp
The Department revised the definition of electronic media in 2013 by replacing the term electronic storage media with electronic storage material in recognition that there may be storage material other than media that houses electronic data in the future335
At that time the Department said that a fax machine accepting a hardcopy document for transmission is not a covered transmission even though the document may have originated from printing from an electronic file336
In response to commenter concerns we also clarified that ePHI maintained intentionally or otherwise in a photocopier fax machine or other device is subject to the Security Rule and reminded regulated entities that they should be aware of the capabilities of such devices with respect to their ability to maintain ePHI337
Additionally a regulated entity should consider the appropriateness of implementing security measures that account for such capabilities338
pp
Since 2013 the role technology plays in the storage and transmission of information has changed as have the types of media used to store and transmit such information For example traditional landlines 339
are rapidly being replaced with electronic communication technologies such as Voice over internet Protocol VoIP340
and mobile technologies that use electronic media such as the internet intra and extranets cellular and WiFi341
Some current electronic technologies that regulated entities use for remote communications may include communication applications on a smartphone or another computing device VoIP technologies technologies that electronically record or transcribe a telehealth session and messaging services that electronically store audio messages The definition of electronic media does not account for these changes because it excepts
print page 922
transmissions via fax and of voice via telephone from transmissions via electronic media nor does the definition take into consideration new and emerging technologies Accordingly the Department believes that it is appropriate to reconsider this definition
ppThe Department proposes to modify the definition of electronic media as follows First the Department proposes to revise paragraph 1 of the definition to clarify that electronic media includes not only media on which data may be recorded but also media on which data may be maintained or processedpp
Generally data is either at rest in transit or in process
eg
being worked on in use being modified in memory or being updated342
After the data is no longer in use it is either maintained or transmitted It is especially important for entities to protect data in process because generally data must be unencrypted to be processed making this a time when it is particularly vulnerable to a breach or other security incident343
To that end the Departments proposal would clarify that the definition includes electronic media that is used to record maintain or process data
ppThe Department also proposes to revise paragraph 1 to clarify and update terminology used in a nonexhaustive list of examples of electronic storage material Additionally to ensure that the definition includes future technology the Department proposes to add to the list of examples any other form of digital memory or storage on which data may be recorded maintained or processedpp
As discussed above traditional landlines and fax machines are rapidly being replaced with electronic communication technologies and mobile technologies that use electronic media The Security Rule applies when a regulated entity uses such electronic communication technologies Therefore regulated entities using telephone systems and fax equipment that transmit ePHI need to apply the Security Rule safeguards to those technologies344
Accordingly in paragraph 2 we propose to revise the description of transmission media to recognize that data is transmitted almost exclusively in electronic form today The limited exception to this would be data that is handwritten on paper and handdelivered or mailed such that the data is never on electronic storage material Additionally the Department proposes to include public networks in the examples of transmission media and to remove the sentence that describes transmissions that are not considered transmissions via electronic media By making these changes we would reflect technologys evolution since 2013
pp
We also propose to make a technical correction to paragraph 2 of the definition consistent with a revision made in the 2013 Omnibus Rule to paragraph 1345
Specifically the Department proposes to replace the term electronic storage media with electronic storage material in paragraph 2 to clarify the connection between definitions of electronic storage material and transmission media We neglected to make this change in 2013 when we replaced electronic storage media with electronic storage material in paragraph 1 which means that paragraph 2 relies on a term that is no longer defined This technical correction we propose is consistent with how the Department has interpreted the definition of transmission media and the connection between it and electronic storage material since the change was made in 2013
ppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether the proposed modifications accurately capture current use of electronic mediappb Whether the proposed modifications allow for future technological innovationppc Whether there are other types of electronic storage material that the Department should include in the nonexhaustive list of examplesppd Whether there are other types of transmission media that the Department should include in the nonexhaustive list of examplesppSection 164304 includes definitions for key regulatory terms in the Security Rule The Department proposes to add ten new defined terms and to modify the definitions of fifteen existing terms The proposed new regulatory terms would be Deploy Implement Electronic information system Multifactor authentication Relevant electronic information system Risk Technical controls Technology asset Threat and Vulnerability The definitions we propose to modify are for the following terms Access Administrative safeguards Authentication Availability Confidentiality Information system Malicious software Password Physical safeguards Security or Security measures Security incident Technical safeguards User and Workstation Generally the Department is proposing to add or modify regulatory terms that would either clarify how regulated entities should apply the standards and implementation specifications or modernize the rule to better account for changes in the environment in which health care is providedpp
The Security Rule defines the term access as the ability or means necessary to perform a set of activities describing how a user may interact with a system resource346
These activities are reading writing modifying communicating datainformation or otherwise using any component of an information system The definition applies only to the Security Rule not to the Breach Notification Rule or the Privacy Rule
pp
The term access defines the scope of some key regulatory provisions in the Security Rule For example whether a person meets the definition of a user is determined based on whether their access to information or a component of the regulated entitys information system is authorized347
The definition
print page 923
of the term security incident requires consideration of whether a person attempted to access or accessed information without authorization348
To determine whether a regulated entity complied with the administrative safeguard standard for workforce security the Department must consider to what extent a regulated entity established policies and procedures for ensuring that workforce members have appropriate access to ePHI349
ppThe current definition is expansive but not fully representative of how users could interact with information today As discussed above users create receive maintain and transmit information in more ways now than they did ten years ago Thus the Department believes that it is critical for the Department to consider modifying the definition of this term to adequately reflect the current electronic environmentppThe Department proposes to expand the list of activities that should be considered under the term by adding the activities of deleting and transmitting The Department also proposes to replace system resource with component of an information system to rely on an already defined term information system The proposed modification would clarify that the term includes any and all components of an information system and an information system as a whole Additionally the Department believes that a component of an information system better describes how the term access applies today because it is inclusive of hardware software and people as opposed to only the inherent capabilities that contribute to performance such as system memory and hard disk spacepp
Administrative safeguards are administrative actions policies and procedures to manage the selection development implementation and maintenance including reviewing and modifying of security measures to protect ePHI350
Administrative safeguards also manage the conduct of the regulated entitys workforce in relation to the protection of ePHI Under the Security Rule there are minor inconsistencies in language between the definitions of the types of safeguards which might lead to uncertainty about how to interpret the terms and lead to unintended consequences For example the definitions of administrative safeguards and physical safeguards use are while the definition of technical safeguards uses means 351
ppIn addition the existing definition of administrative safeguards does not expressly relate the administrative actions to the policies and procedures addressing the activities covered by the definition nor does it make clear that the policies and procedures are in addition to the administrative actions The same is true for the definitions of physical and technical safeguards Further the definition of administrative safeguards does not expressly mention managing updates and modifications to safeguardsppTo address the minor inconsistencies between the definitions of the safeguards and to ensure that each safeguard is afforded an equal weight of importance the Department proposes similar but minor changes across the definitions The Department proposes to add the word related to the definition here and below to add the words and related when necessary to more clearly connect the components that make up safeguards In the case of administrative safeguards the Departments proposal relates administrative actions to administrative policies and procedures The Department believes that this change would reduce confusion and improve clarity about compliance obligations We are proposing a similar change to the definitions of physical safeguards and technical safeguards below Additionally we are proposing to clarify that maintenance includes updating and modifying with respect to administrative safeguardspp
The Security Rule defines authentication as corroboration that a person is the one claimed By limiting the definition of authentication to persons the current definition neglects to acknowledge the importance to the security of ePHI of authenticating technology assets that are components of a regulated entitys electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI or that the regulated entity intends to connect to such electronic information systems352
Absent such authentication a bad actor could add technology assets
eg
software to a regulated entitys electronic information systems that enable the bad actor to compromise the security of ePHI
ppTo modernize the definition of authentication to reflect best practices in cybersecurity today the Department proposes to clarify the definition to mean corroboration that either a person or technology asset is the one they are claiming to be The modified definition would also improve readability with minor changes in wording The Department believes as proposed the revised definition would more accurately reflect the role played by technology assets in electronic information systems today For example a covered health care provider permits individuals to access their own PHI using an application that connects to the software that runs the covered health care providers patient portal Not only must the individual be authenticated as a user but the application must be authenticated such that the covered entitys software can verify that the application is what it claims to be In another example a portable technology asset for retrieving and storing PHI in the cloud must be authenticated before retrieving data from cloud storagepp
Availability is defined in the Security Rule as the property that data or information is accessible and usable upon demand by an authorized person Although not intended the current definition could be read to limit the scope of availability only to authorized persons And yet it is equally important to ensure that authorized technology assets such as connected medical devices software and workstations
print page 924
have access on demand to ePHI to carry out their functions
ppGiven the increased connectivity of the health care environment the Department proposes to clarify the definition of availability by specifying that availability means the property that data or information is accessible and usable upon demand by not only an authorized person but also an authorized technology asset In so doing the Department is not changing the meaning of availability but rather clarifying its scopeppSimilar to the definition of availability the definition of the term confidentiality could be read as limited to the property that data or information is not made available or disclosed to unauthorized persons or processes Read that way the definition does not reflect todays health care environment in which data and information may be accessed through any component of an interconnected electronic information systemppThe Department proposes to clarify the definition of confidentiality to specify that it means the property that data or information is not made available or disclosed to unauthorized persons technology assets or processespp
The Security Rule directs regulated entities to implement technical policies and procedures and assumes that such implementation requires the installation and configuration of technical safeguards353
OCR is concerned based on its investigations and compliance reviews that some regulated entities may interpret the regulatory requirement to implement technical policies and procedures to mean that a regulated entity is only required to establish written policies and procedures about technical requirements but need not then apply effective automated technical policies and procedures to all ePHI throughout the regulated entitys enterprise For example in
MD Anderson
the court stated that the encryption requirement at 45 CFR 164312a2iv requiring a regulated entity to implement a mechanism to encrypt ePHI does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI Nor does it require covered entities to warrant that all ePHI is always and everywhere inaccessible to unauthorized users 354
Further the court added that the requirement does not say anything about how effective a mechanism must be how universally it must be enforced or how impervious to human error or hacker malfeasance it must be 355
ppTherefore the Department believes it is necessary to add definitions that distinguish between implementation of the administrative and technical safeguards by separately describing how regulated entities can comply with requirements to implement technical safeguards and install technical solutionsppThe Department proposes to define the term deploy to identify a specific type of implementation We believe that the new term and definition would help to better describe the compliance obligations for implementation specifications related to the use of technology for securing the confidentiality integrity or availability of ePHI As proposed the definition would require a regulated entity to ensure that technology is in place configured for use and actually in use and operational throughout the regulated entity The Departments proposed use of the term helps illustrate its purpose and utility in clarifying that policies and procedures while necessary are insufficient to meet requirements for technical safeguardspp
For example the Department is proposing to create a new requirement for regulated entities to verify that business associates have deployed technical safeguardsthat is the technology is configured and operational not only addressed in policies and procedures356
In another example the Department is proposing new implementation specifications under the access control standard that would require a regulated entity to deploy technical controls for relevant electronic information systems so that the system is configured and applied to limit access to only users and technology assets that have been granted access rights357
In the automatic logoff implementation specification for that same standard the Department is proposing to replace the requirement to implement electronic procedures for terminating an electronic session with a requirement to deploy technical controls that terminate an electronic session after a period of inactivity358
In each case the technical controls must not only be configured for use but they also must be applied to and in effect in all ePHI and relevant electronic information systems
pp
The Department proposes to define the term implement to clarify that a safeguard must be put into place and be in effect throughout the enterprise as opposed to only some components of a regulated entitys relevant information systems
eg
some laptops or servers or applied to a subset of ePHI The Department also proposes the term to further clarify what it means to configure and put technology technical controls and related policies and procedures into effect and be in use operational and function as expected throughout the regulated entitys enterprise
ie
deploy as compared to putting into place and making effective administrative or physical safeguards Further the Department proposes to expressly clarify that implement also means that a safeguard must function as expected Under this proposal if adopted we would not consider a safeguard to be implemented if it is not functioning in the manner in which it is expected
ppFor example a regulated entitys administrative policy requiring it to take action to prevent infections from malicious software is not implemented until it is applied throughout the enterprise meaning that the entity has ensured that antimalware protections have been put into place on all relevant electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI throughout the enterprisepp
Similarly to operationalize such a policy the regulated entity must deploy technology assets andor technical controls to block such software according to its technical policies and
print page 925
procedures In this regard the proposed term deploy clarifies that the technology assets or technical control must be put into place configured and actually work
ie
function in the manner expected of the technology or technical control throughout a regulated entity in addition to the relevant policy and procedures being applied across a regulated entity To implement a policy and procedure is separate from the implementation of a technology asset or technical control but in both cases the underlying requirement is application across the enterprise
pp
The current Security Rule includes explicit requirements for regulated entities to protect electronic information systems by implementing policies and procedures to limit physical access to such systems 359
and by implementing technical policies and procedures for electronic information systems that maintain ePHI to allow access to only persons or technology assets that have been granted access rights pursuant to 45 CFR 164308a4360
Further the physical measures policies and procedures that meet the definition of physical safeguards are specifically limited to those that protect regulated entities electronic information systems and related buildings and equipment361
And yet the Security Rule does not explicitly define this term Instead it assumes that the definition is easily understood to be a subset of information system a broad term that is not limited by the boundaries of the Security Rule The Department believes that regulated entities would benefit from additional clarity regarding the definition of this term given its foundational nature
ppThe Department proposes to add a definition of electronic information system to better distinguish the concept from the broader category of an information system Accordingly the Department would limit the definition to an interconnected set of electronic information resources under the same direct management control that shares common functionality Under this proposal an electronic information system generally would include technology assets such as hardware software electronic media data and informationppAs discussed above the Department seeks to clarify the scope of an information system as compared to an electronic information system We believe that it would be beneficial to align the common elements of these terms and clarify the relationship between them given their importance to compliance with requirements of the Security Rule Additionally the changes in the environment such as the shift to cloudbased computing may raise questions regarding the Departments interpretation of direct management controlppAccordingly the Department proposes to modify the definition of information system to clarify that an information system generally not just normally includes hardware software data communications and people The Department believes this proposed modification combined with the existing broad reference to resources more accurately reflects the typical components of an information system and the full extent of resources that are addressed by the Security Rule We also propose to remove applications from the list of technology assets that are generally included in an information system because applications are a type of software making the inclusion of applications redundant This proposed modification would not alter our interpretation that an information system includes applicationsppWe use this opportunity to affirm that a technology asset may be included as part of the information systems of multiple regulated entities where such regulated entities all have direct management control over the technology asset For example both a health care provider and a cloudbased EHR vendor have direct management control over the ePHI in the cloudbased EHR Accordingly such ePHI generally is part of both the information system of the health care provider and of the cloudbased EHR vendor Additionally the EHR that is used to create receive maintain or transmit ePHI regardless of whether it is accessed using software installed on the health care providers workstations or an internet browser generally is also part of the information system of both entities because both the health care provider and the vendor have direct management control over the EHRppPersons seeking unauthorized access to data and information are increasingly sophisticated Their methods of attempting to gain such access can take many forms and result in a wide array of harms as discussed above One of the methods they use is through the introduction of malicious software also referred to as malware into an electronic information system As the sophistication of bad actors has increased so has the variety of types of malicious software that they use to access electronic information systems The Security Rule defines malicious software but limits it to software designed to damage or disrupt a system The regulatory text provides only one example of malicious software in regulatory texta viruspp
The Department proposes to replace the current definition of malicious software with one that would be consistent with how cybersecurity experts define the term today362
Specifically we propose to define it to mean software or firmware intended to perform an unauthorized action or activity that will have adverse impact on an electronic information system andor the confidentiality integrity or availability of electronic protected health information This proposal would therefore clarify that malicious software could include either software or firmware and that the negative effects of the malicious software may not be limited to damaging or disrupting a system Rather effects of the software could be intended to have any type of adverse impact on an electronic information system andor the confidentiality integrity or availability of ePHI The Department also proposes to include in regulatory text a nonexhaustive list of examples such as viruses worms Trojan horses spyware and some forms of adware to assist regulated entities in understanding what constitutes malicious software
ppThe Security Rule includes several technical safeguard provisions that require regulated entities to identify and authenticate persons accessing information and systems to protect ePHI Section 164312a21 includes the standard that requires a regulated entity to implement technical policies and procedures that limit access to ePHI to only those persons or software programs that have been granted access rights while 45 CFR 164312d2 the standard for person or entity authentication requires a regulated entity to implement procedures to verify that a person seeking access to ePHI is the one claimedpp
Historically regulated entities relied on combinations of usernames and passwords to identify users and authenticate users to the system We recognize that such combinations are insufficient to secure sensitive information and that more sophisticated mechanisms for doing so have been developed As a best practice for managing cyber threats most cybersecurity frameworks including those discussed above recommend that organizations adopt solutions that rely on multiple factors to identify and authenticate users For example the HHS 405d Programs Health Industry Cybersecurity Practices Managing Threats and Protecting Patients 363
recommends a layered approach to cyber defense
ie
if a first layer is breached a second exists to prevent a complete breach364
It further provides that MFA as a source of identity and access security control is an important means to control access to infrastructure and conduct proper change management control365
The Departments CPGs 366
identify MFA as an essential goal and a critical additional layer of security for the protection of assets and accounts that are directly accessible from the internet367
The Department has also explained in guidance that weak authentication processes leave organizations vulnerable to intrusion while effective authentication ensures that only authorized entities may access information systems and data368
Additionally CISA has issued recommendations for implementing MFA specifically MFA solutions that are phishing resistant to protect against disclosures of authentication data to a bad actor369
pp
The Department proposes to define the term Multifactor authentication to provide regulated entities with a specific level of authentication for accessing relevant electronic information systems370
Regulated entities would be required to apply this proposed definition when implementing the proposed rules specific requirements for authenticating users identities through verification of at least two of three categories of factors of information about the user The proposed categories would be
pp
MFA relies on the user presenting at least two factors Authentication that relies on multiple instances of the same factor such as requiring a password and PIN is not MFA because both factors are something you know 371
For example where MFA is deployed users could seek access by entering a password However without the entry of at least a second factor such as a token 372
or smart identification card the user is not granted access and the password is useless by itself Cybercriminals seeking access to MFAprotected information systems require significantly more resources to launch the attack because there are multiple data points required to succeed373
pp
The Department proposes that the personal characteristics that could be used as factors would include both physical characteristics such as fingerprints or facial identifiers and behavioral characteristics such as a users gait or typing cadence374
pp
The Security Rule currently defines password as confidential authentication information composed of a string of characters375
The definition provides no further regulatory instruction on what constitutes a character for purpose of compliance
pp
The Department proposes to add examples to the definition to further clarify what constitutes a character and adds such as letters numbers spaces and other symbols to the existing definition The Department believes that regulatory examples would provide necessary context for regulated entities that deploy safeguards involving passwords
print page 927
ppPhysical safeguards encompass the physical measures policies and procedures that protect a regulated entitys electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion As discussed within the definition of administrative safeguards the Department believes that it is necessary to reduce minor inconsistences in language between the definitions of the types of safeguards Additionally the definition of physical safeguards relies on an undefined term buildings despite the existence of a defined term facilities that has an equivalent meaningpp
The Department proposes to clarify that the policies and procedures referred to in the definition are those that specifically are related to physical measures and to replace buildings with facilities because facility is a defined term under the Security Rule and has an equivalent meaning376
The Department intends and has always intended the physical safeguards to apply to any location where a regulated entity might possess ePHI including the physical premises and interior and exterior of a building and any location that might affect the confidentiality integrity or availability of ePHI Additionally given the mobility of technology today including workstations that may access ePHI we believe it would be more appropriate to use the term facility to make clear that the physical safeguards are to apply throughout the premises of the regulated entity For the same reasons discussed above we also propose to clarify that the physical safeguards serve to protect relevant electronic information systems as we propose to define the term elsewhere in this NPRM rather than all electronic information systems Further the Department proposes to better standardize the administrative physical and technical safeguard requirements by using defined terms where they exist
pp
The Security Rule requires a regulated entity to ensure the confidentiality integrity and availability of all of the ePHI it creates receives maintains or transmits377
To protect the ePHI as required a regulated entity must also protect the electronic information systems that create receive maintain or transmit ePHI and the electronic information systems that otherwise affect the confidentiality integrity or availability of ePHI The Department believes that regulated entities are not consistently protecting ePHI in a manner that is consistent with their Security Rule obligations and believes that it is necessary to clarify the scope of those obligations We believe that creating a new defined term for the electronic information systems to which the Security Rule requirements apply will help achieve this goal by ensuring that regulated entities fully understand how their technology assets and the architecture of their electronic information systems affect the confidentiality integrity and availability of ePHI
ppThe Department proposes to add and define the term relevant electronic information system to mean an electronic information system that creates receives maintains or transmits ePHI or that otherwise affects the confidentiality integrity or availability of ePHI We believe that distinguishing between a relevant electronic information system and an electronic information system as proposed would further clarify the scope of regulated entities compliance obligations including the obligation of regulated entities to understand the relationship between their various electronic information systems and the confidentiality integrity and availability of ePHIpp
The Department believes it is important to clarify that the requirements of the Security Rule do not only apply to electronic information systems that create receive maintain or transmit ePHI After all cybercriminals may be able to access ePHI by leveraging vulnerabilities in some electronic information systems that do not themselves create receive maintain or transmit ePHI where such information systems are connected to or otherwise affect electronic information systems that do create receive maintain or transmit ePHI For example while a payment processing system used in a covered entitys food and beverage outlets or gift shops may not create receive maintain or transmit ePHI it may affect the confidentiality integrity or availability of ePHI in certain circumstances such as where such systems are connected to the same network as servers that contain ePHI378
Accordingly we would interpret an electronic information system as otherwise affecting the confidentiality integrity or availability of ePHI if it is insufficiently segregated physically and electronically from an electronic information system that creates receives maintains or transmits ePHI or one that otherwise affects the confidentiality integrity or availability of ePHI
pp
An electronic information system would also fit the category of otherwise affecting if it contains information that relates to an electronic information system that creates receives maintains or transmits ePHI or to another electronic information system that otherwise affects the confidentiality integrity or availability of ePHI For example a compromised electronic information system used to provide administrative functions such as user authentication or management of storage area network infrastructure that does not contain ePHI may allow unauthorized access to ePHI affecting the confidentiality of ePHI or disruption of storage configuration data affecting the integrity and availability of ePHI An electronic information system that is not connected to a covered health care providers EHR but that maintains user IDs and passwords for the EHR also may not create receive maintain or transmit ePHI however the confidentiality integrity or availability of the ePHI in the EHR would be affected if an unauthorized person gained access to that electronic information system And the same is true for an electronic information system that contains the decryption keys for a regulated entitys encryption algorithms Thus it is important that administrative physical and technical safeguards be implemented not only for electronic information systems that create receive maintain or transmit ePHI but also for electronic information systems that otherwise affect the confidentiality integrity or availability of ePHI
print page 928
pp
The Security Rule does not currently include a definition for the term risk The Department considered defining it when it first promulgated the final rule in 2003 but declined to do so because it determined that the term was commonly understood379
However the Department now believes that the lack of a definition may affect the clarity of some key requirements for regulated entities Such requirements include conducting a risk analysis to assess the potential risks and vulnerabilities to the confidentiality integrity and availability of ePHI held by the regulated entity 380
and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general rules at 45 CFR 164306a381
pp
One of the ways NIST defines the term is as a measure of the extent to which an entity is threatened by a potential circumstance or event and typically a function of i the adverse impacts that would arise if the circumstance or event occurs and ii the likelihood of occurrence 382
This and other NIST definitions serve as helpful references for the Department when considering how to define the term within the rule
pp
The Department proposes to define risk as the extent to which the confidentiality integrity or availability of ePHI is threatened by a potential circumstance or event The Department believes that defining the term would clarify several existing and proposed provisions of the Security Rule such as the factors regulated entities must consider when determining the security measures they will implement 383
and the importance and purpose of conducting the required risk analysis384
pp
The Security Rule defines security or security measures as encompassing all of the administrative physical and technical safeguards in an information system385
The definition implies that the safeguards must be part of the information system as opposed to something that may be applied or done to a system to protect the confidentiality integrity and availability of ePHI
ppThe rule also defines security incident as the attempted or successful unauthorized access use disclosure modification or destruction of information or interference with system operations in an information system The existing definition does not make clear that a security incident may result from two types of behaviorsthose related to attempted or successful but unauthorized access use disclosure modification or destruction of information in an information system and those that are related to the attempted or successful unauthorized interference with system operations in an information system In other words a security incident may directly touch upon information in a system or interfere with the operations of the system itself The Department believes that it is necessary to clearly convey the distinct types of incidents to regulated entities to ensure that regulated entities implement and deploy safeguards that address both concernspp
The Department proposes to modify the definition of security or security measures to clarify that security or security measures may not only exist in information systems but may also be applied to information systems386
This clarification would better reflect the multilayered approach to cybersecurity recommended by experts to address the concerns facing regulated entities today For example a regulated entity may determine that it is necessary to apply access controls and encryption mechanisms through an external mechanism such as added firewall technology387
that is applied to the system rather than technical controls that are embedded within the system or components of the system The Department believes that the proposed definition would provide a more complete instruction
ppThe Department proposes to reorganize the definition of security incident into two numbered paragraphs to delineate the two separate categories of security incidents We also propose to clarify that in both instances the definition applies when the described action affects an information system and regardless of whether an attempt to affect the information in the system or interfere with system operations is successful or notpp
Throughout the technical safeguards provisions in 45 CFR 164312 the Department directs regulated entities to implement technical policies and procedures The court in
MD Anderson
interpreted technical policies and procedures as written policies and procedures on technical matters388
This interpretation does not reflect the Departments intent for technical safeguards to include policies and procedures that rely on technology or technological solutions for implementation389
We believe that the courts interpretation could have significant consequences for the confidentiality integrity and availability of ePHI
pp
The Department proposes to add and define the term technical controls to help regulated entities better understand what we mean by technical safeguards for purposes of complying with the Security Rule We propose to define technical controls as technical mechanisms contained in the hardware software or firmware components of an electronic information system that are primarily implemented and executed by the electronic information system to protect it and the data within the electronic information system The Department believes that adding this term would better convey the expectation that a regulated entity is
print page 929
required to deploy technical safeguards across its enterprise by among other things configuring and using technical mechanisms in the hardware software and firmware components of its relevant electronic information systems to protect ePHI and electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality availability or integrity of ePHI
pp
The current definition of technical safeguards includes the technology and policy and procedures for its use that protect ePHI and control access to it390
As discussed above the Department believes that there is an immediate need to modernize and update the definition to better reflect the role technology plays in protecting ePHI and the technical components of information systems versus the role of policies and procedures This would complement our effort to clarify the relationship between technology and the implementation of technical policies and procedures
ppThe Department proposes to modify the definition of technical safeguards to expressly include technical controls We also propose to add language that would clarify that the technology technical controls and related policies and procedures in this category govern the use of the technology to protect and control access to ePHI The proposed changes also would improve the consistency of language across the safeguard provisions and ruleppThroughout the Security Rule standards and implementation specifications list the components of electronic information systems to which its requirements apply Based on the Departments enforcement experience we believe that it would be beneficial to more clearly distinguish between the requirements that apply to all components of an electronic information system and those that only apply to certain components Additionally we believe it would be beneficial to distinguish between requirements that apply specifically to each particular component of an electronic information system and those that apply to the electronic information system as a wholeppThe Department proposes to define the term technology asset to mean the components of an electronic information system including but not limited to hardware software electronic media information and data In so doing we would clarify which Security Rule requirements apply to all of the components of electronic information systems as opposed to those that apply only to certain components and which requirements apply to each particular components and which apply to the entire electronic information systemppFor example understanding the risks and vulnerabilities to a regulated entitys ePHI requires a thorough understanding of the components of its electronic information systems the electronic information systems themselves how they are connected and how ePHI moves through those systems Thus by requiring a regulated entity to conduct an inventory of its technology assets and to create a network map of its electronic information systems we clarify that a regulated entity is obligated to consider not only its electronic information systems as a whole but also the components within those electronic information systems and their functionspp
Addressing threats to the confidentiality integrity and availability of ePHI is a key function of the Security Rule but the rule does not define threat The concept of threat also underlies the Departments proposed definition of risk defined above and forms the basis of a key proposed implementation specification associated with the standard for risk analysis391
pp
The Department proposes to define the term threat to mean any circumstance or event with the potential to adversely affect the confidentiality integrity or availability of ePHI This proposal is similar to NISTs varying definitions of threat edited to apply specifically to health care and the type of information addressed by the Security Rule392
Under this proposal we would construe the term to apply broadly to include threats caused by or existing because of a variety of circumstances that specifically could affect the security of ePHI Hackers malicious insiders and malicious software are examples of threat sources
pp
The Department first defined the term person in the HIPAA Rules as part of the 2003 Civil Money Penalties Procedures for Investigations Imposition of Penalties and Hearings interim final rule to distinguish a natural person who could testify in the context of administrative proceedings from an entity defined therein as a legal person on whose behalf a person would testify393
Although they were both published in 2003 the interim final rule was published two months after the Security Rule Thus when the Security Rule was published in 2003 it was necessary to specify that the term user included both natural persons and entities but we believe that this is no longer the case because the current definition of person includes natural persons as well as entities394
pp
The Department proposes to clarify the definition of User by removing the reference to an entity395
Because the definition of person includes an entity including entity in the definition of user is redundant and could cause confusion We believe that this is a technical correction because it would not change how the Department has interpreted the term
ppThe term vulnerability is currently not defined in the Security Rulepp
The Department previously explained that although some cyberattacks may be sophisticated and exploit previously unknown vulnerabilities
ie
zeroday attacks most can be prevented or mitigated by addressing known vulnerabilities396
For example
print page 930
exploitable vulnerabilities exist across many components of IT infrastructures including but not limited to servers desktops mobile device operating systems web software and firewalls397
To mitigate against intrusions and hacking threats the Department has recommended that regulated entities install vendor patches make software updates and monitor sources of cybersecurity alerts describing new vulnerabilities such as the NIST National Vulnerability Database 398
and CISAs Known Exploited Vulnerabilities Catalog399
pp
The Department proposes to define vulnerability by adopting substantially the same definition as NIST a weakness in an information system system security procedures internal controls or implementation that could be exploited or triggered by a threat source 400
with minor changes to clarify how it applies to regulated entities and ePHI The definition if adopted as proposed would then form the basis for understanding key assessment and mitigation strategies proposed in this NPRM such as risk analyses401
patch management402
and vulnerability management and scans403
pp
The Department currently defines the term workstation to mean an electronic computing device and provides the examples of technology that dominated the health care environment in 2003 and 2013 such as a laptop desktop computer and other device that performs similar functions and electronic media stored in its immediate environment404
Workstations are essential for workforce members to perform their assigned functions such as clinicians entering an individuals health history and treatment plan or billing staff preparing claims Workstations are one of the key entry points for users to access a regulated entitys information systems Thus the Security Rule contains provisions requiring that regulated entities secure not only their information systems but also individual workstations405
However as discussed above the health care environment has changed It now includes both the physical and virtual environment and is replete with mobile devices and other types of devices that may serve as multifunctional workstations Clinicians and other workforce members often rely on smart phones smart watches tablets laptops and even personal digital assistants among other devices These devices have proliferated and so has their ability to perform a wide variety of functions with increasing sophistication The Department believes that it is necessary to update the definition to reflect the evolved nature of the landscape
ppIn recognition of this changed environment the Department proposes to modify the definition of workstation to provide additional examples of what constitutes a workstation Specifically we propose to add the examples of a server virtual device and a mobile device such as a smart phone or tablet Virtual devices could include a virtual medical device virtual server or virtual desktop computer The proposed definition also would clarify that technology properly considered as a workstation is not limited to the proposed regulatory examplesppThe Department requests comment on all the foregoing proposed definitions including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether any of the proposed definitions would be problematic for regulated entities or result in unintended adverse consequences If so please explainppb Whether the Department should consider an alternative definition for any terms the Department proposes to define in the rule If the answer is yes please propose such an alternative definition and a reference or supporting rationaleppc Whether the Department should define any additional terms within the rule If the answer is yes please propose such additional terms and definitions along with any reference or supporting rationaleppd With respect to the definitions of information system and electronic information system the extent of a covered entitys direct management control over applications in cloud computing environments such as a cloudbased EHR systemppe With respect to the definitions of information system and electronic information system the extent of a business associates direct management control over applications in cloud computing environments where the business associate is the cloud service providerppf Whether defining the term technical controls and adding it to the definition of technical safeguards would more clearly explain the requirements of 45 CFR 164312ppg Whether defining implement and deploy as we propose would more clearly explain the differences between what is expected of regulated entities with respect to administrative and physical safeguards and technical safeguards To the extent that the proposals would not clarify the differences please provide alternative solutionspp
Section 164306 applies to regulated entities and includes the general rules for security standards Generally paragraph a codifies HIPAA statutory requirements for safeguarding ePHI406
Under these rules regulated entities are required to do all of the following
pp
Paragraph b of this section permits regulated entities to determine the most
print page 931
appropriate security measures for protecting ePHI and their information systems Accordingly 45 CFR 164306b1 permits regulated entities to use any security measures to reasonably and appropriately implement the standards and implementation specifications of the Security Rule while 45 CFR 164306b2 contains the factors that regulated entities are to consider when deciding which security measures to use This paragraph furthers the aim of HIPAAs requirement for the security standards to take into account certain factors by providing for their consideration by regulated entities411
Accordingly 45 CFR 164306b2 directs regulated entities to take these factors into account when determining the manner in which they will comply with the security standards and implementation specifications
ppSection 164306c requires regulated entities to comply with the administrative physical and technical safeguard standards in sections 45 CFR 164308 164310 and 164312 respectively and with standards for organizational requirements and policies procedures and documentation requirements in sections 45 CFR 164314 and 164316 This provision is followed by paragraph d which explains that regulated entities are required to implement a specific implementation specification if described as required If the implementation specification is described as addressable regulated entities are required to implement the implementation specification if it is reasonable and appropriate to do so or if it is not reasonable and appropriate document why and implement an equivalent alternative measureppFinally the maintenance provision at 45 CFR 164306e requires regulated entities to review and modify security measures implemented under the Security Rule as needed to continue providing reasonable and appropriate protection of ePHI It also requires regulated entities to update documentation of such security measures in accordance with the requirements for documentation at 45 CFR 164316b2iiipp
We believe that we can improve consistency in language between this section and other Security Rule provisions and better align this section with statutory terms and intent For example we are concerned that regulated entities are misinterpreting 45 CFR 164306a to apply the requirements of the Security Rule to only some ePHI rather than all ePHI This interpretation could lead to inadequate protection of ePHI and relevant electronic information systems412
We also believe that consistency in language facilitates clear understanding and less ambiguity about how regulated entities must apply Security Rule standards
pp
Flexibility and scalability are among the Security Rules defining characteristics and we intend to preserve those elements to the extent possible However we believe that in this era of increased reliance on technology more sophisticated cyber capabilities and increasing cyberattacks it is critical for regulated entities to implement and deploy strong security measures to protect ePHI and related information systems We are concerned that regulated entities have focused their attention primarily on the cost of security measures rather than considering the reasonableness and appropriateness of security measures in the context of all of the listed factors including the probability and criticality of potential risks to ePHI413
Further the Department believes that providing additional clarity would improve the ability of regulated entities to evaluate security measures for the protection of ePHI and the ability of a security measure to facilitate a regulated entitys recovery from emergencies and to support continued operations With these proposed modifications the Department seeks to ensure that regulated entities reliance on the Security Rules flexibility and scalability does not come at the expense of adequate security The current regulations framework in 45 CFR 164306b lacks any express factor that would require an evaluation of the effectiveness of the security measures in supporting the resiliency of the regulated entity
pp
The Department has explained in regulation and guidance the difference between required and addressable implementation specifications The meaning of required is clear Regarding addressable we previously explained that its purpose is to provide regulated entities flexibility with respect to implementation compliance414
We also previously explained that a regulated entity must assess whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its environment and if it is the regulated entity must implement the addressable implementation specification415
However the Department remains concerned that regulated entities believe that flexibility overrides the need for them to protect all ePHI and do not uniformly treat addressable implementation specifications as needing to be met if they are reasonable and appropriate OCRs enforcement experience and interaction with regulated entities causes us to believe that addressable is misunderstood to be optional leading regulated entities to choose not to adopt the implementation specification even when it would be reasonable and appropriate for them to do so416
pp
In 2022 NCVHS recommended that the Department eliminate the choice to not implement a specification or alternative and instead require that regulated entities implement the specification or adopt a documented reasonable alternative417
According to a survey referenced by NCVHS despite private sector and government efforts to address a changing cybersecurity landscape the majority of health care entities have failed to maintain a comprehensive security program and
print page 932
continue to neglect people and process measures necessary for a comprehensive security program418
NCVHS also pointed to a continued failure of regulated entities to develop adequate incident recovery plans and to assess their vulnerability to cyberattacks grounded in social engineering419
Finally NCVHS opined that the current structure of the Security Rule is inadequate to protect US health care infrastructure because it does not require regulated entities to adopt the basic building blocks of good security hygiene or a documented reasonable alternative 420
pp
We share NCVHS concerns and believe that we must squarely confront the problem of regulated entities treating addressable implementation specifications as optional Relatedly we also believe that we must consider modifying the Security Rule to set an acceptable minimum level of security specifications Circumstances have changed sufficiently since 2003 such that we now believe that good cyber hygiene requires regulated entities to implement more than the implementation specifications that we originally mandated421
Indeed we believe that it requires compliance with all of the standards and implementation specifications we are proposing with specific limited exceptions
ppWe also believe that the current maintenance requirement in 45 CFR 164306e would benefit from increased specificity in light of the dramatic transformation of the health IT environment discussed above For example providing the frequency with which regulated entities must review and update their security measures would improve the security of ePHI and regulated entities compliance with the Security Rule The Security Rules maintenance requirement would be further strengthened by requiring regulated entities to test their security measures to verify their sufficiency and by clarifying the Departments expectations regarding documentation Regulated entities lack of documentation about how they implement security measures makes it difficult for them to know what security measures they have in fact implemented and to demonstrate compliance with the requirements of the Security Rule Finally the maintenance requirement in 45 CFR 164306e is not included in or designated as a Security Rule standard although it explicitly references the overarching documentation requirements in 45 CFR 164316b2iii Thus there is overlap between the two sections that may be causing confusion regarding the obligations of regulated entities to maintain security measuresppThe Department proposes to expand the introductory language to the general requirements provision at 45 CFR 164306a to clarify the extent to which the general requirements apply to the obligations of regulated entities with respect to ePHI that they create receive maintain or transmitppUnder the proposal the Department would clarify that the general requirements apply to all ePHI Additionally the Department proposes to move language from paragraph a1 to paragraph a to further emphasize that regulated entities must apply the requirements of the Security Rule to protect all of the ePHI they create receive maintain or transmit We also propose to clarify that each regulated entity would be required to apply the obligations in paragraphs a1 through 4 to all ePHI it creates receives maintains or transmits The Department believes that this proposal would stress to regulated entities that each and every covered entity and business associate would be responsible for ensuring it meets Security Rule requirements with respect to all ePHIppThe Department believes this proposed change would also help address issues raised by current interpretations of the Security Rule that suggest that its plain wording may not require regulated entities to fully implement each security measure to protect all ePHI Thus the Departments proposed language would clarify that a security measure must be implemented such that it protects the security of all ePHI and all information systems that affect the confidentiality integrity and availability of ePHIpp
Additionally the Department proposes to modify the general requirements of paragraph a2 to require each regulated entity to protect against any reasonably anticipated threats or hazards to the confidentiality integrity or availability of all ePHI instead of to the security or integrity of ePHI We believe that this proposal would better align this requirement with the general requirement at 45 CFR 164306a1 and confidentiality integrity and availability are generally considered the three basic elements of security422
ppAdditionally the Department proposes a minor change to paragraph a3 to refer specifically to ePHI rather than using a more general term We believe that both proposals would constitute technical revisions and that neither would alter the meaning of 45 CFR 164306a2 or 3 respectivelyppFinally the Department proposes to modify paragraph a4 so that each regulated entity would be required to ensure that its workforce complies not only with the Security Rule but also all administrative physical and technical safeguards implemented in accordance with this subpartpp
These proposals would better align the language of the general requirements in paragraph a of 45 CFR 164306 with the statute 423
and 45 CFR 164530c424
These proposals are also consistent with our proposals to revise the introductory language for each of the safeguard provisions to clarify the provisions therein would be the minimum regulated entities are to implement
ie
that the security measures required by the Security Rule constitute a floor of protections not a ceiling
pp
The Departments proposals generally retain the flexible approach described in paragraph b As discussed above the Security Rule carefully balances the benefits of safeguarding against risks to security and the burdens of implementing protective measures by for example enabling regulated entities to take into account specified factors when determining how to implement security measures in a manner that complies with the Security Rule To acknowledge the rapid evolution of technology and increasing threats the Department proposes to clarify
print page 933
paragraph b1 to provide that regulated entities are to apply reasonable and appropriate security measures to implement the standards and implementation specifications of the Security Rule This proposal if adopted would replace the existing paragraph providing for regulated entities reasonable and appropriate implementation of standards and implementation specifications which could be misinterpreted to mean that a regulated entity may determine that implementation itself is unreasonable or inappropriate in some circumstances That has never been the case Thus the proposed modification would clarify that implementation is not optional based on whether a regulated entity believes it is reasonable and appropriate to the contrary a regulated entity is required to implement the standards and implementation specifications and must adopt reasonable and appropriate security measures that allow the entity to achieve such implementation The proposed clarification would comport more precisely with the statute which requires regulated entities to maintain reasonable and appropriate safeguards425
pp
The Department also proposes to add a new element to the list of factors that regulated entities must take into account when deciding whether a particular security measure
eg
a technical control is reasonable and appropriate for implementing a standard and its associated implementation specifications the effectiveness of the security measure in supporting the resiliency of the regulated entity A regulated entity would be required to consider this factor in addition to the existing factors for example when choosing a specific encryption solution that allows the entity to meet the proposed requirement to encrypt ePHI which will help prevent an unauthorized user from accessing the entitys ePHI or when developing its security incident plan or disaster recovery plan which will help ensure that the regulated entity can recover data or reestablish data integrity after a security incident or disaster
pp
The Department proposes at 45 CFR 164306b2v to require a regulated entity to take into account how effectively its application of a particular security measure to achieve compliance with a standard and its associated implementation specifications would support its resiliency in the face of an event that adversely affects the entity According to NIST information system resilience addresses how well information systems continue to i operate under adverse conditions or stress even if in a degraded or debilitated state while maintaining essential operational capabilities and ii recover to an effective operational posture in a time frame consistent with mission needs 426
Recently in this era of rising cybercrime NIST described cyber resiliency as the ability to anticipate withstand recover from and adapt to adverse conditions stresses attacks or compromises on systems that use or are enabled by cyber resources 427
Thus the Department proposes to require a regulated entity to consider the ability of its implementation of a particular security measure to aid it in preventing withstanding and recovering from an emergency or other occurrence that affects the confidentiality integrity or availability of ePHI including a successful security incident
pp
The Department proposes this new requirement to better enable regulated entities to ensure the confidentiality integrity and availability of all ePHI that they create receive maintain or transmit The general rules require regulated entities to not only prevent threats and hazards to the confidentiality and integrity of ePHI but also to ensure the availability of ePHI even during a security incident that has the potential to severely hinder the ability of a regulated entity to provide health care or to bring it to a standstill This new factor would require a regulated entity to consider whether a particular approach to complying with a standard and the associated implementation specifications can help it recover from an emergency or other occurrence in addition to maintaining operations throughout the event The Department proposes this factor to complement its proposals to strengthen the standards for security incident procedures 428
and contingency planning 429
and proposals for new standards for patch management 430
and vulnerability management431
discussed in detail below If finalized these proposals would help to ensure that regulated entities put in place the necessary measures to implement these standards
ppThe factors contemplate that regulated entities will regularly evaluate the security measures they have applied to comply with the standards and implementation specifications based on the technology available and known risks and vulnerabilities at the time of the evaluation The Department expects that when the existing factors are considered with the factor proposed in this NPRM a regulated entity would be required to consider whether a specific technical control has become sufficiently ubiquitous such that choosing not to adopt it would be unreasonablepp
To address the Departments concerns regarding the apparent misunderstanding by regulated entities of addressable we propose to modify 45 CFR 164306c and d by collapsing the separate paragraphs into one paragraph c to address both standards and implementation specifications and to remove the distinction between addressable and required implementation specifications Instead proposed paragraph c if adopted would require regulated entities to comply with both the standards and implementation specifications The Department believes that eliminating the distinction would make clear to regulated entities what has always been a requirementthat the Security Rule sets a floor for cybersecurity protections and that its flexibility is in allowing them to choose the manner in which they meet the standards and implementation specifications not whether they meet them The proposed change also would be consistent with NCVHS recommendation to require regulated entities to meet certain minimum cybersecurity hygiene requirements432
pp
The Department acknowledges that proposing to remove the addressability distinction is a change from the approach adopted in the 2003 Final Rule At that time we explained that the decision to include addressable implementation specifications was made to provide additional flexibility to
print page 934
covered entities433
In this rulemaking the Department proposes to strengthen protections and address evolving cybersecurity threats While we acknowledge that this proposal would reduce the Security Rules flexibility we believe that it is necessary to do so to achieve HIPAAs purpose of an efficient and effective health care system that relies on the secure electronic exchange of ePHI Importantly removing the distinction between required and addressable would not eliminate all of the Security Rules flexibility and scalability Instead it would simply clarify for regulated entities where the floor of protection must lie and regulated entities must implement solutions that meet that floor taking into consideration their needs and capabilities For example a small or rural health care provider must implement a solution that ensures the protection of ePHI in the manner required by the Security Rule but the specific solution that it chooses would reflect consideration of its particular circumstances including available resources In some cases a small or rural health care provider might opt to implement a cloudbased EHR or other software solution that could reduce the health care providers need to separately invest in data storage backup systems and IT personnel And in other circumstances a small or rural health care provider might choose to contract with a third party to provide IT support rather than hiring its own workforce members to perform such functions
ppThe Department also proposes to delete the maintenance provision at 45 CFR 164306e Instead as discussed in greater detail below we propose to clearly delineate maintenance implementation specifications for specific standards when applicable We believe this approach would clarify how maintenance requirements relate to specific security measures and would remove any ambiguity about the need for regulated entities to regularly review test and modify measures as reasonable and appropriate We further discuss maintenance provisions below for each safeguardppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether removing the distinction between required and addressable implementation specifications would result in unintended negative consequences for regulated entities If so please explain and provide a recommendation for how the Department should clarify how regulated entities are required to implement the security measures described in the proposed ruleppb Whether the Department should include other factors in 45 CFR 164306b for regulated entities to consider when selecting the security measures that they will implement to meet the requirements of the Security Rule If so please explainppc Whether the factor proposed by the Department at proposed 45 CFR 164306b2v would help regulated entities identify reasonable and appropriate security measuresppd Whether the Departments proposals sufficiently clarify that a regulated entity is expected to modify its security measures in response to changes in the environment in which health care is provided including but not limited to the adoption of new technology the evolution of existing technology and the emergence of new threatsppe Whether the proposals sufficiently take into account the needs and capabilities of small health care providers and rural health care providers as required by the statute If not please explain and include a recommendation for ways that the Department could better account for such needs and capabilities while adequately ensuring the confidentiality integrity and availability of ePHI that they create receive maintain or transmit The recommendations should also take into consideration the effect of the actions taken by small and rural health care providers on the ePHI that is created received maintained or transmitted by other regulated entities with whom small and rural health care providers interactppSection 164308 of title 45 CFR contains the administrative safeguards that a regulated entity must implement consistent with the general requirements described in 45 CFR 164306 All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions such as policies and procedures that must be in place for the management and execution of security measuresppSection 164308a contains most of the standards and associated implementation specifications that are categorized as administrative safeguards The standards for administrative safeguards are as followsppThe standard for security management process at 45 CFR 164308a1i requires regulated entities to implement policies and procedures to prevent detect contain and correct security violations The Security Rule directs regulated entities as to how they are to comply with the standard for security management process through four implementation specifications Section 164308a1iiA requires regulated entities to conduct a risk analysis that accurately and thoroughly assesses potential risks and vulnerabilities to the confidentiality integrity and availability of ePHI they hold The implementation specification for risk management at 45 CFR 164308a1iiB requires regulated entities to implement measures to reduce risks and vulnerabilities such as those identified in the risk analysis to a reasonable and appropriate level Under 45 CFR 164308a1iiC regulated entities are required to apply appropriate sanctions against workforce members who fail to comply with applicable security policies and procedures while the implementation specification for information system activity review at 45 CFR 164308a1iiD requires regulated entities to implement procedures to regularly review information system activity recordsppThe standard for assigned security responsibility at 45 CFR 164308a2 requires regulated entities to identify a security official who is responsible for the development and implementation of the policies and procedures that are required by this section There are no implementation specifications associated with this standardpp
Section 164308a3i contains the standard for workforce security and requires regulated entities to implement policies and procedures to ensure that their workforce members have appropriate access to ePHI which includes preventing workforce members who do not have authorized access from
print page 935
obtaining it The implementation specifications associated with this standard address the need to implement certain procedures regarding workforce member access to ePHI Section 164308a3iiA addresses the implementation of procedures for the authorization andor supervision of workforce members who work with ePHI or in locations where it might be accessed The implementation specification for workforce clearance procedure at 45 CFR 164308a3iiB addresses the implementation of procedures to determine that a workforce members access to ePHI is appropriate while 45 CFR 164308a3iiC addresses the implementation of procedures for terminating a workforce members access to ePHI when their employment or similar arrangement ends or as required by the regulated entitys workforce clearance procedures
pp
Under 45 CFR 164308a4i the standard for information access management a regulated entity is required to implement policies and procedures for authorizing access to ePHI in a manner that is consistent with the requirements of the Privacy Rule that is only when such access is appropriate based on the user or recipients role
ie
rolebased access This interpretation is consistent with the Privacy Rules standard that limits most uses and disclosures of PHI to the minimum necessary to accomplish the purpose of the use or disclosure434
The standard for information access management has three implementation specifications paragraph a4iiA requires a health care clearinghouse that is part of a larger organization to implement policies and procedures to protect ePHI from unauthorized access by that organization paragraph a4iiB addresses implementation of policies and procedures for granting access to ePHI for example through a workstation program or other mechanism and paragraph a4iiC addresses the implementation of policies and procedures that based on the regulated entitys access authorization policies establish document review and modify a users right of access to a workstation program or other process
ppSection 164308a5i contains the standard for security awareness and training This standard requires a regulated entity to implement a security awareness and training program for all workforce members including management There are four associated implementation specifications that address the need for regulated entities to implement the followingppThe standard for security incident procedures at 45 CFR 164308a6i requires a regulated entity to implement policies and procedures to address security incidents The one implementation specification associated with this standard 45 CFR 164308a6ii requires regulated entities to identify and respond to suspected or known security incidents to mitigate to the extent practicable harmful effects of security incidents that are known to the regulated entity and to document security incidents and their outcomespp
Under the standard for contingency planning at 45 CFR 164308a7i a regulated entity is required to establish and implement as needed policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI The standard includes five implementation specifications at 45 CFR 164308a7ii The first paragraph a7iiA requires a regulated entity to establish and implement procedures to create and maintain exact copies of ePHI that are retrievable439
Paragraph a7iiB requires a regulated entity to establish and implement as needed procedures to restore any lost data440
Paragraph a7iiC requires a regulated entity to establish and implement as needed procedures to enable continuation of critical business processes for protecting the security of ePHI while the regulated entity is operating in emergency mode Paragraph a7iiD addresses the implementation of procedures for periodic testing and revision of contingency plans and paragraph a7iiE addresses the assessment of the relative criticality of specific applications and data in support of other contingency plan components
ppThe standard for evaluation at 45 CFR 164308a8 requires a regulated entity to periodically perform a technical and nontechnical evaluation that establishes the extent to which the regulated entitys security policies and procedures meet the requirements of the Security Rule The initial evaluation is to be based upon the standards implemented under the Security Rule while subsequent evaluations are to be conducted in response to environmental or operational changes affecting the security of ePHIpp
Section 164308b contains the administrative safeguards that apply to the relationships between regulated entities Specifically 45 CFR 164308b1 permits a covered entity to engage a business associate to create receive maintain or transmit ePHI on the covered entitys behalf when it obtains satisfactory assurances consistent with the organizational requirements for business associate agreements or other arrangements in 45 CFR 164314a that the business associate will appropriately safeguard the ePHI Similarly under 45 CFR 164308b2 a business associate may retain a subcontractor to create receive maintain or transmit ePHI on its behalf if the business associate obtains satisfactory assurances through a business associate agreement or other arrangement that the subcontractor will appropriately safeguard the information Section 164308b3 requires that the contract or other arrangement be in writing441
pp
The Security Rule administrative standards are comprehensive but our experience has demonstrated that they have been misunderstood by some regulated entities especially regarding how compliance with the standards and implementation specifications must be integrated with the general requirements in 45 CFR 164306 including the requirement in 45 CFR 164306e that a regulated entity must review and modify security measures Section 164306 does not explicitly reference specific security measures and we are concerned that recent caselaw has highlighted conditions that may cause regulated entities to misinterpret regulatory text that connects the maintenance provision at 45 CFR 164306e with the documentation requirements in 45 CFR 164316 and the administrative safeguards Through OCRs educational and enforcement efforts we also have observed inadequacies in compliance with security management processes For example some regulated entities have
print page 936
incorrectly interpreted the standards to not require implementing administrative safeguards such as risk analyses for all relevant electronic information systems Some regulated entities have not documented in writing their policies procedures plans and analyses442
As discussed above many mistakenly treated addressable implementation standards as optional443
Enforcement experience has shown that regulated entities generally do not perform all elements of the risk management process that are fundamental to protecting the confidentiality integrity and availability of ePHI and to cybersecurity more broadly
pp
In addition since the Security Rule was issued in 2003 and revised in 2013 newer more protective security technology has become widely available to regulated entities and best practices for securing electronic information have evolved NIST has published numerous guides including its recent Cybersecurity Framework 20 providing resources for establishing and implementing policies and practices to better manage cybersecurity risks444
OCR is drawing upon its enforcement experience as well as best practices guidelines processes and procedures for improving cybersecurity to propose changes to these standards to better protect ePHI that a regulated entity creates receives maintains or transmits We believe that these proposals would help ensure that regulated entities implement compliance activities that are consistent with recommendations made by NIST the HHS 405d program and standards setting bodies regarding cybersecurity
pp
Because business associates are directly liable for compliance with the Security Rule in our 2013 Security Rule revisions we did not require covered entities to implement any additional safeguards to ensure that their business associate is in fact in compliance445
However OCR has learned through its enforcement experience that many covered entities have entrusted ePHI to business associates that are not employing appropriate safeguards Some business associates have such market power that covered entities may believe they have no alternative to using their services even if they have concerns about the safeguards employed by the business associate The Department is concerned by the breaches experienced by business associates and the effects of such breaches on the confidentiality integrity and availability of ePHI446
ppThroughout this section the Department proposes to add explicit maintenance requirements to certain standards to address concerns that regulated entities may be misinterpreting the regulatory text that connects the maintenance provision at 45 CFR 164306e with the administrative safeguards These proposals would clarify that a regulated entity is required to maintain certain security measures and that where a regulated entity is required to maintain a particular security measure it is required to review and test such measure on a specified cadence and to modify the measure as reasonable and appropriate Testing of particular security measures such as technical controls or policies and procedures would include verifying that the security measures work as designed and that workforce members know how to implement them For example written policies and procedures can be tested through various methods including but not limited to simulating security events that mimic realworld attacks to assess how effectively employees follow incident response and security procedures conducting knowledge assessments after training on policies and procedures and reviewing system logs and access records to evaluate whether policies and procedures governing access to ePHI are being followed We would expect a regulated entity to take the results of the required tests into consideration when determining whether it is reasonable and appropriate to modify its security measures as well as the actions that would be expected of a regulated entity that is similarly situated based on the results of such testsppWe also propose to modify certain administrative safeguards to clarify the obligations of a regulated entity to ensure the confidentiality integrity and availability of ePHI by securing its relevant electronic information systemsthat is its electronic information systems that create receive maintain or transmit ePHI and those that otherwise affect its confidentiality integrity or availabilityand the technology assets in its relevant electronic information systemsppThe Department proposes to modify the general language at 45 CFR 164308a to clarify the connection between the general rules for security standards at 45 CFR 164306 the standards for policies and procedures and documentation requirements at 45 CFR 164316 and the standards for the administrative safeguards under 45 CFR 164308a We also propose to clarify that regulated entities would be required to implement all of the administrative safeguards of the Security Rule to protect the confidentiality integrity or availability of all ePHI that they create receive maintain or transmit Thus when read together proposed 45 CFR 164308a and 164316a would require that a regulated entity implement and document in writing its implementation of the administrative safeguards required by the Security Rule These requirements set the baseline for administrative safeguards Nothing in this NPRM would prevent a regulated entity from implementing additional administrative safeguards provided that those additional safeguards do not conflict with any requirements in the Security RuleppThe proposed changes are discussed in greater detail belowpp
We propose to modify 45 CFR 164308a1 by elevating to standardlevel status the existing implementation specifications for the standard for security management process at 45 CFR 164308a1iiA through D and deleting the existing standard Doing so would highlight the importance of these elements and permit us to add implementation specifications that detail our expectations for compliance with those elements We believe that providing more specificity in our requirements would help regulated entities better understand their compliance responsibilities for
print page 937
safeguarding ePHI These proposals are consistent with current guidance as described below
ppIn place of the existing standard for security management process we propose a standard at 45 CFR 164308a1i that would require a regulated entity to conduct and maintain an accurate and thorough written technology asset inventory and a network map of its electronic information systems and all technology assets that may affect the confidentiality integrity or availability of ePHI The inventory forms the foundation for a fulsome and accurate risk analysis A regulated entity must identify its information systems that create receive maintain or transmit ePHI and all technology assets as we propose to define them in 45 CFR 164304 that may affect ePHI in such information systems in order to secure them Regulated entities cannot understand the risks to the confidentiality integrity and availability of their ePHI without a complete understanding of these assets We believe that this proposal would clarify compliance expectations and provide increased protections for the confidentiality integrity and availability of ePHI Consistent with practices previously highlighted in guidance regulated entities would be required by this proposal to conduct and maintain an accurate and thorough written inventory of technology assetspp
The standard would also require each regulated entity to determine the movement of ePHI through into and out of its information systems and to describe such movement in a network map A regulated entitys network map would reflect where its technology assets are for example physically located at the regulated entitys worksite or accessed through the cloud As another example a covered entity might determine that ePHI is created received maintained or transmitted by one or more offshore business associates
ie
persons that are located outside of the US for such services as claims processing call center staffing and technical support activities that inherently involve ePHI The technology assets used by the business associate to create receive maintain or transmit ePHI are not a part of the covered entitys electronic information system but do affect the confidentiality integrity or availability of ePHI and so would be required to be included in the network map of the covered entity447
Such assets would be considered part of the business associates electronic information systems and therefore would need to be included in both its technology asset inventory and network map Any technology assets used by the covered entity to create receive maintain or transmit ePHI to the business associate would need to be accounted for in both its technology asset inventory and network map Such technology assets would not be part of the business associates technology asset inventory but would need to be included on its network map
pp
This proposed standard aligns with the Departments enhanced CPG for Asset Inventory which requires that a regulated entity identify assets to more rapidly detect and respond to potential risks and vulnerabilities448
and is consistent with NCVHS recommendation to require regulated entities to identify where all PHI is stored and to collect data on applications and systems used by the organization to create a systems inventory449
pp
In 2003 the Department elected not to require regulated entities to conduct an inventory because we believed that regulated entities would understand that such an inventory is a vital component of the risk analysis making it redundant of other requirements of the Security Rule450
The Department and NIST have provided extensive guidance described below about how to conduct such inventories as part of compliance with 45 CFR 164308 However nearly 20 years of enforcement experience indicates that regulated entities routinely disregard this part of the process OCRs investigations frequently find that organizations lack sufficient understanding of where all the ePHI entrusted to their care is located451
pp
Understanding ones environmentparticularly how ePHI is created and enters an organization how ePHI flows through an organization and how ePHI leaves an organizationis crucial to understanding the risks ePHI is exposed to throughout an organization452
According to the NIST Cybersecurity Framework 20 having a comprehensive understanding of the organizations assets
eg
data hardware software systems facilities services people suppliers and related cybersecurity risks enables a regulated entity to prioritize its efforts consistent with its risk management strategy and its mission needs453
pp
The proposed standard would be accompanied by three implementation specifications Under the proposed implementation specification for inventory at proposed 45 CFR 164308a1iiA the regulated entity would be required to establish a written inventory that contains the regulated entitys technology assets Technology assets are components of an electronic information system including but not limited to hardware software electronic media information and data The written inventory would be required to include technology assets that create receive maintain or transmit ePHI and those that do not but that may affect the confidentiality integrity or availability of ePHI454
It would also be required to include the identification version person accountable for and location of each of the assets or information system components455
ppThe proposed implementation specification for network map at proposed 45 CFR 164308a1iiB would require a regulated entity to develop a network map that illustrates the movement of ePHI throughout its electronic information systems including but not limited to how ePHI enters and exits such information systems and is accessed from outside of such information systemspp
Under the proposed implementation specification for maintenance at proposed 45 CFR 164308a1iiC a regulated entity would be required to review and update the written inventory of technology assets and the network map in the following circumstances 1 on an ongoing basis but at least once every 12 months and 2 when there is a change in the regulated entitys environment or operations that may affect ePHI Such a change in the
print page 938
regulated entitys environment or operations would include but would not be limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of ePHI a sale transfer merger or consolidation of all or part of the regulated entity with another person a security incident that affects the confidentiality integrity and availability of ePHI and relevant changes in Federal State Tribal or territorial law For example a dissolution or bankruptcy of the regulated entity would require the regulated entity to review and update its inventory and network map For another example if a State implemented regulations specifying cybersecurity requirements for all hospitals these proposed specifications would require a regulated entity in that State to review and update its inventory and network map considering implementation of the State regulations by the regulated entity or other persons whose activities may affect movement of ePHI throughout its electronic information systems456
ppThe proposed standard is consistent with the NIST Cybersecurity Framework Identify function Asset Management IDAM category which describes inventorying hardware and software and mapping communication and data flows to create and maintain an asset inventory that can be used in a risk analysis process For example the Cybersecurity Framework recommends that when creating an asset inventory organizations should include all of the following as applicableppWhere multiple persons have control over a technology asset all persons that have control should include the asset in both their technology asset inventories and on their network maps For example where a covered entity contracts with a cloudbased EHR vendor both the covered entity and the EHR vendor have control over the ePHI in the EHR Thus the ePHI in the EHR and the EHR should be included in the technology asset inventories and network maps of both the covered entity and the cloudbased EHR vendor Where the technology assets are controlled entirely by another person such as the servers controlled by a cloudbased provider of data backup services the technology assets would not be considered part of a health care providers electronic information systems and therefore would not have to be included in its technology asset inventory However the data backup provider would have to be included in the health care providers network mappp
When creating or maintaining a technology asset inventory that can aid in identifying risks to ePHI regulated entities should consider their technology assets that may not create receive maintain or transmit ePHI but that may affect technology assets that do so458
Assets within an organization that do not create receive maintain or transmit ePHI may still present opportunities for intruders to enter the regulated entitys electronic information systems which could lead to risks to the confidentiality integrity or availability of an organizations ePHI For example consider a smart device that is connected to the internet
eg
connected to the Internet of Things 459
IoT and provides access to facilities for maintenance personnel to control and monitor an organizations heating ventilation and air conditioning HVAC Although it may not maintain or process ePHI such a device potentially can present serious risks to the security of ePHI in an organizations information systems Unpatched IoT devices with known vulnerabilities such as weak or unchanged default passwords installed on a network without firewalls network segmentation or other techniques that deny or impede an intruders lateral movement can provide an intruder with access to an organizations relevant electronic information systems The intruder may then leverage this access to conduct reconnaissance and further penetrate an organizations network and potentially compromise ePHI
ppThe risks and deficiencies OCR has observed in its enforcement experience persuades us that we must consider adding an express requirement for a regulated entity to conduct an accurate and thorough written inventory of its technology assets and create a network mappp
After a regulated entity conducts a written inventory of its technology assets and creates its network map it is critical for it to identify the potential risks and vulnerabilities to its ePHI Conducting a risk analysis is necessary to adequately protect the confidentiality integrity and availability of ePHI because it provides the basis for determining the manner in which the regulated entity will comply with and carry out the other standards and implementation specifications in the Security Rule460
Basic questions that a regulated entity would consider when conducting a risk analysis that is compliant with the Security Rule include 461
pp
There are numerous methods of performing a risk analysis and there is no single method or best practice that guarantees compliance with the Security Rule462
The Department has issued multiple guidance documents and tools for regulated entities to help them implement risk analyses463
and several versions of its Security Risk Assessment Tool a desktop application that walks users through the process of conducting a risk assessment464
NIST has published numerous guides for risk assessment over the past two decades465
in addition to reference materials it has developed in collaboration with the Department including a toolkit and a crosswalk between the Security Rule to NIST Cybersecurity Framework466
and how to guides on risk analysis467
In February 2024 NIST released a new guide that provides resources for implementing a Security Rule risk analysis468
Consistent with previous Department guidance the guide describes key elements in a comprehensive risk assessment process that include the following
pp
The Department has also published guidance that explains the differences between a risk analysis and a gap analysis and the use of both in an entitys risk management program470
While a risk analysis is a comprehensive identification of risks and vulnerabilities to all ePHI a gap analysis typically provides a partial assessment of an entitys enterprise and is often used to provide a highlevel overview of what safeguards are in place or missing and may also be used to review a regulated entitys compliance with particular standards and implementation specifications of the Security Rule
pp
Other NIST guidance on conducting risk assessments explains that the result of a risk analysis is a determination of risk posed to the regulated entitys ePHI and related information systems
471
print page 940
Consistent with the discussion above a key step is determining the risk level posed to such ePHI by threats and vulnerabilities and how critical it is to address and mitigate the identified risk In general the descriptive words very high or critical are used to indicate that a threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations organizational assets individuals other organizations or the country472
A high risk would indicate that a threat event could be expected to have a severe or catastrophic adverse effect on the same while a moderate risk could indicate that the threat event could have a serious adverse effect on the same Risks that are low and very low could be expected to have a limited and negligible effect respectively on organizational operations or assets individuals other organizations or the country
pp
The Department believes that determinations of risk level and criticality may vary based on the specific type of regulated entity and the regulated entitys specific circumstances For example a health care provider must consider the higher levels of risks to physical and technical security that are created by regular entry and exit of individuals seeking health care and other members of the public into its facilities creating potentially numerous avenues for access to ePHI through technology assets in contrast a health plan that generally does not permit physical entry by individuals into its office building may determine that the risks to ePHI from physical entry by individuals or other members of the public is low because its workforce members do not generally physically interact with the public As another example a vulnerability permitting unauthenticated remote code execution on a device connected to a regulated entitys relevant electronic information systems would likely constitute either a high or critical risk However should such a device not have the ability to connect to the network the risk might be low or moderate because the likelihood of triggering a network vulnerability on a nonnetworked device is low even though the impact of such trigger might be high Thus it is essential that a regulated entity consider its specific circumstances when assessing the criticality of a risk and to address such risks in a manner that is appropriate to its specific facts and circumstances473
In yet another example a regulated entity in possession of legacy devices or devices that are nearing the end of their lifespan should assess the risks associated with continued use of such devices as part of its risk analysis and ensure that replacement of such devices andor the implementation of compensating controls are included in its risk management plan
pp
Despite our having made available an abundance of free and widelypublicized guidance tools OCR unfortunately has learned through its compliance and enforcement activities that regulated entities often do not perform compliant risk analyses As discussed above in 2016 and 2017 the Department conducted audits of 166 covered entities and 41 business associates for their compliance with selected provisions of the HIPAA Rules474
These audits confirmed that only small percentages of covered entities 14 percent and business associates 17 percent were substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities Entities generally failed to
pp
Failing to document any efforts to develop maintain and update policies and procedures for conducting risk analyses was common For example health care providers commonly submitted documentation of some security activities performed by a thirdparty security vendor without submitting documentation of any risk analysis that served as the basis of such activities475
Many regulated entities used and relied on outside persons to manage or perform risk analyses for their organizations however these outside persons frequently failed to meet the requirements of the Security Rule Regulated entities also frequently and incorrectly assumed that a purchased security product satisfied all of the Security Rules requirements
ppThe responsibility to maintain an appropriate risk analysis rests with the regulated entity Accordingly it is essential that regulated entities understand and comply with risk analysis requirements to appropriately safeguard PHIpp
Numerous OCR investigations reflect the failure of regulated entities to develop and implement holistic risk analysis programs For example OCRs investigation of a health system in the aftermath of a ransomware attack found evidence of potential failures to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems implement a contingency plan to respond to emergencies like a ransomware attack that damage systems that contain ePHI and implement policies and procedures to allow only authorized users access to ePHI476
pp
In another recently concluded investigation involving a large medical center the covered entity reported that over a sevenmonth period one of its employees inappropriately accessed the ePHI of more than 12000 patients and then sold certain patient information to an identity theft ring477
OCRs investigation indicated potential violations of the requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality integrity and availability of all of the ePHI held by the medical center as well as the requirement at 45 CFR 164308a1iiD to implement procedures to regularly review records of information system activity such as audit logs access reports and security incident tracking
pp
In another case the OCR settled a ransomware cyberattack investigation with a business associate478
The cyberattack affected the ePHI of over
print page 941
200000 individuals when the business associates network server was infected with ransomware It took the company more than 18 months to detect the intrusion and they only did so when the ransomware was used by the intruder to encrypt the companys files Among other factors OCRs investigation found evidence of potential failures to conduct an accurate and thorough risk analysis and to implement procedures to regularly review records of information system activity such as audit logs access reports and security incident tracking reports
pp
Given the compliance deficiencies that OCR regularly seesthose cited as examples and what OCR has observed more broadlywe believe that stronger requirements coupled with greater specificity regarding the components of a risk analysis would help and encourage regulated entities to appropriately perform such activities Accordingly the Department proposes to elevate the requirement to conduct a risk analysis from an implementation specification at 45 CFR 164308a1iiA to a standard at proposed 45 CFR 164308a2i Under the proposal and consistent with NCVHS recommendations479
a regulated entity would be required to conduct an accurate and comprehensive written assessment of the potential risks and vulnerabilities to the confidentiality integrity and availability of all ePHI created received maintained or transmitted by the regulated entity
pp
The Department proposes eight implementation specifications for the risk analysis standard consistent with previously issued guidance described above The proposed implementation specification for a written assessment at proposed paragraph a2iiA would require the regulated entity at a minimum to perform and document all of the following 480
ppUnder the proposed implementation specification for maintenance at proposed 45 CFR 164308a2iiB a regulated entity additionally would be required to review verify and update the written assessment on an ongoing basis but in any event no less frequently than at least once every 12 months and in response to a change in the regulated entitys environment or operations that may affect ePHI As discussed above a change in the regulated entitys environment or operations that may affect ePHI would include but would not be limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of ePHI a sale transfer merger or consolidation of all or part of the regulated entity with another person a security incident that affects the confidentiality integrity or availability of ePHI and relevant changes in Federal State Tribal or territorial lawpp
The Department proposes to redesignate the existing evaluation standard at 45 CFR 164308a8 as 45 CFR 164308a3i and to revise the redesignated evaluation standard to require the technical and nontechnical evaluations to be in writing and performed to determine whether change in the regulated entitys environment or operations may affect the confidentiality integrity or availability of ePHI Evaluating the effects of a potential change on a regulated entitys environment or operations including the effects on the confidentiality integrity and availability of ePHI is a critical step in the change control process An evaluation serves a similar purpose to a risk analysis However while a risk analysis looks at the entirety of a regulated entitys enterprise regularly and in response to a change in the regulated entitys environment or operations an evaluation looks at a specific change that a regulated entity intends to make before the change is made Thus this proposal if adopted would ensure that a regulated entity proactively considers whether any risks or vulnerabilities to ePHI or its relevant electronic information systems will be introduced by changes it intends to make to its environment or operations and responds by implementing appropriate safeguards in a timely fashion489
pp
We also propose to delete the requirement that the evaluation be performed based initially on the standards implemented under this rule because an evaluation is performed to assess the effects of a planned change on the environment which can be observed when those effects are compared to the environment reflected in the risk analysis Additionally the Department proposes to add two implementation specifications at
print page 942
proposed 45 CFR 164308a3ii The proposed implementation specification for performance at proposed 45 CFR 164308a3iiA would require that a regulated entity conduct the evaluation within a reasonable period of time before making a change to its environment or operations while the proposed implementation specification for response at proposed 45 CFR 164308a3iiB would require a regulated entity to respond to the evaluation in accordance with its risk management plan
ppA change in the regulated entitys environment or operations would include but would not be limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of ePHI a sale transfer merger or consolidation of all or part of the regulated entity with another person a security incident that affects the confidentiality integrity or availability of ePHI and relevant changes in Federal State Tribal and territorial lawpp
NIST guidance provides descriptions of key activities and sample questions that would help regulated entities meet this evaluation standard490
They include
ppDespite the existing standard and the availability of guidance many regulated entities do not evaluate how changes in their environment such as a merger or acquisition or implementation of new technology may affect the security of ePHI In some instances regulated entities assert that they have done so but have no documentation of the purported evaluation The Department believes that this proposal if adopted would clarify our expectations for implementing these safeguardspp
As described in Department guidance regulated entities can defend themselves from common cyberattacks but hackers continue to target the health care industry in search of ways to access valuable ePHI491
Accordingly timely implementation of patches for known vulnerabilities is crucial to maintaining the security of ePHI Many cyberattacks could be prevented or substantially mitigated if regulated entities implemented activities to manage the implementation of patches updates and upgrades to comply with the Security Rules requirements for risk management which can deter one of the common types of attacks exploitation of known vulnerabilities If an attack is successful the intruder often will encrypt a regulated entitys ePHI to hold it for ransom or exfiltrate the data for future purposes including identity theft or blackmail Cyberattacks are especially concerning in the health care sector because they can disrupt the provision of health care services Exploitable vulnerabilities can exist in many parts of a regulated entitys information systems but often known vulnerabilities can be mitigated by applying vendor patches updating software or system configurations or upgrading to a newer version of the product If a patch update or upgrade is unavailable vendors often suggest actions to take that is compensating controls to mitigate a newly discovered vulnerability Such actions could include modifications of configuration files or disabling of affected services Regulated entities should pay careful attention to cybersecurity alerts describing newly discovered vulnerabilities These alerts often include information on mitigation activities and patching
pp
Risk management processes that are compliant with the Security Rule include identifying and mitigating risks and vulnerabilities that unpatched software poses to an organizations ePHI Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate In situations where patches are not available
eg
obsolete or unsupported software or testing or other concerns weigh against patching as a mitigation solution492
regulated entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level
eg
restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access Security vulnerabilities may be present in many types of software including databases EHRs operating systems email and device firmware Each type of program would have its own unique set of vulnerabilities and challenges for applying patches but identifying and mitigating the risks unpatched software
print page 943
poses to ePHI is important to ensuring that ePHI is protected493
pp
Although older applications or devices may no longer be supported with patches for new vulnerabilities regulated entities must still take appropriate action if a newly discovered vulnerability affects an older application or device If an obsolete unsupported system cannot be upgraded or replaced additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur
eg
increase access restrictions remove or restrict network access disable unnecessary features or services494
pp
Patches can be applied to software and firmware on all types of devicestelephones computers servers routers and more Installation of vendorrecommended patches is typically a routine process However regulated entities should be prepared if issues arise as a result of applying patches Software and hardware are often interconnected and dependent on the functionality and output of other information systems or components of other information systems When certain changes are made including the installation of a patch software dependent on the changed application may not perform as expected because settings or data may be affected Thus in complex environments patch management plays a crucial role in the safe and correct implementation of these changes495
Enterprise patch management is the process of identifying prioritizing acquiring installing and verifying the installation of patches updates and upgrades throughout an organization496
NIST has issued a series of guidance documents that regulated entities can use to design their own patch management processes as part of their risk management plans
pp
Consistent with previously issued guidance the discussion above and recommendations from NCVHS497
the Department proposes a new standard for patch management at proposed 45 CFR 164308a4i that would require a regulated entity to implement written policies and procedures for applying patches and updating the configurations of its relevant electronic information systems This proposed standard would ensure that a regulated entity is aware of its liability for appropriately safeguarding ePHI by installing patches updates and upgrades throughout its relevant electronic information systems
pp
The Department proposes six implementation specifications at proposed 45 CFR 164308a4ii that would be associated with the proposed standard for patch management The proposed implementation specification for policies and procedures at proposed paragraph a4iiA would require a regulated entity to establish written policies and procedures for identifying prioritizing acquiring installing evaluating and verifying the timely installation of patches updates and upgrades throughout its electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI Under the proposed implementation specification for maintenance at proposed paragraph a4iiB a regulated entity would be required to review its patch management written policies and procedures at least once every 12 months and modify them as reasonable and appropriate based on that review The proposed implementation specification for application at proposed paragraph a4iiC would require a regulated entity to patch update and upgrade the configurations of its relevant electronic information systems in accordance with its written policies and procedures and based on the results of the regulated entitys risk analysis that would be required by proposed 45 CFR 164308a2 the vulnerability scans that would be required under proposed 45 CFR 164312h2i the monitoring of authoritative sources that would be required under proposed 45 CFR 164312h2ii and penetration tests proposed at 45 CFR 164312h2iii The proposal would require that such actions be taken within a reasonable and appropriate period of time except to the extent that an exception in proposed paragraph h2iiD applies Specifically a reasonable and appropriate period of time to patch update or upgrade the configuration of a relevant electronic information system would be within 15 calendar days of identifying the need to address a critical risk where a patch update or upgrade is available or where a patch update or upgrade is not available within 15 calendar days of a patch update or upgrade becoming available The proposal would require that within 30 calendar days of identifying the need to address a high risk498
a regulated entity patch update or upgrade the configuration of a relevant electronic information system where a patch update or upgrade is available or where a patch update or upgrade is not available within 30 calendar days of a patch update or upgrade becoming available For all other patches updates or upgrades to the configurations of relevant electronic information systems a reasonable and appropriate period of time would be determined by the regulated entitys written policies and procedures for identifying prioritizing acquiring installing evaluating and verifying the timely installation of patches updates and upgrades
pp
For the proposed exceptions to apply we propose in proposed paragraph a4iiD that a regulated entity would be required to document that an exception applies and that all other applicable conditions are met The first proposed exception in proposed 45 CFR 164308a4iiD
1 would be for when a patch update or upgrade to the configuration of a relevant electronic information system is not available to address a risk identified in the regulated entitys risk analysis The second proposed exception would be in proposed 45 CFR 164308a4iiD
2 for when the only available patch update or upgrade would adversely affect the confidentiality integrity or availability of ePHI The Department anticipates that this proposed exception would apply when a regulated entity tests a patch update or upgrade and determines that it would adversely affect the confidentiality integrity or availability of ePHI or where there are reports from government sources or persons with appropriate knowledge of an experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI indicating that the patch update or
print page 944
upgrade is likely to adversely affect the confidentiality integrity or availability of ePHI
ppIn proposed paragraph a4iiE the Department proposes to require a regulated entity document in realtime the existence of the applicable exception and to implement reasonable and appropriate compensating controls Similarly in proposed paragraph a4iiF we propose that where an exception applies a regulated entity would be required to implement reasonable and appropriate security measures as compensating controls to address the identified risk according to the timeliness requirements in proposed 45 CFR 164308a5iiD until such time as a patch update or upgrade that does not adversely affect the confidentiality integrity or availability of ePHI becomes availablepp
This proposed standard aligns with the Departments enhanced CPG for Cybersecurity Mitigation by quickly requiring a regulated entity to prioritize and mitigate vulnerabilities discovered by vulnerability scanning and penetration testing499
ppThe Department proposes to elevate the implementation specification for risk management to a standard at proposed 45 CFR 164308a5i This proposed standard would require a regulated entity to establish and implement a plan for reducing the risks identified through its risk analysis activities Specifically it would require a regulated entity to implement security measures sufficient to reduce risks and vulnerabilities to all ePHI to a reasonable and appropriate level What would constitute a reasonable and appropriate level depends on the regulated entitys specific circumstances including but not limited to its size needs and capabilities risk profile the ability of security measures to reduce or eliminate a particular identified risk or vulnerability and the ubiquity of such security measures We also propose four implementation specifications that would require regulated entities to engage in activities that are consistent with previously issued guidance described belowpp
Under the proposed implementation specification for planning at proposed paragraph a5iiA a regulated entity would be required to establish and implement a written risk management plan for reducing risks to all ePHI including but not limited to those risks identified by the regulated entitys risk analysis500
to a reasonable and appropriate level Proposed paragraph a5iB contains the proposed implementation specification for maintenance and would require the regulated entity to review the written risk management plan at least once every 12 months and as reasonable and appropriate in response to changes in its risk analysis The Department would interpret reasonable and appropriate in both paragraphs as requiring the regulated entity to take into account not only its specific circumstances but also the criticality of the risks identified We propose an implementation specification for priorities at proposed 45 CFR 164308a5iiC that would require a regulated entitys written risk management plan to prioritize the risks identified in the regulated entitys risk analysis based on the risk levels determined by that analysis Finally in the proposed implementation specification for implementation at proposed 45 CFR 164308a5iiD we propose to require that a regulated entity implement security measures in a timely manner to address the risks identified in the regulated entitys risk analysis in accordance with the priorities established under paragraph a5iiC The proposed risk management standard aligns with the Departments essential CPG to Mitigate Known Vulnerabilities501
pp
The Department previously issued guidance on risk management including links to NIST resources that is consistent with what we propose in this NPRM502
We encourage regulated entities to refer to similar NIST guidance for descriptions of risk management activities503
The results of a risk analysis performed in accordance with the proposed standard for risk analysis generally provide the regulated entity with a list of applicable threatvulnerability pairs as well as the overall risk rating of each pair to the confidentiality integrity and availability of ePHI504
For example some threatvulnerability pairs may result in a risk rating of moderate or high level of risk to ePHI while other pairs may result in a risk rating of low level of risk The regulated entity would need to determine what risk rating poses an unacceptable level of risk to ePHI and address any threatvulnerability pairs that indicate a risk rating above the organizations risk tolerance505
pp
Under this proposed standard the regulated entity would be required to reduce the risks to its ePHI to a level that is reasonable and appropriate for its specific circumstances Ultimately the regulated entitys risk assessment processes should inform its decisions about the manner in which it will implement security measures to comply with the Security Rules standards and implementation specifications506
Additionally each regulated entity would be required to document the security controls it has implemented because it has determined them to be reasonable and appropriate including analyses decisions and the rationale for decisions made to refine or adjust the security controls507
pp
As stated by NIST the documentation and retention of risk assessment and risk management activities is important for future risk management efforts 508
In general risk management activities should be performed with regular frequency to examine past decisions reevaluate risk likelihood and impact levels and assess the effectiveness of past remediation efforts 509
Risk management plans should address risk appetite risk tolerance workforce duties responsible parties the frequency of risk management and required documentation510
pp
Consistent with other proposals to elevate certain critical implementation specifications to standards we propose to elevate the implementation specification for sanction policy at 45 CFR 164308aiiC to a standard for sanction policy at proposed 45 CFR 164308a6i We propose this standard because applying appropriate sanctions against workforce members who fail to comply with security requirements and thus imperil the
print page 945
security of ePHI serves as an important tool for improving compliance by other workforce members with the regulated entitys safeguards for ePHI While the Department does not propose to modify the language of the standard we are proposing three implementation specifications that are consistent with guidance that was previously issued by the Department
ppSpecifically under the proposed implementation specification for policies and procedures at proposed 45 CFR 164308a6iiA a regulated entity would be required to establish written policies and procedures for sanctioning workforce members who fail to comply with the regulated entitys security policies and procedures The proposed implementation specification for modifications at paragraph a6iiB would require a regulated entity to review its written sanctions policies and procedures at least once every 12 months and based on that review modify such policies and procedures as reasonable and appropriate The proposed implementation specification for application at proposed paragraph a6iiC would direct a regulated entity to apply appropriate sanctions against workforce members who fail to comply with such security policies and procedures and to document when it sanctions a workforce member and the circumstances in which it applies such sanctionspp
The policy choices represented in this NPRM are informed by the compliance challenges OCR has observed through its enforcement activities These challenges demonstrate that regulated entities would benefit from greater precision and clarity about their legal obligations in the proposed standard Additionally according to a recent survey of IT and IT security practitioners in healthcare careless users were the top cause of data loss and exfiltration while accidental loss was the second highest cause Thirtyone percent of respondents indicated that the data loss or exfiltration was caused by a failure of workforce members to follow organizational policies511
As described in existing Department guidance an organizations sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection512
Sanction policies can be used to address the intentional actions of malicious insiders such as a workforce member that accesses the ePHI of a public figure or steals ePHI to sell as part of an identitytheft ring as well as the failure of workforce members to comply with policies and procedures such as failing to secure data on a network server or investigate a potential security incident
pp
Sanction policies that are appropriately applied can improve a regulated entitys general compliance with the HIPAA Rules Imposing consequences on workforce members who violate a regulated entitys policies and procedures implemented as required by the Security Rule or the HIPAA Rules generally can be effective in creating a culture of HIPAA compliance and improved cybersecurity Knowledge that there is a negative consequence to noncompliance enhances the likelihood of compliance513
Training workforce members on a regulated entitys sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which actions are prohibited and punishable514
A sanction policy that clearly communicates a regulated entitys expectations should ensure that workforce members understand their individual compliance obligations and consequences of noncompliance
pp
Regulated entities have the flexibility to implement the standard in a manner consistent with numerous factors including but not limited to their size degree of risk and environment The HIPAA Rules do not require regulated entities to impose any specific penalty for any particular violation nor do they require regulated entities to implement any particular methodology for sanctioning workforce members Rather in any particular case each regulated entity must determine the type cause and severity of sanctions imposed based upon its policies and the relative severity of the violation515
A regulated entity may structure its sanction policies in the manner most suitable to its organization As described in previously issued guidance materials from the Department and NIST regulated entities should consider the following when drafting or revising their sanction policies
pp
Generally it is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies and how the individuals or departments involved in the sanction processes can work in concert when appropriate Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization to all workforce members including management523
The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability understanding and transparency
pp
As described in previously issued HHS guidance review of activity in its relevant electronic information systems and their components including workstations524
enables a regulated entity to determine if any ePHI has been used or disclosed in an inappropriate manner525
The procedures should be customized to meet the regulated entitys risk management strategy and consider the capabilities of all information systems with ePHI526
These activities should also promote continual awareness of any information system activity that could suggest a security incident527
pp
Detecting and preventing data leakage initiated by malicious authorized users is a significant challenge528
Identifying potential malicious activity in relevant electronic information systems including in workstations and other components as soon as possible is key to preventing or mitigating the impact of such activity529
To identify potential suspicious activity organizations should consider an insiders interactions with information systems and their components A regulated entity can detect anomalous user behavior or indicators of misuse by either a trusted employee or thirdparty vendor who has access to critical systems workstations and other system components and data530
To minimize this risk an organization may employ safeguards that detect suspicious user activities such as traffic to an unauthorized website downloading data to an external device
eg
thumb drive or access to a network server by an unauthorized mobile device Maintaining audit controls
eg
system event logs application audit logs and regularly reviewing audit logs access reports and security incident tracking reports are important security measures that can assist in detecting and identifying suspicious activity or unusual patterns of data access531
pp
Regulated entities should regularly review activity in their relevant electronic information systems including the components of such systems for potential concerns and consider ways to automate such reviews532
Additionally regulated entities are responsible for establishing and implementing appropriate standard operating procedures including determining the types of audit trail data and monitoring procedures that would be needed to derive exception reports533
They also must activate the necessary review processes and maintain auditing and logging activity534
pp
Department and NIST guidance advise regulated entities to consider many questions when establishing their policies and procedures for reviewing activity in their relevant electronic information systems review535
These include
pp
Compliance challenges observed through OCRs enforcement activities suggest that regulated entities would benefit from an expanded standard to provide more details on compliance expectations Investigations of reported breaches of unsecured PHI discussed above as examples of risk analysis failures also identified a potential failure by the regulated entities to conduct appropriate information system activity review536
In an investigation involving a large health care provider the ePHI of more than 12000 patients was sold to an identity theft ring by employees who for six months inappropriately accessed patient account information537
Compliance with the requirement to implement procedures to regularly review records of activity in relevant electronic information systems such as audit logs access reports and security incident tracking could have identified and mitigated these disclosures538
pp
Similarly a business associate experienced an intrusion into its systems that it failed to notice for over 20 months Eventually the ePHI of more than 200000 individuals associated with several covered entities was encrypted in a ransomware cyberattack539
Among other factors OCRs investigation indicated that the business associate potentially failed to implement procedures for regularly reviewing records of activity in its relevant electronic information system such as audit logs access reports and security incident tracking reports540
pp
Consistent with previously issued guidance and based on OCRs enforcement experience the Department proposes to elevate the existing implementation specification for information system activity review to a standard and to redesignate it as proposed 45 CFR 164308a7i The purpose of the proposal is to impose specific requirements on a regulated entity to review the activity occurring in its relevant electronic information systems including the activity occurring in the components of such systems By virtue of these proposed requirements we would specify actions that a regulated entity is required to take to ensure that only appropriate users access ePHI and that it responds quickly to any suspicious activity in its relevant electronic information systems including in components thereof such as workstations that connect to or otherwise access its relevant electronic information systems We also propose to revise the language to provide regulated entities with additional direction regarding their review of suspicious activities The proposed standard if adopted would require a regulated entity to implement written policies and procedures for regularly reviewing
print page 947
records of activity in its relevant electronic information systems
pp
The Department proposes five implementation specifications for the proposed standard for information system activity review The proposed implementation specification for policies and procedures at proposed 45 CFR 164308a7iiA would require a regulated entity to establish written policies and procedures for retaining and reviewing records of activity in the regulated entitys relevant electronic information systems by persons and technology assets Such written policies and procedures should require review of activity in the regulated entitys relevant electronic information systems as a whole as well as the systems components including but not limited to any workstations They should also include information on the frequency for reviewing such records The frequency of review may vary based on the specific type of record being reviewed and the information it contains According to the proposed implementation specification for scope at proposed 45 CFR 164308a7iiB records of activity in the regulated entitys relevant electronic information systems by persons and technology assets would include but would not be limited to audit trails event logs firewall logs system logs data backup logs access reports antimalware logs and security incident tracking reports The proposed implementation specification for records review at proposed 45 CFR 164308a7iiC would require a regulated entity to review records of activity in its relevant electronic information systems by persons and technology assets as often as reasonable and appropriate for the type of report or log They would also be required to document such review A proposed implementation specification for record retention at proposed 45 CFR 164308a7iiD would require a regulated entity to retain records of activity in its relevant electronic information systems by persons and technology assets Under the proposal the regulated entity would be required to retain such records for an amount of time that is reasonable and appropriate for the specific type of report or log For example it may be reasonable and appropriate to retain audit trails for a different amount of time than security incident tracking reports because of the type of information they contain and their purpose The proposed implementation specification for response at proposed 45 CFR 164308a7iiE would require a regulated entity to respond to a suspected or known security incident identified during the review of activity in its relevant electronic information systems including any components thereof such as workstations in accordance with the regulated entitys security incident plan541
Finally the proposed implementation specification for maintenance at proposed 45 CFR 164308a7iiF would require a regulated entity to review and test its written policies and procedures for reviewing activity in its relevant electronic information systems at least once every 12 months The regulated entity would be expected to modify such policies and procedures as reasonable and appropriate based on the results of that review
ppConsider a large regulated entity that may have thousands of workforce members accessing various networks and relevant electronic information systems generating large amounts of log and audit data Given the size complexity and capabilities of entities of such size a reasonable and appropriate process for reviewing activity may include the adoption of an automated solution that performs rulesbased enterprise log aggregation and analysis to identify anomalous or suspicious patterns of behavior in the regulated entitys relevant electronic information systems and the components thereof including but not limited to workstations in realtime and sends alerts of potential security incidents to a workforce member or team for further review and action By contrast for a small regulated entity it might be reasonable and appropriate to have designated staff that manually review log files and audit trails multiple times per weekppThe Department proposes to redesignate the standard for assigned security responsibility at 45 CFR 164308a2 as proposed 45 CFR 164308a8 OCRs enforcement experience demonstrates that in practice many regulated entities follow informal policies and procedures that are not documented and have not documented the identification of the Security Official in writingppBased on OCRs enforcement experience and consistent with existing guidance we propose to modify the standard to specify that a regulated entity must identify in writing the Security Official who is responsible for the establishment and implementation of the policies and procedures whether written or otherwise and deployment of technical controls These proposals are consistent with our general intention in this NPRM to propose to clarify that policies and procedures required by the Security Rule should be reduced to writing and to distinguish between the implementation of written policies and procedures and the deployment of technical controlspp
As we previously explained in guidance542
the purpose of this standard is to identify who would be operationally responsible for assuring that the regulated entity complies with the Security Rule It is comparable to the Privacy Rule standard for personnel designations at 45 CFR 164530a1 which requires all covered entities to designate a Privacy Official The Security Official and Privacy Official can but need not be the same person While one workforce member must be designated as having overall responsibility other workforce members may be assigned specific security responsibilities
eg
facility security network security When making this decision regulated entities should consider basic questions such as Has the organization agreed upon and clearly identified and documented the responsibilities of the Security Official How are the roles and responsibilities of the Security Official crafted to reflect the size complexity and technical capabilities of the organization
pp
NIST guidance urges the regulated entity to select a workforce member who is able to assess the effectiveness of security to serve as the point of contact for security policy implementation and monitoring543
It further recommends that a regulated entity should document the responsibilities in a job description and communicate this assigned role to the entire organization NIST provides additional sample items for consideration by a regulated entity organizing its security practices including identifying the workforce members in the organization who oversee the development and communication of security policies and procedures direct IT security purchasing and investment and ensure that security concerns have been addressed in system implementation NIST also offers that a regulated entity should ask whether the security official has adequate access and communications with senior officials in the organization and whether there is a
print page 948
complete job description that accurately reflects assigned security duties and responsibilities
ppThe purpose of the workforce security standard is to ensure that workforce members only have access to ePHI that they need to perform their assigned functions and are prevented from accessing ePHI that they are not authorized to access to perform such functions The proposed changes to the standard and implementation specifications would clarify the actions required of a regulated entity to assure such limitspp
Individuals have been harmed in the past by the failure of regulated entities to comply with the Security Rule requirements for workforce security For example a former employee of a large covered entity was able to access their former worksite and workstation using stillactive credentials for more than a week after their employment was terminated544
OCRs investigation found evidence of a potential failure to terminate the former employees access to PHI which enabled the former employee to download the ePHI of nearly 500 individuals including their names addresses dates of birth raceethnicity gender and sexually transmitted infection test results onto a USB drive This type of realworld experience and OCRs observations more broadly inform the changes proposed in this NPRM
pp
Moreover this proposal is consistent with guidance issued by HHS and NIST for implementing this standard and associated implementation specifications For example in guidance issued in 2005 we explained that regulated entities must identify workforce members who need access to ePHI to carry out their duties545
For each workforce member or job function the regulated entity must identify the ePHI that is needed when it is needed and make reasonable efforts to control access to the ePHI a concept generally referred to as rolebased access
ie
authorizing access to ePHI only when such access is appropriate based on the workforce members role546
This also includes identification of the computer systems and applications that provide access to the ePHI A regulated entity must provide only the minimum necessary access to ePHI that is required for a workforce member to do their job547
As described in HHS guidance access authorization is the process of determining whether a particular user or a computer system has the right consistent with their function to carry out a certain activity such as reading a file or running a program548
Implementation may vary among regulated entities depending on the size and complexity of their workforce and their electronic information systems that contain ePHI For example in a small medical practice all staff members may need to access all ePHI in their information systems because each staff member may perform multiple functions In this case the regulated entity would document the reasons for implementing policies and procedures that permit this type of global access If the documented rationale is reasonable and appropriate this may be an acceptable approach The implementation specification provision for authorization andor supervision provides the necessary checks and balances to ensure that all members of the workforce have appropriate access or in some cases no access to ePHI
pp
NIST guidance provides descriptions of key activities and sample questions for regulated entities implementing this implementation specification549
To implement procedures for the authorization andor supervision of workforce members who work with ePHI or in locations where it might be accessed the guidance advises regulated entities to consider whether chains of command and lines of authority have been established as well as the identity and roles of supervisors A regulated entity also should establish clear job descriptions and responsibilities which includes defining roles and responsibilities for all job functions assigning appropriate levels of security oversight training and access and identifying in writing who has the business need and who has been granted permission to view alter retrieve and store ePHI and at what times under what circumstances and for what purposes550
To determine the most reasonable and appropriate authorization andor supervision procedures a regulated entity must be able to answer some basic questions about existing policies and procedures For example are detailed job descriptions used to determine what level of access the person holding the position should have to ePHI Who has or should have the authority to determine who can access ePHI
eg
supervisors or managers Are there written job descriptions that are correlated with appropriate levels of access to ePHI Are these job descriptions reviewed and updated on a regular basis Have workforce members been provided copies of their job descriptions and informed of the access granted to them as well as the conditions by which this access can be used As noted above a smaller regulated entity may address compliance by implementing a simpler approach but it is still liable for ensuring that workforce members only have access to ePHI that they need to perform their assigned functions551
pp
NIST also recommends establishing criteria and procedures for hiring and assigning tasks and ensuring that these requirements are included as part of the personnel hiring process552
In its guidance NIST provides questions and suggestions for regulated entities to consider with respect to these criteria procedures and requirements NIST guidance also describes this implementation specification as calling for regulated entities to implement appropriate screening of persons who would have access to ePHI and a procedure for obtaining clearance from appropriate offices or workforce members where access is provided or terminated553
Similarly the Departments guidance on workforce clearance procedures states that the clearance process must establish the procedures to verify that a workforce member would in fact have the appropriate access for their job function554
A regulated entity may choose to perform this type of screening procedure separate from or as a part of the authorization andor supervision procedure Sample questions for
print page 949
regulated entities to consider include the following Are there existing procedures for determining that the appropriate workforce members have access to the necessary information Are the procedures used consistently within the organization when determining access of related workforce job functions NIST guidance describes this implementation specification as calling for regulated entities to implement appropriate screening of persons who would have access to ePHI and a procedure for obtaining clearance from appropriate offices or workforce members where access is provided or terminated555
pp
We issued guidance in 2017 addressing termination procedures556
Data breaches caused by current and former workforce members are a recurring issue across many industries including the health care industry Effective identity and access management policies and controls are essential to reduce the risks posed by these types of insider threats Identity and access management can include many processes but most commonly it would include the processes by which appropriate access to data is granted and terminated by creating and managing user accounts Ensuring that user accounts are terminatedand in a timely mannerso that former workforce members do not have access to data is one important way identity and access management can help reduce risks posed by insider threats Additionally effective termination procedures also reduce the risk that inactive user accounts
eg
user accounts that are not being used or are inactive but are not fully terminated or disabled could be used by a current or former workforce member with malicious motives to get access to ePHI The Departments guidance also offers tips to prevent unauthorized access to PHI by former workforce members such as having standard procedures of all action items to be completed when an individual leaves557
pp
Guidance that we issued in 2019 further explains that security is a dynamic process 558
Good security practices entail continuous awareness assessment and action in the face of changing circumstances The information users can and should be allowed to access may change over time organizations should recognize this in their policies and procedures and in their implementation of those policies and procedures For example if a user is promoted demoted or transfers to a different department a users need to access data may change In such situations the users data access privileges should be reevaluated and as needed modified to match the new role if needed559
As described in other HHS guidance these procedures should also address the complexity of the organization and the sophistication of its relevant electronic information systems560
pp
NIST guidance provides additional descriptions of key activities and sample questions for regulated entities to consider when implementing this standard and associated implementation specifications561
Regulated entities should establish a standard set of procedures that should be followed to recover access control devices
eg
identification badges keys access cards when employment ends and likewise they should timely deactivate computer access
eg
disable user IDs and passwords and facility access
eg
change facility security codesPINs Sample questions for implementation include the following Are there separate procedures for voluntary termination
eg
retirement promotion transfer change of employment versus involuntary termination
eg
termination for cause reduction in force involuntary transfer criminal or disciplinary actions Is there a standard checklist for all action items that should be completed when a workforce member leaves
eg
return of all access devices deactivation of accounts and delivery of any needed data solely under the workforce members control Do other organizations need to be notified to deactivate accounts to which that the workforce member had access in the performance of their employment duties
ppHowever regulated entities often do not establish or implement written procedures nor even in instances where they have established or implemented them have they done so in an appropriate fashion to protect ePHI from improper access by current or former workforce memberspp
Consistent with the guidance described above and other proposals in this NPRM the Department proposes to redesignate the workforce security standard at 45 CFR 164308a3i as proposed 45 CFR 164308a9i to add a paragraph heading to clarify the organization of the regulatory text and to modify the regulatory text clarify that a regulated entity must implement written policies and procedures ensuring that workforce members have appropriate access to ePHI and to relevant electronic information systems The regulated entity must also implement written policies and procedures preventing workforce members from accessing ePHI and relevant electronic information systems if they are not authorized to do so The modifications we propose to the implementation specification for authorization andor supervision would clarify that a regulated entity is required to establish and implement written procedures for the authorization andor supervision of workforce members who access ePHI or relevant electronic information systems or who work in facilities where ePHI or relevant electronic information systems might be accessed562
We propose similar modifications to the implementation specification for workforce clearance procedure which would require a regulated entity to establish and implement written procedures to determine that the access of a workforce member to ePHI or relevant electronic information systems is appropriate in accordance with written policies and procedures for granting and revising access to ePHI and relevant electronic information systems as required by proposed 45 CFR 164308a10iiB563
Additionally we propose several clarifications to the implementation specification for termination procedures Specifically the proposed implementation specification for modification and termination procedures at proposed 45 CFR 164308a9iiC would require procedures for terminating a workforce members access to ePHI and relevant electronic information systems and to facilities where ePHI or relevant electronic information systems might be accessed Proposed paragraph a9iiC
1 would require a regulated entity to establish and implement written procedures for terminating a workforce members access to ePHI and relevant electronic information systems
print page 950
and to locations where ePHI or relevant electronic information systems might be accessed Proposed paragraph a9iiC
2 would require that the workforce members access be terminated as soon as possible but no later than one hour after the workforce members employment or other arrangement ends A proposed implementation specification for notification at proposed 45 CFR 164308a9iiD would require a regulated entity to establish and implement written procedures for notifying another regulated entity of a change in or termination of a workforce members authorization to access ePHI or relevant electronic information systems Proposed paragraph a9iiD
1 would require the regulated entity to establish and implement written procedures for notifying another regulated entity after a change in or termination of a workforce members authorization to access ePHI or relevant electronic information systems that are maintained by such other regulated entity where the workforce member is or was authorized to access such ePHI or relevant electronic information systems by the regulated entity making the notification Proposed paragraph a9iiD
2 would require the notice to be provided as soon as possible but no later than 24 hours after the workforce members authorization to access ePHI or relevant electronic information systems is changed or terminated Finally a proposed new implementation specification for maintenance at proposed 45 CFR 164308a9iiE would require a regulated entity to review and test its written workforce security policies and procedures at least once every 12 months and to modify them as reasonable and appropriate564
The proposed implementation specifications for termination procedures and notification implementation align with the Departments essential CPG for Revoke Credentials for Departing Workforce Members Including Employees Contractors Affiliates and Volunteers by requiring a regulated entity to promptly remove access following a change in or termination of a users authorization to access ePHI565
pp
The purpose of the standard for information access management is to protect ePHI by reducing the risk that other persons or technology assets may access the information for their own reasons Existing HHS guidance explains that restricting access to only those persons and entities with a need for access is a basic tenet of security566
By implementing this standard the risk of inappropriate disclosure alteration or destruction of ePHI is minimized A regulated entity must determine those persons and technology assets that need access to ePHI within its environment The implementation specifications associated with the standard on information access management are closely related to those associated with the standard for workforce security567
Compliance with the proposed and existing standards for information access management should support a regulated entitys compliance with the Privacy Rules minimum necessary requirements which requires a regulated entity to evaluate its practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI568
pp
OCRs enforcement experience demonstrates that many regulated entities have not adequately implemented this standard Thus we believe it is necessary to consider strengthening the requirement For example on one occasion a large covered entitys failure to implement its written policies and procedures to ensure that employees only had access to ePHI that they had proper authorization or authority to access enabled an employee to access the ePHI of more than 24000 individuals569
This failure also enabled other employees to inappropriately access the ePHI of a celebrity570
ppTo ensure that regulated entities implement recommendations and best practices for securing ePHI we propose to require in the standard for information access management and associated implementation specifications that a regulated entity must establish and implement written policies and procedures for authorizing access to ePHI and relevant electronic information systems that are consistent with the Privacy Rule The Department also proposes to redesignate the standard at 45 CFR 164308a4i as proposed 45 CFR 164308a10i and to add a paragraph heading to clarify the organization of the regulatory text Additionally the Department proposes to modify three of the associated existing implementation specifications and to add three new implementation specifications as followsppSpecifically the Department proposes to redesignate the implementation specification for isolating health care clearinghouse functions as proposed 45 CFR 164308a10iiA and to modify it to require a health care clearinghouse that is part of a larger organization to establish and implement written policies and procedures that protect the ePHI and relevant electronic information systems of the clearinghouse from unauthorized access by the larger organizationpp
The existing implementation specification for isolating health care clearinghouse functions only applies in the situation where a health care clearinghouse is part of a larger organization This would remain true under the proposal to revise this implementation specification if adopted In these situations the health care clearinghouse is responsible for protecting the ePHI that it is creating receiving maintaining and transmitting As discussed in NIST guidance if a health care clearinghouse is part of a larger organization the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization571
This necessarily includes its relevant electronic information systems First the regulated entity must determine
print page 951
whether any of its components constitute a health care clearinghouse under the Security Rule572
If no health care clearinghouse functions exist within the organization the regulated entity should document this finding If a health care clearinghouse does exist within the organization the regulated entity must implement procedures that are consistent with the Privacy Rule573
Questions for regulated entities to consider include If health care clearinghouse functions are performed are policies and procedures implemented to protect ePHI from the other functions of the larger organization Does the health care clearinghouse share hardware or software with a larger organization of which it is a part Does the health care clearinghouse share staff or physical space with staff from a larger organization Has a separate network or subsystem been established for the health care clearinghouse if reasonable and appropriate Has staff of the health care clearinghouse been trained to safeguard ePHI from disclosure to the larger organization if required for compliance with the Privacy Rule 574
Regulated entities should also consider whether additional technical safeguards are needed to separate ePHI in electronic information systems used by the health care clearinghouse to protect against unauthorized access by the larger organization
pp
We also propose to redesignate the implementation specification for access authorization as proposed 45 CFR 164308a10iiB and to modify it to emphasize that a regulated entity must establish and implement written policies and procedures for granting and revising access to ePHI and the regulated entitys relevant electronic information systems as necessary and appropriate for each prospective user and technology asset to carry out their assigned functions
ie
rolebased access policies Additionally we propose to redesignate the implementation specification for access establishment and modification as 45 CFR 164308a10iiD and to modify the heading to Access determination and modification We also propose to modify this implementation specification to require a regulated entity to establish and implement written policies and procedures that based on its access authorization policies establish document review and modify the access of each user and technology asset to specific components of the regulated entitys relevant electronic information systems Such written policies and procedures would be required to be based upon the regulated entitys policies for authorizing access Under this proposal and consistent with the existing implementation specification575
the regulated entity would be required to establish standards for granting access to ePHI and relevant electronic information systems and provide formal authorization from the appropriate authority before granting access to ePHI or relevant electronic information systems Regulated entities should regularly review personnel access to ePHI and relevant electronic information systems to ensure that access is still authorized and needed and modify personnel access to ePHI and electronic information systems as needed based on review activities
pp
The existing implementation specification for access authorization calls for the regulated entity to implement policies and procedures for granting access to ePHI for example through components of its information system576
The Departments proposal to revise this implementation specification would provide greater specificity than our existing requirements and echo NIST guidance on this topic Specifically NIST guidance 577
describes the key steps for developing policies and procedures for granting access to ePHI as follows
pp
Other questions that a regulated entity should consider when establishing such policies and procedures include Have appropriate authorization and clearance procedures as specified in the standard for workforce security578
been performed prior to granting access Do the organizations systems have the capacity to set access controls Are there additional access control requirements for users who would be accessing privileged functions Have organizational personnel been explicitly authorized to approve user requests to access ePHI andor systems with ePHI
pp
The Department proposes three additional implementation specifications for authentication management maintenance and network segmentation These specifications clarify the Departments expectations for compliance and are consistent with NIST guidance We believe that the proposed additions would assist regulated entities in their efforts to prevent or mitigate attacks by malicious internal and external actors For the implementation specification on authentication management at proposed 45 CFR 164308a10iiC we propose to require a regulated entity to establish and implement written policies and procedures for verifying the identities of users and technology assets before accessing the regulated entitys relevant electronic information systems including written policies and procedures for implementing MFA technical controls579
The proposed implementation specification for network segmentation at proposed 45 CFR 164308a10iiE would require a regulated entity to establish and implement written policies and procedures that ensure that its relevant electronic information systems are segmented to limit access to ePHI to authorized workstations
pp
Finally to address the Departments general concerns regarding the ongoing failure of many regulated entities to regularly review and revise their policies and procedures the proposed implementation specification for maintenance at proposed 45 CFR
print page 952
164308a10iiF would require a regulated entity to review the written policies and procedures required by this standard at least once every 12 months and to modify them as reasonable and appropriate
pp
A covered entitys workforce is its frontline not only in patient care and patient service but also in safeguarding the privacy and security of PHI580
The health care sectors risk landscape continues to grow with the increasing number of interconnected smart devices of all types the increased use of interconnected medical record and billing systems and the increased use of applications and cloud computing This standard reflects the fact that training on data security for workforce members is essential for protecting an organization against cyberattacks
ppAn organizations training program should be an ongoing evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them As such regulated entities should consider how often to train workforce members on security issues given the risks and threats to their enterprises and how often to send security updates to their workforce members Many regulated entities have determined that twiceannual training and monthly security updates are necessary given their risks analysespp
Regulated entities should apply security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys
eg
fake tech support requests and new phishing scams and malicious software attacks including new ransomware variants Entities need to address what type of training to provide to workforce members on security issues given the risks and threats to their enterprises Computerbased training classroom training monthly newsletters posters email alerts and team discussions are all tools that different organizations use to fulfill their training requirements Entities must also address how to document that training to workforce members was provided including dates and types of training training materials and evidence of workforce participation
pp
HHS has issued many types of training materials on securing PHI581
NIST has also provided detailed guidance for developing and implementing workforce training programs582
Despite this existing guidance regulated entities often fail to provide appropriate training to adequately safeguard ePHI For example in one investigation OCR investigators found evidence that not only had an ambulance company potentially failed to conduct a risk analysis it also potentially failed to implement a security training program or to train any of its employees583
Such failures can contribute to breaches of individuals unsecured ePHI
ppTo ensure security awareness training compliance a regulated entity needs to regularly educate its workforce members on the evolving technological threats to ePHI how to use the technology that the regulated entity has adopted and implemented and the specific procedures workforce members must follow to ensure that the ePHI remains protected Additionally while many educational programs for clinicians provide general training on the HIPAA Rules the curriculums vary widely Without providing its own training on the Security Rule a regulated entity cannot ensure that the training its workforce received elsewhere meets the required standardspp
Given the failure of regulated entities to implement the security awareness and training standard and consistent with existing guidance the Department proposes to provide more detailed requirements for security awareness training Specifically the Department proposes to rename and redesignate the standard for security awareness and training at 45 CFR 164308a5i as the standard for security awareness training at proposed 45 CFR 164308a11i and to add a paragraph heading to clarify the organization of the regulatory text The proposed standard would require a regulated entity to implement security awareness training for all workforce members on protection of ePHI and information systems as necessary and appropriate for the members of the workforce to carry out their assigned functions
ie
rolebased training The proposals to revise this standard would also align with the Departments essential CPG for Basic Cybersecurity Training because they would require a regulated entity to educate users on how to access ePHI and electronic information systems in a manner that protects the confidentiality integrity and availability of ePHI584
Additionally the proposals would align with the essential CPG for Email Security by requiring a regulated entity to train workforce members to guard against detect and report suspected or known security incidents including but not limited to malicious software and social engineering585
ppWe propose four implementation specifications for the proposed security awareness training standard The proposed implementation specification for training at 45 CFR 164308a11iiA would require a regulated entity to establish and implement security awareness training for all workforce members that addresses the followingpp
The Department proposes to replace the implementation specification for periodic security updates 589
with one addressing the timing and frequency of security awareness training at proposed 45 CFR 164308a11iiB Specifically we propose to require a regulated entity to provide such training to each member of the regulated entitys workforce by the compliance date for this rulemaking if finalized and at least once every 12 months thereafter590
For example under this proposal workforce members would receive security awareness training on the protection of ePHI and on the regulated entitys Security Rule policies and procedures that is based on their specific role at least once a year A regulated entity would be required to provide rolebased security awareness training to a new workforce member within a reasonable period of time but no later than 30 days after the workforce member first has access to the regulated entitys relevant electronic information systems591
We also propose to require that the regulated entity provide such training592
For example if the entity implements a new EHR system it would be required to also train its workforce as appropriate on measures to guard against security incidents related to the installation maintenance andor use of the system
ppAdditionally the Department proposes at proposed 45 CFR 164308a11iiC an implementation specification for ongoing education This would require a regulated entity to provide its workforce members with ongoing reminders of their security responsibilities and notice of relevant threats including but not limited to new and emerging malicious software and social engineering Lastly we propose a new implementation specification for documentation at proposed 45 CFR 164308a11iiD that would require a regulated entity to document that it has provided training and ongoing reminders to its workforce membersppAddressing security incidents is an integral part of an overall security program While a regulated entity will never be able to prevent all security incidents implementing the Security Rule standards would reduce the amount and negative consequences of security incidents it encounters Even regulated entities with detailed security policies and procedures and advanced technology may experience security incidents but through sufficient planning and continued monitoring generally can mitigate the negative effects of such incidents on regulated entities and ultimately individuals The security incident procedures standard is intended to help ensure that a regulated entity conducts such planning and monitoring to allow it to mitigate such negative effectspp
The Department has also provided guidance that a regulated entity can use to devise its security incident plans The policies and procedures a regulated entity establishes to prepare for and respond to security incidents can pay dividends with faster recovery times and reduced compromises of ePHI593
A well thoughtout welltested security incident response plan is integral to ensuring the confidentiality integrity and availability of a regulated entitys ePHI A timely response to a security incident can be one of the best ways to prevent mitigate and recover from future cyberattacks For example responding to a single intrusion or inappropriate access can prevent a pattern of repeated malicious actions It is extremely important that a regulated entity analyzes an incident to establish what has occurred and its root cause Doing so will enable the regulated entity to use that information to update its security incident response plans The Department has previously issued guidance addressing such activities as forming a security incident response team identifying and responding to security incidents mitigating harmful effects of and documenting a security incident and breach reporting594
pp
NIST also offers guidance for addressing security incidents595
It describes four key activities with detailed descriptions and sample questions
pp
NIST has also issued comprehensive guidelines for incident handling particularly for analyzing incident related data and determining the appropriate response to each incident596
For example the NIST Cybersecurity Framework addresses these activities as part of the core function of respondactions regarding a detected cybersecurity incident are taken 597
Respond supports the ability of the regulated entity to contain the effects of cybersecurity incidents Outcomes within this Function include incident management analysis mitigation reporting and communication 598
pp
Despite this existing guidance OCRs enforcement experience indicates that many regulated entities have not met the existing standard so we believe that additional specificity regarding their obligations and liability for incident response is warranted Accordingly the Department proposes to redesignate the standard for security incident procedures as 45 CFR 164308a12i to add a paragraph heading to clarify the organization of the regulatory text and to modify the regulatory text to clarify that a regulated entity would be required to implement written policies and procedures to respond to rather than address security incidents Additionally we propose to clarify expectations by adding an implementation specification for planning and testing at proposed 45 CFR 164308a12iiA
1
that would require a regulated entity to establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents599
pp
Internal reporting is an essential component of security incident procedures600
Plans and procedures for
print page 954
reporting of suspected or known security incidents may address to whom when and how such incidents are to be reported The recipients and the content of such reports according to such plans and procedures may vary based on the type of incident and the role of the workforce member making the report We do not propose to dictate the form format or content of such report Rather we believe that regulated entities would be best situated to identify the points of contact for their organization
eg
Chief Information Security Officer IT security team business associate engaged to support incident response activities for the regulated entity for such reports and the type of information they need to determine how to respond to the suspected or known security incident
pp
The proposal to require a regulated entity to establish written security incident response plans and procedures for how it will respond to suspected or known security incidents would align with the enhanced CPG for Third Party Incident Reporting because it would address the procedures for how and when a business associate would report to a covered entity or another business associate known or suspected security incidents as required by proposed 45 CFR 164314a2iC601
pp
Under proposed 45 CFR 164308a12iiA
2 and
3 the regulated entity would be required to implement written procedures for testing and revising the security incident response plans and then using those written procedures review and test its security incident response plans at least once every 12 months and document the results of such tests The regulated entity would also be required to modify the plans and procedures as reasonable and appropriate based on the results of such tests and the regulated entitys circumstances
pp
This proposal if finalized would include requirements that align with the Departments essential CPG for Basic Incident Planning and Preparedness to have effective responses to and recovery from security incidents602
It also aligns with the Departments enhanced CPG for Centralized Incident Planning and Preparedness by requiring a regulated entity to maintain revise and test security incident response plans603
pp
Additionally the Department proposes to redesignate the implementation specification for response and reporting at 45 CFR 164308a6ii as 45 CFR 164308a12iiB and to rename it Response We also propose to modify the existing implementation specification by separating it into two paragraphs one at paragraph a12iiB
1 for identifying and responding to suspected or known security incidents and the other at paragraph a12iiB
2 for mitigating to the extent practicable the harmful effects of suspected or known security incidents The Department also proposes to add three additional paragraphs to this implementation specification Proposed 45 CFR 164308a12iiB
3 would require a regulated entity to identify and remediate to the extent practicable the root causes of suspected or known security incidents while proposed 45 CFR 164308a12iiB
4
would require the regulated entity to eradicate the security incidents that are suspected or known to the regulated entity We would expect eradication to include the removal of malicious software inappropriate materials and any other components of the incident from the regulated entitys relevant electronic information systems604
Finally proposed 45 CFR 164308a12iiB
5 would require a regulated entity to develop and maintain documentation of investigations analyses mitigation and remediation for security incidents that are suspected or known For example verbal reports of a suspected or known security incident would be required to be documented in writing Under proposed 45 CFR 164316b1 if finalized a regulated entity would be required to maintain such documentation for six years from the date of its creation or the date when it last was in effect whichever is later These proposals are consistent with existing guidance described above and with other proposals or existing regulatory standards to secure health information605
pp
The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event606
The contingency plan protects resources minimizes customer inconvenience and identifies key staff assigning specific responsibilities in the context of the recovery Contingency plans are critical to protecting the availability integrity and security of data during unexpected adverse events Contingency plans should consider not only how to respond to disasters such as fires and floods but also how to respond to cyberattacks Cyberattacks using malicious software such as ransomware may render an organizations data unreadable or unusable In the event data is compromised by a cyberattack restoring the data from backups may be the only option for recovering the data and restoring normal business operations For example the faulty software update by CrowdStrike made it impossible for health care systems worldwide to use their Windowsbased systems607
There were many instances where surgical procedures and health care appointments were cancelled schedules upended and pharmacies were unable to fill prescriptions Regulated entities need to make and implement contingency plans they would use when such events occur to enable themselves to get back to their core functions of providing or paying for health care
pp
The Department and NIST have issued extensive guidance on contingency planning including detailed descriptions of key activities sample questions for regulated entities to consider when standing up a contingency plan and information on how the results of the risk analysis feed into contingency plans608
Unfortunately many regulated entities have not implemented the required
print page 955
planning and then have been unable to fully recover from ransomware attacks that bring down electronic systems that create receive maintain or transmit ePHI For example a large health system that experienced a ransomware attack had to shut down services at multiple locations and encountered difficulties restoring those services OCRs investigation indicated a potential failure to among other things implement contingency plans609
Such planning is crucial for maintaining the resilience of a regulated entitys health IT
ppTo address these inadequacies in compliance and to protect the confidentiality integrity and availability of ePHI the Department proposes to redesignate the standard for a contingency plan at 45 CFR 164308a7i as proposed 45 CFR 164308a13i to add a paragraph heading to clarify the organization of the regulatory text and to modify the regulatory text to clarify it The modified standard as proposed would require a regulated entity to establish and implement as needed a written contingency plan consisting of written policies and procedures for responding to an emergency or other occurrence including but not limited to fire vandalism system failure natural disaster or security incident that adversely affects relevant electronic information systemspp
The Department proposes a new implementation specification for criticality analysis at proposed 45 CFR 164308a13iiA This would require a regulated entity to perform and document an assessment of the relative criticality of its relevant electronic information systems and technology assets in its relevant electronic information systems The proposal would not limit this analysis to electronic information systems that create receive maintain or transmit ePHI because other electronic information systems andor technology assets may be crucial to ensuring the confidentiality integrity or availability of ePHI providing patient care and supporting other business needs A prioritized list of specific relevant electronic information systems and technology assets in those electronic information systems would help a regulated entity to determine their criticality and the order of restoration610
ppUnder this proposal the implementation specification for establishing and implementing a data backup plan would be redesignated as proposed 45 CFR 164308a13iiB and renamed Data backups It would also be modified to clarify that the procedures to create and maintain exact retrievable copies of ePHI must be in writing and to also require such procedures to include verifying that the ePHI has been copied accurately For example the ability to access ePHI from a remote location in the event of a total failure should be reflected in the procedures specified for data backupsppThe proposed implementation specification for backing up information systems at proposed paragraph a13iiC would require a regulated entity to establish and implement written procedures to create and maintain backups of its relevant electronic information systems including verifying the success of such backups Establishing such procedures would ensure that the ePHI in relevant electronic information systems is both protected and availablepp
Additionally the Department proposes to redesignate the implementation specification for disaster recovering planning as paragraph a13iiD We propose to clarify that a regulated entity would be required to establish and implement as needed written procedures to restore both its critical relevant electronic information systems and data within 72 hours of the loss and to restore the loss of other relevant electronic information systems and data in accordance with its criticality analysis611
ppThe Department proposes to clarify the implementation specification for emergency mode operation planning redesignated as proposed 45 CFR 164308a13iiE by clarifying that procedures must be written We also propose to redesignate the implementation specification for testing and revision procedures as paragraph a13iiF and to clarify that procedures for testing and revising of the required contingency plans must be established in writing We propose to require a regulated entity to review and implement its procedures for testing contingency plans at least once every 12 months to document the results of such tests and to modify those plans as reasonable and appropriate based on the results of those testsppThe final standard we propose under 45 CFR 164308a is a new standard for compliance audits at proposed 45 CFR 164308a14 For this proposed standard the Department proposes to require regulated entities to perform and document an audit of their compliance with each standard and implementation specification of the Security Rule at least once every 12 monthspp
While the Security Rule does not currently require regulated entities to conduct internal or thirdparty compliance audits such activities are important components of a robust cybersecurity program The Government Accountability Office has published guidance on conducting cybersecurity performance audits for Federal agencies612
Audits are typically conducted independently from information security management and the function generally reports to the governing body of the regulated entity This independence can provide an objective view of the regulated entitys policies and practices According to the Institute of Internal Auditors an internal audit provides independent and objective assurance and advice on all matters related to the achievement of objectives 613
An internal audit may be conducted by a business associate of a covered entity or a subcontractor of a business associate These activities provide regulated entities with confidence in the effectiveness of their risk management plan Thus we believe that this proposal would aid a regulated entity in ensuring compliance with the Security Rule and ultimately protecting ePHI We do not propose to specify whether the compliance audit should be performed by the regulated entity or an external party614
pp
Vendor management and identification of risks in a supply chain are essential to controlling the introduction of new threats and risks to a regulated entity615
NIST guidance explains that regulated entities are permitted to include more stringent cybersecurity measures in business associate agreements than those required by the Security Rule616
Such requirements would need to be agreed upon by both parties to the business associate agreement617
The guidance also recommends establishing a process for measuring contract performance and terminating the contract if security requirements are not being met Important considerations include Is there a process for reporting security incidents related to the agreement Are additional assurances of protections for ePHI from the business associate necessary If so where would such additional assurances be documented
eg
in the business associate agreement servicelevel agreement or other documentation and how would they be met
eg
providing documentation of implemented safeguards audits certifications
pp
The Security Rule requires a regulated entity to protect the confidentiality integrity and availability of all ePHI that it creates receives maintains or transmits618
It also requires a regulated entity to obtain written satisfactory assurances that its business associate will appropriately safeguard ePHI before allowing the business associate to create receive maintain or transmit ePHI on its behalf619
However the Security Rule does not require a regulated entity to verify that entities that create receive maintain or transmit ePHI on its behalf are in fact taking the necessary steps to protect such ePHI The lack of such a requirement may leave a gap in protections from risks to ePHI related to regulated entities vendors and supply chains Accordingly the Department proposes several modifications to the Security Rule to provide greater assurance that business associates and their subcontractors are protecting ePHI because a subcontractor to a business associate is also a business associate The Department proposes to redesignate 45 CFR 164308b1 and 2 as proposed 45 CFR 164308b1i and ii respectively Additionally we propose to make a technical correction to the standard for business associate contracts and other arrangements for organizational clarity separating proposed paragraph b1i into paragraphs b1iA and B We believe this is a nonsubstantive change that would have no effects on any regulatory recordkeeping or reporting requirement nor would it change the Departments interpretation of any regulation We also propose to modify both to require a regulated entity to verify that the business associate has deployed the technical safeguards required by 45 CFR 164312 620
in addition to obtaining satisfactory assurances that its business associate would comply with the Security Rule621
To assist regulated entities in complying with the new standard we propose to redesignate the implementation specifications at 45 CFR 164308b3 as 45 CFR 164308b2 and propose to add an implementation specification for written verification at proposed 45 CFR 164308b2ii that would require the regulated entity to obtain written verification from the business associate that the business associate has deployed the required technical safeguards622
The Department proposes to require that the regulated entity obtain this written verification documenting the business associates deployment of the required technical safeguards at least once every 12 months623
Additionally we propose that the verification include a written analysis of the business associates relevant electronic information systems624
The written analysis would be required to be performed by a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI to verify the business associates compliance with each standard and implementation specification in 45 CFR 164312625
We also propose to require that the written verification be accompanied by a written certification by a person who has the authority to act on behalf of the business associate that the analysis has been performed and is accurate626
The proposal would permit the parties to determine the appropriate person to perform the analysis and how that person is engaged or compensated This person may be a member of the covered entitys or business associates workforce or an external party
pp
This proposed new requirement that a regulated entity obtain written verification from its business associates that they have deployed technical safeguards combined with the existing requirement to obtain written satisfactory assurances that they safeguard ePHI aligns with the Departments essential CPG for VendorSupplier Cybersecurity Requirements627
This CPG calls for regulated entities to identify assess and mitigate risks to ePHI used by or disclosed to business associates628
pp
Based on the OCRs investigations and enforcement experience we believe that some regulated entities are not aware that they retain compliance responsibility for implementing requirements of the Security Rule even when they have delegated the functions of designated security official to a business associate Therefore the Department proposes a new standard for delegation to a business associate at proposed 45 CFR 164308b3 The proposed standard would clarify that a regulated entity may permit a business associate to serve as its designated security official629
However a regulated entity that delegates actions activities or assessments required by the Security Rule to a business associate remains liable for compliance with all the applicable provisions of the Security Rule630
pp
The Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particular For any proposed timeframe that a commenter believes is not appropriate we request comment and explanation on a more appropriate timeframe
print page 957
ppa Whether the Department should require a regulated entity to implement any additional administrative safeguards If so please explainppb Whether the Department should not require a regulated entity to implement any of the existing or proposed standards for implementation specifications If so please explainppc Whether there are additional implementation specifications that should be adopted for any of the standards for administrative safeguardsppd Whether the Department should provide any exceptions to the administrative safeguards or related implementation specifications If so please explain when and why any exceptions should applyppe Whether once every 12 months is the appropriate frequency between reviews of policies procedures and other activities required by the other standards for administrative safeguardsppf Whether there are any special considerations for business associates and business associate agreements that the Department should be aware of with respect to administrative safeguardsppg Whether there are any requirements for business associates and business associate agreements that the Department should include in administrative safeguards that it did not proposepph Whether the Department should require covered entities to report to their business associates or business associates to their subcontractors the activation of the covered entities or business associates contingency plans If so please explain the appropriate circumstances of and the appropriate amount of time for such notificationppi Whether once every 12 months is an appropriate length of time in which a covered entity must verify and document that a business associate has deployed technical safeguards pursuant to the requirementsppj Whether the Department should require covered entities to obtain satisfactory assurances and verify that a business associate has implemented physical or other safeguards in addition to deploying technical safeguards before permitting it to create receive maintain or transmit ePHI on its behalfppk Whether on an ongoing basis but at least once every 12 months and when there is a change to a regulated entitys environment or operations that affects ePHI is the appropriate frequency for updating the technology asset inventory and network mapppl Whether on an ongoing basis but at least once every 12 months and when there is a change to the regulated entitys environment or operations that affects ePHI is the appropriate frequency for performing a risk analysisppm Whether there are additional events for which the Department should require a regulated entity to update its risk analysis If so please explainppn Whether the Department should include or exclude any specific circumstances from its explanation of environmental or operational changes when determining whether review or update of the written inventory of technology assets and network map or review of the risk analysis written assessment is warrantedppo Whether the proposed requirement in the standard for evaluation to perform a written technical and nontechnical evaluation within a reasonable period of time before making a change in the regulated entitys environment or operations pursuant to the requirements is sufficiently clear If not how should the Department clarify it For example should the Department require a specific amount of time and if so what length of timeppp Whether at least once every 12 months is the appropriate frequency for reviewing and updating written policies and procedures for patch management sanctions policies and procedures information system activity review workforce security and information access managementppq Whether as reasonable and appropriate in response to changes in the risk analysis but at least once every 12 months is the appropriate frequency for reviews of a regulated entitys written risk management planppr Whether the proposed frequency for security awareness training is appropriatepps Whether the proposed substance of the security awareness training is appropriate and any recommendations for additional required contentppt Whether the proposed timelines for applying patches updates and upgrades are appropriateppu Whether the Department should set a time limit for applying patches updates and upgrades to configurations of relevant electronic information systems to address moderate and low risks If so please explain and provide a recommendationppv Whether the amount of time regulated entities currently retain records of information system activity varies by the type of record and for how long such records are retainedppw Whether the Department should specify the length of time for which records of information system activity should be retained If so please explainpp
x Whether the Department should require that a regulated entity notify other regulated entities of the termination of a workforce members access to ePHI in less than 24 hours after the workforce members termination If so please explain what would be an appropriate period of time
eg
three business hours 12 hours
ppy Whether at least once every 12 months is the appropriate frequency for testing security incident response plans documenting the results and revising such plansppz Whether it is reasonable and appropriate to require that regulated entities restore loss of critical relevant electronic information systems and data in 72 hours or lessppaa Whether the Department should require a regulated entity to restore all of its relevant electronic information systems and data within 72 hoursppbb Whether the Department should require some regulated entities to restore their relevant electronic information systems and data in less than 72 hours If so please explainppcc Whether at least once every 12 months is the appropriate frequency for the testing of contingency plansppdd Whether annual auditing of a regulated entitys compliance with the Security Rule is appropriateppee Whether the Department should specify the level of detail or standard required for the annual compliance audit If so please explainppff Whether the Department should require a regulated entity to obtain written verification of their business associates implementation of the administrative and physical safeguards that are required by the Security Rule in addition to the proposed requirement to obtain verification of implementation of the technical safeguards If so please explainppgg Whether there are other requirements for which the Department should require that the person performing them have a specific level or type of expertise If so please explainpp
A person with physical access to electronic media or a regulated entitys electronic information systems that create receive maintain or transmit or that otherwise affect the confidentiality integrity and availability of ePHI might have the opportunity to change the configurations of its relevant electronic information systems install malicious software or otherwise adversely affect technology assets in its relevant
print page 958
electronic information systems change information or access ePHI or other sensitive information631
Any of these actions has the potential to adversely affect the confidentiality integrity or availability of ePHI which means that physical safeguards for electronic media and a regulated entitys relevant electronic information systems are critical to protecting the security of ePHI Thus the physical safeguards standards address the essential requirements for regulated entities to apply to limit physical access to their relevant electronic information systems to only authorized workforce members As discussed above ePHI is increasingly transmitted using interconnected systems that rely on cloud computing The shift to a cloudbased infrastructure may increase regulated entities reliance on business associates to maintain and access ePHI stored in the cloud632
Additionally the shift to cloud computing enables regulated entities workforce members to access ePHI and relevant electronic information systems from a greater number of locations Accordingly regulated entities must appropriately expand andor ensure that applied physical safeguards take into account these new arrangements
ppSection 164310 includes the four standards with which a regulated entity must comply to physically secure relevant electronic information systems and the premises where they are located These standards require regulated entities to implement physical safeguards for facility access controls workstation use workstation security and device and media controls in a manner that conforms with 45 CFR 164306c the general compliance provision for the security standardspp
As discussed above in greater detail physical safeguards encompass the physical measures and related policies and procedures to protect relevant electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion633
The standard for facility access controls applies to protect the physical premises while the standards for workstation use workstation security and device and media controls are aimed at protecting the electronic information systems and electronic media that create receive maintain or transmit ePHI or that otherwise affect its confidentiality integrity and availability
ppThe standard for facility access controls at 45 CFR 164310a1 requires a regulated entity to implement policies and procedures that limit physical access to electronic information systems and facilities that contain those systems Section 164310a1 also requires a regulated entity to ensure its policies and procedures allow persons who are properly authorized to access its facilitiespp
Under 45 CFR 164310a2 a regulated entity must implement the standard for facility access controls in accordance with four implementation specifications The implementation specification for contingency operations addresses the establishment and implementation as needed of procedures that allow for facility access in support of the restoration of lost data under a disaster recovery plan and emergency mode operations634
Section 164310a2ii contains the specification for a facility security plan and addresses the implementation of policies and procedures to safeguard facilities and equipment in such facilities from unauthorized physical access tampering and theft The implementation of procedures for rolebased access control including for visitors and for access to software programs for testing and revision is addressed in 45 CFR 164310a2iii while 45 CFR 164310a2iv addresses the implementation of policies and procedures for the documentation of repairs and modifications to physical security components of a facility such as hardware walls doors and locks
pp
Section 164310b requires a regulated entity to implement policies and procedures specifying proper workstation functions the manner in which those functions are to be performed and the physical attributes of the environment for where specific workstations or classes of workstation used for accessing ePHI635
This standard is not accompanied by standalone implementation specifications compared to the standards for facility access controls at 45 CFR 164310a and device and media controls at 45 CFR 164310d Section 164310c the standard for workstation security also is not accompanied by standalone addressable or required implementation specifications but it does require a regulated entity to implement physical safeguards that restrict all workstations such as a laptop or desktop computer or any other device that performs similar functions that access ePHI to authorized users636
pp
Device and media controls can help regulated entities respond to and recover from security incidents and breaches637
Proper understanding of and implementation of such controls may enable regulated entities to quickly determine which devices and electronic media may be implicated in an actual or suspected security incident or breach and respond accordingly638
For example if cybercriminals gained access to an organizations network by exploiting a vulnerability present in a particular electronic device a robust and accurate inventory and tracking process could identify how many devices are affected and where they are located With this information a regulated entity should be able to make more effective use of its resources and respond more effectively to an actual or suspected security incident or breach involving such devices Thus it is important for regulated entities to implement the device and media controls required under 45 CFR 164310d Accordingly the standard for device and media controls at 45 CFR 164310d requires a regulated entity to implement policies and procedures to govern how hardware and electronic media containing ePHI are received or removed from a facility and within a facility Section 164310d2 includes two required and two addressable implementation specifications Paragraphs d2i and ii on disposal and media reuse respectively require a regulated entity to implement policies and procedures that address the final disposition of ePHI and the hardware or electronic media on which it is stored and the removal of ePHI before the electronic media is reused Section 164308d2iii addresses the
print page 959
maintenance of a record of the movement of hardware and electronic media and any person responsible for such hardware or electronic media while the provision on data backup and storage at 45 CFR 164310d2iv addresses the creation of a retrievable exact copy of ePHI before moving the equipment
pp
The Department has concerns regarding the effectiveness of the language used in the physical safeguards in 45 CFR 164310 for the same reasons discussed in the context of 45 CFR 164306 and 164316 For example while 45 CFR 164310 contemplates that a regulated entity must implement the standards and implementation specifications required under 45 CFR 164310 in accordance with the general documentation and maintenance requirements found in 45 CFR 164306 and 164316 at least one court has stated that compliance obligations are limited to the plain words of regulatory text and that a requirement to implement does not mean that a requirement must be in place throughout the regulated entitys enterprise639
Additionally the standards for facility access controls workstation use and device and media controls all require a regulated entity to implement policies and procedures while the standard for workstation security requires regulated entities to implement physical safeguards The differences in regulatory text among these provisions could be interpreted to mean that a regulated entitys obligations differ depending on whether a provision requires it to implement only policies and procedures or whether the provision requires the implementation of something more This may confuse regulated entities and lead some to believe that less comprehensive protection is needed for ePHI subject only to policies and procedures
ppThe Department believes that the current Security Rule provides a clear path for regulated entities to protect the confidentiality integrity and availability of ePHI However as discussed above we also believe recent caselaw has created confusion about the steps regulated entities must take to adequately protect the confidentiality integrity and availability of ePHI as required by the statute Further the conditions highlighted by caselaw may also cause regulated entities to misinterpret the regulatory text that connects the current maintenance requirement at 45 CFR 164306e the documentation requirement at 45 CFR 164316 and the requirement to implement physical safeguards For example regulated entities may be confused about how 45 CFR 164316 requires a regulated entity to document the policies and procedures for specific physical safeguard in 45 CFR 164310 or across any other safeguard In this case the regulated entity also might not apply the implementation specifications to retain make available and review documentation of how it has operationalized the physical safeguard Failing to connect these provisions would lead to inadequate protection of ePHI andor an inability to demonstrate compliance with the Security RuleppOur experience enforcing the Security Rule provides examples of the types of breaches that can occur because of absent or insufficient physical safeguardsppGiven the increased portability of devices media workstations and information systems such components may often be located outside of a regulated entitys physical location For example OCR has investigated several incidents involving portable electronic media and mobile workstations that were removed from the regulated entitys physical environment and subsequently lost As a result the Department believes that we should more broadly construe the physical environment where ePHI is stored and accessed because it is essential that regulated entities have policies and procedures in place to address the portability of components of their information systems as well as the ability of workforce members to access such information systems offsite using portable workstationsppAdditionally the standard for device and media controls at 45 CFR 164310d1 applies only to devices and media rather than all technology assets that may be components of a regulated entitys relevant electronic information systems The Department is concerned that a regulated entity may have other types of technology assets that may either create receive maintain or transmit ePHI or otherwise affect its confidentiality integrity or availability and that can be removed from brought to or moved within its facilities The confidentiality integrity or availability of the regulated entitys ePHI could be negatively affected in the absence of written policies and procedures governing the movement of such technology assetspp
Finally we believe that it is important to address several issues in the standards and implementation specifications for the physical safeguards that are also addressed in other proposals addressing the Departments expectations regarding implementation specifications 642
memorializing policies and procedures in writing documenting the implementation of the aforementioned policies and procedures reviewing such policies and procedures on a regular cadence modifying such policies and procedures when reasonable and appropriate 643
and clarifying the scope of the electronic information systems and their components that regulated entities are expected to consider when establishing their policies and procedures644
ppThe Department proposes to retain the four standards that comprise the Security Rules physical safeguards required by 45 CFR 164306 and codified in 45 CFR 164310 However we propose several modifications to 45 CFR 164310 to address the issues identified abovepp
The Department proposes to expand the introductory language at 45 CFR
print page 960
164310 to clarify that the Security Rule requires that physical safeguards be applied to all ePHI in the possession of the regulated entity that is throughout the regulated entitys facilities The Department also proposes to expand this section to expressly require a regulated entity to implement physical safeguards in accordance with not only 45 CFR 164306 but also 45 CFR 164316 to connect the overarching documentation requirements
pp
Consistent with the proposals to revise the general requirements in 45 CFR 164306c and d the Department proposes to remove any distinction between addressable and required implementation specifications in this section such that all specifications would be required Also consistent with changes proposed elsewhere in this NPRM the Department proposes to modify all four physical safeguard standards to require that the requisite policies and procedures be in writing 645
and implemented throughout the enterprise646
Under this proposal a regulated entity that could not produce a written policy describing how it will implement a required physical safeguard and demonstrate that the safeguard is in effect and operational throughout the enterprise would not be in compliance with the standard Consistent with our proposals to require that regulated entities maintain their administrative safeguards the Department also proposes to require a regulated entity to maintain its security measures by reviewing and testing the required security measures at least once every 12 months and by modifying the same as reasonable and appropriate Additionally we propose to modify certain standards and implementation specifications to ensure that regulated entities understand their obligations to ensure the confidentiality integrity and availability of ePHI by implementing physical safeguards to protect their relevant electronic information systems andor the technology assets in their relevant electronic information systems
ppThe Department proposes to modify the standard for facility access controls at 45 CFR 164310a1 to clarify that the policies and procedures required by this standard must be in writing and address physical access to all of a regulated entitys relevant electronic information systems and the facility or facilities in which these systems are housed and to add a paragraph to clarify the organization of the regulatory text The Department also proposes to modify the implementation specifications associated with the standard for facility access controls Specifically we propose to modify the implementation specifications for contingency operations facility security plan and access control and validation procedures at 45 CFR 164310a2i through iii to clarify that we expect a regulated entity to not only establish and implement policies and procedures but also that we expect them to be in writingpp
The Departments proposal would also require that the procedures for contingency operations proposed at 45 CFR 164310a2i support the regulated entitys contingency plan instead of the current requirement specifying that the procedures support the restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency647
This proposal would align the implementation specification for contingency operations with the standard for contingency planning at proposed 45 CFR 164308a13i by specifically ensuring that the written policies and procedures support the required contingency plan It also would avoid duplicating the implementation specification for disaster recovery planning at proposed 45 CFR 164308a13iiD which would require a regulated entity to address the restoration of lost data and systems in the disaster recovery plan component of its contingency plan We propose to modify 45 CFR 164310a2ii to clarify that the written policies and procedures that constitute the facility security plan must apply to all of the regulated entitys facilities and equipment contained within those facilities The Department proposes to retitle the implementation specification for access control and validation procedures at 45 CFR 164310a2iii as Access management and validation procedures and to require regulated entities to establish and implement written procedures to both authorize and manage a persons rolebased access to facilities
ppIn the implementation specification for maintenance records the Department proposes at 45 CFR 164310a2iv to change the provision heading to Physical maintenance records and to add security cameras to the list of examples of physical security components about which a regulated entity is required to implement written policies and procedures to document repairs and modifications Both proposals are consistent with and recognize the evolution of the role that technology plays in managing and granting physical access to facilitiesppConsistent with our proposals to add maintenance requirements where we believe it is necessary for regulated entities to review test and modify their security measures on a particular cadence we also propose to add an implementation specification for maintenance at proposed 45 CFR 164310a2v The maintenance provision would require that for each facility a regulated entity review and test its written policies and procedures at least once every 12 months and to modify those policies and procedures as reasonable and appropriate based on that reviewpp
Further in the standards for workstation use and workstation security at 45 CFR 164310b redesignated as proposed 45 CFR 164310b1 and c respectively the Department proposes several changes that would recognize the increasingly mobile nature of ePHI and workstations that connect to the information systems of regulated entities The purpose of these proposals is to ensure that regulated entities properly consider physical safeguards for all workstations including those that are mobile and not only those that are located in regulated entities facilities The Department also proposes to modify both standards to clarify the organization of the regulatory text The Department proposes to modify the standard for workstation use to clarify that policies and procedures established by a regulated entity to govern the use of workstations be in writing and address all workstations that access ePHI or the regulated entitys relevant electronic information systems These proposed changes are consistent with the Departments longstanding expectations and other proposals in this NPRM described above In 45 CFR 164310b2iC the Department proposes to require a regulated entity to establish and implement written policies and procedures that among other things specify the physical attributes of workstation surroundings including the removal of workstations from a facility and the movement of workstations within and outside of a facility This proposal is consistent with
print page 961
the proposed revision to the definition of workstation discussed above Additionally we propose to add an implementation specification for maintenance at proposed 45 CFR 164310b2ii to require that a regulated entity review and test its written policies and procedures at least once every 12 months and to modify those policies and procedures as reasonable and appropriate based on that review
pp
Relatedly the Department proposes to modify the standard for workstation security at 45 CFR 164310c to require a regulated entity to implement physical safeguards for workstations that access ePHI or relevant electronic information systems to comply with its written policies and procedures for workstation use This proposal would also make clear that such physical safeguards must be modified in response to any modifications to the written policies and procedures for workstation use As part of their policies and procedures for workstation security the Department encourages regulated entities to consider among other things whether there are workstations located in public areas or other areas that are more vulnerable to theft unauthorized use or unauthorized viewing whether such devices should be relocated the physical security controls for workstations that are in use
eg
cable locks privacy screens secured rooms cameras and whether they are easy to use and whether there are additional physical security controls that could reasonably be put into place648
Additionally consistent with the Departments proposal to require that a regulated entity provide rolebased security awareness training on its Security Rule policies and procedures649
the Department expects that such training would address the physical safeguards it has implemented particularly those policies and procedures for mobile devices that are used to create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI
pp
The Department proposes to modify the standard at 45 CFR 164310d1 by changing the heading to Technology asset controls from Device and media controls and replacing hardware and electronic media in 45 CFR 164310d1 and 2 with technology assets We believe that this modification would more accurately capture the various categories of components of a regulated entitys relevant electronic information systems that may be received in removed from or moved within a facility and that also affect the confidentiality integrity or availability of ePHI Thus we believe that this modification would provide regulated entities with a clearer understanding of their compliance obligations with respect to the physical safeguards that should be implemented to protect ePHI when technology assets are received by removed from or moved within a facility While we are not proposing other significant changes to 45 CFR 164310d1 at this time we remind regulated entities to consider the appropriateness of the policies and procedures they have implemented with respect to the movement of technology assets that maintain ePHI into and out of their facilities and the movement of these items within their facilities The processes a regulated entity chooses to implement to govern the movement of technology assets may vary based on the type of technology asset650
For example once installed a server or desktop computer may not need to be moved for the entirety of its lifecycle within the regulated entity while portable electronic devices and media such as smartphones tablets and USB flash drives are designed to be mobile and may move frequently into out of and within a regulated entitys facilities651
Thus the regulated entitys policies and procedures must account for these differences652
Further we note that the proposed definition of workstation includes mobile devices Mobile devices that serve as workstations are subject to the requirements in this paragraph and those in paragraphs b and c
pp
The Department also proposes to modify the standard at 45 CFR 164310d1 to clarify the organization of regulatory text and to clarify its longstanding expectations that policies and procedures must be in writing and to replace contain with maintain consistent with terminology used throughout the HIPAA Rules The Department believes that having written policies for the disposal of ePHI and the technology assets on which it is stored and for the removal of ePHI from electronic media such that the ePHI cannot be recovered continues to be important to ensuring the physical safety of ePHI Improper disposal of technology assets puts the ePHI stored in or on such assets at risk for a potential breach and as discussed elsewhere data breaches can result in substantial costs to regulated entities and the individuals affected by the breach We also propose in the related implementation specifications at 45 CFR 164310d2i and ii to require that written policies and procedures for disposal of ePHI and sanitization of electronic media be tied to current standards for sanitizing electronic media before the media are made available for reuse653
For example photocopiers today are often connected to the same network as workstations and generally store the information including ePHI transmitted to them This capability is a significant change from photocopier capabilities that existed when the Security Rule was first issued in 2003 Under this proposal a regulated entity would be required to include in its written policies and procedures for disposing of ePHI and the technology assets on which it is maintained policies and procedures addressing ePHI maintained on photocopiers consistent with the current standards for disposing and removing ePHI from electronic media654
ppWe have previously explained in guidance that a regulated entity should consider all of the following as part of its risk analysispp
Our guidance describes these considerations in greater detail For example regulated entities should consider how to address the replacement of technology assets including devices and media656
Technology assets that need to be replaced should be decommissioned meaning that they are taken out of service before the final disposition of such assets657
Steps a regulated entity should consider as part of its decommissioning process include ensuring technology assets are securely erased and then either securely destroyed or recycled ensuring that the regulated entitys technology asset inventory is updated to accurately reflect the status of decommissioned technology assets or technology assets slated to be decommissioned and ensuring that privacy is protected through proper migration to another electronic information system or total destruction of the ePHI658
ppThe Department proposes to remove the implementation specifications for accountability and data backup and storage at 45 CFR 164310d2iii and iv We believe that the accountability provisions would be subsumed and replaced by the proposed standard for technology asset inventory at proposed 45 CFR 164308a1i Thus when the proposed new standard and implementation specifications are read together the written policies and procedures that govern the receipt and removal of technology assets that maintain ePHI into and out of a facility and the movement of these assets within the facility should include tracking relevant information in the technology asset inventory Similarly we are proposing to delete the specification for data backup and storage because it is redundant to the administrative safeguard on data backups at proposed 45 CFR 164308a13iiBpp
As referenced above in place of the implementation specifications we are proposing to delete the Department proposes a new implementation specification at proposed 45 CFR 164310d2iii that would require a regulated entity to review and test the written policies and procedures related to the implementation specifications for technology assets at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate Such environmental or operational changes may range from new and emerging threats to the confidentiality integrity or availability of ePHI
eg
a new virus to the adoption of new technology assets by the regulated entity
eg
a new operating system new types of workstations Given the constant evolution of IT and methods for restoring data that has been disposed of or was on electronic media that has been sanitized the Department believes that it is essential for a regulated entity to at least consider the reasonableness and appropriateness of its policies and procedures for disposal and electronic media sanitation not only annually but also in the face of any environmental or operational changes We expect that pursuant to our proposals to strengthen the standard for risk analysis a regulated entity would be able to identify such environmental and operational changes before they occur
ppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether every 12 months is an appropriate frequency for review of a regulated entitys written policies and procedures for physical safeguards If not please explainppb Whether the written policies and procedures for physical safeguards should be reviewed at different intervals based on the specific standard or implementation specification If so please explainppc Whether the Department should include additional examples in regulatory text at proposed 45 CFR 164310a2iv of physical components of a facility related to security for which there should be written policies and procedures to document repairs and modificationsppd Whether the standard at proposed 45 CFR 164310d1 and its associated implementation specifications at paragraph d2 should apply to technology assets that do not maintain ePHI but do access the regulated entitys relevant electronic information systemsppSection 164312 includes five standards for technical safeguards which are the requirements concerning the implementation of technology and technical policies and procedures to protect the confidentiality integrity and availability of ePHI and related information systems A regulated entity must comply with the standards for technical safeguards in accordance with 45 CFR 164306c the provision that describes the general rules for the security standardspp
Under 45 CFR 164312a1 a regulated entity is required to establish policies and procedures for electronic information systems to allow access only to those persons or software programs that have been granted access rights as specified in 45 CFR 164308a4 Regulated entities may comply with this standard by implementing a combination of access control methods and technical controls consistent with the implementation specifications for this standard The Security Rule does not identify a specific access control method or technology to implement Regardless of the technology or information system used access controls should be appropriate for the workforce members role andor function659
For example a workforce member responsible for monitoring and administering information systems with ePHI such as an administrator or a superuser660
should only have access to ePHI as appropriate for their role andor job function
pp
The implementation specifications that provide instructions for satisfying the access control standard are found at 45 CFR 164312a2 Two are required and two are addressable661
The implementation specifications address unique user identifiers662
emergency access procedures663
automatic logoff664
and encryption and decryption665
The implementation
print page 963
specification for unique user identification requires a regulated entity to assign unique identifiers to users to facilitate the identification of specific users of an information system666
By assigning a unique identifier to each user a regulated entity can track the specific activity of that user when they are logged into an information system and hold the user accountable for functions they perform in the information system when they access that system
pp
Under the implementation specification for emergency access procedures a regulated entity is required to establish procedures such as documented operational practices and instructions to workforce members for obtaining access to necessary ePHI during an emergency and to implement such procedures as needed667
In accordance with this implementation specification a regulated entity must identify the types of situations in which its normal procedures for accessing an information system or application that contains ePHI may not work and establish procedures for obtaining access in those situations668
These procedures must be established prior to an emergency to instruct workforce members on possible ways to gain access to needed ePHI where for example the electrical system has been severely damaged or rendered inoperative or where a software update fails and prevents the regulated entity from accessing ePHI in its EHR
pp
The implementation specification for automatic logoff associated with the standard for access control addresses the need for a regulated entity to when reasonable and appropriate implement electronic procedures that terminate an electronic session after a period of inactivity669
Automatic logoff is an effective way to prevent unauthorized users from accessing ePHI on a workstation when it is left unattended for a period of time670
While many applications have configuration settings that automatically log a user out of the system after a period of inactivity some systems have more limited capabilities and may activate a screen saver that is password protected671
pp
The implementation specification under the standard for access control addresses encryption and decryption and requires regulated entities when it is reasonable and appropriate to implement a mechanism to encrypt and decrypt ePHI672
Encrypting data including ePHI reduces the likelihood that anyone other than the party that has the key to the encryption algorithm would be able to decrypt
ie
translate the data and convert it into plain comprehensible text673
pp
The standard for audit controls requires a regulated entity to implement hardware software andor procedural mechanisms that record and examine activity in electronic information systems that contain or use ePHI Most electronic information systems provide some level of audit controls with a reporting method such as audit reports674
These controls are useful for recording and examining information system activity especially when determining whether a security violation has occurred675
The Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed676
Instead a regulated entity must consider its risk analysis and organizational factors such as current technical infrastructure and hardware and software security capabilities to determine reasonable and appropriate audit controls for information systems that contain or use ePHI677
The audit controls standard has no implementation specifications
pp
Section 164312c1 the standard for integrity requires a regulated entity to implement policies and procedures to protect ePHI from improper alteration or destruction The integrity of data can be compromised by both technical and nontechnical sources Workforce members or business associates may make accidental or intentional changes that improperly alter or destroy ePHI Data can also be altered or destroyed without human intervention such as by electronic media errors or failures678
The purpose of this standard is to establish and implement policies and procedures for protecting ePHI from being compromised regardless of the source Improperly altered or destroyed ePHI can result in clinical quality problems for a covered entity including patient safety issues679
pp
Section 164312c2 contains the addressable implementation specification for the integrity standard that requires a regulated entity when reasonable and appropriate to implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner To determine which electronic mechanisms should be implemented to ensure the integrity of ePHI a regulated entity must consider the various risks to the integrity of ePHI identified during the risk analysis Once a regulated entity has identified risks to the integrity of its data it must identify security measures that will reduce the risks680
ppThe standard for person or entity authentication at 45 CFR 164312d requires a regulated entity to establish policies and procedures for verifying that a person seeking access to ePHI is the one claimed This standard addresses technical controls for ensuring access is allowed only to those persons or software programs that have been granted access rights under the administrative safeguard for information access management at 45 CFR 164308a4 This standard has no implementation specificationspp
Under the standard for transmission security at 45 CFR 164312e1 a regulated entity is required to implement technical security measures to guard against unauthorized access to ePHI when transmitted electronically such as through the internet A regulated entity must identify the available and appropriate means to protect ePHI as it is transmitted select appropriate solutions and document its decisions681
pp
The two addressable implementation specifications for the transmission security standards are under 45 CFR 164312e2 The implementation specification for integrity controls requires a regulated entity when it is reasonable and appropriate to implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until the ePHI has been disposed682
The implementation specification for encryption requires a regulated entity when it is reasonable and appropriate to implement a mechanism to encrypt ePHI
ppWhile the intention of 45 CFR 164312 is for regulated entities to develop and put into place technical controls the Department is aware that regulated entities have not always achieved the degree of protection for ePHI that we intended Absent a definition of implement some regulated entities might interpret the term to mean something other than implementing technical controls to ensure the confidentiality integrity and availability of ePHI This misinterpretation may leave ePHI partially unprotected because regulated entities may not implement safeguards throughout their enterprise As discussed above with respect to both the administrative and physical safeguards the Department is also concerned that regulated entities are not making the connection between the maintenance requirement at 45 CFR 164306d and the requirement to implement technical safeguards and therefore are not reviewing or updating their policies and procedures for technical safeguards Additionally the Department believes that regulated entities may not be recognizing that their obligations under the Security Rule to protect ePHI are not limited to protecting electronic information systems that create receive maintain or transmit ePHI but necessarily include other electronic information systems that affect the confidentiality integrity or availability of ePHIpp
While the Security Rule relies on a flexible and scalable approach to compliance the health care industrys shift to a digital environment has substantially increased both the risk to ePHI and the prevalence of technological solutions for addressing those risks Additionally the cost of such solutions has in many cases decreased over time as is often the case with technology For example when the original Security Rule was published tools to encrypt ePHI had limited availability were more costly and were not userfriendly particularly for small health care providers683
By contrast in 2024 the technical ability to encrypt data may be seamless in many applications inexpensive and widely available in commercial software and hardware products684
Where an encryption solution is not integrated into an application software or hardware thirdparty solutions are often available685
Thus we do not believe that it is appropriate for such provisions to be addressable 686
ppBased on its own investigations and compliance reviews news reports and published studies the Department is aware that many regulated entities have failed to implement adequate technical controls or in some cases any technical controls For examplepp
Some investigations have found indications that regulated entities may implement technical controls that address some but not all users of and technology assets in a relevant electronic information system such as software hardware and persons involved in the development configuration and implementation of technical controls692
And other investigations have suggested that the potential failure of a regulated entity to have security measures in place to protect ePHI from unauthorized access when it is transmitted electronically has resulted in increased risk and breaches of ePHI693
Common network segmentation practices would have substantially reduced the risk to the security ePHI and could have prevented such breaches
pp
Beyond the health care sector threat actors have been able to gain access to networks by compromising user accounts and taking advantage of insufficient network segregation For example the 2014 Home Depot breach involved the compromise of a thirdparty vendors username and password to enter Home Depots network which allowed hackers to obtain elevated rights to navigate to selfcheckout pointofsale system694
The Department is concerned about the potential effects of such incidents in health care where they would jeopardize the confidentiality integrity and availability of ePHI
pp
Finally consistent with the concerns expressed above about the implications of recent caselaw and the uncertainty it might cause among regulated entities assessing whether they have adequately protected their ePHI the Department is concerned that the existing Security Rule may not provide sufficient instruction to regulated entities about
print page 965
how they must maintain specific security measures
ppThe Department retains the requirements for technical safeguards generally and proposes additions and modifications to the existing standards and implementation specificationsppThe Department proposes to expand the primary provision at 45 CFR 164312 to clarify that regulated entities as a general matter must implement and document the implementation of technical safeguards adopted for compliance with the Security Rule This proposal would clarify that the requirement to implement and document technical safeguards would apply to all technical safeguards including technical controls implemented by a regulated entity to protect the confidentiality integrity and availability of all ePHI it creates receives maintains or transmitsppAs noted above the current provision at 45 CFR 164312 does not reference the documentation requirements in 45 CFR 164316 Therefore for clarity we propose to explicitly require in 45 CFR 164312 that documentation of technical safeguards conforms to the requirements in 45 CFR 164316 This proposed change would clarify that a regulated entity must document the policies and procedures required to comply with this rule and how entities considered the flexibility factors in 45 CFR 164306b It would also clarify that a regulated entity must document each action activity and assessment required by the Security Rule The Department considers the documentation requirements and other provisions of 45 CFR 164316 to apply to all of the safeguards including the technical safeguards and this proposal is intended to remove any potential uncertainty among regulated entities Additionally we propose to add maintenance requirements separately to the implementation specifications for particular technical safeguards in 45 CFR 164312 as discussed below and consistent with our proposals to add similar requirements to particular administrative and physical safeguardsppAdditionally as discussed above the Department proposes to remove the distinction between required and addressable implementation specifications and make all implementation specifications required with specific limited exceptions Also as discussed above we propose to modify certain standards and implementation specifications to clarify that the technical safeguards apply to ensure the confidentiality integrity and availability of ePHI which requires a regulated entity to implement the technical safeguards in or on all relevant electronic information systems These proposals are discussed in greater detail belowpp
The Department proposes to clarify the standard for access control at 45 CFR 164312a1 by requiring a regulated entity to deploy technical controls in relevant electronic information systems to allow access only to those users and technology assets that have been granted access rights This proposed modification would ensure that a regulated entity deploys technical controls rather than solely ensuring that it implements technical policies and procedures consistent with our proposals to define deploy and implement 695
Thus the proposal would clarify that a regulated entity is not expected to merely establish a policy and procedure but must also put into place ensure the operation of and verify the continued operation of technical controls for access to its relevant electronic information systems such that the failure to have such technical control in operation throughout its enterprise would be a violation of the new proposed standard Additionally the Departments proposal would clarify that access controls would apply to persons with authorized access and to technology assets
pp
Access controls are one of the key mechanisms by which a regulated entity protects ePHI Such technical controls ensure that access to the regulated entitys electronic information systems is limited to only users and technology assets that have been granted access rights under the policies and procedures adopted in accordance with the standard for information access management under 45 CFR 164308696
The Security Rule does not identify a specific type of access control method or technology to deploy nor are we proposing to do so in this rule697
As discussed above access rights should be rolebased and the technical controls should assist the regulated entity in implementing such policies and procedures For example workforce members responsible for monitoring and administering a regulated entitys relevant electronic information systems such as someone responsible for cybersecurity or providing technical support to users must only have access to ePHI and to the regulated entitys relevant electronic information systems as appropriate for their role and job function
ppWe also propose at 45 CFR 164312a1 to add a paragraph heading to clarify the organization of the regulatory textppThe Department proposes to modify the existing implementation specifications under the standard for access control and to add five new implementation specifications Additionally we propose to redesignate the implementation specification for encryption and decryption as a standardppWe propose to modify the implementation specification for unique user identification at 45 CFR 164312a2i by renaming the implementation specification as Unique identification and adding a requirement to assign a unique identifier for tracking each technology asset These proposed modifications would clarify for regulated entities that the purpose of this requirement is to enable a regulated entity to identify and track unauthorized activity in its relevant electronic information systems Such unauthorized activity may include activity by unauthorized persons or technology assets It may also include activity by persons who are authorized to access the regulated entitys relevant information systems but who access ePHI that they do not need to access for their job or functionpp
The Department also proposes to expand the types of identifiers a regulated entity may assign to users and technology assets beyond names to include numbers andor other identifiers and to clarify that a unique identifier must be assigned to each user and technology asset in the regulated entitys relevant electronic information systems This proposed modification would better meet the goals of this implementation specification by requiring a regulated entity to be able to discern and track activities among all users and technology assets regardless of whether that user or technology asset is a person hardware software program or device The proposed implementation specification for unique identification aligns with the Departments essential CPG for Unique Credentials which calls for regulated entities to use unique credentials to
print page 966
help detect and track anomalous activities698
pp
Additionally we propose to add an implementation specification at proposed 45 CFR 164312a2ii for administrative and increased access privileges Access controls should enable an authorized user to access the minimum necessary information needed to perform their job functions699
Rights andor privileges should be granted to authorized users based on the policies and procedures required under the administrative safeguard for information access management700
For example a workforce member who has certain rolebased administrative access privileges should have separate user identities for nonadministrative access privileges and administrative access privileges Separating a single workforce members user identities based on access privilege substantially limits the risk that an intruder will be able to access ePHI through a workforce members user identity when they are using the administrative access privileges701
A regulated entity may be able to improve the control and review of the use of administrative access privileges such as through a privileged access management system to understand how privileged accounts are used within its environment and help detect and prevent the misuse of privileged accounts702
pp
The proposed implementation specification would require a regulated entity to separate the unique user identities required by the implementation specification for unique user identification based on the type of access privileges used by a specific unique user For example the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to establish user permissions for accessing and performing actions with electronic health information based on unique identifiers may contribute to a regulated entitys compliance with the proposed new implementation specification for administrative and increased access privileges should the proposal be finalized703
This proposed new implementation specification aligns with the Departments essential CPG for Separate User and Privileged Accounts by addressing the separation of privileged or administrator access rights from common user accounts704
pp
Additionally the Department proposes to redesignate the implementation specification for emergency access procedures at 45 CFR 164312a2ii as proposed 45 CFR 164312a2iii and to modify it to require a regulated entity to establish both written procedures and technical procedures for obtaining necessary ePHI during an emergency and to implement them as needed For example we note that the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to permit an identified set of users to access electronic health information during an emergency may contribute to a regulated entitys compliance with the proposed implementation specification for emergency access procedures should the proposal be finalized705
pp
Under the Departments proposal the implementation specification for automatic logoff at 45 CFR 164312a2iii would be redesignated as proposed 45 CFR 164312a2iv and modified to require a regulated entity to deploy technical controls that terminate an electronic session after a period of inactivity Deploying a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session706
Failure to deploy automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI it also impedes an organizations ability to properly investigate such unauthorized access because it would appear to originate from an authorized user707
pp
The Department proposes that the period of inactivity be both predetermined and reasonable and appropriate When determining the length of the period of inactivity a regulated entity should consider the access privileges of a given user or technology asset the systems being accessed the environment in which the system access occurs and other appropriate factors in determining a reasonable and appropriate time of inactivity before session termination For example in an emergency setting a user may not have time to manually log out of a system User identities with administrative and other highlevel access that present a greater risk to the confidentiality integrity and availability of ePHI should have appropriately shorter periods of inactivity because of the increased risk While many applications have configuration settings for automatic logoff708
a regulated entity must determine whether the default automatic logoff is reasonable and appropriate and make modifications if it is not For example the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to automatically stop a users access to health information after inactivity for a predetermined period and require a user to reenter their credentials to resume or regain access may contribute to a regulated entitys compliance with the proposed implementation specification for automatic logoff should the proposal be finalized709
pp
Additionally we propose to add an implementation specification for login attempts at proposed 45 CFR 164312a2v The proposal would require a regulated entity to deploy technical controls that disable or suspend the access of a user or technology asset to relevant electronic information systems after a certain number of unsuccessful authentication attempts Although incorrectly keying in a known password by the intended user may occur infrequently a repeated and persistent failure is a strong indication of an attempt at unauthorized access For example brute force attacks are attempts to gain unauthorized access by guessing the password many times in a row710
Technical controls that limit the number of incorrect login attempts by disabling or suspending the access of a user or technology asset to relevant electronic information systems are appropriate to address unsuccessful login attempts711
pp
The proposal would require a regulated entity to determine the number of unsuccessful authentication attempts that would trigger disabling or suspending access to relevant electronic information system The number should
print page 967
be reasonable and appropriate for the type of user or technology asset the electronic information system or technology asset to which access is sought and the type of information maintained on such information system or technology asset For example a regulated entity may determine that any authentication failure of an administrative privileged access account should disable the account because of the level of risk compared to an authentication failure of a nonadministrative privileged account The Department does not propose to define disable or suspend and relies upon the industry understanding that disabling a users access would require intervention to restore the capability to use the user identity while a suspension may prevent additional login attempts for a temporary limited period of time
pp
Consistent with NCVHS recommendation and existing guidance the Department also proposes to add an implementation specification for network segmentation at 45 CFR 164312a2vi that would require a regulated entity to deploy technical controls to segment its relevant electronic information systems in a reasonable and appropriate manner712
Under this proposal a regulated entity with multiple distinct electronic information systems would be required to separate relevant electronic information systems using reasonable and appropriate technical controls Network segmentation is a physical or virtual division of a network into multiple segments creating boundaries between the operational and IT networks to reduce risks such as threats caused by phishing attacks713
For example where a regulated entity operates both a pointofsale system and an EHR on the same network the EHR could be compromised through a successful attack by an intruder moving laterally
ie
within the same network from a previously compromised pointofsale system because the intruders movements were not impeded by network segmentation Accordingly we believe that it is appropriate to require regulated entities to deploy technical controls to segment the networks to which their relevant electronic information systems are connected714
What constitutes reasonable and appropriate network segmentation depends on the regulated entitys risk analysis and how it has implemented its networks and relevant electronic information systems This proposed new implementation specification aligns with the Departments enhanced CPG for Network Segmentation because where the CPG is implemented an intruders ability to freely move within a regulated entitys network and protect ePHI is minimized715
ppThe proposed implementation specification for data controls at proposed 45 CFR 164312a2vii would require a regulated entity to deploy technical controls to allow access to ePHI based on the regulated entitys policies and procedures for granting users and technology assets access relevant electronic information systems as specified in proposed 45 CFR 164308a10 This implementation specification would require a regulated entity to have in place technical controls that distinguish between users and technology assets that are permitted to access the regulated entitys relevant electronic information systems and those that are not permitted to do so and would require that the controls permit or disallow access accordinglypp
Properly deployed networkbased solutions can limit the ability of a hacker to gain access to an organizations network or impede the ability of a hacker already in the network from accessing other electronic information systemsespecially systems containing sensitive data716
Access controls could include rolebased access userbased access or any other access control mechanisms the organization deems appropriate717
Access controls need not be limited to computer systemsfirewalls network segmentation and network access control solutions are effective means of limiting access to relevant electronic information systems718
ppAdditionally we propose to add an implementation specification for maintenance at proposed 45 CFR 164312a2viii Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the procedures and technical controls required by the implementation specifications associated with the standard for access control at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Encryption can reduce the risks and costs of unauthorized access to ePHI719
For example if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen a breach of PHI will be presumed and reportable under the Breach Notification Rule720
The Breach Notification Rule applies to unsecured PHI which is PHI that is not rendered unusable unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under the HITECH Act721
The Departments guidance on rendering unsecured PHI unusable unreadable or indecipherable to persons who are not authorized to access such PHI states that ePHI at rest
ie
stored in an information system or electronic media is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800111 722
SP 800111 The ePHI encrypted in a manner consistent with SP 800111 is not considered unsecured PHI and therefore qualifies for what is commonly known as the Breach Notification safe harbor meaning that it is not subject to the requirements of the Breach Notification Rule723
Thus by encrypting ePHI in a manner consistent with the Secretarys guidance a regulated entity may not only fulfill its encryption obligation under the Security Rule but also make use of the
print page 968
Breach Notification Rules safeharbor provision724
pp
As the use of mobile computing devices
eg
laptops smartphones tablets has become more pervasive the risks to sensitive data stored on such devices also have increased725
And while in 2003 and even in 2013 encryption might have been out of reach for many regulated entities because of cost or a similar reason726
today encryption solutions are generally considered to be widely accessible The cost of such solutions has decreased significantly as has the difficulty in implementing such solutions In fact many applications have encryption solutions embedded in them727
Once enabled a devices encryption solution can protect stored sensitive data including ePHI from unauthorized access in the event the device is lost or stolen The same is true for most software today728
Thus while encryption of a particular regulated entitys ePHI might not have been reasonable and appropriate in 2003 or 2013 the Department believes encryption generally is reasonable and appropriate today729
pp
Because the prevalence of encryption solutions has increased as has their affordability and the role they play in protecting information including ePHI the Department believes it is appropriate to consider requiring encryption and elevating it from an implementation specification to a standard to increase its visibility and prominence Based on this and consistent with NCVHS recommendation the Department proposes to redesignate the implementation specification for encryption and decryption at 45 CFR 164312a2iv as a standard at proposed 45 CFR 164312b1730
The proposed standard would incorporate the requirements of two implementation specifications that address encryptionthe one addressed here and the one at 45 CFR 164312e2ii731
The Department proposes that the new standard would require a regulated entity to configure and implement technical controls to encrypt and decrypt all ePHI in a manner that is consistent with prevailing cryptographic standards This proposed new standard aligns with the Departments essential CPG for Strong Encryption by calling for regulated entities to deploy encryption to protect ePHI and with the recommendation of NCVHS732
We also note that the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to encrypt and decrypt electronic health information using an encryption algorithm that meets certain requirements may contribute to a regulated entitys compliance with the proposed standard for encryption and decryption should the proposal be finalized733
ppUnder the proposal a regulated entity would need to ensure that an encryption solution that it adopts meets prevailing cryptographic standards prior to using it The Department uses the phrase prevailing cryptographic standards to refer to widely accepted standards for encryption and decryption that are recommended by authoritative sources and that ensure the confidentiality integrity and availability of ePHI at the time the regulated entity performs its risk analysis and establishes or modifies its risk management plan The Department would expect a regulated entity to deploy updated encryption solutions as prevailing cryptographic standards evolve consistent with both of the proposed requirements discussed above 1 to review verify and update its risk analysis in response to changes in its environment that may affect ePHI and 2 to review and modify as reasonable and appropriate its risk management plan in response to changes in its risk analysis Thus a regulated entity using an encryption algorithm that is known to be insecure would not be in compliance with the proposed requirement to deploy an encryption algorithm that meets prevailing cryptographic standards We are not proposing to define prevailing cryptographic standards in regulatory text at this timepp
The Department proposes to add one implementation specification for the proposed standard for encryption and decryption Specifically proposed 45 CFR 164312b2 would require regulated entities to encrypt all ePHI at rest and in transit with limited exceptions734
Thus a regulated entity would be required to encrypt all ePHI it maintains as well as all ePHI it transmits unless an exception applies and the following conditions are met
pp
The first proposed exception at proposed 45 CFR 164312b3i would apply to a technology asset currently used by a regulated entity that does not support encryption according to prevailing cryptographic standards Because the requirements for encryption under the Security Rule today are addressable a regulated entity may be in compliance with the encryption requirement without actual encryption of ePHI if encryption is not reasonable and appropriate provided that the entity meets certain conditions Additionally technology assets in use today may rely on cryptographic standards that are no longer accepted industry practice The Department recognizes that it may take some time for a regulated entity to adopt compliant technology assets Thus we propose this exception for such technology assets that do not support encryption consistent with prevailing cryptographic standards in limited circumstances Specifically to meet this exception a regulated entity would be required to establish a written plan to migrate ePHI to technology assets that support encryption consistent with prevailing cryptographic standards and to implement such plan The regulated entity would be required to establish and implement the written plan within
print page 969
a reasonable and appropriate period of time For example it would not be reasonable or appropriate for a regulated entity to establish a plan to migrate ePHI on a single flash drive within 30 days and not complete migration of that ePHI for a period of a year because migrating ePHI from a flash drive to a more secure medium is a simple and quick process that the regulated entity already determined could be completed within 30 days Thus a year would be an unreasonably long period to leave ePHI insufficiently encrypted particularly after a need to migrate the ePHI has been established In such circumstances the regulated entity would not be complying with the requirements of this proposed exception
pp
The second proposed exception at proposed 45 CFR 164312b3ii would be available for ePHI transmitted in response to an individual request pursuant to 45 CFR 164524 to receive their ePHI in an unencrypted manner Unencrypted manners for an individual to receive their ePHI may include some types of text messaging instant messaging and other applications on a smartphone or another computing device that are capable of making an access request and receiving ePHI735
This exception for individual access requests under 45 CFR 164524 would not apply when the individual would receive their ePHI using technology controlled by the regulated entity such as a patient portal 736
or other technology for the transmission of ePHI
eg
API technology737
Such email or messaging technologies are considered to be among a covered entitys technology assets because they are components of a covered entitys relevant electronic information systems and the requirement to encrypt ePHI would apply
pp
Under the right of access an individual who is the subject of PHI has the right to inspect and request a copy of PHI about them in a designated record set subject to certain exceptions A regulated entity is required to provide such access in the form and format requested by the individual if it is readily producible in such form and format Thus if an individual requests that the regulated entity provide them access in a manner that does not support encryption a regulated entity is generally required to do so if it does not jeopardize the security of the regulated entitys information systems For the exception to apply a regulated entity would be required to have informed the individual of the risks associated with the transmission receipt and storage of unencrypted ePHI when the individual requests unencrypted access and to document that the individual has been informed of such risks738
pp
Consistent with the information blocking regulations the information provided by regulated entities that are also actors must focus on any current privacy andor security risks posed by the technology or the thirdparty developer of the technology be factually accurate unbiased objective and not unfair or deceptive and be provided in a nondiscriminatory manner739
For example a regulated entity that is an actor must provide information to individuals about the privacy and security risks of all mobile health applications in the same manner
pp
We are not proposing to require that the documentation be in any particular form or format Rather the required information could be on a standard form chart note or checkbox as examples The Department does not propose to apply this exception to ePHI transmitted in other forms or formats such as on a CD or other physical device used to maintain and transmit ePHI The proposal would not absolve a regulated entity from compliance with other applicable laws or regulations including the information blocking regulations740
pp
We recognize that emergencies or other occurrences may render it infeasible to encrypt ePHI Thus the third proposed exception at 45 CFR 164312b3iii would apply to certain circumstances in which encryption is infeasible Such circumstances would be limited to when there is emergency or other occurrence that adversely affects a regulated entitys relevant electronic information systems For the proposed exception to apply a regulated entity would be required to implement reasonable and appropriate compensating controls in accordance with and determined by its contingency plan741
The Department would expect this proposed exception to be applicable for a limited period of time and only when encryption is infeasible As noted above the proposed exception to encryption would narrowly apply only when a regulated entitys relevant electronic information system is adversely affected by the emergency or other occurrence The proposed exception would no longer be applicable at such time encryption becomes feasible regardless of whether the emergency or other occurrence continues
pp
The fourth proposed set of exceptions at proposed 45 CFR 164312b3iv would be for ePHI that is created received maintained or transmitted by a medical device
ie
a device within the meaning of section 201h of the Federal Food Drug and Cosmetic Act 21 USC 321h that is authorized by the FDA for marketing We propose three separate exceptions for devices that are authorized by the FDA for marketing pursuant to a submission received before March 29 2023 a submission received on or after March 29 2023 where the device is no longer supported by its manufacturer or a submission received on or after March 29 2023 where the device is supported by its manufacturer Where a device has been authorized by the FDA for marketing pursuant to a submission received before March 29 2023 we propose that the exception at proposed 45 CFR 164312b3ivA would be available only where the regulated entity deploys in a timely manner any updates or patches required or recommended by the manufacturer of the device We also propose a similar exception at proposed 45 CFR 164312b3ivB for devices authorized by the FDA for marketing pursuant to a submission received on or
print page 970
after March 29 2023 where the device is no longer supported by its manufacturer provided that the regulated entity has deployed any updates or patches required or recommended by the manufacturer
pp
We recognize that to comply with this proposal some regulated entities may incur costs for replacing legacy medical devices
ie
medical devices that cannot be reasonably protected against current cybersecurity threats742
We also recognize that legacy devices can pose significant risks to the confidentiality integrity and availability of ePHI743
By limiting these exceptions to devices that have been updated andor patched while they were supported by their manufacturer we believe that this proposal would balance the interest in encouraging regulated entities to dispense with legacy devices with the cost of replacing such devices Additionally the Department believes that regulated entities should already have plans to replace legacy devices that cannot be made cybersecure because of their existing Security Rule obligations We also recognize that at some point most if not all devices will likely become legacy devices and that there may be legitimate reasons not to immediately replace them when the manufacturer ceases to provide support In such cases it will continue to be important for regulated entities to plan for how to address their ongoing Security Rule obligations
pp
Finally we propose an exception proposed 45 CFR 164312b3ivC that would be available for a device authorized by the FDA for marketing pursuant to a submission received on or after March 29 2023 where the device is supported by its manufacturer We understand that the FDA considers security during the review of medical device marketing submissions including those for software that is approved as a medical device and works with device manufacturers to ensure that appropriate cybersecurity protections are built into such devices pursuant to FDAs authority under the Consolidated Appropriations Act 2023744
Thus we do not believe it would be necessary or appropriate for the Security Rule to require encryption for an FDAauthorized medical device that has been authorized by the FDA for marketing pursuant to a submission received on or after March 29 2023 where the device continues to be supported by its manufacturer
ppWhere a proposed exception applies to the proposed encryption requirement the Department also proposes to require that a regulated entity implement alternative measures and compensating controls Specifically we propose at proposed 45 CFR 164312b4i to require a regulated entity to document the existence of an applicable exception and implement reasonable and appropriate compensating controls Under the proposal we would require documentation to occur in realtime meaning when the criteria for the exception exist and at the time compensating controls are implemented For example a regulated entity disclosing ePHI to an individual by unencrypted email in accordance with the right of access would be required to document in accordance with the proposed 45 CFR 164312b4i that 1 before the disclosure the individual has requested to receive ePHI by unencrypted email or unencrypted messaging technology and 2 before the disclosure the regulated entity informed the individual of the risks associated with transmission of unencrypted ePHI The exception would not apply where such individual requests to receive access to their ePHI pursuant to 45 CFR 164524 via email or messaging technologies implemented by the covered entitypp
At proposed 45 CFR 164312b4i the Department proposes to require that where a proposed exception applies a regulated entity would also be required to implement an alternative measure or measures that are reasonable and appropriate compensating controls under proposed 45 CFR 164312b4ii Compensating controls would be implemented in the place of encryption to protect ePHI from unauthorized access745
The Department does not propose to require that compensating controls be limited to technical controls Rather a regulated entity should consider the nature of the exception operating environment and other appropriate circumstances to determine what controls are reasonable and appropriate and implement compensating controls effective for those circumstances For example a regulated entity may use physical access controls such as physically limiting access to a device in combination with other controls to compensate for the absence of encryption
ppProposed paragraph b4iiA would require that if the regulated entity has determined that an exception applies it must secure ePHI by implementing reasonable and appropriate compensating controls that are reviewed and approved by the regulated entitys designated Security Official Because exceptions are a departure from the Security Rule framework the Department proposes to ensure appropriate focus and review by the Security Official of the controls chosen to compensate for the absence of encryptionppWith respect to the exception at proposed 45 CFR 164312b3ivC the Department proposes at paragraph b4iiB to presume that a regulated entity had implemented reasonable and appropriate compensating controls where the regulated entity has deployed the security measures prescribed and as instructed by the FDAauthorized label for the device This would include any updates including patches recommended or required by the manufacturer of the device The proposed language recognizes that while the devices label may not specifically require deployment of an encryption solution it may provide for a specific compensating control and the manner in which that control is to be implemented While not required a regulated entity would be permitted to implement additional alternative security measures and compensating controls in accordance with best practices andor its risk analysispp
Finally at proposed paragraph b4iiC the Department proposes to require that the regulated entitys Security Official review and document the implementation and effectiveness of the compensating controls during any period in which such compensating controls are in use to continue securing ePHI and relevant electronic
print page 971
information systems While regulated entities should review deployed compensating controls on a routine basis the Department proposes to require a regulated entity to periodically review the implementation and effectiveness of compensating controls to ensure the continued protection of ePHI746
For example if a regulated entitys plan to migrate ePHI from hardware that does not support encryption changes such that the use of the unencrypted hardware continues for a longer period of time the regulated entity should review implemented compensating controls to ensure ongoing effectiveness and whether new compensating controls should be deployed We propose to require the designated Security Office conduct such review at least once every 12 months or in response to environmental or operational changes whichever is more frequent Additionally the Department proposes to require that the review be documented in writing and signed If the regulated entitys Security Official review determines that certain compensating controls are no longer effective the Department expects that the regulated entity would adopt new compensating controls that are effective to continue to meet the applicable exception For example a regulated entity would be expected to update any compensating controls for use of an FDAauthorized medical device when and as instructed by the manufacturer of the device
ppWe also propose to add an implementation specification for maintenance at proposed 45 CFR 164312b5 Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technical controls required by the standard for encryption at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate This proposal is consistent with others in this NPRM that would require regulated entities to maintain specified administrative physical and technical safeguardspp
The Department believes that the failure to configure technical controls appropriately and to establish and maintain secure baselines for relevant electronic information systems and technology assets in its relevant electronic information systems presents an opportunity for cyberattack and compromise of ePHI747
Accordingly we propose to add a standard for configuration management at proposed 45 CFR 164312c1 The proposed standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and technology assets in its relevant electronic information systems including workstations in a consistent manner Under this proposal a regulated entity also would be required to establish a baseline
ie
minimum level of security for each relevant electronic information system and technology asset in its relevant electronic information systems and to maintain such information systems and technology assets according to those secure baselines Consistent with our proposals regarding risk analysis and risk management planning the Department intends for a regulated entity to establish its security baseline and to maintain that baseline even when technology changes For example a regulated entity that uses software to access ePHI would be required to update the software with patches as reasonable and appropriate But where a developer ceases to support a software it would be reasonable and appropriate for the regulated entity to take steps to either replace it or to otherwise ensure that its level of security remains consistent with the regulated entitys established baseline Under this proposal if finalized the Department would expect a regulated entity to continually monitor its relevant electronic information systems and technology assets in its relevant electronic information systems to ensure that the secure baselines established by the regulated entity are maintained and take appropriate actions when a relevant electronic information system or technology asset in a relevant electronic information system fails to meet the established baselines A regulated entitys secure baselines would be determined based on its risk analysis and use of security settings that are consistent across its relevant electronic information systems and technology assets in its relevant electronic information systems For example the risk analysis may determine that a manufacturers default settings for a particular technology asset are insufficient Accordingly the regulated entity may establish the baseline for settings that should be applied to the particular asset and similar technologies across the regulated entitys enterprise This proposed standard aligns with the Departments enhanced CPG for Configuration Management which calls for regulated entities to define secure device and system settings It also aligns with the enhanced CPG for Detect and Respond to Relevant Threats and Tactics Techniques and Procedures by calling for regulated entities to include malware protection in their security baseline to detect threats and protect electronic information systems748
Additionally the proposed standard also aligns with the Departments essential CPG for Email Security which addresses the reduction of risks from emailbased threats749
pp
The Department proposes five implementation specifications for the proposed standard for configuration management750
Under the proposed implementation specification for antimalware protection at proposed 45 CFR 164312c2i a regulated entity would be required to deploy technology assets andor technical controls that protect all of the technology assets in its relevant electronic information systems against malicious software such as viruses and ransomware Antimalware software especially when used in combination with other technical controls such as intrusion detectionprevention solutions can also help prevent detect and contain cyberattacks751
This protection would be applied to all of a regulated entitys technology assets in its relevant electronic information systems When determining how to fulfill this proposed obligation regulated entities may consider deploying tools such as antimalware and endpoint detection and response EDR solutions Antimalware tools generally scan a regulated entitys electronic information systems to
print page 972
identify malicious software752
Such tools may also quarantine malicious software if identified As explained by the Office of Management and Budget EDR combines realtime continuous monitoring and collection of endpoint data with rulesbased automated response and analysis capabilities 753
pp
We propose a new implementation specification for software removal at proposed 45 CFR 164312c2ii to require a regulated entity to remove extraneous software from the regulated entitys relevant electronic information systems Software is extraneous if it is unnecessary for the regulated entitys operations It can be a target for attack and older applications may no longer be supported with patches for new vulnerabilities754
Removal of unnecessary software reduces an avenue of attack The Department is not proposing to specify what would constitute necessary and unnecessary software Rather we intend that the regulated entity would consider removal of unwanted or unused software for example default software added by a computer manufacturer or reseller where such software may open an avenue for unnecessary risk because the regulated entity does not intend to use it Accordingly the proposal would require a regulated entity to consider all software on its relevant electronic information systems and any potential avenue of risk and address the risk through software removal where such software is unnecessary for the regulated entitys operations
pp
The proposed implementation specification for configuration at proposed 45 CFR 164312c2iii would require a regulated entity to configure and secure operating systems and software in a manner consistent with the regulated entitys risk analysis Generally a regulated entitys risk analysis should guide its implementation of appropriate technical controls to reduce the risk to ePHI755
Requiring operating systems and software to be maintained in a secure manner would reduce exploitable vulnerabilities756
Often known vulnerabilities can be mitigated by applying vendor patches or upgrading to a newer version757
pp
Under the proposed implementation specification for network ports at proposed 45 CFR 164312c2iv a regulated entity would be required to disable network ports in accordance with the regulated entitys risk analysis758
Successful ransomware deployment often depends on the exploitation of technical vulnerabilities such as unsecured ports759
The proposal to require network ports to be disabled in accordance with the risk analysis would reduce exploitable vulnerabilities760
ppLastly the proposed implementation specification for maintenance at proposed 45 CFR 164312c2v would expressly require a regulated entity to review and test the effectiveness of the technical controls required by the other implementation specifications associated with the standard for configuration management at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Audit controls are crucial technical safeguards that are useful for recording and examining activity in electronic information systems especially when determining whether a security violation occurred761
A regulated entity must consider its risk analysis and organizational factors such as current technical infrastructure hardware and software security capabilities to determine reasonable and appropriate audit controls762
However based on OCRs enforcement experience we believe that regulated entities understanding of and compliance with this standard could be improved by providing more specificity
pp
Accordingly the Department proposes to redesignate the standard for audit controls at 45 CFR 164312b as proposed 45 CFR 164312d1 rename it as the standard for audit trail and system log controls and to add a paragraph heading to clarify the organization of the regulatory text We also propose to modify it to require a regulated entity to deploy either or both technology assets and technical controls that record and identify activity in the regulated entitys relevant electronic information systems The proposal would replace procedural mechanisms with technical controls to match the general focus on technical controls in 45 CFR 164312 and would recognize that a regulated entity may be able to meet the requirements of the standard by deploying either or both technology assets
eg
software or technical controls Under the proposal a regulated entity would be required to collect sufficient information to understand what a specific activity in its relevant electronic information systems is such that the regulated entity would be better able to address activity that presents a risk to the confidentiality integrity or availability of ePHI For example a regulated entity should understand that a given activity in a relevant electronic information system is an attempt to access a portable workstation without authorization The proposal also would modify the limitation on the regulated entitys obligation to record and identify activity in its relevant electronic information systems Thus the proposal would require a regulated entity to record and identify any activity that could present a risk to ePHI meaning activity in all of its relevant electronic information systems not only in its electronic information systems that create receive maintain or transmit ePHI In so doing the Department would also require a regulated entity to record and identify activity in its electronic information systems that may affect the confidentiality integrity or availability of ePHI This redesignated standard as proposed aligns more closely with the Departments enhanced CPG for Centralized Log Collection by addressing the deployment of technical controls to record and identify activity in all electronic information systems763
Additionally as an example we note that adoption of health IT certified through the ONC Health IT Certification Program may contribute to a regulated entitys compliance with the proposed standard for audit trail and system log controls where such health IT meets the criteria for auditing actions on health information and recording actions related to electronic health information and audit log status764
pp
The Department proposes four implementation specifications under this proposed standard that are intended to improve the effectiveness of audit controls deployed by a regulated entity The proposed implementation specification for monitoring and identifying activity at proposed 45 CFR 164312d2i would require a regulated entity to deploy technology assets andor technical controls that monitor in realtime
ie
contemporaneously all activity occurring in a regulated entitys relevant electronic information systems and identify indications of unauthorized persons and unauthorized activity as determined by the regulated entitys risk analysis As proposed the technology assets andor technical controls also would be required to alert workforce members of such indications in accordance with the regulated entitys policies and procedures for information system activity review at proposed 45 CFR 164308a7 Unauthorized activity may include actions by technology assets or persons that have not been authorized to access the regulated entitys ePHI or relevant electronic information systems It may also include actions by authorized users or technology assets that are inconsistent with the regulated entitys policies and procedures for information access management at proposed 45 CFR 164308a10 The Department proposes that monitoring be continual and conducted in realtime because asynchronous review would allow for the compromise of ePHI for the period of time between the unauthorized activity and its discovery OCRs enforcement experience has shown that some regulated entities are potentially failing to implement appropriate audit controls or to review information system activity in a timely manner which may have contributed to a reportable breach765
pp
A regulated entity would be required under the proposed implementation specification for recording activity at proposed 45 CFR 164312d2ii to deploy technology assets andor technical controls that record in realtime all activity in the regulated entitys relevant electronic information systems766
While technical assets andor technical controls deployed in accordance with proposed 45 CFR 164312d2i would monitor activity in its relevant electronic information systems recording such activity would enable a regulated entity to assess any activity to better understand the activitys effects The proposed implementation specification at proposed 45 CFR 164312d2iii would require a regulated entity to deploy technology assets andor technical controls to retain records of all activity in its relevant electronic information systems as determined by the regulated entitys policies and procedures for information system activity review at 45 CFR 164308a7iiA The proposed implementation specification for scope of activity at proposed 45 CFR 164312d2iv would clarify what would constitute activity to be monitored and recorded in the regulated entitys relevant electronic information systems as required by the proposed implementation specifications at proposed 45 CFR 164312d2i and ii Specifically the Department proposes that such activities would include but would not be limited to creating accessing receiving transmitting modifying copying or deleting ePHI and creating accessing receiving transmitting modifying copying or deleting relevant electronic information systems and the information
ie
not only ePHI therein
ppWe also propose to add an implementation specification for maintenance at proposed 45 CFR 164312d2iv Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technology assets andor technical controls required by the respective implementation specifications of this section at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Improper alteration or destruction of ePHI even unintentionally can result in clinical quality problems including patient safety issues for a covered entity767
Workforce members or business associates may make accidental or intentional changes that improperly alter or destroy ePHI768
Data can also be altered or destroyed without human intervention such as by electronic media errors or failures769
It is important to protect ePHI from being compromised regardless of the source770
pp
The current standard for integrity at 45 CFR 164312c1 requires implementation of policies and procedures rather than actual deployment of technical controls to ensure integrity of ePHI To improve the effectiveness of this standard the Department proposes to redesignate it as proposed 45 CFR 164312e and modify it for clarity Under the proposal a regulated entity would be required to deploy technical controls to protect ePHI from improper alteration or destruction when at rest and in transit and to review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate For example the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to verify that the electronically exchanged health information contained within the health IT has not been altered using a hashing algorithm that meets certain requirements may contribute to a regulated entitys compliance with the proposed standard for integrity771
The Department proposes to remove the implementation specification at 45 CFR 164312c2 because technical controls to corroborate that ePHI has not been altered or destroyed in an unauthorized manner are commonly built into hardware and protocols today Thus it is unnecessary to require a regulated entity to specifically deploy such controls
pp
Authentication ensures that a person is in fact who they claim to be before being allowed access to ePHI by providing proof of identity772
The Department proposes to redesignate the standard for person or entity authentication at 45 CFR 164312d as 45 CFR 164312f1 to rename it Authentication to reflect its broad purpose and to add a paragraph heading to clarify the organization of the regulatory text Additionally consistent with our proposals to define
print page 974
implement and deploy we propose to replace the requirement for a regulated entity to implement procedures with a requirement to deploy technical controls Also consistent with our proposals to clarify that a regulated entitys obligations to ensure the confidentiality integrity and availability extend to all of its relevant electronic information systems we propose to clarify that the regulated entity is to deploy technical controls to verify that a person seeking access to the regulated entitys relevant electronic information systems is the one claimed The Department also proposes to modify the existing standard to clarify that a regulated entity would be required to deploy technical controls to verify that a technology asset seeking access to the regulated entitys relevant electronic information systems is the one claimed Thus the proposed standard for authentication would require a regulated entity to deploy technical controls to verify that a person or technology asset seeking access to ePHI andor the regulated entitys relevant electronic information systems is in fact the person or technology asset that the person or asset claims to be We also propose to remove the reference to an entity because entity is included within the definition of person
pp
The Department proposes four implementation specifications under this standard Consistent with NCVHS recommendation to eliminate the use of default passwords the proposed implementation specification for information access management policies at proposed 45 CFR 164312f2i would require a regulated entity to deploy technical controls in accordance with its information access management policies and procedures including technical controls that require users to adopt unique passwords773
Among other things this proposal would ensure that regulated entities change default passwords Such unique passwords would be required to be consistent with current recommendations of authoritative sources The Department does not propose to define authoritative sources and defers to best practices for setting and maintaining passwords of sufficient strength to ensure the confidentiality integrity and availability of ePHI Under this proposal a regulated entity would need to require its workforce members to change any default passwords to unique passwords that are consistent with current authoritative source recommendations for unique passwords as well as prevent the sharing of passwords among workforce members Default passwords typically factoryset passwords may be discovered in common product documentation and used by attackers to gain access to relevant electronic information systems774
Thus the Department believes that it is crucial for the security of ePHI that a regulated entity eliminate the use of default passwords
pp
In addition to proposing the elimination of default passwords the Department proposes a specific requirement for a regulated entity to deploy MFA in the implementation specification for MFA at proposed 45 CFR 164312f2ii We propose to expressly require MFA as recommended by NCVHS because it increases security by ensuring that a compromise of a single credential does not allow access to unauthorized users775
MFA is an effective way to reduce the risk of brute force attacks and to increase the cost of such attack making such an attack less appealing to intruders776
Further deployment of MFA aligns with the Departments essential CPGs for Email Security and Multifactor Authentication because use of MFA would be applicable to email access and protect assets connected to the internet777
Accordingly proposed 45 CFR 164312f2iiA would require a regulated entity to deploy MFA to all technology assets in its relevant electronic information systems to verify that the person seeking access to its relevant electronic information system is the user that the person claims to be A regulated entity should deploy MFA to all technology assets in its relevant electronic information systems in a manner consistent with its risk analysis MFA allows for the use of different categories of factors as described earlier A decision by a regulated entity to use specific factors during specific circumstances where MFA is deployed will be dependent upon the risks to ePHI identified by the regulated entity and the ability of technology to use such factors to authenticate specific users For example certain behavioral characteristics may not satisfy current standards for MFA however the Department anticipates that it may be reasonable and appropriate in the future for a regulated entity to adopt a solution where users provide such characteristics as one of the factors Additionally a regulated entity may identify varying levels of risk posed by its technology assets and elect to deploy MFA in different ways to address the risk posed by each asset For example consistent with its risk analysis a regulated entity may choose to deploy a single signon SSO authentication solution using MFA to allow users to access multiple local applications while also requiring users to authenticate using MFA to access certain cloudbased services
pp
This proposed implementation specification generally is consistent with ASTPONCs Health Data Technology and Interoperability Patient Engagement Information Sharing and Public Health Interoperability HTI2 NPRMs proposed revisions to the MFA criterion requiring certified health IT to support authentication through multiple elements of the users identity according to todays standards such as those recommended by NIST and enable user to configure enable and disable the MFA capabilities778
Adoption of health IT that is certified through the ONC Health IT Certification Program as meeting the proposed MFA criterion should the proposal be finalized may contribute to a regulated entitys compliance with the proposed implementation specification for MFA in this NPRM
pp
Under proposed 45 CFR 164312f2iiB a regulated entity would be required to deploy MFA for any action that would change a users privileges to the regulated entitys relevant electronic information systems in a manner that would alter the users ability to affect the confidentiality integrity or availability of ePHI These modified privileges may provide a user with a level of access inconsistent with a regulated entitys policies and procedures and increase the risk to ePHI by affording a user who does not need to have access to certain systems or information the opportunity to remove security measures deployed to protect ePHI Because a user may affect the confidentiality integrity or availability of ePHI by accessing a relevant electronic information system a regulated entity would be expected to
print page 975
deploy MFA for changed privileges in both types of systems
ppSimilar to the proposed standard for encryption the Department proposes three exceptions at proposed 45 CFR 164312f2iii to the proposed specific requirement to implement MFA The first proposed exception at proposed 45 CFR 164312f2iiiA would be for a technology asset that does not support MFA but is currently in use by a regulated entity Because the requirements for authentication under the existing Security Rule today do not expressly refer to MFA a regulated entity that is not using MFA to meet the requirement to authenticate user identities may argue that it is in compliance with the authentication standard without using MFA The Department recognizes that it may take some time for a regulated entity to adopt compliant software or hardware and thus we propose an exception where such software or hardware does not support MFA To meet this exception a regulated entity would be required to establish a written plan to migrate ePHI to technology assets that supports MFA and to actually migrate the ePHI to such technology assets in accordance with the written plan Accordingly a regulated entity would be required to establish the plan implement the plan and actually migrate ePHI to technology assets that supports MFA within a reasonable and appropriate period of time For example it would not be reasonable and appropriate for a regulated entity to establish a plan to migrate to a new practice management system that supports MFA and fail to take any steps to perform the migration for an entire year Applying the standard flexibly and at scale a reasonable and appropriate timeframe for a system with 5000 users may be different than one for a solo practitioner however both entities would be expected to progress to completionpp
We recognize that emergencies or other occurrences may render it infeasible for a regulated entity to use MFA so we propose a second exception for when MFA is infeasible during an emergency or other occurrence that adversely affects the regulated entitys relevant electronic information systems or the confidentiality integrity or availability of ePHI779
For the proposed exception to apply a regulated entity would be required to implement reasonable and appropriate compensating controls in accordance with its contingency plan 780
and emergency access procedures781
For example if an optical scanner used by a regulated entity as one of the required factors for MFA is rendered inoperable
eg
is temporarily broken or adversely affected by a cyberattack a compensating control may be to temporarily allow users to log in with their user name and a unique password rather than with a PIN and retinal scan The Department would make this proposed exception applicable only for the limited period of time in which MFA is infeasible for the regulated entity during the emergency or other occurrence regardless of whether the emergency or other occurrence continues
pp
At proposed 45 CFR 164312f2iiiC we propose three exceptions that would be for a technology asset in use that is a device within the meaning of section 201h of the Food Drug and Cosmetic Act that has been authorized for marketing by the FDA The first would be for a device authorized by the FDA for marketing pursuant to a submission received before March 29 2023 while the second would be for a device authorized by the FDA for marketing pursuant to a submission received on or after March 29 2023 that is no longer supported by its manufacturer In both cases the exception would only apply where the regulated entity has deployed any updates or patches required or recommended by the manufacturer of the device Similar to our proposal for exceptions to encryption at proposed 45 CFR 164312b3ivA and B we recognize that some regulated entities may incur costs of replacing legacy devices because of the limitations on the proposed exception to MFA where a device was submitted to the FDA for authorization before March 29 2023 or a device submitted for authorization on or after that date that is no longer supported by its manufacturer782
However as discussed above such devices can pose significant risks to the confidentiality integrity and availability of ePHI783
By limiting these exceptions to devices that have been updated andor patched while they were supported by their manufacturer we believe that this proposal would balance the interest in encouraging regulated entities to dispense with legacy devices with the cost of replacing such devices Additionally the Department believes that regulated entities should already have plans to replace legacy devices that cannot be made cybersecure because of their existing Security Rule obligations As discussed above we also recognize that at some point most if not all devices will likely become legacy devices and that there may be legitimate reasons not to immediately replace them when the manufacturer ceases to provide support In such cases it will continue to be important for regulated entities to plan for how to address their ongoing Security Rule obligations
pp
The third proposed exception to MFA at 45 CFR 164312f2iiiC
3
for devices authorized by the FDA for marketing would be available for those devices authorized for marketing by the FDA pursuant to a submission received on or after March 29 2023 where they are supported by their manufacturer We understand that the FDA considers security during the review of medical device marketing submissions and works with device manufacturers to ensure that appropriate cybersecurity protections are built into such devices pursuant to FDAs authority under the Consolidated Appropriations Act 2023784
Thus we do not believe it would be necessary or appropriate for the Security Rule to require MFA for an FDAauthorized medical device that has been authorized by FDA for marketing pursuant to a submission received on or after March 29 2023 where the device continues to be supported by its manufacturer However these devices may continue to be used by a regulated entity when they are no longer supported consistent with the proposed exception for legacy devices that were approved pursuant to a submission received on or after March 29 2023 as described above
pp
Where a proposed exception would apply to the proposed MFA requirement the Department proposes to require that a regulated entity implement alternative measures and compensating controls785
Specifically when a regulated entity seeks to comply with the Security Rule by meeting one of the proposed exceptions to the proposed MFA requirement the Department proposes to require a regulated entity to document both the existence of the criteria demonstrating that the proposed exception would apply and the rationale for why the proposed exception would apply
print page 976
Additionally the proposal would require a regulated entity to implement reasonable and appropriate compensating controls as described at proposed paragraph f2ivB
pp
The proposed requirements for reasonable and appropriate compensating controls are explained under proposed 45 CFR 164312f2ivB Compensating controls are implemented in the place of MFA to protect ePHI786
The Department does not propose to require that compensating controls be technical controls Rather a regulated entity should consider the nature of the exception operating environment and other appropriate circumstances to determine what controls are reasonable and appropriate and implement compensating controls effective for those circumstances For example if a software program does not support MFA deploying a firewall or increasing the sensitivity of an existing firewall protecting that software may in some circumstances constitute a reasonable and appropriate compensating control787
In some instances physical safeguards may serve as reasonable and appropriate compensating controls For example limiting access to certain components of a relevant electronic information system to workforce members who meet certain requirements may be a reasonable and appropriate compensating control under some circumstances In most cases it would be reasonable and appropriate for a regulated entity to implement multiple compensating controls to ensure that the affected electronic information system is secured
pp
The Department proposes at proposed 45 CFR 164312f2ivB
1 that to comply with an exception at paragraph f2iiiA or B or f2iiiC
1 or
2 the regulated entity would be required to secure the relevant electronic information system with reasonable and appropriate compensating controls that have been reviewed approved and signed by the regulated entitys Security Official Because exceptions are a departure from the designed Security Rule framework the Department intends to ensure appropriate review by the Security Official of controls selected by the regulated entity to compensate for the absence of MFA Merely because a regulated entitys Security Official has reviewed approved and signed off on compensating controls does not mean that those controls are effective The regulated entity would also be required to give due consideration to the circumstances surrounding the exception and implement compensating controls effective for those specific circumstances
pp
With respect to the exception at proposed 45 CFR 164312f2iiiC
3 the Department proposes at proposed 45 CFR 164312f2ivB
2 to presume that a regulated entity had implemented reasonable and appropriate compensating controls where the regulated entity has implemented the security measures prescribed and as instructed by the FDAauthorized label for the device The proposed language recognizes that while the devices label may not specifically require deployment of an MFA solution it may provide for a specific compensating control and the manner in which that control is to be implemented This would include any updates such as patches recommended or required by the manufacturer of the device While not required a regulated entity would be permitted to implement additional alternative security measures and compensating controls in accordance with best practices andor its risk analysis
pp
Additionally the Department proposes at 45 CFR 164312f2ivB
3
that during any period in which compensating controls are in use the regulated entitys Security Official would be required to review the effectiveness of the compensating controls at securing its relevant electronic information systems While regulated entities should review implemented compensating controls on a routine basis the Department intends for a regulated entity to periodically review the implementation and effectiveness of implemented compensating controls to ensure the continued protection of ePHI788
For example if a regulated entitys plan to migrate ePHI from hardware that does not support MFA changes such that the use of the nonMFA hardware continues for a longer period of time the regulated entity should review implemented compensating controls to ensure ongoing effectiveness and whether new compensating controls should be implemented We are proposing to require that the review be conducted at least once every 12 months or in response to an environmental or operational change whichever is more frequent and that the review be documented Additionally the Department proposes to require that the review be documented If the regulated entitys Security Official review determines that certain compensating controls are no longer effective the Department would expect the regulated entity to adopt other compensating controls that are effective to continue to meet the applicable proposed exception
ppAs an example of how proposed 45 CFR 164312f2iii would operate in concert with proposed 45 CFR 164312f2iv a regulated entity experiencing an emergency that adversely affects a relevant electronic information system and renders MFA infeasible would be required to document the followingpp
As part of its documentation a regulated entity would need to include the controls that have been deployed a record of the fact that the compensating controls are in use and a record indicating that the compensating controls have been reviewed and approved by the regulated entitys Security Official Proposed 45 CFR 164312f2ivB
3 would require the Security Official to review and document the effectiveness of the compensating controls at least once every 12 months or in response to an environmental or operational change whichever is more frequent A determination regarding the effectiveness of the technical controls would be based on their ability to secure the regulated entitys ePHI and its relevant electronic information systems
pp
Last we propose to add an implementation specification for maintenance at proposed 45 CFR 164312f2v Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technical controls required by this standard at least once every 12 months or in response to
print page 977
environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
Transmission security protects against the interception of ePHI in the communications networks used by regulated entities to transmit ePHI789
The Department proposes to redesignate the standard for transmission security as proposed 45 CFR 164312g and to modify the standard consistent with other proposals made elsewhere in this NPRM as described below Specifically we propose to clarify the existing standard by requiring a regulated entity to deploy technical controls to guard against unauthorized access to ePHI in transmission over an electronic communications network For example adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to establish a trusted connection using encrypted and integrity message protection or a trusted connection for transport and deploying such capability may contribute to a regulated entitys compliance with the proposed standard for transmission security790
These proposed changes are consistent with the Departments proposals to replace implement with deploy in the context of technical safeguards to differentiate between implementation of a written policy or procedure and deployment of technical controls
ppConsistent with our proposals to require that regulated entities maintain their technical controls we also propose to require a regulated entity to review and test the effectiveness of its technical controls for guarding against unauthorized access to ePHI that is being transmitted over an electronic communications network We propose that such review and testing occur at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify such technical controls as reasonable and appropriatepp
The Department also proposes to remove the implementation specification for integrity controls at 45 CFR 164312e2i because these requirements are incorporated in the standard for integrity at proposed 45 CFR 164312e discussed above A regulated entity would continue to be required to review the current methods used to transmit ePHI and then deploy appropriate solutions to protect ePHI from improper alteration or destruction791
pp
Hackers can penetrate a regulated entitys network and gain access to ePHI by exploiting publicly known vulnerabilities792
Exploitable vulnerabilities can exist in many parts of the technology infrastructure of a regulated entitys relevant electronic information systems
eg
server desktop and mobile device operating systems application database and web software router firewall and other device firmware793
A regulated entity can identify technical vulnerabilities in multiple complementary ways including
pp
Additionally CISA has compiled a database of free cybersecurity services and tools some provided directly by CISA and others provided by private and public sector organizations797
For example public and private critical infrastructure organizations may avail themselves of CISAs Cyber Hygiene Services798
These services are available at no cost to such organizations and can help regulated entities reduce their risk level identify vulnerabilities that could otherwise go unmanaged and increase the accuracy and effectiveness of their response activities among other benefits putting them in a better place to make riskinformed decisions CISAs Cyber Hygiene Services include both vulnerability scanning and web application scanning CISA also has compiled a specific suite of tools and services for highrisk communities799
pp
To address the potential for a bad actor to exploit publicly known vulnerabilities and consistent with NCVHS recommendation the Department proposes to add a new standard for vulnerability management at 45 CFR 164312h1800
The proposed standard would require a regulated entity to deploy technical controls to identify and address technical vulnerabilities in the regulated entitys relevant electronic information systems The deployment of technical controls should be consistent with the regulated entitys patch management policies and procedures at proposed 45 CFR 164308a4 This proposed standard aligns with the Departments enhanced CPGs for Cybersecurity Testing and Third Party Vulnerability Disclosure by calling for regulated entities to employ multiple processes to discover technical vulnerabilities including vulnerabilities in workstations and in technology assets provided by vendors and service providers801
For example a regulated entity should include a device owned by a person other than the regulated entity
eg
the medical device manufacturer in its vulnerability management activities where the device is deployed on the regulated entitys network The regulated entity should also include all workstations
eg
desktop computers mobile devices that are part of its relevant electronic information systems in its vulnerability management activities
pp
To implement this proposed standard we propose four implementation specifications Proposed 45 CFR 164312h2iA would require a regulated entity to conduct automated scans of the regulated entitys relevant electronic information systems including all of the components of such relevant electronic information systems
eg
workstations private networks to identify technical vulnerabilities Vulnerability scans detect vulnerabilities such as obsolete software
print page 978
and missing patches802
Once identified assessed and prioritized appropriate measures need to be implemented to mitigate these vulnerabilities
eg
apply patches harden systems retire equipment803
Under the proposal the scans would be required to be conducted in accordance with the regulated entitys risk analysis under proposed 45 CFR 164308a2 and no less frequently than once every six months
ppRelatedly proposed 45 CFR 164312h2iB would add an implementation specification for maintenance of the technology assets that conduct the required automated vulnerability scans Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technology assets that conducts the automated vulnerability scans that would be required by the proposed implementation specification at proposed 45 CFR 164312h2iA at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Identification of a known vulnerability in a relevant electronic information system or a component thereof is a necessary precursor for a regulated entity to take action to mitigate the vulnerability A 2019 study on vulnerability and patch management found that 48 percent of respondents reported that their organizations had at least one breach in the preceding two years Of those 60 percent said that the breaches could have occurred because an available patch for a known vulnerability had not been applied804
pp
Accordingly the Department also proposes a new implementation specification for monitoring at proposed 45 CFR 164312h2ii to require that a regulated entity monitor authoritative sources for known vulnerabilities on an ongoing basis and take action to remediate identified vulnerabilities in accordance with the regulated entitys patch management program805
The Department expects such monitoring to be conducted on an ongoing basis and is not proposing to specify a minimum time interval for reviewing sources We are also not proposing to prescribe the specific sources of known vulnerabilities because such sources may change over time and the vulnerabilities for which regulated entities may be monitoring may vary greatly among regulated entities We propose to require that the sources used must be authoritative Examples of authoritative sources of known vulnerabilities would include NISTs National Vulnerability Database 806
and CISAs Known Exploited Vulnerabilities Catalog807
pp
The proposed implementation specification for penetration testing at 45 CFR 164312h2iii would require a regulated entity to conduct periodic testing of the regulated entitys relevant electronic information systems for vulnerabilities commonly referred to as penetration testing Penetration tests identify vulnerabilities in the security features of an application system or network by mimicking realworld attacks 808
and are an effective way to identify weaknesses that could be exploited by an attacker809
The proposal would require such testing to be conducted by qualified persons We propose to describe a qualified person as a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI We believe that within the cybersecurity industry it is understood that a person who is qualified to conduct such penetration testing is an individual who has a combination of one or more qualifying credentials skills or experiences to perform ethical hacking or offensive security of information systems The proposal would require a regulated entity to conduct such testing at least once every 12 months or in accordance with the regulated entitys risk analysis810
whichever is more frequent
pp
Lastly we are proposing a new implementation specification for patch and update installation at 45 CFR 164312h2iv to require a regulated entity to configure and implement technical controls to install software patches and critical updates in a timely manner in accordance with the regulated entitys patch management program811
The proposed standard for patch management an administrative safeguard discussed above would require a regulated entity to establish and implement written policies and procedures for applying patches and updating relevant electronic information system configurations while this proposal would require the regulated entity to implement technical controls to implement those written policies and procedures In other words proposed 45 CFR 164312h2iv addresses the technical controls to effectuate a regulated entitys patch management plan Applying patches for technology assets including workstations is an effective mechanism to mitigate known vulnerabilities and limit the risk of exploitation812
Although older applications or devices may no longer be supported with patches for new vulnerabilities regulated entities still must take appropriate action if a newly discovered vulnerability affects an older application or device If an obsolete unsupported system cannot be upgraded or replaced additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur
eg
increase access restrictions remove or restrict network access disable unnecessary features or services813
Deployment of such technical controls would help to ensure that a regulated entitys relevant electronic information systems are updated as quickly as possible after a vulnerability has been identified and a patch released
pp
The proposed standard for patch management discussed above would work in tandem with the proposed standard for vulnerability management to ensure that regulated entities substantially reduce the risk to ePHI from known vulnerabilities814
Together these proposals would clarify that a regulated entity is required to affirmatively seek out information about known vulnerabilities assess the risks to the confidentiality integrity and availability of ePHI and implement effective mechanisms through both policies and procedures and technical controls to reduce the risk as well the actual occurrence of breaches resulting from known vulnerabilities For example known vulnerabilities should be readily identified by a regulated entity through monitoring of
print page 979
authoritative sources for known vulnerabilities such as those referenced above and remediating any identified vulnerabilities When a vulnerability is discovered a regulated entity through its patch management program should have in place a policy and procedure for applying any available patches or implementing reasonable and appropriate compensating controls if a patch is not available Remediation may be as simple as applying a vendoroffered software patch or in the case of software no longer supported by a vendor designing and implementing reasonable and appropriate compensating controls to reduce the risk of the vulnerability The policies and procedures required by the proposed standard for patch management in proposed 45 CFR 164308a4i also would be implemented in part by the proposed implementation specifications associated with the proposed standard for vulnerability management Those proposed implementation specifications would require the deployment of technical controls to ensure the patch management program is carried out automated vulnerability scans and penetration testing all of which may identify when a patch or compensating control has not been put in place The Department envisions that the full implementation of all of the proposed standards and implementation specifications would effectively reduce the risk to ePHI
pp
The Security Rule requires regulated entities to regularly create copies of ePHI to ensure that it can be restored in the event of a loss or disruption815
However OCRs enforcement experience indicates that regulated entities could benefit from a more specific standard Consistent with the proposed standard for contingency planning at 45 CFR 164308a13iiB the Department proposes to add a standard for a new technical safeguard for data backup and recovery This new standard would require a regulated entity to deploy technical controls to create and maintain exact retrievable copies of ePHI The proposed changes would remove the existing implementation specification for this activity from the physical safeguards section and place it within technical safeguards The Department also proposes to modify the language of the existing requirement by removing the limitation that it applies before moving equipment so that it applies broadly and comprehensively Elevating data backup and recovery to a standard would also increase the prominence of this requirement and highlight the liability of regulated entities for creating the capacity to restore systems after a data breach
ppThe Department proposes four new implementation specifications for the data backup and recovery standard The first 45 CFR 164312i2i would require a regulated entity to create copies of ePHI in a manner that ensures that such copies are no more than 48 hours older than the ePHI maintained in the regulated entitys relevant electronic information systems and in accordance with the policies and procedures required by proposed 45 CFR 164308a13iiB The second 45 CFR 164312i2ii would require a regulated entity to deploy technical controls that in realtime monitor and alert workforce members about any failures and error conditions of the backups required by the first implementation specification The third 45 CFR 164312i2iii would require a regulated entity to deploy technical controls that record the success failure and any error conditions of backups required The fourth 45 CFR 164312i2iv would require a regulated entity to test the effectiveness of its backups and document the results at least monthly Specifically a regulated entity would be required to restore a representative sample of backed up ePHI after the ePHI is backed up as required by paragraph i2i and document the results of such test restorations at least monthly Such tests should include verifying regulated entitys ability to access ePHI from a remote locationpp
These activities are included in NIST guidance for Security Rule compliance816
which directs regulated entities to consider the following questions Is the frequency of backups appropriate for the environment Are backup logs reviewed and data restoration tests conducted to ensure the integrity of data backups Is at least one copy of the data backup stored offline to protect against corruption due to ransomware or other similar attacks The potential need for these requirements also has been indicated through the rising number of ransomware attacks and the high number of individuals affected in such incidents The Department believes these new implementation specifications if finalized would provide additional instruction for regulated entities about conducting data backups and enhance the ability of regulated entities to avoid costly work stoppages and interruptions in the delivery of health care when data becomes unavailable because of a disaster security incident or other emergency We believe enhanced measures for data backup would reduce the need to pay ransom to hackers to recover compromised data
ppThe Department also proposes to add a new standard for backup and recovery of relevant electronic information systems at proposed 45 CFR 164312j This proposed standard would require a regulated entity to deploy technical controls to create and maintain backups of relevant electronic information systems It would also require a regulated entity to review and test the effectiveness of such technical controls at least once every six months or in response to environmental or operational changes whichever is more frequent and modify them as reasonable and appropriate The Department would not require a regulated entity to test every relevant electronic information system rather the requirement to test the effectiveness of the controls would permit a regulated entity to review the relevant log files and to test a representative sample of the backup of its relevant electronic information systemspp
This proposed standard would reduce potential gaps in the data that needs to be backed up and recovered to ensure that regulated entities address compliance across relevant electronic information systems It is crucial to a regulated entitys recovery from an emergency or other occurrence including a security incident that adversely affects its relevant electronic information systems to create and maintain backups of such information systems that comprise the infrastructure that maintains and supports the confidentiality integrity and availability of ePHI The Department would expect that the extent of this activity would be affected by the size and complexity of the relevant electronic information systems used by a regulated entity It is also consistent with NIST guidance which directs regulated entities to consider whether backups or images of operating systems devices software and configuration files necessary to support the
print page 980
confidentiality integrity and availability of ePHI817
ppThe Department requests comments on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether there are additional technical safeguards that the Department should require regulated entities to implementppb Whether there are additional implementation specifications that should be adopted for any of the proposed or existing technical safeguardsppc Whether the Department should extend the standard for encryption and decryption and associated implementation specifications to require encryption of all relevant electronic information systemsppd Whether there should be exceptions to any of the proposed or existing technical safeguards or related implementation specifications in addition to those proposed for encryption and decryption and MFA For example are there any proposed or existing standards or implementation specifications with which small or rural regulated entities would have substantial difficulty complying If so please explain the type of regulated entities that would be adversely affected by the requirement the nature of the compliance difficulty and any alternative or compensating measures that such entities are implementing now or could implement in the event of such requirement to address the risk to ePHI posed by the specific standard or implementation specificationppe Whether the exceptions the Department has proposed to the standard for encryption or decryption are appropriate If not please explainppf Data about the frequency and number of requests regulated entities receive pursuant to the individual right of access at 45 CFR 164524 where an individual requests that the regulated entity transmit to the individual or a third party a copy of the individuals ePHI via unencrypted email or other unencrypted messaging technologies Please confirm that these are requests made pursuant to the individual right of access rather than other types of communications such as appointment reminders or requests made pursuant to a valid authorizationppg Whether the Department should provide any additional exceptions to standard for encryption or decryption If so please explainpph Whether there are additional criteria or parameters for encryption that regulated entities would find helpful If yes please explain and provide examplesppi Whether the Department should require review of compensating controls implemented to comply with an exception to the encryption and decryption standard more frequently than once every 12 months where there are no environmental or operational changespp
j With respect to the exception to the standard for encryption and decryption for certain requests made pursuant to the individual right of access whether there are forms and formats the Department should include or exclude from the exception
eg
portable document format PDF If so please explain
ppk Resources that regulated entities have identified to help inform individuals about the risks associated with the unencrypted transmission of ePHI and whether the Department should compile and publish a list of such resourcesppl Whether the Department should define in regulation or guidance what constitutes a prevailing cryptographic standard If so please explainppm Whether the Department should specify the deployment of a particular form or manner of encryption such as the use of particular algorithms protocols or compliance standards If so please explainppn Whether the Department should specify how much time regulated entities have to implement encryption for technology assets that do not support encryption If so please explainppo Whether the Department should provide more detailed requirements for network segmentation such as the types of technologies that should be segmented and how to determine whether certain technologies should be segmented If so please explainppp Whether the exceptions the Department has proposed to the implementation specification for MFA are appropriate If not please explainppq Whether the Department should provide additional exceptions to the implementation specification for MFA If so please explainppr Whether the Department should require a regulated entity to review its compensating controls adopted to comply with the exceptions to the implementation specification for MFA more frequently than once every 12 monthspps The costs and burdens for regulated entities to implement MFAppt Whether the Department should require regulated entities to deploy an endpoint detection and response EDR security information and event management SIEM or other specific solutionppu Whether once every six months is the appropriate frequency for the automated vulnerability scans required under the implementation specification for vulnerability management If not please explainppv Whether the Department should define in regulation or guidance what constitutes an authoritative source of known vulnerabilities If so please explainppw Whether once every 12 months is the appropriate frequency for the penetration testing required under the implementation specification for vulnerability management If not please explainppx For regulated entities that have conducted penetration tests the amount of time and costs of such testspp
The first standard in 45 CFR 164314 contains the requirements for business associate agreements and other arrangements The associated implementation specifications at 45 CFR 164314a2 require that a business associate agreement include provisions compelling a business associate to do all of the following 1 comply with the requirements of the Security Rule 818
2 ensure that any subcontractors that create receive maintain or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of the Security Rule by also entering into a business associate agreement 819
and 3 report to the covered entity any security incident of which it becomes aware including breaches of unsecured PHI as required by the Breach Notification Rule820
pp
Under 45 CFR 164314a2ii a covered entity that is a governmental entity is in compliance with the requirements of this section if it has in place an arrangement with a business associate that is also a governmental entity where the arrangement meets the
print page 981
analogous requirements of the Privacy Rule at 45 CFR 164504e3821
ppAdditionally 45 CFR 164314a2iii requires that a business associate and its subcontractor enter into a business associate agreement that meets the same requirements as those that apply to a business associate agreement between a covered entity and business associatepp
As described above a business associate agreement must include a provision that requires a business associate to report to the covered entity any known security incident The term security incident includes both attempted and successful unauthorized events in an information system822
The Security Rule does not prescribe the timing and frequency with which a business associate reports a security incident to the covered entity or subcontractor to a business associate823
Instead regulated entities may determine the appropriate timing and frequency as part of their business associate agreement consistent with the requirements of the Breach Notification Rule824
pp
Depending on the size of the regulated entity the number of security incidents it experiences may vary ranging from the occasional incident experienced by a small regulated entity to more than 1000 per hour for a large regulated entity825
Given that such incidents may have little to no effect if the regulated entitys electronic information systems are able to deter it it may not be necessary for a business associate to report the security incidents immediately to a covered entity or a subcontractor to a business associate
pp
Additionally as discussed above regulated entities are required to establish and implement as needed a contingency plan 826
that includes the policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI Such emergencies or other occurrences could include a fire vandalism system failure or a natural disaster827
The Department believes that in some instances a security incident would also be an emergency or other occurrence that could require a regulated entity to activate its contingency plan828
As the Department previously explained a contingency plan is the only way to protect the confidentiality integrity and availability of ePHI during unexpected events that may expose ePHI because the usual security measures may be disabled ignored or not observed829
pp
In recent years there has been an increase in the number and types of emergencies or other occurrences that cause damage to systems that contain ePHI and may require a regulated entity to activate its contingency plan For example we have experienced an increase in extreme weather events over the last 40 years as a result of the changing climate830
Additionally as discussed in greater detail above there has been a significant increase in the number of breaches of unsecured PHI reported to the Department over the last five years831
And increasingly ePHI is created received maintained and transmitted using cloudbased software that may be located in a remote location which means that covered entities more frequently rely on business associates to access ePHI832
Not only could the covered entitys ability to access ePHI or the relevant electronic information systems of the business associate that are affected by such an event but the incident could also have repercussions for the covered entitys ePHI or its relevant electronic information systems For example a business associates relevant electronic information systems may become infected with malicious software that spreads across devices connected to a network
eg
the NotPetya malware833
If the covered entity is also connected to the same network providing prompt notice to the covered entity of the security incident and activation of its contingency plan could enable the covered entity to prevent or mitigate damage to the covered entitys relevant electronic information systems
pp
When considered altogether these developments mean that a regulated entity is more likely to experience an emergency or other occurrence that damages systems that contain ePHI than it was in either 2003 834
or 2013835
Unfortunately based on the Departments experience neither the increased risk nor the Security Rules requirement that a business associate notify a covered entity or that a subcontractor notify a business associate of any security incident including breaches of unsecured PHI has been sufficient to encourage prompt notifications by a business associate to the covered entity or of a subcontractor to a business associate that its ability to
print page 982
access ePHI or the electronic information systems that create receive maintain or transmit ePHI may be affected This lack of prompt notification delays a covered entity or business associate from responding and protecting its ePHI and electronic information systems accordingly
pp
To address these risk trends and deficiencies in protections the Department proposes to add an implementation specification at proposed 45 CFR 164314a2iD that would require a business associate agreement to include a provision for a business associate to report to the covered entity activation of its contingency plan that would be required under 45 CFR 164308a13 without unreasonable delay but no later than 24 hours after activation836
This proposal if finalized would not alter the business associates breach reporting obligations under the Breach Notification Rule837
The Department believes that it is necessary to notify the covered entity in a timely manner of the contingency plan activation because of the downstream implications for such activation Receiving such prompt notice could enable the covered entity to take the necessary steps to protect its own relevant electronic information systems as well as to implement its own contingency plan if necessary and appropriate
eg
enable the covered entity to access a remote or offline backup of its ePHI if necessary to ensure that patient care is unaffectedor to reduce the effect on patient care as much as possible For example in 2020 a software company was the target of an attack that used software containing malware to infiltrate the electronic information systems of subsequent users of the software This allowed cybercriminals to gain access to several government systems and thousands of private systems worldwide838
Requiring a business associate to provide prompt notice to the covered entity when the business associate activates its contingency plan could enable regulated entities to maintain individuals confidence in their commitment to protecting the confidentiality integrity and availability of ePHI in the event of an emergency or other occurrence that adversely affects relevant electronic information systems839
Additionally the modified standard would align with the enhanced CPG for Third Party Incident Reporting because this proposal would require a business associate to both report to a covered entity or another business associate activation of its contingency plan within 24 hours of such activation and report known or suspected security incidents840
pp
As discussed above the Department proposes to require a regulated entity to activate its contingency plan to respond to an emergency or other occurrence that adversely affects relevant electronic information systems841
The Department believes that regulated entities activate their contingency plans infrequently because such plans are only activated when there is an emergency or other occurrence that rises to a level beyond a security incident that is thwarted or other event that does not adversely affect the confidentiality integrity or availability of ePHI Thus the need to make the proposed notification would also arise infrequently
pp
For example a business associate may not be required to notify a covered entity within a certain time after a relevant electronic information system receives a basic internet command such as a ping842
which happens frequently This is because a ping in and of itself generally does not adversely affect relevant electronic information systems when it is blocked by firewall policies and thus does not require activation of the regulated entitys contingency plan Instead the business associate would be required to provide such notice in instances where internet commands received by the business associate indicate potential malicious activity such as a denial of service attack leading to activation of its contingency plan because of an event that adversely affects the business associates relevant electronic information systems that create receive maintain or transmit ePHI or adversely affects the confidentiality integrity or availability of its ePHI However in both such instances a business associate would still be required to provide notice to the covered entity of the ping as a security incident in accordance with the business associate agreement843
ppThe proposal itself would only require that the business associate notify the covered entity of its activation of the contingency plan it does not include any specific requirements with respect to the form content or manner of the notice Instead we propose to permit the covered entity and business associate to negotiate such terms and include them in their business associate agreement if they so choosepp
We recognize that when such an emergency or other occurrence transpires the focus of the affected regulated entity must be on activating its contingency plan and restoring access to ePHI and the affected relevant electronic information systems Similarly when the contingency plan activation is in response to a successful security incident844
it may take some time to investigate and determine the cause of the security incident Thus this proposal would not require reporting on the cause of the contingency plan activation it would require reporting solely on the fact that it has activated the plan Accordingly we believe that 24 hours would provide a business associate with sufficient time to do all of the following determine that there is an emergency or other occurrence adversely affecting the business associates relevant electronic information systems determine that it needs to activate its contingency plan identify any covered entities that need to be notified and notify such covered entities
pp
This proposed requirement to provide notice without unreasonable delay but no later than 24 hours after a
print page 983
contingency plan is activated would also apply when a business associate that is a governmental entity enters into an arrangement with a covered entity that is also a governmental entity where such arrangement meets the requirements of the Privacy Rule at 45 CFR 164504e3 in accordance with 45 CFR 164314a2ii and when a business associate enters into a business associate agreement with a subcontractor in accordance with 45 CFR 164314a2iii to notify its business associate when it has activated its contingency plan
ppAdditionally the Department proposes conforming changes to the references of 45 CFR 164308b throughout 45 CFR 164314 consistent with proposals made to modify 45 CFR 164308b The Department does not intend these to be substantive changes but rather an alignment with the proposed structural modifications in 45 CFR 164308bppAs discussed above the Department proposes to remove the term required from the implementation specification at 45 CFR 164314a2 consistent with its proposal to eliminate the distinction between addressable and required implementation specifications We also propose a few miscellaneous nonsubstantive corrections to update citations in the standard at 45 CFR 164314a1i and a2iii We do not believe that these technical amendments would add or change any regulatory recordkeeping or reporting requirements nor would they change the Departments interpretation of any regulationpp
The second standard in 45 CFR 164314 requires that except when ePHI disclosed to a plan sponsor is summary health information 845
or enrollment or disenrollment information846
group health plan 847
documents must provide that the plan sponsor will reasonably and appropriately safeguard ePHI created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan Section 164314b2 requires that the plan documents of a group health plan must be amended to incorporate provisions to require the plan sponsor to
pp
Plan sponsors are not directly liable for compliance with the Security Rule because they are not regulated entities
ie
covered entities or business associates under HIPAA Therefore plan sponsors obligations to apply safeguards to ensure the confidentiality integrity and availability of ePHI are limited to the requirements set forth in the plan documents of its group health plan While 45 CFR 164314b generally requires that plan documents call for the implementation of Security Rulelike safeguards the current provision does not specifically require the group health plan to require the plan sponsor or any agent to whom it provides ePHI to comply with the requirements of the Security Rule Given the concerns we have regarding Security Rule compliance generally by regulated entities the Department is also concerned that group health plans have not sufficiently ensured that plan documents require that plan sponsors reasonably and appropriately safeguard ePHI created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan Additionally the Department is concerned that group health plans may not be monitoring plan sponsors to ensure that ePHI is disclosed to a plan sponsor only if the plan sponsor voluntarily agrees to use and disclose the information only as permitted or required by the regulations853
pp
Plan sponsors may perform certain functions that are integrally related to or similar to the administrative functions of group health plans and in carrying out these functions need access to ePHI held by the group health plan For example plan sponsors may perform plan administration functions on behalf of the group health plan which are specified in plan documents The increase in cybercrime and other emergencies adversely affecting electronic information systems is not limited to regulated entities or to the health care sector plan sponsors are experiencing similar increases in events that require the activation of contingency plans854
And plan sponsors may not be reasonably and appropriately protecting the confidentiality integrity and availability of ePHI absent an express requirement that plan documents obligate a plan sponsor to implement the security measures in the Security Rule Additionally regulated entities may not have the ability to determine whether alternate security measures will accomplish the same result because they do not have access to the information systems of plan sponsors nor would it be appropriate for them to have such access
ppAdditionally the Department believes that prompt notification by a plan sponsor to the group health plan that the ability of the plan sponsor or the group health plan to access ePHI or relevant electronic information systems may be affected by a security incident is important for the same reasons discussed above in 45 CFR 164314a This lack of prompt notification delays a group health plan from responding and protecting its ePHI and relevant electronic information systems accordinglypp
The Department proposes to modify the implementation specifications at 45 CFR 164314b2i through iii to address concerns that group health plans may not recognize that reasonable and appropriate safeguarding of ePHI requires the implementation of security measures that are the same as or at least equivalent to the security measures in the Security Rule First we propose to rename the implementation specifications as Safeguard implementation Separation and
print page 984
Agents respectively We also propose to modify all three implementation specifications to require that plan documents of the group health plan would obligate a plan sponsor or any agent to whom it provides ePHI to implement the administrative physical and technical safeguards of the Security Rule The Department recognizes that plan sponsors may need access to ePHI in certain situations such as when they perform functions that are integrally related to or similar to those performed by group health plans and we believe that such information must be protected by plan sponsors in the same manner in which it is protected by group health plans and other regulated entities855
pp
The security measures we are proposing in this NPRM are consistent with the CISA CrossSector CPGs856
and thus should be consistent with measures plan sponsors are implementing to protect their own electronic information systems regardless of the obligations imposed on them by plan documents For example the Department seeks to ensure that plan sponsors are implementing administrative safeguards such as performing a risk analysis857
to protect the confidentiality integrity and availability of all ePHI in its information systems documenting required policies and procedures and documenting implementation of such administrative safeguards including the required policies and procedures858
Thus requiring plan sponsors to implement the same security measures that regulated entities are implementing would maintain confidence in the commitment of plan sponsors to protecting the confidentiality integrity and availability of ePHI in light of the increasing cybersecurity threats as discussed above
ppAdditionally the Department proposes to rename the implementation specification at 45 CFR 164314b2iv as Security incident awarenesspp
Similar to the discussion above the Department proposes to add a new implementation specification for contingency plan activation at proposed 45 CFR 164314b2v that would require plan documents to include a provision requiring a plan sponsor to report to the group health plan without unreasonable delay but no later than 24 hours after activation of its contingency plan859
As discussed above the Department believes that a group health plan needs to be notified in a timely manner when a plan sponsor activates its contingency plan because of the potential implications on the ability of a group health plan to protect the confidentiality integrity and availability of ePHI in its relevant electronic information systems Accordingly we believe that 24 hours would provide a plan sponsor sufficient time to do all of the following determine that there is an emergency or other occurrence adversely affecting the plan sponsors relevant electronic information systems determine that it needs to activate its contingency plan activate its contingency plan identify any group health plans that need to be notified and notify such group health plans
ppSimilarly as discussed above we propose to permit the group health plan and plan sponsor to negotiate the form content or manner of the notice and include them in their plan documents if they so chooseppThe Department believes that requiring a plan sponsor to provide prompt notice to the group health plan when the plan sponsor activates its contingency plan would enable group health plans and plan sponsors to maintain individuals confidence in their commitment to protecting the confidentiality integrity and availability of ePHIppAdditionally consistent with our proposal to revise 45 CFR 164306 the Department proposes to remove the term required from the implementation specification at 45 CFR 164314b2 consistent with our overall proposal to eliminate the distinction between required and addressable implementation specifications However a regulated entity would still be required to comply with all standards and implementation specifications as applicable to its situation as proposed in 45 CFR 164306cppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa How group health plans currently ensure that plan sponsors implement reasonable and appropriate administrative physical and technical safeguards to protect the confidentiality integrity and availability of ePHIppb Whether it is appropriate for group health plans to require plan sponsors to implement the administrative physical and technical safeguards of the Security Rule If not please explain and provide alternatives for how the Department should ensure the confidentiality integrity and availability of ePHI when it is disclosed to plan sponsorsppc Whether business associates currently notify covered entities or subcontractors notify business associates upon activation of their contingency plans and if so the manner and timing of such noticeppd Whether plan sponsors currently notify group health plans upon activation of their contingency plans and if so the manner and timing of such noticeppe Whether it would be appropriate to require a business associate to notify a covered entity or a subcontractor to notify a business associate within 24 hours of activating its contingency plan If not please explain why and what would be an appropriate amount of time for such notificationppf Whether it would be appropriate to require a plan sponsor to notify a group health plan within 24 hours of activating its contingency plan If not please explain why and what would be an appropriate amount of time for such notificationppg The manner timing frequency and process used by business associates to report security incidents to a covered entity or subcontractors to business associatespph The manner timing frequency and process used by a plan sponsor to report security incidents to a group health planpp
Section 164316a requires a regulated entity to implement reasonable and appropriate policies and procedures that comply with the Security Rule taking into account the size complexity and capabilities of the regulated entity 860
the regulated entitys technical infrastructure hardware and software capabilities 861
the costs of security measures 862
and the probability and criticality of
print page 985
potential risks to ePHI863
Such policies and procedures must be consistent with the other requirements of the Security Rule A regulated entity is permitted to change its policies and procedures but it must document and implement such change in accordance with the Security Rule
ppThe standard and implementation specifications for documentation are in 45 CFR 164316b Paragraph b1 requires a regulated entity to maintain the policies and procedures it implements to comply with the Security Rule in written form Additionally where the Security Rule requires an action activity or assessment to be documented the regulated entity must maintain a written record of the action activity or assessment In both cases the written record may be electronic Paragraph b2 includes the current implementation specifications for the documentation standard Such documentation must be retained for the later of either 1 six years from its creation or 2 the date it was last effective Additionally it must be available to those responsible for implementing the documented policies and procedures Finally regulated entities must periodically review their documentation and update it as needed in response to environmental or operational changes affecting the security of ePHIppAlthough this section currently addresses policies and procedures and documentation it does not require or include standards to govern how regulated entities must implement maintain and document implementation of all security measures Implementing maintaining and documenting implementation of all security measures is important to ensure that regulated entities make wellreasoned decisions about implementing the requirements of this rule Just as the Department believes that it is necessary to consider expanding the definition of security measures to better reflect that security measures should be multilayered we also believe that it is necessary to consider providing a more complete instruction concerning how regulated entities must implement maintain and document their implementation of the required security measurespp
Additionally OCRs own experience in investigations and audits leads us to believe that many regulated entities may not be documenting their security measures or their implementation of those measures864
It is critical for a regulated entity to commit to writing the security measures required by the Security Rule to ensure consistent implementation and compliance with the Security Rule Verbal instructions may be forgotten or misconstrued and what the regulated entity believes to be common knowledge may not be or may be relayed incorrectly between workforce members
ppAdditionally based on OCRs enforcement experience the Department believes that regulated entities may not be periodically reviewing and updating their documentation when they modify their security measures in response to environmental or operational changes affecting the security of their ePHI Given the constant evolution of technology and the everchanging behavior of cybercriminals in response to technological evolution the Department believes that regular review of cybersecurityrelated security measures is essential for protecting the confidentiality integrity and availability of ePHI and relevant electronic information systemsppAs discussed above the Department has proposed to revise other provisions of the Security Rule to clarify the differences between administrative and technical safeguards and between policies and procedures on the one hand and technical controls on the other hand We have also proposed to revise other provisions of the Security Rule to clarify that a regulated entity is required to implement and maintain its administrative physical and technical safeguards including its policies and procedures These proposals clarify that such maintenance requires the review testing and modification of the regulated entitys security measures on a regular cadence meaning that the regulated entitys security measures can be modified at any time Given these proposals the Department believes that we must also propose to revise 45 CFR 164316 to delete the standard for policies and procedures and to modify the Security Rules documentation requirements Accordingly the Department proposes to rename this section as Documentation Requirements and to redesignate the documentation standard as paragraph a We also propose to require that a regulated entity document how it considered the factors in 45 CFR 164306b in the development of its written policies and proceduresppWe also propose to modify the documentation standard to clarify that all required written documentation may be in electronic form Additionally we propose to modify the standards two paragraphs Specifically the Department proposes at proposed 45 CFR 164316a1 to require that a regulated entity document the policies and procedures it has implemented to comply with the Security Rule and as part of that documentation explain how it considered the factors at 45 CFR 164306b in the development of its policies and procedures Relatedly we also propose to modify 45 CFR 164316a2 to require a regulated entity to document all of the actions activities and assessments required by the Security Rule The Department believes that both proposals would help to address two common problems observed in Security Rule investigations a failure by the regulated entity to document its policies and procedures and a failure to document actions activities and assessments taken to comply with the Security Rule Without such documentation it is challenging for a regulated entity to assess and ensure its own compliance Accordingly we believe that our proposals to require a regulated entity to document its implementation of the Security Rule requirements would aid both the regulated entity and the Departmentpp
Consistent with our proposal to redesignate the documentation standard as 45 CFR 164316a we propose to redesignate the implementation specifications for documentation time limits availability and updates as proposed at 45 CFR 164316b1 through 3 respectively Under proposed 45 CFR 164316b3 the Department proposes to require a regulated entity to update its documentation at least once every 12 months and within a reasonable and appropriate period of time after a security measure is modified865
As
print page 986
discussed above the Department recognizes that the health care environment has changed in a way that necessitates thorough and frequent review of and updates to documentation By proposing to specify how often documentation must be updated the Department would clarify that we expect regulated entities to review and update their documentation at regular intervals in addition to doing so in response any changes to a security measure Cybersecurity and data protection is an evolving process which makes formal updated and detailed documentation imperative for data protection By reviewing and updating its documentation including its written policies and procedures at least annually and in response to changes to its security measures a regulated entity should have a full understanding of its implemented security measures and be able to determine which measures should be updated to protect the confidentiality integrity and availability of ePHI
ppAs discussed above and consistent with the proposed changes to 45 CFR 164306 the Department is proposing to remove the term required from 45 CFR 164316b1 through 3ppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following consideration in particularppa Whether it would be appropriate to require regulated entities to review and update documentation for security measures at least once every 12 months If not please explainppb Whether it is clear that 45 CFR 164316 provides regulated entities with directions on when and how they are to document all security measures across all safeguard requirements If not please explainppc Whether it is feasible for regulated entities to document all of the actions activities and assessments required by the Security Rule as proposed at 45 CFR 164316a2 If not please explainpp
Section 164318 established the compliance dates for the initial implementation of the security standards for health plans health care clearinghouses and health care providers in 2005 and 2006866
Covered entities have been required to comply with the security standards for almost 20 years and the initial implementation of the security standards is no longer applicable Because of this the Department believes that these provisions are no longer necessary
ppThe Department proposes to remove the information in 45 CFR 164318 and replace the language with provisions for transitioning to the revised Security Rule should the proposals included in this NPRM be adoptedpp
The Department understands that regulated entities may be concerned with the anticipated administrative burden and cost of revising their business associate agreements or other written arrangements to comply with a revised Security Rule For example a regulated entity would need to update its business associate agreements to add a provision specifying that the business associate will report to the covered entity 867
that it activated its contingency plan no later than 24 hours after activation of such plan868
A regulated entity may have existing contracts that are not set to terminate or expire until after the compliance date for a final rule modifying the Security Rule and we understand that a sixmonth compliance period may not provide enough time to reopen and renegotiate all contracts in addition to ensuring that all regulated entities are compliant with the revised Security Rule Accordingly the Department proposes to relieve some of the burden on regulated entities by adding a specified period of transition for certain existing contracts
pp
The Departments authority to provide a transition period is expressed in 45 CFR 160104c which allows the Secretary to establish the compliance date for any modified standard or implementation specification considering the extent of the modification and the time needed to comply with the modification869
ppGiven these considerations to allow regulated entities enough time to update thousands of existing business associate agreements or other written arrangements the Department proposes to provide additional time to update the contracts required by 45 CFR 164314a1ppSpecifically the Department proposes to add new transition provisions under 45 CFR 164318 to allow regulated entities to continue to operate under certain existing business associate agreements or other written arrangements until the earlier of 1 the date such contract or other arrangement either is renewed on or after the compliance date of the final rule or 2 a year after the effective date of the final rule The additional transition period would be available to regulated entities if both of the following conditions are met 1 prior to the publication date of the final rule the covered entity or business associate had an existing business associate agreement or other written arrangement with a business associate or subcontractor respectively that complied with the Security Rule prior to the effective date of a final rule revising the Security Rule and 2 such contract or arrangement would not be renewed or modified between the effective date and the compliance date of the final rulepp
Under the proposed transition provisions a business associate would be permitted to create receive maintain or transmit ePHI pursuant to an existing business associate agreement or other written arrangement with another regulated entity that does not require the regulated entity to obtain satisfactory assurances that meet the requirements of the revised Security Rule for up to one year after the revised Security Rule becomes effective assuming that a final Security Rule is published and that the agreement is compliant with the Security Rule at the time the final rule is published and that it is not renewed or modified between the effective and compliance dates870
The transition provisions would also allow for the business associate to create receive maintain or transmit ePHI on behalf of another regulated entity where the existing business associate agreement does not require that the regulated entity verify that the
print page 987
business associate has deployed technical safeguards in accordance with the Security Rule under the same circumstances as those described above871
pp
During the transition period the Department proposes to allow a business associate to create receive maintain or transmit ePHI pursuant to a business associate agreement or other written arrangement with another regulated entity without including in the agreement that the business associate will 1 comply with the revised Security Rule 872
2 ensure that any subcontractors that create receive maintain or transmit ePHI on behalf of the business associate agree to comply with the revised Security Rule by entering into a business associate agreement or other arrangement that meets the requirements of the revised rule 873
and 3 report to the covered entity 874
activation of its contingency plan875
ppAdditionally the Department intends that in cases where a contract renews automatically without any change in terms or other action by the parties also known as evergreen contracts such contracts would be eligible for the extension if they automatically renew between the effective and compliance dates Thus regulated entities with an evergreen contract will be deemed to be in compliance with the Security Rules requirements for business associate agreements or other written arrangements and such deemed compliance would not terminate when these contracts automatically renew These transition provisions would apply to written contracts or other written arrangements as specified abovepp
These transition provisions would apply only to the requirement to amend contracts or other arrangements with business associates and they would not affect any other compliance obligations under the Security Rule For example beginning on the compliance date of the final rule assuming a final rule is published and that it is finalized as proposed a business associate would be required to implement and document its implementation of the administrative physical and technical safeguards required by a revised Security Rule except with respect to 45 CFR 164308b and 164314a even if the business associates contract with the covered entity 876
has not yet been amended
ppGiven the possibility of a similar burden on group health plans and plan sponsors to update plan documents by the compliance date the Department is considering but not proposing a similar transition provision for plan documents We are not proposing such provisions at this time because unlike business associates plan sponsors do not have independent obligations under the Security Rule Instead the obligations of plan sponsors are based entirely on the content of the plan documents Accordingly if the plan documents are not updated plan sponsors are not obligated to comply with the requirements of the Security Rule because they are not regulated entitiesppIn particular the Department is considering but not proposing at this time adding a new paragraph d introductory text under 45 CFR 164318 with the heading Standard Effect of prior plan documents for group health plans stating that notwithstanding any other provisions of the subpart a group health plan may allow a plan sponsor to create receive maintain or transmit electronic protected health information pursuant to a written plan document with such group health plan that does not comply with 164314b only in accordance with paragraph d1 The Department is also considering adding a new paragraph d1 under 45 CFR 164318 with the heading Implementation specification Plan documents for group health plans stating that the requirements of paragraph b apply to the plan document between a group health plan and a plan sponsor in the same manner as such requirements apply to written contracts or other arrangements between a covered entity and a business associateppSimilarly the Department is considering but not proposing at this time adding a new paragraph d2 under 45 CFR 164318 with the heading Group health plan responsibilities stating that nothing in the section shall alter the requirements of a group health plan or plan sponsor to comply with the applicable provisions of the part other than 164314bppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether the Departments proposal to provide regulated entities with additional time to revise business associate agreements or other written contracts is appropriate If not please explainppb Whether the Department should also provide group health plans and plan sponsors additional time to revise plan documents by adding a transition provision to grandfather certain existing plan documents for a specified period of timeppc Whether the Department should consider additional constraints or specificity for a new paragraph d to allow group health plans more time to comply with the Security Rule requirements for plan documentsppThe Department intends that if any provisions of this subpart including the provisions of this NPRM if finalized were held to be invalid or unenforceable facially or as applied to any person plaintiff or stayed pending further judicial or agency action such provision shall be severable from other provisions of this subpart and from other rules and regulations currently in effect and not affect the remainder of this subpart It is also our intent that unless such provision shall be held to be utterly invalid or unenforceable it shall be construed to give the provision maximum effect to the provision permitted by law including in the application of the provision to other persons not similarly situated or to other dissimilar circumstances from those where the provision may be held to be invalid or unenforceableppThe provisions of this subpart including the proposals of this NPRM are intended to operate independently of each other even if multiple provisions serve the same or similar general purposes or policy goals Where a provision is necessarily dependent on another the context generally makes that clear such as by crossreference to a particular standard requirement or implementation specification Where a provision that is dependent on one that is stayed or held invalid or unenforceable as described in the preceding paragraph is included in paragraph or section within 45 CFR part 160 or 164 we intend that other provisions of such paragraphs or sections that operate independently of said provision would remain in effectpp
The Department intends the individual standards in 45 CFR 164308 164310 164312 164314 and 164316 to apply separately to govern how a regulated entity must protect the security of all ePHI it creates receives
print page 988
maintains or transmits Accordingly if finalized this provision would provide that if any one or several standards in 45 CFR 164308 164310 164312 164314 and 164316 are deemed invalid by a court or nonapplicable to a particular person or circumstance all remaining standards shall be unaffected and shall remain in force and any remaining component of the adjudicated provision not invalid or found to be unenforceable or inapplicable shall be considered by the Department to be still in effect
ppFor example the standard for risk analysis proposed in 45 CFR 164308a2 would protect ePHI from risks and vulnerabilities to the confidentiality integrity and availability of ePHI while the modified standard for workforce security proposed in 45 CFR 164308a9 would protect ePHI from inappropriate access by a regulated entitys workforce An invalidated standard for workforce security would not render the entire rule unworkable because a regulated entity could still meet the requirement to conduct the risk analysis without regard to whether the entity meets the requirements included in the standard for workforce security Similarly were a court to invalidate the Departments proposal in 45 CFR 164310a1 requiring that implemented policies and procedures to limit physical access to relevant electronic information systems and the facility or facilities in which they are housed be in writing a regulated entity could still meet a requirement to implement the policies and procedures Similar considerations apply to the proposal for written policies and procedures in proposed 45 CFR 164316a and to proposals that are deemed inapplicable to certain persons or circumstancesppFurther the Department believes it is necessary to clarify how regulated entities would continue to apply implementation specifications in the event a court invalidates or deems inapplicable a governing standard over a specific implementation specification or if a court invalidates or deems inapplicable one or several implementation specifications without taking adverse action on the governing standard The Department does not interpret that this severability proposal if finalized would apply to implementation specifications in the same manner as it would apply to standards Because the implementation specifications are regulatory instructions on how a regulated entity is to comply with a particular standard if any standard is stricken all implementation specifications underneath are similarly stricken Conversely the Department does not intend for the overarching standard to be affected by a courts decision to invalidate or make a determination of nonapplicability to particular person or circumstance all implementation specifications under a particular standard The Security Rule would still retain its flexible and scalable approach and therefore a regulated entity could use any reasonable and appropriate security measure to implement the standard consistent with 45 CFR 164306b even if all implementation specifications under the standard are strickenpp
If a court invalidates or deems inapplicable less than all implementation specifications under a specific standard
ie
only one or several the ability of a regulated entity to execute the remaining implementation specifications depends on whether the remaining implementation specifications are dependent on one another or operate together to impose requirements on regulated entities For example several proposed implementation specifications under the standard for facility access controls at 45 CFR 164310a1 would require a regulated entity to both establish and implement written procedures pertaining to specific requirements such as contingency operations facility security planning and access control and validation and then subsequently review the written policies and procedures every 12 months Should a court invalidate or deem inapplicable the implementation specification to establish and implement written policies procedures the secondary specification requiring review of said procedures would also become invalid
ppThe Department believes that each definition is independent of all other definitionsppThis list of examples is not intended to be exhaustive The absence from this list of any particular provision should not be construed to mean that the Department considers that provision to be not severable from other parts of the ruleppTo ensure that our intent for severability of provisions is clear in the CFR the Department proposes to add a section on severability at 45 CFR 164320 Proposed 45 CFR 164320 would state our intent that if any provision of this subpart is held to be invalid or unenforceable it shall be construed to give maximum effect to the provision permitted by law unless the holding shall be one of utter invalidity or unenforceability in which case the provision shall be severable from this subpart and shall not affect the remainder thereof or the application of the provision to other persons not similarly situated or to other dissimilar circumstancesppThe Department requests comment on the foregoing proposal including any benefits drawbacks or unintended consequencesppTechnology is constantly evolving able to perform increasingly complex tasks including those with the potential to improve health care and communication between individuals and care providers These new and evolved technologies will continue to transform health care in a variety of ways including providing regulated entities with new tools for faster and more accurate diagnoses effective treatments and more efficient administrationpp
As a regulated entity considers the application of new technologies or the use of existing tools in innovative ways it also must consider whether these technologies create receive maintain or transmit ePHI and if so how to secure them The Security Rule was designed to be technologyneutral for this very reason and continues to provide the foundation for ensuring the confidentiality integrity and availability of all ePHI as technology changes877
As a result while the technology may be new or developing securing ePHI involved with the technology can be successfully executed through compliance with the Security Rule
pp
Before implementing new and emerging technologies a regulated entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity and availability of ePHI878
It must then implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level879
Such administrative physical and technical safeguards apply to all instances of ePHI maintained or transmitted by the regulated entity regardless of the technology used Below we discuss some examples of new technologies such as quantum computing AI and virtual and augmented reality VR and AR and
print page 989
how the Security Rule would apply in each case
pp
Several Federal agencies have considered the potential benefits and drawbacks of quantum information science880
that is the study of the impacts of quantum physics properties on information science Those properties can increase computational power and speed significantly over classical computers provide precision measurements enhance sensing capabilities and increase the accuracy of position navigation and timing services 881
According to NIST In recent years there has been a substantial amount of research on quantum computersmachines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers 882
pp
However the increase in computational capability threatens the security of asymmetric cryptography883
which is critical to encryption solutions a key protection for ePHI and other sensitive information today Scientists warn that when such quantum computers are built they will have the ability to break many of the systems for asymmetric cryptography that are in use today884
Thus experts anticipate that quantum computing will adversely affect the confidentiality and integrity of digital communications885
The goal of postquantum cryptography also called quantumresistant cryptography is to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks 886
A recent National Security Memorandum affirmed that alongside its potential benefits quantum computing also poses significant risks to the economic and national security of the United States including the potential to break much of the publickey cryptography used on digital systems across the United States and around the world 887
Accordingly the White House has directed Federal agencies to take specific steps to mitigate the threat of cryptanalytically relevant quantum computers through a timely and equitable transition of the Nations cryptographic systems to interoperable quantumresistant cryptography 888
pp
NCVHS examined these security issues and provided recommendations to the Department for applying the safeguards of the HIPAA Rules to potential quantum computing threats Specifically NCVHS declared that incorporation of recent Administration guidance for Federal agencies on vulnerable cryptographic systems is necessary to strengthen the Technical Safeguards within the Security Rule 889
This joint guidance developed by NIST CISA and NSA encourages the early planning for migration to postquantum cryptographic standards by developing a QuantumReadiness Road map 890
It also recommends that organizations prepare a cryptographic inventory discuss postquantum roadmaps with technology vendors consider their supply chains readiness for quantum computing and consider the responsibilities of their technology vendors with respect to preparing for quantum readiness891
ppThe Department encourages regulated entities to incorporate these activities as part of their ongoing risk management programs For example the steps presented in the joint guidancesurveying the environment for potential risks and vulnerabilities that endanger ePHI identifying workforce members with responsibility for addressing them inventorying quantumvulnerable systems including that inventory in its risk analysis and risk management and working with technology vendors to ensure their readinessare all activities that already are required by the administrative safeguards of the Security RuleppWe believe these obligations would be clarified by the proposals in this NPRM For example the Department proposes to require that a regulated entity not only conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality integrity and availability of the ePHI it creates receives maintains or transmits but would add an express requirement that the assessment be comprehensive and in writing We also propose to specify that the required assessment include among other things identification of all reasonably anticipated threats and potential vulnerabilities and predisposing conditions making a reasonable determination and documentation of the likelihood that each identified threat will exploit the identified vulnerabilities and performing a written assessment of the risk level for each identified threat and vulnerability Under the NPRM a regulated entity would be expected to as part of the risk analysis consider whether quantum computing poses a reasonably anticipated threat to the confidentiality integrity or availability of its ePHI and whether there is a vulnerability or predisposing condition that corresponds to that threat and to document those considerations make a reasonable determination and document the likelihood that the threat will exploit the identified vulnerabilities and assign a risk level to the identified threat and vulnerabilitypp
Section 238g of the John S McCain National Defense Authorization Act for Fiscal Year 2019 defined AI to include the following 892
pp
AI requires enormous amounts of data to develop but it also has enormous potential benefits The Department has previously stated that these technologies have the potential to drive innovation increase market competition and vastly improve care for patients and populations 893
According to experts AI is unlocking new possibilities by advancing medicine in entirely unimaginable ways and solving some of the grand global healthcare challenges 894
And FDA agrees AI technologies are transforming health care by producing diagnostic therapeutic and prognostic medical recommendations or decisions in some cases independently informed by the vast amount of data generated during the delivery of health care 895
In medical devices areas for AI application include
pp
For example clinicians are using AI to distill large volumes of EHR information about a complex patient into a summarized note that they can use to consider diagnoses and treatment AI also has been used for aid in the detection of diabetic retinopathy screening for breast and lung cancer and classification of skin conditions897
Others are using ambient AI scribes a technology that uses microphones to transcribe encounters with patients in realtime898
This tool creates clinical documentation that clinicians can later edit which can lead to improved interactions with patients and reduced time on documentation899
Newer AI tools may search medical records for relevant information regarding common conditions and other risk factors 900
or offer relevant questions for clinicians to pose to make an accurate diagnosis901
pp
Unfortunately AI can also be used to harm individuals both intentionally and unintentionally Bad actors are using generative AI to threaten the privacy and security of ePHI more effectively through phishing and other social engineering As explained by NCVHS AI tools can create mass scale cyberattacks that are highly effective and major threats to ePHI 902
Experts anticipate that AI will ultimately pioneer the malicious use of Offensive AIhighly sophisticated and malicious attack codethat will be able to mutate itself as it learns about its environment and to expertly compromise systems with minimal chance of detection 903
Such experts are concerned about the level of destruction that will lie in its wake and compare it to an arms race that can only escalate904
Indeed it seems likely that regulated entities will need to invest in AI to defend against malicious use of AI in the future905
pp
After assessing current and potential AI threats NCVHS recommended that the Department clarify how the HIPAA Rules apply to AI906
We agree with their assessment and recommendation Specifically ePHI including ePHI in AI training data prediction models and algorithm data that is maintained by a regulated entity for covered functions is protected by the HIPAA Rules and all applicable standards and specifications907
For example generative AI tools have produced in their output the names and personal information of persons included in the tools sources of training data908
Similar uses of generative AI by regulated entities including the training of AI models on patient data could result in impermissible uses and disclosures including exposure to bad actors that can exploit the information909
As part of its risk analysis and risk management activities a regulated entity must consider the risk associated with different uses and data910
Accordingly we expect that a regulated entity interested in using AI would include the use of such tools in its risk analyses and associated risk management activities The regulated entitys risk analysis must include consideration of among other things the type and amount of ePHI accessed by the AI tool to whom the data is disclosed and to whom the output is provided The NIST AI Risk Management Framework is a helpful resource for regulated entities to better
print page 991
understand measure and manage risks effects and harms of AI911
pp
The Security Rule requires a regulated entity to conduct repeated risk analyses that consider any changes to its environment or operations such as updates or changes in technology or clinical administration and to apply all reasonable updated protections to safeguard ePHI912
Accordingly as technology such as AI evolves the Department would expect a regulated entity to perform a risk analysis to consider the effects of such changes on the confidentiality integrity and availability of ePHI As NCVHS observed It is important to conduct risk analyses on AI throughout the life cycle of the system 913
We believe the proposals in this NPRM would clarify our expectations for when and how regulated entities need to consider prepare for and address such changes For example the Department proposes to expressly require that a regulated entity develop a written inventory of its technology assets Under this proposal the Department would expect that AI software used to create receive maintain or transmit ePHI or that interacts with ePHI including where ePHI is used to train the AI software would be listed as part of its technology asset inventory which feeds into the regulated entitys risk analysis Making AI safe and secure with respect to ePHI requires efforts in a variety of areasbiotechnology cybersecurity critical infrastructureto address risks914
The Federal Government seeks to ensure that the collection use and retention of ePHI is lawful and secure and that it mitigates privacy and confidentiality risks Across the administration Federal agencies are considering potential uses for AI as well as their benefits and risks consistent with EO 11410 and its principles to advance and govern the development and use of AI915
These principles include making AI safe and secure and protecting privacy and civil liberties For example the Department finalized regulations earlier this year that improve transparency by health IT developers of certified health IT including those that are business associates that supply a particular type of AIpredictive decision support interventions DSIs916
Specifically the regulations require such health IT developers to provide greater transparency about the design development training evaluation and use of such predictive DSIs917
This approach promotes responsible AI and makes it possible for covered entities to access a consistent baseline set of information about the algorithms they use to support their decision making and to assess such algorithms for fairness appropriateness validity effectiveness and safety918
ppAdditionally the Department proposes to require that regulated entities monitor authoritative sources for known vulnerabilities and to remediate such vulnerabilities in accordance with their patch management program We also propose to require that patches updates and upgrades that address critical and high risks be applied promptly Together these proposals would support the rapid response to vulnerabilities that will be necessary as AI becomes more prevalent Thus the Department believes that the adoption of the cybersecurity best practices proposed in this NPRM is an important first step to ensuring that AI tools are deployed by regulated entities in a manner that protects the confidentiality integrity and availability of ePHIpp
Research on VR and AR technologies is widespread and has produced numerous applications in the health care fields Such technologies are being used in medical education and patient care including ARassisted surgeries VRbased pain management therapies and immersive patient education tools919
Additionally innovators are working on ways to incorporate AI with VR and AR for improved diagnostics and treatment planning920
pp
However as with quantum computing and AI VR and AR technologies raise new privacy and security concerns VR and AR involve the use of diverse technologies and the collection of a wide array of sensitive information including comprehensive biometric data921
According to experts VR and AR present distinct security challenges encompassing typical vulnerabilities associated with electronic devices as well as potential risks of physical harm and leakage of highly sensitive data 922
VR like any connected computing device is susceptible to standard cybersecurity concerns and various types of cyberthreats necessitating proactive anticipation 923
pp
These cybersecurity risks such as hacking social engineering malicious software and ransomware can be mitigated through holistic risk analysis and risk management consistent with the Security Rule administrative standards in 45 CFR 164308 In addition patch management924
access control925
authentication926
and appropriate business associate agreements 927
are examples of some of the required safeguards that would apply to VR and AR systems
pp
We believe the proposals in this NPRM to clarify these safeguards would substantially improve the ability of regulated entities to address these cybersecurity risks For example the Department proposes to require that a regulated entity obtains from a business associate written verification that the business associate has deployed the technical safeguards required by the Security Rule including a written analysis of the business associates information systems from a person with
print page 992
appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI verifying compliance with the requirements of 45 CFR 164312 and a written certification that the analysis has been performed and is accurate Under this proposal a regulated entity would be required to obtain such verification from a business associatedeveloper of VRAR software ensuring that ePHI that is created received maintained or transmitted using the VRAR software is protected to the same extent as ePHI that is created received maintained or transmitted using other technology assets that are components of the regulated entitys relevant electronic information systems
pp
Many regulated entities are piloting innovative technologies Such entities generally have separate departments that research develop test and deploy such technologies928
Regulated entities might consider integrating workforce members with expertise in security and privacy into their technology development groups to ensure that privacy and security including the Security Rulerequired safeguards are embedded into the design of new and emerging technologies929
Doing so can help improve security while boosting quality efficiency and productivity 930
ppThe Department requests comment on the foregoing discussion of how the Security Rule protects ePHI used in new and developing technologies including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether the Departments understanding of how the Security Rule applies to new technologies involving ePHI is not comprehensive and if so what issues should also be consideredppb Whether there are technologies that currently or in the future may harm the security and privacy of ePHI in ways that the Security Rule could not mitigate without modification and if so what modifications would be requiredppc Whether there are additional policy or technical tools that the Department may use to address the security of ePHI in new technologiespp
The Department of Health and Human Services HHS or Department has examined the effects of this proposed rule under Executive Order EO 12866 Regulatory Planning and Review931
EO 13563 Improving Regulation and Regulatory Review932
EO 14094 Modernizing Regulatory Review933
the Regulatory Flexibility Act 934
RFA the Unfunded Mandates Reform Act of 1995 935
UMRA and EO 13132 on Federalism936
EOs 12866 and 13563 direct the Department to assess all costs and benefits of available regulatory alternatives and when regulation is necessary to select regulatory approaches that maximize net benefits including potential economic environmental public health and safety and other advantages distributive effects and equity The proposed rule meets the criteria as significant under section 3f1 of EO 12866 as amended by EO 14094
ppThe RFA requires us to analyze regulatory options that would minimize any significant effect of a rule on small entities As discussed in greater detail below this analysis concludes and the Secretary certifies that the notice of proposed rulemaking NPRM if adopted would not result in a significant economic effect on a substantial number of small entitiespp
The UMRA section 202a generally requires us to prepare a written statement which includes an assessment of anticipated costs and benefits before proposing any rule that includes any Federal mandate that may result in the expenditure by State local and Tribal governments in the aggregate or by the private sector of 100000000 or more adjusted annually for inflation in any 1 year 937
The current threshold after adjustment for inflation is 183 million using the most current 2024 Implicit Price Deflator for the Gross Domestic Product UMRA does not address the total cost of a rule Rather it addresses certain categories of cost mainly Federal mandate costs resulting from imposing enforceable duties on State local or Tribal governments or the private sector or increasing the stringency of conditions in or decreasing the funding of State local or Tribal governments under entitlement programs
pp
This proposed rule if adopted would impose mandates that would result in the expenditure by State local and Tribal governments in the aggregate or by the private sector of more than 183 million in any one year The impact analysis in this proposed rule addresses such effects both qualitatively and quantitatively Each covered entity and business associate collectively regulated entity including government entities that meet the definition of covered entity
eg
State Medicaid agencies would be required to conduct a Security Rule compliance audit report to covered entities or business associates as applicable upon activation of their contingency plan deploy multifactor authentication MFA in and penetration testing of relevant electronic information systems complete network segmentation disable unused ports and remove extraneous software update cybersecurity policies and procedures revise business associate agreements and update workforce training Business associates would be required to conduct an analysis and provide verification of their compliance with technical safeguards and covered entities would be required to obtain verification from business associates and business associates from their subcontractors Additionally group health plans would need to revise plan documents to require plan sponsors to comply with administrative physical and technical safeguards according to the Security Rule standards Finally through contractual language health plan sponsors would need to enhance safeguards for electronic protected health information ePHI according to the Security Rule standards Costs for all regulated entities to change their policies and procedures alone would increase costs above the UMRA threshold in one year and costs of health plan sponsors would increase total costs further Although Medicaid makes Federal matching funds available for States for certain administrative costs these are limited to costs specific to operating the Medicaid program There are no Federal funds directed at Health Insurance Portability and Accountability Act of 1996 HIPAA compliance activities
pp
The Department believes that pursuant to Subtitle E of the Small Business Regulatory Enforcement
print page 993
Fairness Act of 1996938
the Office of Management and Budgets OMBs Office of Information and Regulatory Affairs would be likely to determine that when finalized this rule meets the criteria set forth in 5 USC 8042 because it is projected to have an annualized effect on the economy of more than 100000000
ppThe Justification for this Rulemaking and Summary of Proposed Rule Provisions section at the beginning of this preamble contain a summary of this rule and describe the reasons it is needed We present a detailed analysis belowpp
The Department identified ten categories of quantifiable costs arising from these proposals that would apply to all regulated entities 1 conducting a Security Rule compliance audit 2 obtaining written verification from their business associates or subcontractors that the business associates or subcontractors respectively have conducted the required verification of compliance with technical safeguards 3 notifying other regulated entities when workforce members access to ePHI is terminated 4 completing network segmentation 5 disabling ports and removing extraneous software 6 deploying MFA 7 deploying penetration testing 8 updating policies and procedures 9 updating workforce training programs and 10 revising business associate agreements Additionally group health plans would be required to update plan documents to require health plan sponsors compliance with the administrative physical and technical safeguards according to the Security Rule and notification of group health plans when health plan sponsors activate their contingency plan Business associates would have additional obligations to verify compliance with technical safeguards and provide it in writing to covered entities and subcontractors to business associates and to notify covered entities upon activation of their contingency plans Finally although plan sponsors are not directly subject to the HIPAA Rules by virtue of the plan document requirements the Department estimates that certain group health plan sponsors
eg
employers that provide group health benefits would likely incur some quantifiable costs to improve safeguards for their electronic information systems that affect the confidentiality integrity or availability of ePHI and to notify group health plans upon activation of plan sponsors contingency plan
ppThe Department estimates that the firstyear costs attributable to this proposed rule total approximately 9 billion These costs are associated with regulated entities and health plan sponsors engaging in the regulatory actions described above For years two through five estimated annual costs of approximately 6 billion are attributable to costs of recurring compliance activities Table 1 reports the present value and annualized estimates of the costs of this proposed rule covering a 5year time horizon Using a 2 percent discount rate the Department estimates that this proposed rule would result in annualized costs of 68 billion for regulated entities and health plan sponsors combinedppTable 1Accounting Table Costs of the Proposed Rule Billions
appAs a result of the proposed changes in this NPRM the enhanced security posture of regulated entities would likely reduce the number of breaches of ePHI and mitigate the effects of breaches that nonetheless occur The Department has partially quantified these effects and presents them in a breakeven analysis The breakeven analysis estimates that if the proposed changes in the NPRM reduce the number of individuals affected by breaches by 7 to 16 percent the revised Security Rule would pay for itself Alternatively the same cost savings may be achieved by lowering the cost per affected individuals ePHI by 7 percent 35 to 16 percent 82 respectivelyppThe changes to the Security Rule would likely result in important benefits and some costs that the Department is unable to fully quantify at this time As explained further below unquantified benefits include reductions in reputational financial and legal harm from breaches of individuals ePHI reductions in disruptions to health care delivery increased confidence among parties to health care business transactions and improved quality of health careppTable 2Potential NonQuantified BenefitsppThe Department also recognizes that there may be some costs that are not readily quantifiable notably actions that regulated entities may take to comply with existing requirements more fully as a result of proposed clarifications For example this would include completing a technology asset inventory which is a baseline expectation for the existing requirement of conducting a risk assessment documenting completion of existing requirements adding more specificity to the required contingency plan such as designating staff roles with specific responsibilities when a contingency occurs testing safeguards as part of reviewing and updating policies and procedures and technical controls and deploying encryption for ePHI in a more concerted manner including documenting provision of notification in response to individuals access requests for transmission of ePHI in an unencrypted manner and has been informed of the risks associated with the transmission receipt and storage of unencrypted ePHI These activities are specified in the NPRM but they would be more in the nature of clarifications to and increased specificity of existing requirements Because the degree of additional effort by regulated entities to meet these requirements would be dependent on multiple factors and likely to be highly variable the additional cost is difficult to quantifyppWe acknowledge that there may be a small burden associated with documenting that an individual was informed of the risks of unencrypted transmission of ePHI however we believe there are few requests that fall into this category Because we do not have a basis to make an estimate we have requested data on potential burdens associated with this proposed exception to the proposed standard for encryption in the preamble discussion of 45 CFR 164312pp
The cost of complying with the exceptions to encryption and MFA for medical devices authorized by the US Food Drug Administration for marketing may depend in part on the extent to which a regulated entity relies on legacy devices because the regulated entity may be required to adopt compensating controls New devices are likely to have encryption and MFA built into them not requiring compensating controls The Department is unable to estimate the range of costs to adopt compensating controls for legacy devices because there is no reliable data to accurately assess the extent to which legacy devices are used in the United States939
The Department requests comment on the number of legacy devices in use and the costs of applying compensating controls to such devices
ppThe Security Rule in conjunction with the Privacy and Breach Notification Rules protects the privacy and security of individuals PHI that is individually identifiable health information IIHI The Security Rules protections are limited to ePHI while the Privacy and Breach Notification Rules protect both electronic and nonelectronic PHI The Security Rule establishes standards to protect individuals ePHI and requires reasonable and appropriate administrative physical and technical safeguards The Security Rule specifies a series of administrative physical and technical security requirements that must be performed or implemented for regulated entities to safeguard ePHI Specifically entities regulated by the Security Rule must 1 ensure the confidentiality integrity and availability of all ePHI they create receive maintain or transmit 2 protect against reasonably anticipated threats to the security and integrity of the information 3 protect against reasonably anticipated impermissible uses or disclosures and 4 ensure compliance by their workforce A major goal of the Security Rule is protecting the security of individuals health information while allowing for the development of a health information system to improve the efficiency and effectiveness of the health care systemppThe Administrative Simplification provisions of HIPAA title II provide the Secretary of HHS with the authority to publish standards for the privacy and security of health information The Department first proposed standards for the security of ePHI on August 12 1998 and published a final rule on February 20 2003 The Department modified the Security Rule in 2013 Recently as the preamble to this NPRM discusses changes in the health care environment and insufficient compliance by regulated entities with the existing Security Rule require the modifications proposed herepp
For purposes of this Regulatory Impact Analysis RIA the proposed rule adopts the list of covered entities with an updated count and certain cost assumptions identified in the Departments Information Collection Request ICR associated with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy 2024 ICR940
The Department also relies on certain estimates and assumptions from the 1998 Proposed Rule 941
that remain relevant the 2003 Final Rule942
and the 2013 Omnibus Rule943
as referenced in the analysis that follows
ppThe Department quantitatively analyzes and monetizes the effect that this proposed rule would have on the actions of regulated entities to conduct a Security Rule compliance audit provide or obtain verification of business associates compliance with technical safeguards notify other regulated entities when workforce members access to ePHI is altered or terminated notify covered entities or business associates as applicable upon activation of a contingency plan complete network segmentation disable unused ports and remove extraneous software deploy MFA and penetration testing update health plan documents update policies and procedures update workforce training and revise business associate agreements The Department also quantitatively analyzes the effects on group health plan sponsors for ensuring that safeguards for their relevant electronic information systems meet Security Rule standards and notifying group health plans upon activation of the plan sponsors contingency plansppAdditionally the Department quantitatively analyzes the benefits of the proposed modifications to regulated entities due to an expected reduction in costs of remediation of breaches and risk of breaches by regulated entitiesppThe Department analyzes the remaining benefits and costs qualitatively because many of the proposed modifications are clarifications of existing requirements and predicting other concrete actions that such a diverse scope of regulated entities might take in response to this rule is inherently uncertainpp
The Department bases its assumptions for calculating estimated costs and benefits on several publicly available datasets including data from the US Census Bureau Census the US Department of Labors DOL Bureau of Labor Statistics the Small Business Administration SBA and the Departments Centers for Medicare
print page 995
Medicaid Services CMS and Agency for Healthcare Research and Quality AHRQ For the purposes of this analysis the Department assumes that employee benefits plus indirect costs equal approximately 100 percent of pretax wages and adjusts the hourly wage rates by multiplying by two for a fully loaded hourly wage rate The Department adopts this as the estimate of the hourly value of time for changes in time use for onthejob activities
pp
Implementing the proposals likely would require regulated entities to engage workforce members or consultants for certain activities The Department assumes that an information security analyst would perform most of the activities proposed in the NPRM consistent with the existing Security Rule requirements The Department expects that a computer and information systems manager would revise policies and procedures a training and development specialist would revise the necessary workforce training a lawyer would revise business associate agreements and a compensation and benefits manager would revise health plan documents for plan sponsors To the extent that these assumptions affect the Departments estimate of costs the Department solicits comment on its assumptions particularly assumptions in which the Department identifies the level of workforce member
eg
analyst manager licensed professional that would be engaged in activities and the amount of time that particular types of workforce members spend conducting activities related to this RIA as further described below Table 3 lists pay rates for occupations referenced in the cost estimates for the NPRM
ppTable 3Occupational Pay Rates 944pp
The Department
assumes that most regulated entities would be able to incorporate changes to their workforce training into existing cybersecurity awareness training programs and Security Rule training rather than conduct a separate training because the total time frame for compliance from date of publication of a final rule would be 240 days945
pp
The changes proposed in this NPRM would apply to covered entities
ie
health care providers that conduct covered electronic transactions health plans and health care clearinghouses and their business associates including subcontractors The Department estimates the number of covered entities to be 822600 business establishments see table 4 By calculating costs for establishments rather than firms946
some burdens may be overestimated because certain costs would be borne by a parent organization rather than each separate facility Similarly benefits and transfers would be overestimated because entity assumptions flow through to those quantifications However decisions about the level of an organization that is responsible for implementing certain requirements likely varies across the health care industry The Department requests data on the extent to which certain burdens are borne by each facility versus an umbrella organization
pp
According to Census data947
there are 954 Direct Health and Medical Insurance Carrier firms out of a total 5822 Insurance Carrier firms such that health and medical insurance firms make up approximately 164 percent of insurance firms 9545822948
Also according to Census data there are 2506 Third Party Administration of Insurance and Pension Funds firms and 8375 establishments This category also includes clearinghouses The Department assumes that 164 percent of these firms service health and medical insurance because that is equivalent to the share of insurance firms that are health and medical As a result the Department estimates that 411 firms categorized as Third Party Administrators are affected by the proposals in this NPRM 2506 164 Similarly the Department estimates that 1374 associated establishments would be affected by the proposals in this NPRM 8375 total establishments 164 Most of these are business associates Based on data from the Departments HIPAA audits and experience administering the HIPAA Rules we are aware of approximately 36 clearinghouses See table 4 below
pp
There were 56289 community pharmacies including 19261 pharmacy and drug store firms operating in the US in 2023949
Small pharmacies generally use pharmacy services administration organizations PSAOs to provide administrative services such as conducting negotiations Based on information from industry the Department estimates that the proposed rule would affect fewer than 10 PSAOs and we include this within the estimated 1 million business associates affected by the proposals in this NPRM950
The Department assumes that
print page 996
costs affecting pharmacies are incurred at each pharmacy and drug store establishment and each PSAO
ppTable 4Estimated Number Type and Size Threshold of Covered Entitiespp
The Department also estimated the percentage of rural and urban health care providers by matching health care provider data from CMS951
Health Resources Services Administration952
and the Statistics of US Businesses SUSB 953
with county population data from the US Census Bureau954
We determined whether a health care provider was rural or urban based on OMBs standards for delineating metropolitan and micropolitan statistical areas955
Consistent with OMBs standard we considered a county to be rural if it has fewer than 50000 inhabitants956
This includes micropolitan areas towns and cities between 10000 and 49999 and counties outside of metropolitan statistical areas and micropolitan areas Based on this analysis we estimate that 78 percent of health care providers operate in rural areas
pp
The Department adopts the estimate of approximately 1000000 business associates including subcontractors as stated in the 2024 ICR and the 2013 Modifications to the HIPAA Privacy Security Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health HITECH Act and the Genetic Information Nondiscrimination Act and Other Modifications to the HIPAA Rules final rule957
We considered whether to increase this figure in our updates but did not do so because many business associates serve multiple covered entities We lack sufficient data to estimate the number of such businesses more precisely but we believe that the number of business associates is highly dynamic and dependent on multiple market factors including expansion and consolidation among various lines of business changing laws and legal interpretations and emerging technologies We include subcontractors of business associates within our estimate because they are business associates of business associates
ppThe Department welcomes comments on the number or types of regulated entities that would be affected by the proposals in this proposed rule and the extent to which they may experience costs or other burdens not already accounted for in the cost estimates The Department also requests comment on the number of health plan documents that would need to be revised if any The Department additionally requests detailed comment on any situations other than those identified here in which covered entities or business associates would be affected by the proposals in this rulemakingpp
Within this NPRM the Department is for the first time including estimates of health plan sponsors potential costs of compliance with specific
print page 997
administrative physical and technical safeguards of the Security Rule The Department relied on data from AHRQ and the US Census to estimate the number of firms offering group health plans 19 million958
and multiplied that by the percentage that offer at least one selfinsured plan to calculate the number of plan sponsors that would be likely to receive ePHI and be subject to the requirements of 45 CFR 164314b 1943484 382 742411 We solicit comments on whether group health plans or thirdparty administrators address any Security Rule requirements for plan sponsors so the plan sponsors would not have an additional burden or would have a smaller burden than estimated below
pp
The number of individuals potentially affected by the proposed changes to the Security Rule includes most of the United States population approximately 337 million specifically those who have received any health care in the past seven years and whose ePHI is likely created received maintained or transmitted by a regulated entity Statistics about the number of individuals affected by breaches of PHI provide insight into known instances where safeguards were breached although the effects of the Security Rule extend farther than that to all ePHI Data from the 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022 959
revealed nearly 42 million individuals affected by breaches of PHI in that year Thirdparty sources reported approximately 133 million individuals affected by health care breaches in 2023960
According to UnitedHealth Group the 2024 breach of its clearinghouse subsidiary Change Healthcare may have affected approximately onethird of the US population or 112 million individuals961
The Department believes that the range of individuals potentially affected by the proposed regulatory changes would be from 42 million to 337 million
ppThe Department has reported HIPAAHITECH breach data annually since 2009 Table 5 shows the data as reported to Congress for the past five years We relied on this data combined with breach cost data from industry sources to analyze the potential savings of the NPRMppTable 5Breaches of PHIppBelow the Department provides the basis for its estimated quantifiable costs resulting from the proposed changes to specific provisions of the Security Rule Many of the estimates are based on assumptions formed through OCRs experience with compliance and enforcement and accounts from stakeholders For each cost the Department provides its main estimate as well as additional high and low estimates for some costs to account for any uncertainty in the compliance approach of regulated entitiesppAll estimates in this section are based on subject matter expertise The Department requests information or data points from commenters to further refine its estimates and assumptionspp
The Department estimates that all regulated entities would need to conduct a Security Rule Compliance Audit because this would be a new requirement under proposed 45 CFR 164308a14 Although some regulated entities have mistakenly conducted such an audit in lieu of a risk analysis the Department believes that costs for the compliance audit as a separate requirement should be attributed to the proposed changes in the NPRM Further because this would be an annual requirement the Department is including this as a recurring cost The Department estimates that regulated entities would need an average of 2 hours of labor by an information systems analyst to conduct the compliance audit based on the assumption that regulated entities have already documented Security Rule compliance activities as currently required This would result in total estimated costs of 437205288 1822600 regulated entities 2 hours 11994 The respective low and high estimates would be 025 and 25 hours of information systems analyst labor resulting in respective total estimated costs of 546506611 1822600 regulated entities 025 hours 11994 and 546506610 1822600 regulated entities 25 hours 11994
print page 998
ppFor proposed 45 CFR 164308b the Department estimates that business associates that handle ePHI would need to spend an average of 2 hours with a low estimate of 025 hours and high estimate of 25 hours analyzing how their cybersecurity measures comply with the proposed requirements for technical safeguards and producing a verification report for covered entities at the hourly wage rate of an information security analyst This estimate assumes that business associates have already documented existing safeguards policies and procedures so that the costs attributable to the new requirement are incremental and would total approximately 239880000 1 million business associates 2 hours 11994 with a low estimate of 29985000 1 million business associates 025 hours 11994 and high estimate of 299850000 1 million business associates 25 hours 11994ppUnder 45 CFR 164308b the Department further estimates that each covered entity would need to spend an average of 30 minutes with 15 minutes as a low estimate and 90 minutes as a high estimate requesting and obtaining compliance reports from its business associates about their deployment of technical safeguards required by the Security Rule at the hourly wage of an information security analyst This assumes that in most instances business associates would produce the required verification for covered entities without being prompted by a request because they would be required to do so by the Security Rule as proposed in the NPRM It further assumes that covered entities have readily available means of contacting business associates such as via email and that the contact could be a single email draft sent in a batch The average time burden per entity depends on verification frequency likely influenced by entities average number of business associates and how frequently entities change business associates The low estimate assumes that entities verify less frequently whereas the high estimate assumes entities verify more frequently At the wage rate of an information security analyst this would result in estimated total costs for covered entities of 49331322 822600 covered entities 05 hours 11994 with a low estimate of 24665661 822600 covered entities 025 hours 11994 and high estimate of 147993966 822600 covered entities 15 hours 11994ppThe proposed requirement to obtain verification of compliance with technical safeguards also would apply to business associates with respect to their subcontractors However we believe that a much smaller number of business associates rely on subcontractors compared to the number of covered entities that rely on business associates to conduct activities on their behalf Thus we estimate that on average business associates would need 5 minutes annually to obtain verification from their subcontractors that the subcontractors have complied with technical safeguards as required by the Security Rule The estimate includes only the time needed for business associates to send a mass email to subcontractors because we have already addressed the burden on business associates of producing the verification in the previous section and that estimate includes burdens on subcontractors The high estimate for this activity would be an average of 15 minutes per business associate and a low estimate would be for business associates to 2 minutes on this activity At the wage rate of an information security analyst this would add estimated total costs for business associates of 9995000 1000000 business associates 0083 hours 11994 with a high estimate of 29985000 1000000 business associates 25 hours 11994pp
The Department estimates that regulated entities are likely to incur additional costs to implement a process to notify other regulated entities when a workforce members access to ePHI is terminated or changed under proposed 45 CFR 164308a9ii This estimate assumes that notifications will take an average of 1 hour annually per regulated entity This results in new estimated costs totaling 84021860 1822600 regulated entities 1 hour 4610962
ppThe Department estimates that on average regulated entities would have an information security analyst spend 15 hours deploying MFA as specifically required under proposed 45 CFR 164312f2ii This would be a onetime firstyear burden that includes an average of 30 minutes for a regulated entity to select an MFA solution that allows them to meet the requirements of the proposal without creating workflow disruptions or delays This estimate would vary depending on how prevalent MFA is in the industry when and if the requirements of the NPRM are finalized As a widely accepted information security practice the Department believes that many large entities have already deployed MFA and the costs range from zero to only a few dollars per user The low estimate would be 01 hours on average assuming that many entities already have some form of MFA and the high estimate would be 175 hours assuming that few entities have MFA At the loaded wage rate of an information security analyst the total estimated cost would be 327903966 1822600 regulated entities 15 hours 11994 with a low estimated total of 218602644 1822600 regulated entities 1 hour 11994 and a high estimated total of 382554627 1822600 regulated entities 175 hours 11994 The Department applies this cost in the first year only because minimal additional labor is needed to maintain this safeguard once it has been deployedpp
The Department believes that most large regulated entities and many mediumsized regulated entities have segmented their information networks to some degree however additional actions may be needed to more fully protect ePHI as required under proposed 45 CFR 164312a2vi Further small entities may not have been aware of the importance of segmenting networks or taken steps to segment their networks The Department estimates that each regulated entity would spend an average of 45 hours to set up network segmentation in the first year of compliance with a final rule with a low estimate of 4 hours and a high estimate of 5 hours at the hourly wage of an information security analyst The Department further assumes that in the following years the burden to maintain the segmented network would be minimal and incorporated into the maintenance requirements The total first year estimated cost of the network segmentation requirement would be 983711898 1822600 regulated entities 45 hours 11994 with a low estimated total of 874410576 1822600 regulated entities 4 hours
print page 999
11994 and a high estimate of 1093013220 1822600 regulated entities 5 hours 11994
pp
The Department believes that large regulated entities have already disabled unused network ports and removed extraneous software as part of existing configuration requirements However the Department believes that small and mediumsized regulated entities are less likely to have performed these actions and thus would incur a new burden to implement these aspects of configuration management proposed at 45 CFR 164312c2ii and iv The Department estimates that 629796 establishments are owned by small and mediumsized covered entities963
which is approximately 7656 percent of all covered entities 629796822600 The Department applies that percentage to the estimated number of business associates 07656 1000000 to arrive at the estimated number of regulated entities with quantifiably increased burdens from these proposed requirements to disable unused ports and remove extraneous software We estimate that for these 1395396 regulated entities 629796 covered entities 765600 business associates an average annual burden of 30 minutes would be needed at the wage rate of an information security analyst to make needed changes to configuration management specifically disabling unused ports and removing extraneous software This would result in estimated total cost increases of 83681898 13953960 regulated entities 05 hours 11994 with a low estimate of 41840949 1395396 regulated entities 025 hours 11994 based on an estimated annual burden of 15 minutes per affected entity and a high estimate of 109301322 1822600 regulated entities 050 hours 11994 based on an estimated annual burden of 30 minutes for all regulated entities
ppThe Department estimates that each regulated entity would spend an average of 3 hours conducting penetration testing with a low estimate of 2 hours and a high estimate of 10 hours at the hourly wage of an information security analyst The Department expects that there might be a high degree of variability between entities depending on their size and technological sophistication Large entities have more endpoints to test and thus have greater exposure The Department also believes there is room for significant variability in the effort that regulated entities may apply to this activity At the wage rate of an information security analyst this would result in estimated total annual costs for regulated entities of 655807932 1822600 regulated entities 3 hours 11994 with a low estimated total of 437205288 1822600 regulated entities 2 hours 11994 and high estimated total of 2186026440 1822600 regulated entities 10 hours 11994ppThe Department estimates that business associates would need to notify other regulated entities in the event that they activate their contingency plan once business associate agreements are revised according to proposed 45 CFR 164314a2iD The Department believes this is unlikely to occur more frequently than once per year and that the time to do so would be minimal because the proposed requirement does not specify the means or scope of such notification The Department estimates that business associates would need an average of 30 minutes with 15 minutes as a low estimate and 45 minutes as a high estimate to report to other regulated entities as applicable when their contingency plan is activated at the wage rate of an information security analyst for a total annual cost of 59970000 1000000 business associates 05 hours 11994 with a low estimated total of 29985000 1000000 business associates 025 hours 11994 and high estimated total of 89955000 1000000 business associates 075 hours 11994ppThe Department estimates that health care insurers and thirdparty administrators would need to revise health plan documents to reflect that health plan sponsors that receive ePHI that is not limited to summary health information or disenrollment information are protecting ePHI with the administrative physical and technical safeguards detailed in the Security Rule as proposed These 6162 entities collectively would be responsible for updating approximately 742411 health plan documents at the wage rate of a compensation and benefits manager The Departments estimate assumes that on average each plan document requires 30 minutes to update for a total estimated cost of 53876766 1742411 05 hours 14514 The Department has attributed these costs solely to health plans and not health plan sponsors because the health plan is the regulated entityppThe Department anticipates that regulated entities would need to develop new or modified policies and procedures for the proposed new requirements to obtain or provide verification of business associates compliance with the Security Rules requirements for technical safeguards conducting a Security Rule compliance audit and reporting the activation of a contingency plan as well as other proposed changes depending on the regulated entities existing policies and procedures The Department estimates that the costs associated with developing such policies and procedures would be the labor of a computer and information systems manager for an average of 35 hours with 25 hours as a low estimate and 6 hours as a high estimate depending on the number of entities with written policies and procedures and their degree of specificity This would result in total annual costs of 1108432416 1822600 regulated entities 35 hours 17376 with a low estimated total of 791737440 1822600 regulated entities 25 hours 17376 and high estimated total of 1900169856 1822600 regulated entities 6 hours 17376 The existing rule requires updates to policies and procedures in response to environmental or operational changes affecting the security of the ePHI and as a result the Department is estimating additional costs for new policies related to this proposed rule as an incremental increasepp
The Department anticipates that regulated entities would be able to incorporate new content into existing Security Rule training programs and that the costs associated with doing so would be attributed to the labor of a training specialist for an estimated 2 hours for total annual costs of 252247840 1822600 regulated entities 2 hours 6920 The low estimate for this activity is 126123920 1822600 regulated entities 1 hour 6920 and the high estimate is 378371760 1822600 regulated entities 3 hours 6920 Many of the changes in the NPRM require the
print page 1000
adoption of standard cybersecurity practices as applied specifically to address the confidentiality integrity and availability of ePHI so we expect that an information security analyst would be familiar with this content These estimated costs would address any required revisions to training for workforce members within the first year of compliance with a final rule Any further recurring component is likely to be implemented into regularly scheduled employee training and thus would not be directly attributable to the proposals in this NPRM
pp
The NPRM proposes to provide a transition period in proposed 45 CFR 164318 for regulated entities to revise business associate agreements to comply with the proposed changes to the requirements of the Security Rule The proposed transition period would allow regulated entities to revise existing agreements by the earlier of the contract renewal date that falls after the compliance date of a final rule or within one year of the rules effective date For a large share of existing agreements this would allow regulated entities to complete the revisions on a rolling basis according to the dates they are renewed The Department estimates that 1822600 964
business associate agreements would need to be revised if this NPRM is adopted and that on average the portion of this activity that results from the rules modifications would take an hour of a lawyers time for each regulated entity This would result in annual costs of 309258768 1822600 regulated entities 1 hour 16968 The Department recognizes that this estimate may not fully account for all revised business associate agreements However the Department believes that in some instances one hour of time is more than would be needed We also believe it is likely that for some regulated entities a professional other than a lawyer would be responsible for the revised agreements at a lower hourly wage For some large business associates the Department believes that a single agreement is used for most of its customers The Departments estimates assume that most agreements would be revised within the first year and accounts for all of them within that time period This would be considered a onetime cost in other words it is not carried over into future years As with all the estimates in this NPRM the Department invites comments about the assumptions underlying the proposed cost projections
pp
Proposed 45 CFR 164314b2 would mandate that group health plan documents require their health plan sponsors who receive ePHI that is not limited to summary health information or enrollment or disenrollment information to deploy the administrative physical and technical safeguards for ePHI required by the Security Rule and notify their group health plans upon activation of the plan sponsors contingency plan Currently plan documents must require such health plan sponsors to have safeguards in place but not necessarily the safeguards specified in the Security Rule965
The Department estimates that an additional 5242 hours of labor would be needed for each affected health plan sponsor to bring its security safeguards for ePHI into compliance with the Security Rule standards and to notify group health plans when its contingency plan is activated over and above the actions attributable to safeguards already in place for ePHI and for sponsors electronic information systems generally The Security Rule compliance activities attributed to group health plan sponsors are shown in table 7 below
ppMost compliance activities would be performed by a workforce member at the hourly wage rate of an information security analyst 11994 while documentation of maintenance would be performed at the rate of a management analyst 11108 and notification of termination or change of workforce members access to ePHI would be performed by an office administrative assistant 4610 This would result in estimated total first year costs for health plan sponsors of 4658781219 as shown in detail in table 7ppThe Department summarizes in tables 6 and 7 the estimated costs that regulated entities approximately 4655 million and plan sponsors approximately 4659 million respectively would experience in the first year of implementing the proposed regulatory changes The Department anticipates that these costs would be for the following activities conducting a Security Rule compliance audit obtaining verification of business associates and subcontractors compliance with technical safeguards providing verification of business associates compliance with technical safeguards providing notification of termination or change of workforce members access to ePHI deploying MFA and penetration testing segmenting networks disabling unused ports removing extraneous software notifying covered entities or business associates as applicable upon activation of a contingency plan and updating health plan documents policies and procedures workforce training and business associate agreements These costs would also include health plan sponsors deploying safeguards for their relevant electronic information systems to meet Security Rule standards and notifying group health plans upon activation of a plan sponsors contingency planppTable 6First Year Cost Estimates for Regulated Entities Proposed Compliance Obligations
appThe Department presents the estimated cost of health plan sponsors compliance with the proposed new requirements in table 7 belowppTable 7First Year Cost Estimates of Health Plan Sponsors Proposed Compliance Obligations
appTogether regulated entities and affected health plan sponsors estimated first year costs of compliance with the proposals in the NPRM would be approximately 9314 million or 9 billionppThe covered entities that are operated by the Department would be affected by the changes in a similar manner to other covered entities and such costs have been factored into the estimates above The Department has not identified other costs to the Department related to the changes in the NPRM A reduction in the number of large breaches affecting 500 or more individuals per incident would benefit the Department by enabling it to focus its resources on a smaller number of breach investigations and potentially resolve such investigations more quicklypp
A key goal of strengthening the cybersecurity posture of regulated entities is to reduce the number and severity of security incidents including breaches of ePHI The Department believes that compliance with the proposed changes which align with industry guidelines and best practices would benefit regulated entities by reducing the cost of breaches Although the costs of implementing the proposed cybersecurity measures would be significant the costs of responding to breaches of ePHI are much higher According to industry data the average cost of a health care breach in 2023 rose to 1093 million the highest among all industries studied966
and the per record cost of a breach involving personally identifiable information across all industries was 183967
These costs include detection and investigation activities notification activities postbreach response activities and activities attempting to minimize the loss of business Thus the benefits of the proposed rule would be to reduce the harms of health care breaches described in the preamble The Department believes that implementing the changes in the NPRM would reduce both the incidence of breaches in health care and the costs of mitigating breaches when they occur
pp
The Department also analyzed the potential cost savings of proposals that
print page 1002
correspond to major factors affecting the costs of large breaches as identified in published reports968
The Department estimates that at a minimum performing the following actions would quantifiably reduce costs 1 encryption 2 penetration testing 3 requiring MFA and notification of termination of access to ePHI 4 increasing employee training and 5 reducing noncompliance with regulations These factors would account for an estimated 236 percent decrease in large breach costs969
For health care breaches this corresponds to an estimated cost savings of 26 million per large breach in high incidence years and 21 million per large breach in low incidence years
pp
A fundamental benefit of the proposed rule would be to decrease the effects of breaches on individuals who are the subjects of ePHI namely patients and health plan members Breaches of ePHI may cause harm to individuals in many ways including loss of reputation and personal dignity and financial and medical fraud which may result in false debts impaired credit and even health threats from misuse of health insurance credentials by another individual Healthcare data which includes medical histories and personal identification can last a lifetime The information collected can be used for ransom to commit tax frauds to provide supporting disability documentation to send fake bills to insurance providers to obtain healthcare prescription drugs medical treatment and to obtain government benefits like Medicare and Medicaid 970
Hackers can use stolen personal medical and financial data to take out a bank loan in the victims name and change direct deposit information in payroll systems allowing them to steal wages as well971
In addition medical identity fraud can impact the victims credit score and health insurance premiums and may result in unexpected legal fees972
Medical identity fraud also enables thieves to obtain medical treatment using the victims stolen ePHI This can lead to the thiefs medical conditions being incorporated into the victims medical records and impacting the victims ability to receive appropriate medical treatment based on accurate records in the future or any care at all depending on whether the thief has exhausted the victims insurance benefits973
Overall recovering compromised ePHI and addressing the consequences of breached information can be a long and arduous process that can cost victims large amounts of time energy and money974
pp
Breaches of ePHI maintained by health care systems can also pose a threat to the medical wellbeing of affected individuals Cyberattacks on health care organizations can include the deployment of malware that compromises the function of both internal and external medical devices Such software can alter the dosages of sensitive medicines or shut down devices while they are in use thus affecting patient care975
Some of the medical devices that are vulnerable to malicious software attacks include insulin pumps and cardiac implant devices976
The consequences of a cyberattack on such a medical device can be fatal
pp
Cyberattacks on relevant electronic information systems also hinder the efficiency of hospitals and limit the quality of care provided to patients Breaches of relevant electronic information systems negatively affect the routine functions of health care organizations They can affect the availability of ePHI and relevant electronic information systems and redirect critical resources from patient care to addressing the cybersecurity attack A 2020 cyberattack on a large covered entity disrupted communication and clinician access to medical records including to individualized chemotherapy plan templates and tools for communicating during treatment preparation and delivery977
In the first week following the attack the hospitals ability to provide critical outpatient care was reduced by 40 percent and infusion visit volume decreased by 52 percent Many patients had to be transferred to other sites to minimize delays in receiving critical medications The effects of this data breach are not unique to this provider There is evidence that cyberattacks on health care organizations decrease the number of patients they are able to treat in a given day and staff utilization978
Decreases in efficiency and number of treated patients also cause health care facilities to lose revenue because of their inability to provide care during a cybersecurity event
pp
Similar to the effects of breaches of ePHI on individuals health care organizations and facilities also experience reputational and financial impacts because of cybersecurity attacks Hospitals can lose the communitys trust and be subject to lawsuits from individuals whose data was compromised979
Organizations that experience cybersecurity attacks can experience reputational harm and other monetary costs such as those associated with providing breach notifications paying fines to regulators and damages to individuals and providing credit monitoring and identity theftrelated services980
The harm to an organizations reputation is difficult to quantify but it can also affect the quality of care administered to individuals981
Privacy and security of ePHI are paramount to individuals feeling safe and at ease sharing their IIHI with clinicians Security breaches can negatively impact a patients confidence in a health care organization if they believe their information and privacy may be compromised This can cause them to delay seeking treatment or
print page 1003
withhold information from health care practitioners ultimately compromising the decisionmaking capacity of their health care provider to administer the best quality of care982
Decreasing the number and scope of health care breaches would reduce the harms of such breaches and would be a significant benefit of the proposals in the NPRM
ppKey inputs to the estimation of costs of this proposed rule include the numbers of regulated entities and health plan sponsors The Department has not previously quantified the costs of Security Rule compliance for health plan sponsors because the existing requirements are for plan documents to require such sponsors to implement administrative physical and technical safeguards but not necessarily to comply with the specific requirements of the Security Rule Therefore the proposed requirement to comply with the proposed changes to the Security Rule along with the number of affected plan sponsors approximately 740000 results in a significant increase in overall cost estimates compared to the existing rule The benefits of improved security for ePHI accrue to individuals regulated entities and health plan sponsors and are significant The Department has discussed the benefits aboveppThe Department seeks to reduce the risk and mitigate the effects of breaches of ePHI and related information systems through the proposals included in this NPRM Because the frequency and magnitude of cybersecurity events are inherently difficult to predict we chose to conduct a breakeven analysis in lieu of a cost savings analysis The Department solicits comments with any information and data on the incidence and negative consequences of cybersecurity breachespp
The
Department examined two different data points the annual number of individuals affected by health care breaches and the annual number of large breaches Additionally the Department considered a high and a low baseline based on the number of breaches and affected individuals per year The Department calculated the high baseline as the average of the three highest values in the 6 years of available data 2018 to 2023 shown in table 8 and the low baseline as the average of the three lowest values
ppTable 8Data on Breaches of
e
PHIpp
The high baseline used 669 breaches and a total of 71 million individuals affected and the low baseline used 440 breaches and 29 million individuals affected984
The high baseline represents years with higher incidence of breaches whereas the low baseline represents years with lower incidence
pp
For each data point the Department calculated the number of breaches or affected individuals by which the affected universe would have to decrease for the proposed rule to fully offset the annualized costs of regulated entities985
Table 9 and the discussion that follows analyses the costs and cost savings based on the number of individuals affected by breaches in a year and the cost per individuals ePHI or medical record
ppTable 9BreakEven Thresholds by Number of Affected IndividualsppThe analysis in table 9 suggests that this NPRM would break even cost savings would match monetized costs incurred if the number of affected individuals is reduced by approximately 45 million In years with a high incidence of breaches this would be a reduction of approximately 7 percent and in lowincidence years this would be a decrease of 164 percent Thus if the proposed changes in the NPRM reduce the number of affected individuals by 7 to 16 percent the rule would pay for itself Alternatively the same cost savings may be achieved by lowering the cost per affected individuals ePHI by 7 percent 35 and 16 percent 82 respectivelyppTable 10 analyzes the potential cost savings for regulated entities based on the annual number of large breaches of ePHI and the cost per breach as shown belowppTable 10BreakEven Thresholds by Number of Large BreachesppIn table 10 the Department assumes that the average cost per breach in industry reports 111 million calculated as the average of the three highest values in table 9 adjusted for inflation refers to large breaches of ePHI The analysis in table 10 suggests that the NPRM would break even if the annual number of large breaches is reduced by approximately 202 In highincidence years this would be a reduction of approximately 30 percent and in lowincidence years this would be a decrease of 59 percent Alternatively the same cost savings may be achieved by lowering the cost per breach by 30 percent 34 million and 9 percent 66 million respectivelyppThe Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered but did not propose while developing this proposed rule We also request comment on whether the Department should reconsider any of the alternatives considered and if so whyppWe considered not proposing revisions to the Security Rule However the Department believes that not revising the Security Rule would result in continued increases in both the number and size of breaches Such increases would result in an exponential increase in costs as shown in table 8 above If the modifications to the Security Rule result in even modest improvements to the security of ePHI the reduction in the number andor size of breaches would reduce the overall costs associated with breaches including the costs of mitigating harm resulting from such breachespp
The Department considered proposing a separate standard for regulated entities to secure email transmissions In the Departments Cybersecurity Performance Goals986
the Department identifies email security as an essential goal for reducing risk from common emailbased threats such as email spoofing phishing and fraud Therein the Department points to basic email protection controls identified in the Health Industry Cybersecurity Practices such as spamvirus checking and realtime deny lists as well as strategies that may be deployed across small medium and large organizations including MFA for email access email encryption workforce education and advance tooling
eg
URL click protection via analytics attachment sandboxing987
pp
The Department is aware of the threat that email poses to the information systems of regulated entities and to the confidentiality integrity and availability of ePHI988
However the Department believes that it is important that the Security Rule remain technologyneutral and that the security measures we propose in this NPRM apply to a regulated entitys information systems broadly including email programs For example in this NPRM the Department proposes to require regulated entities to encrypt all ePHI at rest and in transit and proposes a transmission security standard in which regulated entities would be required to deploy technical controls to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network989
Therefore the Department believes it is unnecessary to promulgate a separate standard for email security Because the other technical controls such as encryption and MFA are already incorporated into the requirements that would protect relevant electronic information systems the Department believes that adopting a separate secure email standard would duplicate costs without creating a net benefit
pp
Additionally the Department considered whether to heighten the existing expectation 990
for regulated entities to inform individuals before transmitting ePHI to the individual via unencrypted email in response to a request for access under 45 CFR 164524 by this means We considered whether to require such notification for different types of requests such as different categories of PHI
eg
billing lab results etc determining whether the individual had already received such notice or providing notification upon each disclosure Instead the Department has proposed to clarify that notification must be provided for each request made by the individual under the individual right of access at 45 CFR 164524 for their ePHI to be transmitted via unsecure email We believe that requiring a regulated entity to determine whether the individual had already received such notification would be more burdensome than incorporating the notification into the access request process and instead have proposed We estimate that this could increase burdens for providing access via unsecure means by approximately one minute per request of this type We lack data to estimate the number of requests for access via unsecure means
pp
Consistent with the requirement that the Secretary adopt security standards that take into account the needs and capabilities of small health care providers and rural health care providers991
the Department considered excepting small and rural health care providers from the requirement to perform penetration testing at proposed 45 CFR 164308h2iii to lower anticipated costs of the rule for such providers The Department estimates that approximately 90 percent of providers are small based on revenue Thus the estimated cost reduction from this exemption as compared to the proposed requirement for all regulated entities would be approximately 266389139 822600 9 3 hours 11994 wage of an information security analyst annually While the Department is aware of the cost implications of this requirement for small and rural health care providers we also believe that penetration testing is a critical component of managing vulnerability to cyberthreats across the health care sector Additionally we believe that setting different requirements for cybersecurity for small and rural health care providers would lead such health care providers to believe that they can limit their investment in cybersecurity Given that a significant amount of health care is provided by small and rural health care providers limiting their investment in cybersecurity would create a sizable gap in security protections Such a gap has the potential to increase such providers attractiveness to cybercriminals
ppThe Department also considered proposing to permit small and rural health care providers to adopt alternate compensating controls in lieu of the specified implementation specifications to meet certain standards After careful consideration the Department concluded that it potentially could be just as costly to identify and adopt compensating controls that are reasonable and appropriate for small and rural health care practices Small and rural health care providers would likely need to either hire personnel or contract with cybersecurity experts to identify potential compensating controls that would meet the relevant standard and provide implementation support Accordingly the Department declines to put forward such proposals at this timepp
The Department considered the requirements of the Federal Information Security Modernization Act FISMA 992
and whether compliance with FISMA by Federal agencies that are also regulated entities would be comparable to meeting the proposals in this NPRM FISMA requires each Federal agency to develop document and implement an agencywide program to provide information security for the information and information systems that support the operations and assets of the agency including those provided or managed by another agency contractor or other source993
After careful consideration the Department does not believe that a regulated entitys compliance with FISMA would necessarily ensure compliance with all applicable proposed requirements in this NPRM because FISMAs requirements and the Security Rules requirements are designed to serve different purposes FISMA primarily focuses on securing Federal information systems while the Security Rule applies specifically to ePHI This NPRM contains specific proposed requirements not found in FISMA which are tailored to ensure the confidentiality integrity and availability of ePHI Therefore although the Department believes that FISMA requirements are consistent with those in the Security Rule and the proposals in this NPRM we decline to propose that compliance with FISMA requirements would be a comparable alternative to compliance with the proposals in this NPRM Instead we believe that FISMA requirements complement the Security Rule and the proposed requirements and will facilitate the ability of regulated entities that are also subject to FISMA to fulfill their compliance with the HIPAA Rules
pp
The Department considered proposing additional modifications to the definition of information system The Security Rule currently defines the term information system as an interconnected set of information resources under the same direct management control that shares common functionality and includes hardware software information data applications communications and people994
This definition is based on the definition of general support system or system in the appendix to the 1996 version of OMB Circular A130 Security of Federal Automated Information Systems995
We considered proposing to remove the phrase under the same direct management control as a potential way to clarify the application of the definition to cloudbased computing Cloud computing applications play an important role in health care today For example many health care providers have implemented cloudbased electronic health records EHRs and practice management systems These applications are used to create receive maintain and transmit ePHI and as such should be included as components of a covered entitys relevant electronic information system a term which is based upon the term information system After careful consideration we have decided to retain the phrase under the same direct
print page 1006
management control and instead clarify in the preamble how the definition of information system applies in cloud computing environments The Department also requests comment on the definition of information system and the extent of control a regulated entity has with respect to applications in cloud computing environments
pp
We also considered proposing to adopt the definition of information system in the Paperwork Reduction Act of 1995 PRA and the current operative version of OMB Circular A130996
The PRA and OMB Circular A130 define information system as a discrete set of information resources organized for the collection processing maintenance use sharing dissemination or disposition of information The Department declined to adopt this definition because the existing definition in the Security Rule based on the definition of system in the 1996 version of OMB Circular A130 more accurately reflects the typical components of an information system and the full extent of resources that are addressed by the Security Rule Additionally the definition of information system in the PRA and current operative version of OMB Circular A130 contains some terms that are defined by the HIPAA Rules and some that are not As a result adopting this definition would require the Department to propose definitions to such additional terms and to ensure that the manner in which the terms with existing definitions are used is consistent with those existing definitions and we are concerned that such change could cause significant confusion for regulated entities
ppWe do not believe that either of the alternative definitions considered would have generated a quantifiable change in costs because the alternatives would be clarifications to existing requirements and would not have changed the scope of the Security Rules applicabilitypp
The Department considered proposing an exception to the MFA authentication requirement that would permit regulated entities in the future to adopt other technologies in lieu of MFA that might offer a more secure method of authenticating user identity997
Based on discussions with cybersecurity experts the Department believes that MFA is likely to remain the most secure method for authenticating user identity in future years It may take different forms but it will still at its core meet the definition of MFA proposed in this NPRM for the foreseeable future998
ppWhile the Department acknowledges that technology will continue to evolve we are unable to predict when and whether future technology will address identity verification and exceed the level of protection offered by MFA This uncertainty renders us unable to articulate requirements specific enough to justify a purposeful exception Because of the uncertainty surrounding new technologies we are also unable to estimate costs of adopting this alternative Our current view is that proposing and codifying such an exception would be premature but we will revisit the proposed specific requirement for MFA if adopted and reconsider the need for an exception should a more secure technology emergeppThe Department considered requiring regulated entities to comply with all of the proposals in this NPRM by the compliance date rather than proposing transition provisions for existing business associate agreements or other contractual arrangements Had the Department taken that approach we would have proposed that regulated entities update all existing business associate agreements by the proposed compliance date to comply with all applicable proposed requirements in this NPRM While the Department believes that many of the proposals in this NPRM are consistent with the Security Rule as it currently exists we are also concerned that too many regulated entities are not currently compliant with the Security Rule Given the demonstrable increase in breaches we believe that it is more important for regulated entities to first improve their cybersecurity posture by coming into compliance with all applicable proposed requirements in this NPRM if adopted Upon doing so the Department anticipates that regulated entities will be better positioned to evaluate their contractual needs and to modify existing business associate agreements For this reason the Department has proposed the transition provisions in proposed 45 CFR 164318 Not allowing for a transition period could have an opportunity cost whereby regulated entities spend their limited time revising business associate agreements instead of enhancing their cybersecurity posture The Department believes that this could result in duplicative costs because some regulated entities may identify the need for additional changes to business associate agreements after they have fully evaluated their changed cybersecurity needs The Department estimates that small regulated entities may be more likely to experience that outcome without a transition period and thus the alternative of no transition period would cause a potential onetime increase in costs of 278332891 1822600 regulated entities 9 1 hour 16968 lawyer hourly wageppRelatedly the Department considered proposing similar transition provisions for group health plans and plan sponsors that would provide these entities with additional time to update plan documents to align with new proposed requirements in this NPRM if adopted However the Department believes that affected plans and plan sponsors would be able to complete any necessary updates by the proposed compliance date The Department believes that updating plan documents is not as complex a task as evaluating potential new contractual needs to meet business associate obligations Additionally plan sponsors do not have Security Rule obligations independent of plan documents and thus would not be obligated to implement the requirements proposed in this NPRM absent updates to the plan documents The result of a transition period for updating plan documents would be merely to delay compliance with the changed Security Rule requirements and therefore delay improvements to their cybersecurity posture not to reduce costs Accordingly we are not proposing such transition provisions in this NPRMpp
The Department has examined the economic implications of this proposed rule as required by the RFA If a rule has a significant economic impact on a substantial number of small entities the RFA requires agencies to analyze regulatory options that would reduce the economic effect of the rule on small entities As discussed in greater detail below this analysis concludes and the Secretary proposes to certify that the proposed rule if finalized would not
print page 1007
result in a significant economic effect on a substantial number of small entities
pp
For purposes of the RFA small entities include small businesses nonprofit organizations and small governmental jurisdictions The Act defines small entities as 1 a proprietary firm meeting the size standards of the SBA 2 a nonprofit organization that is not dominant in its field and 3 a small government jurisdiction of less than 50000 population The Department has determined that roughly 90 percent or more of all health care providers meet the SBA size standard for a small business as shown in table 4 or are a nonprofit organization Therefore the Department estimates that there would be 740348 small entities affected by the proposals in this proposed rule999
The SBA size standard for health care providers ranges between a maximum of 9 million and 47 million in annual receipts depending upon the type of entity as shown in table 4 above1000
pp
With respect to health insurers the SBA size standard is a maximum of 47 million in annual receipts and for pharmacy benefits and clearinghouses it is 455 million1001
While some insurers are classified as nonprofit it is possible they are dominant in their market For example a number of Blue CrossBlue Shield insurers are organized as nonprofit entities and yet they dominate the health insurance market in the States where they are licensed1002
pp
With respect to business associates they provide a wide range of services for covered entities including computer infrastructure clearinghouse activities leased office equipment and professional services such as legal accounting business planning and marketing The SBA size thresholds for these industries ranges from 155 million for lawyers to 47 million for clearinghouses1003
pp
For the reasons stated below the Department does not expect that the cost of compliance would be significant for small entities Nor does the Department expect that the cost of compliance would fall disproportionately on small entities Although many of the regulated entities affected by the proposals in this proposed rule are small entities they would not bear a disproportionate cost burden compared to the other entities subject to the rule The projected total costs are discussed in detail in the RIA The Department does not view this as a substantial burden because the result of the changes would be annualized costs per regulated entity of approximately 1235 23 billion 1004
1822600 regulated entities The perentity costs represent the costs per establishment As a result smaller entities costs are lower because they have fewer establishments Larger regulated entities
ie
firms that have multiple facilities
ie
establishments would experience higher costs than the average cost per establishment because each firm would need to apply the proposals to all of their establishments In the context of the RFA HHS generally considers an economic impact exceeding 3 percent of annual revenue to be significant and 5 percent or more of the affected small entities within an identified industry to represent a substantial number
pp
More than 5 percent of the small covered entities listed under the NAICS codes in table 4 are oneestablishment firms with fewer than five employees1005
so the analysis must determine how the effects of the quantified costs on oneestablishment firms compare to their revenues As explained above the cost for a oneestablishment firm is 1235 so only small firms whose revenues are below 41167 1235003 would experience an effect exceeding 3 percent
ppAmong the NAICS codes for health care providers the small firms with the lowest revenues are oneestablishment HMO Health Maintenance Organization Medical Centers NAICS 621491 with fewer than five employees which had an estimated average yearly revenue in 2021 of 108000 Residential Intellectual and Developmental Disability Facilities NAICS 623210 had the second lowest revenues for oneestablishment firms with fewer than five employees with 180000 Offices of Mental Health Practitioners NAICS 621330 have the third lowest revenues for oneestablishment firms with fewer than five employees with 189000 Thus the Department believes that almost all regulated entities have annual revenues that exceed these amountsppThe Department acknowledges that there may be very small firmsnamely firms without employeeswhose revenues are below 41167 We believe that such firms would comply with the regulation by purchasing services from software and webhosting companies whose costs may increase as a result of the proposed changes Such software and webhosting companies would be business associates and thus costs to them are already accounted for We believe that to the extent that these business associates decide to recover their minor cost increases by raising the prices of the services sold to nonemployer firms these incremental costs passed through to their smallfirm customers would be negligible because they will be spread among many nonemployer firmspp
The Department has separately analyzed the effects of the NPRM on health plan sponsors and does not view the projected costs as a significant burden because the proposed changes would result in annualized costs per plan sponsor of approximately 6133 4552995816742411 health plan sponsors The quantified impact of 6133 per health plan sponsor would only apply to those sponsors whose annual revenue is 204433 or less1006
The Department believes there are few if any group health plan sponsors with annual revenues below this amount because the average revenue of a US business with 14 employees is 387000 1007
and employers with 01 employees are unlikely to sponsor a group health plan
pp
Accordingly the Department believes that this proposed rule if adopted would be unlikely to affect a substantial
print page 1008
number of small entities that meet the RFA threshold Thus this analysis concludes and the Secretary proposes to certify that the NPRM would not result in a significant economic effect on a substantial number of small entities
pp
HIPAA requires the Department to consider the needs and capabilities of small and rural health care providers1008
As we explained in our 2003 analysis of the effect of the Security Rule on small and rural health care providers the scalability provisions preclude the need to precisely define those categories1009
We have long considered the effect of our rules on small businesses in the Small Entity Analysis discussed above However because of the breadth of changes proposed in this NPRM the Department has considered more closely how it would affect rural health care providers There are approximately 2000 rural hospitals1010
comprising nearly 30 percent of all hospitals 205774651011
and the Department estimates approximately 7 to 8 percent of all health care providers operate in rural areas counties or micropolitan areas with fewer than 50000 inhabitants See Regulated Entities Affected in Section VA2 Baseline Conditions above
pp
Because rural health care providers are more likely to be small businesses they would be affected in a manner similar to small entities as demonstrated in the Small Entity Analysis above Likewise to the extent that Tribal health care providers are in rural areas which many are1012
our analysis of the effects on rural health care providers generally also applies However Tribal health providers have the benefit of access to centralized supportive services for health IT and EHR adoption which other rural providers may lack1013
A primary barrier to both adoption of health information technology health IT and deployment of cybersecurity safeguards in rural communities is limited access to highspeed internet Rural health care providers such as hospitals have adopted EHRs at a lower rate than nonrural hospitals1014
and thus may also have fewer electronic information systems that are subject to the Security Rule requirements which could ease some burdens of compliance However as EHR adoption has increased in rural hospitals1015
so too have the risks of cybersecurity attacks1016
Rural health care providers are more likely to have limited resources to update legacy information technology IT systems implement new or changed regulatory requirements and respond to large breaches Additionally the health IT workforce is more limited in rural areas which may affect the ability of rural health care providers to access inperson technical assistance Because most rural hospitals are located more than 35 miles from another hospital responding to cyberattacks may be more challenging1017
We request comment on the burdens these proposals would impose on rural health care providers including rural hospitals
pp
Rural health care providers and other regulated entities can avail themselves of grants and incentives to improve broadband access and adoption of health IT1018
For cybersecurity in particular the White House in partnership with private companies announced the availability of direct assistance to rural health care providers on cybersecurity in the form of grants discounts and technical advice1019
Additionally CISA has compiled a list of free services and tools available to regulated entities from private and public sector entities CISA also has published in partnership with the Joint Cyber Defense Collaborative a list of cybersecurity resources especially focused on highrisk communities1020
And the Advanced Research Projects Agency for Health announced plans to invest 50 million to develop an autonomous solution for addressing cyberthreats to assist hospitals in defending their information systems1021
pp
Cybersecurity is as essential for small and rural health care providers and their business associates as it is for large and urban regulated entities The seamless flow of data and increased connectivity means that threats to one health care provider do not affect only that one health care provider regardless of size or location The effects on patient care may be greater in rural environments where fewer alternatives exist if care is delayed or denied as a result of a cyberattack or malfunction1022
As discussed in the preamble the factors described at 45 CFR 164306b2 provide the flexibility for small and rural providers in particular to adopt security measures that are reasonable and appropriate for their circumstances
pp
As required by EO 13132 on Federalism1023
the Department has examined the provisions in the proposed regulation for their effects on the relationship between the Federal Government and the States EO 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule and subsequent final rule that imposes substantial direct requirement costs on State and local governments preempts State law or otherwise has federalism implications In the Departments view the proposed rule would not have any federalism implications
pp
The federalism implications of the Security Rule were also assessed as required by EO 13132 and published as part of the preambles to the final rules on February 20 2003 1024
and January
print page 1009
25 20131025
Regarding preemption HIPAA dictates the relationship between State law and HIPAA regulatory requirements1026
The Health Information Technology for Economic and Clinical Health Act of 2009 HITECH Act provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements1027
As explained by the House report that accompanied the American Recovery and Reinvestment Act of 2009 the HITECH Act would not only apply HIPAAs preemption provisions to the HITECH Act requirements but it would also preserve the HIPAA privacy and security standards to the extent that they are consistent with the HITECH Act1028
pp
A requirement standard or implementation specification adopted in accordance with HIPAA and the HIPAA Rules supersedes any contrary provision of State law subject to certain exceptions1029
Specifically State law would be preempted under the Security Rule only when 1 a regulated entity finds it impossible to comply with both State and Federal requirements or 2 the provision of State law stands as an obstacle to accomplishing and executing the purposes and objectives of the Administrative Simplification provisions or the HITECH Act1030
Although a few States
eg
California and New York have promulgated or are in the process of promulgating regulations pertaining to cybersecurity in health care that may be more stringent than the Security Rule the Department believes that a regulated entity could comply with both sets of requirements by adhering to the more stringent standard Thus in such cases the State law would not be an obstacle to the accomplishment and execution of HIPAA or the HITECH Act
ppThe proposed modifications to the Security Rule would further the Congressional intent to improve the Medicare and Medicaid programs by the development of health information systems that are private and secure The Departments proposals promote the safety efficiency and effectiveness of the health care system by refining the security standards established by Congress and implemented in the 2003 and 2013 Final Rules The statute contemplated that the security measures adopted by all regulated entities including State and local governments would evolve over time in accordance with the security risks they face and the NPRM proposals are in the nature of enhancing these existing requirements Thus the Department does not believe that the rule would impose substantial direct compliance costs on State and local governments that are not required by statuteppThe Department anticipates that the most significant direct costs on State and local governments would be for conducting a Security Rule compliance audit notifying covered entities or business associates as applicable upon activation of a contingency plan notifying covered entities of changes or termination of workforce members access to ePHI deploying MFA removing extraneous software and penetration testing providing or obtaining verification of business associates compliance with technical safeguards updating health plan documents updating policies and procedures and updating workforce training However the costs involved can be attributed to the statutory requirements of the Administrative Simplification provisions of HIPAA and would be similar in kind to those borne by nongovernmentoperated regulated entities which the proposed RIA above addresses in detailppIn considering the principles in and requirements of EO 13132 the Department believes that these proposed modifications to the Security Rule would not significantly affect the rights roles and responsibilities of the States and requests comment on this analysispp
Section 654 of the Treasury and General Government Appropriations Act of 1999 1031
requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family wellbeing If the determination is affirmative then the Department or agency must prepare an impact assessment to address criteria specified in the law This proposed rule is expected to strengthen family wellbeing because it would ensure a baseline of security measures for individuals PHI and medical information and decisions based on that information are at the heart of family decision making If finalized the provisions in this proposed rule may be carried out only by the Federal Government because it would modify Federal law on cybersecurity in health care ensuring that American families have confidence that the privacy of their PHI is secured by consistent safeguards regardless of the State where they are located when health care is provided Such health care privacy and is vital for individuals who seek or access health care
pp
Under the PRA1032
agencies are required to submit to OMB for review and approval any reporting or recordkeeping requirements inherent in a proposed or final rule and are required to publish such proposed requirements for public comment To fairly evaluate whether an information collection should be approved by the OMB section 3506c2A of the PRA requires that the Department solicit comment on the following issues
pp1 Whether the information collection is necessary and useful to carry out the proper functions of the agencypp2 The accuracy of the agencys estimate of the information collection burdenpp3 The quality utility and clarity of the information to be collectedpp4 Recommendations to minimize the information collection burden on the affected public including automated collection techniquesppThe PRA requires consideration of the time effort and financial resources necessary to meet the information collection requirements referenced in this section The Department solicits public comments on its assumptions and burden estimates in this NPRM as summarized belowpp
In this RIA the Department proposes to revise certain information collection requirements associated with this NPRM and as such would revise the information collection last prepared in 2024 and approved under OMB control 094500031033
The proposed revisions to the information collection describe all new and adjusted information
print page 1010
collection requirements for regulated entities pursuant to the implementing regulation for HIPAA at 45 CFR parts 160 and 164 the HIPAA Privacy Security Breach Notification and Enforcement Rules HIPAA Rules
ppThe estimated annual labor burden presented by the regulatory modifications is 77067552 burden hours at a firstyear cost of 9314106174 These figures respectively represent the sum of 37781637 new burden hours at a cost of 4655324954 for compliance by regulated entities and 39285915 new burden hours at a cost of 4658781219 for compliance by health plan sponsorspp
The overall total burden for respondents to comply with the information collection requirements of all of the HIPAA Privacy Security and Breach Notification Rules including new burdens presented by proposed program changes is estimated to be 925144023 burden hours at a cost of 109085104674 plus 163499411 in capital costs for a total estimated annual burden of 109248604085 after the effective date of the final rule This estimate is based on a total of 1202562864 responses for a total of 2565011 respondents The total burden for the HIPAA Rules including the changes proposed in this NPRM would result in a decrease of 28838213 burden hours and a cost increase of 1911898144 in comparison to the baseline in the ICR associated with the 2024 Privacy Rule to Support Reproductive Health Care Privacy1034
This is the result of multiples changes such as decreasing burden hours for some existing requirements increasing the estimated number of covered entities adding new Security Rule requirements and expanding the pool of respondents for the Security Rule by adding requirements for health plan sponsors
ppDetails describing the burden analysis for the proposals associated with this RIA are presented below and explained further in the ICR associated with the NPRMppBelow is a summary of the significant program changes and adjustments proposed since the approved 2024 ICR because the ICR addresses regulatory burdens associated with the full suite of HIPAA Rules the changes and adjustments include updated data and estimates for some provisions of the HIPAA Rules that are not affected by this proposed rule These program changes and adjustments form the bases for the burden estimates presented in the ICR associated with this NPRMpp1 Updating the number of covered entitiespp2 Updating hourly wage ratespp3 Adjusting downward the number of estimated requests for an exception to Federal preemption of State law to the prior baseline of 1 request per yearpp4 Adjusting downward the estimated hourly burden for regulated entities to report security incidents not breaches from 20 hours per monthly report to 10 hours per monthly reportpp5 Updating the number of research disclosuresppIn addition to the adjustments above the Department proposes to add new annual estimated burdens as a result of program changes as followspp1 A burden of 2 hours for each regulated entity to conduct a Security Rule compliance auditpp2 A burden of 2 hours for each business associate including each subcontractor to provide verification of compliance with technical safeguardspp3 A burden of 5 hours for each covered entity to obtain verification of business associates compliance with technical safeguardspp4 A burden of 083 hours for each business associate to obtain verification of subcontractors compliance with technical safeguardspp5 A burden of 1 hour for each regulated entity to provide notification to other regulated entities of workforce members termination of access to ePHIpp6 A burden of 15 hours for each regulated entity to deploy MFApp7 A burden of 45 hours for each regulated entity to perform network segmentationpp8 A burden of 5 hours for approximately 7656 percent of regulated entities to disable unused ports and remove extraneous softwarepp9 A burden of 3 hours for each regulated entity to conduct penetration testingpp10 A burden of 5 hours for each regulated entity to notify covered entities or business associates as applicable upon activation of a contingency planpp11 A burden of 5 hours for each insurer and thirdparty administrator to update health plan documentspp12 A burden of 2 hours for each regulated entity to update the content of its cybersecurity awareness and Security Rule training programpp13 A burden of 35 hours for each regulated entity to update its policies and procedurespp14 A burden of 1 hour for each regulated entity to update business associate agreementspp15 A burden of 5292 hours for each health plan sponsor to modify safeguards for its relevant electronic information systems to meet Security Rule standardsppFor the reasons stated in the preamble the Department of Health and Human Services proposes to amend 45 CFR subtitle A subchapter C parts 160 and 164 as set forth belowpp1 The authority citation for part 160 continues to read as follows pp
Authority
42 USC 1302a 42 USC 1320d1320d9 sec 264 Pub L 104191 110 Stat 20332034 42 USC 1320d2 note 5 USC 552 secs 1340013424 Pub L 1115 123 Stat 258279 and sec 1104 of Pub L 111148 124 Stat 146154
pp2 Amend 160103 by revising the definition of Electronic media to read as follows pp
Electronic media
means
pp
1 Electronic storage material on which data may be recorded maintained or processed This includes but is not limited to hard drives
print page 1011
removable media magnetic tape optical disk and any other form of digital memory or storage
pp2 Transmission media used to exchange information already in electronic storage material Transmission media includes but is not limited to the internet extranet or intranet leased lines dialup lines private and public networks and the physical movement of removabletransportable electronic storage materialpp1 The authority citation for part 164 continues to read as follows pp
Authority
42 USC 1302a 42 USC 1320d1320d9 sec 264 Pub L 104191 110 Stat 20332034 42 USC 1320d2note and secs 1340013424 Pub L 1115 123 Stat 258279
pp2 Revise and republish subpart C to read as follows ppAppendix A to Subpart C of Part 164Security Standards Matrixpp
Authority
42 USC 1320d2 and 1320d4 42 USC 17931
ppA covered entity or business associate must comply with the applicable standards implementation specifications and requirements of this subpart with respect to electronic protected health information of a covered entityppAs used in this subpart the following terms have the following meaningspp
Access
means the ability or the means necessary to read write modify delete transmit or communicate datainformation or otherwise use any component of an information system This definition applies to access as used in this subpart not as used in subpart D or E of this part
pp
Administrative safeguards
are administrative actions and related policies and procedures to manage the selection development implementation and maintenance including updating and modifying of security measures to protect electronic protected health information and to manage the conduct of the covered entitys or business associates workforce in relation to the protection of that information
pp
Authentication
means the corroboration that a person or technology asset is the one they are claiming to be
pp
Availability
means the property that data or information is accessible and useable upon demand by an authorized person or technology asset
pp
Confidentiality
means the property that data or information is not made available or disclosed to unauthorized persons technology assets or processes
pp
Deploy
means to configure technology for use and implement such technology
pp
Electronic information system
means interconnected set of electronic information resources under the same direct management control that shares common functionality An electronic information system generally includes technology assets such as hardware software electronic media information and data
pp
Encryption
means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
pp
Facility
means the physical premises and the interior and exterior of a buildings
pp
Implement
means to put into effect and be in use operational and function as expected throughout the covered entity or business associate
pp
Information system
means an interconnected set of information resources under the same direct management control that shares common functionality An information system generally includes hardware software information data communications and people
pp
Integrity
means the property that data or information have not been altered or destroyed in an unauthorized manner
pp
Malicious software
means software or firmware intended to perform an unauthorized action or activity that will have adverse impact on an electronic information system andor the confidentiality integrity or availability of electronic protected health information Examples include but are not limited to viruses worms Trojan horses spyware and some forms of adware
pp
Multifactor authentication
means authentication of the users identity through verification of at least two of the following three categories
pp1 Information known by the user including but not limited to a password or personal identification number PINpp2 Item possessed by the user including but not limited to a token or a smart identification cardpp3 Personal characteristic of the user including but not limited to fingerprint facial recognition gait typing cadence or other biometric or behavioral characteristicspp
Password
means confidential authentication information composed of a string of characters such as letters numbers spaces and other symbols
pp
Physical safeguards
are physical measures and related policies and procedures to protect a covered entitys or business associates relevant electronic information systems and related facilities and equipment from natural and environmental hazards and unauthorized intrusion
pp
Relevant electronic information system
means an electronic information system that creates receives maintains or transmits electronic protected health information or that otherwise affects the confidentiality integrity or availability of electronic protected health information
pp
Risk
means the extent to which the confidentiality integrity or availability of electronic protected health information is threatened by a potential circumstance or event
pp
Security
or
security measures
encompass all of the administrative physical and technical safeguards in or applied to an information system
pp
Security incident
means any of the following
pp1 The attempted or successful unauthorized access use disclosure modification or destruction of information in an information systempp2 The attempted or successful unauthorized interference with system operations in an information systempp
Technical controls
means the technical mechanisms contained in the hardware software or firmware components of an electronic information system that are primarily implemented and executed by the electronic information system to protect the information system and data therein
pp
Technical safeguards
means the technology technical controls and related policies and procedures governing the use of the technology that protects and controls access to electronic protected health information
pp
Technology asset
means the components of an electronic information system including but not
print page 1012
limited to hardware software electronic media information and data
pp
Threat
means any circumstance or event with the potential to adversely affect the confidentiality integrity or availability of electronic protected health information
pp
User
means a person with authorized access
pp
Vulnerability
means a flaw or weakness in an information system information system security procedures design implementation or technical controls that could be intentionally exploited or accidentally triggered by a threat
pp
Workstation
means an electronic computing device and electronic media stored in its immediate environment Workstation includes but is not limited to the following types of devices a server desktop computer laptop computer virtual device and mobile device such as a smart phone or tablet
pp
a
General requirements
Each covered entity and business associate must do the following with respect to all electronic protected health information it creates receives maintains or transmits
pp1 Ensure the confidentiality integrity and availability of the electronic protected health informationpp2 Protect against any reasonably anticipated threats or hazards to the confidentiality integrity or availability of the electronic protected health informationpp3 Protect against any reasonably anticipated uses or disclosures of the electronic protected health information that are not permitted or required under subpart E of this partpp4 Ensure compliance by its workforce with this subpart and all administrative physical and technical safeguards implemented in accordance with this subpartpp
b
Flexibility of approach
1 Covered entities and business associates may use any reasonable and appropriate security measures that allow the covered entity or business associate to implement the standards and implementation specifications as specified in this subpart
pp2 In deciding which security measures to use a covered entity or business associate must take into account all of the following factorsppi The size complexity and capabilities of the covered entity or business associateppii The covered entitys or the business associates technical infrastructure hardware and software security capabilitiesppiii The costs of security measuresppiv The probability and criticality of potential risks to electronic protected health informationppv The effectiveness of the security measure in supporting the resiliency of the covered entity or business associatepp
c
Standards and implementation specifications
A covered entity or business associate must comply with the applicable standards including their implementation specifications as provided in this subpart
ppa A covered entity or business associate must in accordance with 164306 and 164316 implement all of the following administrative safeguards to protect the confidentiality integrity and availability of all electronic protected health information that it creates receives maintains or transmitspp
1
Standard Technology asset inventory
i
General
Conduct and maintain an accurate and thorough written inventory and a network map of the covered entitys or business associates electronic information systems and all technology assets that may affect the confidentiality integrity or availability of electronic protected health information
pp
ii
Implementation specifications
A
Inventory
Develop a written inventory of the covered entitys or business associates technology assets that contains the identification version person accountable and location of each technology asset
pp
B
Network map
Develop a network map that illustrates the movement of electronic protected health information throughout the covered entitys or business associates electronic information systems including but not limited to how electronic protected health information enters and exits such information systems and is accessed from outside of such information systems
pp
C
Maintenance
Review and update the written inventory of technology assets required by paragraph a1iiA of this section and the network map required by paragraph a1iiB of this section in the following circumstances
pp
1 On an ongoing basis but at least once every 12 months
pp
2 When there is a change in the covered entitys or business associates environment or operations that may affect electronic protected health information including but not limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of electronic protected health information a sale transfer merger or consolidation of all or part of the covered entity or business associate with another person a security incident that affects the confidentiality integrity and availability of electronic protected health information and relevant changes in Federal State Tribal or territorial law
pp
2
Standard Risk analysis
i
General
Conduct an accurate and comprehensive written assessment of the potential risks and vulnerabilities to the confidentiality integrity and availability of all electronic protected health information created received maintained or transmitted by the covered entity or business associate
pp
ii
Implementation specifications
A
Assessment
The written assessment must include at a minimum all of the following
pp
1 A review of the technology asset inventory required by paragraph a1iiA of this section and the network map required by paragraph a1iiB of this section to identify where electronic protected health information may be created received maintained or transmitted within the covered entitys or business associates electronic information systems
pp
2 Identification of all reasonably anticipated threats to the confidentiality integrity and availability of electronic protected health information that the covered entity or business associate creates receives maintains or transmits
pp
3 Identification of potential vulnerabilities and predisposing conditions to the covered entitys or business associates relevant electronic information systems
pp
4 An assessment and documentation of the security measures the covered entity or business associate uses to ensure the confidentiality integrity and availability of the electronic protected health information created received maintained or transmitted by the covered entity or business associate
pp
5 A reasonable determination of the likelihood that each threat identified in accordance with paragraph a2iiA
2 of this section will exploit the vulnerabilities identified in accordance with paragraph a2iiA
3 of this section
pp
6 A reasonable determination of the potential impact of each threat identified in accordance with paragraph a2iiA
2 of this section successfully exploiting the vulnerabilities identified in accordance with paragraph a2iiA
3 of this section
print page 1013
pp
7 An assessment of risk level for each threat identified in accordance with paragraph a2iiA
2 of this section and vulnerability identified in accordance with paragraph a2iiA
3 of this section based on the determinations made in accordance with paragraphs a2iiA
5 and
6 of this section
pp
8 An assessment of the risks to electronic protected health information posed by entering into or continuing a business associate contract or other written arrangement with any prospective or current business associate respectively based on the written verification obtained from the prospective or current business associate in accordance with paragraph b1 of this section
pp
B
Maintenance
Review verify and update the written assessment on an ongoing basis but at least once every 12 months and in accordance with paragraph a1iiC
2 of this section in response to a change in the covered entitys or business associates environment or operations that may affect electronic protected health information
pp
3
Standard Evaluation
i
General
Perform a written technical and nontechnical evaluation to determine whether a change in the covered entitys or business associates environment or operations may affect the confidentiality integrity or availability of electronic protected health information
pp
ii
Implementation specifications
A
Performance
Perform a written technical and nontechnical evaluation within a reasonable period of time before making a change in the covered entitys or business associates environment or operations as described in paragraph a1iiC
2 of this section
pp
B
Response
Respond to the written technical and nontechnical evaluation in accordance with the covered entitys or business associates risk management plan required by paragraph a5iiA of this section
pp
4
Standard Patch management
i
General
Implement written policies and procedures for applying patches and updating the configurations of the covered entitys or business associates relevant electronic information systems
pp
ii
Implementation specifications
A
Policies and procedures
Establish written policies and procedures for identifying prioritizing acquiring installing evaluating and verifying the timely installation of patches updates and upgrades throughout the covered entitys or business associates relevant electronic information systems
pp
B
Maintenance
Review and test written policies and procedures required by paragraph a4iiA of this section at least once every 12 months and modify such policies and procedures as reasonable and appropriate
pp
C
Application
Patch update and upgrade the configurations of relevant electronic information systems in accordance with the written policies and procedures required by paragraph a4iiA of this section and based on the results of the covered entitys or business associates risk analysis required by paragraph a2 of this section the vulnerability scans required by 164312h2i the monitoring of authoritative sources required by 164312h2ii and penetration tests required by 164312h2iii within a reasonable and appropriate period of time as follows except to the extent that an exception at paragraph a4iiD of this section applies
pp
1 Within 15 calendar days of identifying the need to patch update or upgrade the configuration of a relevant electronic information system to address a critical risk in accordance with this paragraph a4iiC where a patch update or upgrade is available or where a patch update or upgrade is not available within 15 calendar days of a patch update or upgrade becoming available
pp
2 Within 30 calendar days of identifying the need to patch update or upgrade the configuration of a relevant electronic information system to address a high risk in accordance with this paragraph a4iiC where a patch update or upgrade is available or where a patch update or upgrade is not available within 30 calendar days of a patch update or upgrade becoming available
pp
3 As determined by and documented in the covered entitys or business associates policies and procedures under paragraph a4iiA of this section for all other patches updates and upgrades to the configuration of a relevant electronic information system
pp
D
Exceptions
This paragraph a4iiD applies only to the extent that a covered entity or business associate documents that an exception in this paragraph a4iiD applies and that all other applicable conditions are met
pp
1 A patch update or upgrade to the configuration of a relevant electronic information system is not available to address a risk identified in the risk analysis under paragraph a2 of this section
pp
2 The only available patch update or upgrade would adversely affect the confidentiality integrity or availability of electronic protected health information
pp
E
Alternative measures
Where an exception at paragraph a4iiD of this section applies a covered entity or business associate must document in realtime the existence of an applicable exception and implement reasonable and appropriate compensating controls in accordance with paragraph a4iiF of this section
pp
F
Compensating controls
To the extent that a covered entity or business associate determines that an exception at paragraph a4iiD of this section applies a covered entity or business associate must implement reasonable and appropriate security measures to address the identified risk in a timely manner as required by paragraph a5iiD of this section until a patch update or upgrade that does not adversely affect the confidentiality integrity or availability of electronic protected health information becomes available
pp
5
Standard Risk management
i
General
Implement security measures sufficient to reduce risks and vulnerabilities to all electronic protected health information to a reasonable and appropriate level
pp
ii
Implementation specifications
A
Planning
Establish and implement a written risk management plan for reducing risks to all electronic protected health information including but not limited to those risks identified by the risk analysis under paragraph a2iiA of this section to a reasonable and appropriate level
pp
B
Maintenance
Review the written risk management plan required by paragraph a5iiA of this section at least once every 12 months and as reasonable and appropriate in response to changes in the risk analysis made in accordance with paragraph a2iiB of this section and modify as reasonable and appropriate
pp
C
Priorities
The written risk management plan must prioritize the risks identified in the risk analysis required by paragraph a2iiA of this section based on the risk levels determined by such risk analysis
pp
D
Implementation
Implement security measures in a timely manner to address the risks identified in the covered entitys or business associates risk analysis in accordance with the priorities established under paragraph a5iiC of this section
pp
6
Standard Sanction policy
i
General
Apply appropriate sanctions against workforce members who fail to comply with the security policies and
print page 1014
procedures of the covered entity or business associate
pp
ii
Implementation specifications
A
Policies and procedures
Establish written policies and procedures for sanctioning workforce members who fail to comply with the security policies and procedures of the covered entity or business associate
pp
B
Modifications
Review written sanctions policies and procedures at least once every 12 months and modify as reasonable and appropriate
pp
C
Application
Apply and document appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate in accordance with the written policies and procedures for sanctioning workforce members required by paragraph a6iiA of this section
pp
7
Standard Information system activity review
i
General
Implement written policies and procedures for regularly reviewing records of activity in the covered entitys or business associates relevant electronic information systems
pp
ii
Implementation specifications
A
Policies and procedures
Establish written policies and procedures for retaining and reviewing records of activity in the covered entitys or business associates relevant electronic information systems by persons and technology assets including the frequency for reviewing such records
pp
B
Scope
Records of activity in the covered entitys or business associates relevant electronic information systems by persons andor technology assets include but are not limited to audit trails event logs firewall logs system logs data backup logs access reports antimalware logs and security incident tracking reports
pp
C
Record review
Review records of activity in a covered entitys or business associates relevant electronic information systems by persons and technology assets as often as reasonable and appropriate for the type of report or log and document such review
pp
D
Record retention
Retain records of activity in the covered entitys or business associates relevant electronic information systems by persons and technology assets for a period of time that is reasonable and appropriate for the type of report or log
pp
E
Response
Where a suspected or known security incident is identified during the review required by paragraph a7iiC of this section respond in accordance with the covered entitys or business associates security incident response plan required by paragraph a12iiA
1 of this section
pp
F
Maintenance
Review and test the written policies and procedures required by paragraph a7iiA of this section at least once every 12 months and modify as reasonable and appropriate
pp
8
Standard Assigned security responsibility
In writing identify the security official who is responsible for the development and implementation of the policies and procedures written or otherwise and deployment of technical controls required by this subpart for the covered entity or business associate
pp
9
Standard Workforce security
i
General
Implement written policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and relevant electronic information systems and to prevent those workforce members who are not authorized to have access from obtaining access to electronic protected health information and relevant electronic information systems
pp
ii
Implementation specifications
A
Authorization andor supervision
Establish and implement written procedures for the authorization andor supervision of workforce members who access electronic protected health information or relevant electronic information systems or who work in facilities where electronic protected health information or relevant electronic information systems might be accessed
pp
B
Workforce clearance procedure
Establish and implement written procedures to determine that the access of a workforce member to electronic protected health information or relevant electronic information systems is appropriate in accordance with paragraph a10iiB of this section
pp
C
Modification and termination procedures
1 Establish and implement written procedures in accordance with paragraph a9iiC
2 of this section to terminate a workforce members access to electronic protected health information and relevant electronic information systems and to facilities where electronic protected health information or relevant electronic information systems might be accessed
pp
2 A workforce members access must be terminated as soon as possible but no later than one hour after the employment of or other arrangement with a workforce member ends
pp
D
Notification
1 Establish and implement written procedures in accordance with paragraph a9iiD
2 of this section to notify another covered entity or business associate of a change in or termination of access where the workforce member is or was authorized to access such electronic protected health information or relevant electronic information systems by the covered entity or business associate making the notification
pp
2 Notification must occur as soon as possible but no later than 24 hours after a change in or termination of a workforce members authorization to access electronic protected health information or relevant electronic information systems maintained by such other covered entity or business associate
pp
E
Maintenance
Review and test written policies and procedures required under paragraph a9iiA through D of this section at least once every 12 months and modify as reasonable and appropriate
pp
10
Standard Information access management
i
General
Establish and implement written policies and procedures for authorizing access to electronic protected health information and relevant electronic information systems that are consistent with the applicable requirements of subpart E of this part
pp
ii
Implementation specifications
A
Isolating health care clearinghouse functions
If a health care clearinghouse is part of a larger organization the clearinghouse must establish and implement written policies and procedures that protect the electronic protected health information and relevant electronic information systems of the clearinghouse from unauthorized access by the larger organization
pp
B
Access authorization
Establish and implement written policies and procedures for granting and revising access to electronic protected health information and relevant electronic information systems as necessary and appropriate for each prospective user and technology asset to carry out their assigned functions
pp
C
Authentication management
Establish and implement written policies and procedures for verifying the identities of users and technology assets prior to accessing the covered entitys or business associates relevant electronic information systems including written policies and procedures for implementing multifactor authentication technical controls required by 164312f2ii through v
pp
D
Access determination and modification
Establish and implement written policies and procedures that based upon the covered entitys or the business associates access authorization policies determine document review and modify the access of each user and technology asset to specific components
print page 1015
of the covered entitys or business associates relevant electronic information systems
pp
E
Network segmentation
Establish and implement written policies and procedures that ensure that a covered entitys or business associates relevant electronic information systems are segmented to limit access to electronic protected health information to authorized workstations
pp
F
Maintenance
Review and test the written policies and procedures required by this paragraph a10ii at least once every 12 months and modify as reasonable and appropriate
pp
11
Standard Security awareness training
i
General
Implement security awareness training for all workforce members on protection of electronic protected health information and information systems as necessary and appropriate for the members of the workforce to carry out their assigned functions
pp
ii
Implementation specifications
A
Training
A covered entity or business associate must develop and implement security awareness training for all workforce members that addresses all of the following
pp
1 The written policies and procedures with respect to electronic protected health information required by this subpart as necessary and appropriate for the workforce members to carry out their assigned functions
pp
2 Guarding against detecting and reporting suspected or known security incidents including but not limited to malicious software and social engineering
pp
3 The written policies and procedures for accessing the covered entitys or business associates relevant electronic information systems including but not limited to safeguarding passwords setting unique passwords of sufficient strength to ensure the confidentiality integrity and availability of electronic protected health information and limitations on sharing passwords
pp
B
Timing
A covered entity or business associate must provide security awareness training as follows
pp
1 As required by paragraph a11iiA of this section to each member of its workforce by no later than the compliance date and at least once every 12 months thereafter
pp
2 As required by paragraph a11iiA of this section to each new member of its workforce within a reasonable period of time but no later than 30 days after the person first has access to the covered entitys or business associates relevant electronic information systems
pp
3 On a material change to the policies or procedures required by this subpart to each member of its workforce whose functions are affected by such change within a reasonable period of time but no later than 30 days after the material change occurs
pp
C
Ongoing education
A covered entity or business associate must provide its workforce members ongoing reminders of their security responsibilities and notifications of relevant threats including but not limited to new and emerging malicious software and social engineering
pp
D
Documentation
A covered entity or business associate must document that the training required by paragraph a11iiA of this section and ongoing reminders required by paragraph a11iiC of this section have been provided
pp
12
Standard Security incident procedures
i
General
Implement written policies and procedures to respond to security incidents
pp
ii
Implementation specifications
A
Planning and testing
1 Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the covered entity or business associate will respond to suspected or known security incidents in accordance with paragraph a12iiB of this section
pp
2 Implement written procedures for testing and revising security incident response plans required by paragraph a12iiA
1 of this section
pp
3 Review and test security incident response plans and procedures required by paragraph a12iiA
1 of this section at least once every 12 months document the results of such tests and modify security incident response plans and procedures as reasonable and appropriate
pp
B
Response
1 Identify and respond to suspected or known security incidents
pp
2 Mitigate to the extent practicable harmful effects of security incidents that are suspected or known to the covered entity or business associate
pp
3 Identify and remediate to the extent practicable the root causes of security incidents that are suspected or known to the covered entity or business associate
pp
4 Eradicate the security incidents that are suspected or known to the covered entity or business associate
pp
5 For suspected and known security incidents develop and maintain documentation of investigations analyses mitigation and remediation
pp
13
Standard Contingency plan
i
General
Establish and implement as needed a written contingency plan consisting of written policies and procedures for responding to an emergency or other occurrenceincluding but not limited to fire vandalism system failure natural disaster or security incidentthat adversely affects relevant electronic information systems
pp
ii
Implementation specifications
A
Criticality analysis
Perform and document an assessment of the relative criticality of the covered entitys or business associates relevant electronic information systems and technology assets in its relevant electronic information systems
pp
B
Data backups
Establish and implement written procedures to create and maintain exact retrievable copies of electronic protected health information including verification that the electronic protected health information has been copied accurately
pp
C
Information systems backups
Establish and implement written procedures to create and maintain backups of the covered entitys or business associates relevant electronic information systems including verification of success of backups
pp
D
Disaster recovery plan
1 Establish and implement as needed written procedures to restore loss of the covered entitys or business associates critical relevant electronic information systems and data within 72 hours of the loss
pp
2 Establish and implement as needed written procedures to restore loss of the covered entitys or business associates other relevant electronic information systems and data in accordance with the criticality analysis required by paragraph a13iiA of this section
pp
E
Emergency mode operation plan
Establish and implement as needed written procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode
pp
F
Testing and revision procedures
1 Establish written procedures for testing and revising contingency plans as required by this paragraph a13 in accordance with paragraph a13iiF
2 of this section
pp
2 Review and test contingency plans required by this paragraph a13 at least once every 12 months document the results of such tests and modify such contingency plans as reasonable and appropriate in accordance with the results of those tests
print page 1016
pp
14
Standard Compliance audit
Perform and document an audit at least once every 12 months of the covered entitys or business associates compliance with each standard and implementation specification in this subpart
pp
b1
Standard Business associate contracts and other arrangements
iA A covered entity may permit a business associate to create receive maintain or transmit electronic protected health information on the covered entitys behalf only if the covered entity obtains satisfactory assurances in accordance with 164314a that the business associate will comply with this subpart and verifies that the business associate has deployed technical safeguards in accordance with the requirements of 164312
ppB A covered entity is not required to obtain such satisfactory assurances or verification from a business associate that is a subcontractorppii A business associate may permit a business associate that is a subcontractor to create receive maintain or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances in accordance with 164314a that the subcontractor will comply with the requirements of this subpart and verifies that the business associate that is a subcontractor has deployed technical safeguards in accordance with the requirements of 164312pp
2
Implementation specifications
i
Written contract or other arrangement
Document the satisfactory assurances required by paragraph b1i or ii of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164314a
pp
ii
Written verification
Obtain written verification from the business associate at least once every 12 months that the business associate has deployed the technical safeguards as required by 164312 through both of the following
ppA A written analysis of the business associates relevant electronic information systems by a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of electronic protected health information to verify compliance with each standard and implementation specification in 164312ppB A written certification that the analysis has been performed and is accurate by a person who has the authority to act on behalf of the business associatepp
3
Standard Delegation to business associate
i A covered entity or business associate may permit a business associate to serve as their designated security official
ppii A covered entity or business associate that delegates actions activities or assessments required by this subpart to a business associate remains liable for compliance with all applicable provisions of this subpartppEach covered entity and business associate must in accordance with 164306 and 164316 implement all of the following physical safeguards to protect the confidentiality integrity and availability of all electronic protected health information that it creates receives maintains or transmitspp
a
Standard Facility access controls
1
General
Establish and implement written policies and procedures to limit physical access to all of its relevant electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed
pp
2
Implementation specifications
i
Contingency operations
Establish and implement as needed written procedures that allow facility access in support of the covered entitys or business associates contingency plan required by 164308a13
pp
ii
Facility security plan
Establish and implement written policies and procedures to safeguard all facilities and the equipment therein from unauthorized physical access tampering and theft
pp
iii
Access management and validation procedures
Establish and implement written procedures to authorize and manage a persons access to facilities based on their role or function including visitor management
pp
iv
Physical maintenance records
Establish and implement written policies and procedures to document repairs and modifications to the physical components of a facility that are related to security including but not limited to hardware walls doors locks and security cameras
pp
v
Maintenance
For each facility review and test the written policies and procedures required by this paragraph a2 at least once every 12 months and modify such policies and procedures as reasonable and appropriate
pp
b
Standard Workstation use
1
General
Establish and implement written policies and procedures that govern the use of workstations that access electronic protected health information or the covered entitys or business associates relevant electronic information systems
pp
2
Implementation specifications
i
Policies and procedures
The written policies and procedures must specify all of the following with respect to a workstation that accesses electronic protected health information or the covered entitys or business associates relevant electronic information systems
ppA The functions for which a workstation may be usedppB The manner in which a workstation may be used to perform those functionsppC The physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information including the removal of such workstations from a facility and the movement of such workstations within and outside of a facilitypp
ii
Maintenance
Review and test written policies and procedures at least once every 12 months and modify as reasonable and appropriate
pp
c
Standard Workstation security
Implement and modify physical safeguards for all workstations that access electronic protected health information or relevant electronic information systems to address the written policies and procedures for workstation use required by paragraph b of this section and restrict access to authorized users
pp
d
Standard Technology asset controls
1
General
Establish and implement written policies and procedures that govern the receipt and removal of technology assets that maintain electronic protected health information into and out of a facility and the movement of these assets within the facility
pp
2
Implementation specifications
i
Disposal
Establish and implement written policies and procedures for disposal of electronic protected health information and the technology assets on which it is maintained based on current standards for disposing of such technology assets
pp
ii
Media sanitization
Establish and implement written procedures for removal of electronic protected health information from electronic media such that the electronic protected health information cannot be recovered based on current standards for sanitizing electronic media before the media are made available for reuse
pp
iii
Maintenance
Review and test the written policies and procedures required by paragraphs d2i and ii
print page 1017
of this section at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
ppEach covered entity or business associate must in accordance with 164306 and 164316 implement all of the following technical safeguards including technical controls to protect the confidentiality integrity and availability of all electronic protected health information that it creates receives maintains or transmitspp
a
Standard Access control
1
General
Deploy technical controls in relevant electronic information systems to allow access only to users and technology assets that have been granted access rights
pp
2
Implementation specifications
i
Unique identification
Assign a unique name number andor other identifier for tracking each user and technology asset in the covered entity or business associates relevant electronic information systems
pp
ii
Administrative and increased access privileges
Separate user identities from identities used for administrative and other increased access privileges
pp
iii
Emergency access procedure
Establish and implement as needed written and technical procedures for obtaining necessary electronic protected health information during an emergency
pp
iv
Automatic logoff
Deploy technical controls that terminate an electronic session after a predetermined time of inactivity that is reasonable and appropriate
pp
v
Login attempts
Deploy technical controls that disable or suspend the access of a user or technology asset to relevant electronic information systems after a reasonable and appropriate predetermined number of unsuccessful authentication attempts
pp
vi
Network segmentation
Deploy technical controls to ensure that the covered entitys or business associates relevant electronic information systems are segmented in a reasonable and appropriate manner
pp
vii
Data controls
Deploy technical controls to allow access to electronic protected health information only to those users and technology assets that have been granted access rights to the covered entitys or business associates relevant electronic information systems as specified in 164308a10
pp
viii
Maintenance
Review and test the effectiveness of the procedures and technical controls required by this paragraph a2 at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
b
Standard Encryption and decryption
1
General
Deploy technical controls to encrypt and decrypt electronic protected health information using encryption that meets prevailing cryptographic standards
pp
2
Implementation specification
Encrypt all electronic protected health information at rest and in transit except to the extent that an exception at paragraph b3 of this section applies
pp
3
Exceptions
This paragraph b3 applies only to the electronic protected health information directly affected by one or more of the following exceptions and only to the extent that the covered entity or business associate documents that an exception applies and that all other applicable conditions are met
ppi The technology asset in use does not support encryption of the electronic protected health information consistent with prevailing cryptographic standards and the covered entity or business associate establishes and implements a written plan to migrate electronic protected health information to a technology asset that supports encryption consistent with prevailing cryptographic standards within a reasonable and appropriate period of timeppii An individual requests pursuant to 164524 to receive their electronic protected health information in an unencrypted manner and has been informed of the risks associated with the transmission receipt and storage of unencrypted electronic protected health information This exception does not apply where such individual will receive their electronic protected health information pursuant to 164524 and the technology used by the individual to receive the electronic protected health information is controlled by the covered entity or its business associateppiii During an emergency or other occurrence that adversely affects the covered entitys or business associates relevant electronic information systems in which encryption is infeasible and the covered entity or business associate implements reasonable and appropriate compensating controls in accordance with and determined by the covered entitys or business associates contingency plan under 164308a13ppiv The technology asset in use is a device under section 201h of the Food Drug and Cosmetic Act 21 USC 321h that has been authorized for marketing by the Food and Drug Administration as followsppA Pursuant to a submission received before March 29 2023 provided that the covered entity or business associate deploys in a timely manner any updates or patches required or recommended by the manufacturer of the deviceppB Pursuant to a submission received on or after March 29 2023 where the device is no longer supported by its manufacturer provided that the covered entity or business associate has deployed any updates or patches required or recommended by the manufacturer of the deviceppC Pursuant to a submission received on or after March 29 2023 where the device is supported by its manufacturerpp
4
Alternative measures
i
Alternative measures
Where an exception at paragraph b3 of this section applies a covered entity or business associate must document in realtime the existence of an applicable exception and implement reasonable and appropriate compensating controls in accordance with paragraph b4ii of this section
pp
ii
Compensating controls
A To the extent that a covered entity or business associate determines that an exception at paragraph b3i ii or iii or b3ivA or B of this section applies the covered entity or business associate must secure such electronic protected health information by implementing reasonable and appropriate compensating controls reviewed and approved by the covered entitys or business associates designated Security Official
ppB To the extent that a covered entity or business associate determines that an exception at paragraph b3ivC of this section applies the covered entity or business associate shall be presumed to have implemented reasonable and appropriate compensating controls where the covered entity or business associate has deployed the security measures prescribed and as instructed by the authorized label for the device including any updates or patches recommended or required by the manufacturer of the devicepp
C To the extent that a covered entity or business associate is implementing compensating controls under this paragraph b4ii the implementation and effectiveness of compensating controls must be reviewed documented and signed by the designated Security Official at least once every 12 months or in response to environmental or operational changes whichever is more frequent to continue securing electronic protected health information and relevant electronic information systems
print page 1018
pp
5
Maintenance
Review and test the effectiveness of the technical controls required by this paragraph b at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
c
Standard Configuration management
1
General
Establish and deploy technical controls for securing the covered entitys or business associates relevant electronic information systems and technology assets in its relevant electronic information systems including workstations in a consistent manner and maintain such electronic information systems and technology assets according to the covered entitys or business associates established secure baselines
pp
2
Implementation specifications
i
Antimalware protection
Deploy technology assets andor technical controls that protect all of the covered entitys or business associates technology assets in its relevant electronic information systems against malicious software including but not limited to viruses and ransomware
pp
ii
Software removal
Remove extraneous software from the covered entitys or business associates relevant electronic information systems
pp
iii
Configuration
Configure and secure operating systems and software consistent with the covered entitys or business associates risk analysis under 164308a2
pp
iv
Network ports
Disable network ports in accordance with the covered entitys or business associates risk analysis under 164308a2
pp
v
Maintenance
Review and test the effectiveness of the technical controls required by this paragraph c at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
d
Standard Audit trail and system log controls
1
General
Deploy technology assets andor technical controls that record and identify activity in the covered entitys or business associates relevant electronic information systems
pp
2
Implementation specifications
i
Monitor and identify
The covered entity or business associate must deploy technology assets andor technical controls that monitor in realtime all activity in its relevant electronic information systems identify indications of unauthorized persons or unauthorized activity as determined by the covered entitys or business associates risk analysis under 164308a2 and alert workforce members of such indications in accordance with the policies and procedures required by 164308a7
pp
ii
Record
The covered entity or business associate must deploy technology assets andor technical controls that record in realtime all activity in its relevant electronic information systems
pp
iii
Retain
The covered entity or business associate must deploy technology assets andor technical controls to retain records of all activity in its relevant electronic information systems as determined by the covered entitys or business associates policies and procedures for information system activity review at 164308a7iiA
pp
iv
Scope
Activity includes creating accessing receiving transmitting modifying copying or deleting any of the following
ppA Electronic protected health informationppB Relevant electronic information systems and the information thereinpp
v
Maintenance
Review and test the effectiveness of the technology assets andor technical controls required by this paragraph d at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
e
Standard Integrity
Deploy technical controls to protect electronic protected health information from improper alteration or destruction both at rest and in transit and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
f
Standard Authentication
1
General
Deploy technical controls to verify that a person or technology asset seeking access to electronic protected health information andor the covered entitys or business associates relevant electronic information systems is the one claimed
pp
2
Implementation specifications
i
Information access management policies
Deploy technical controls in accordance with the covered entitys or business associates information access management policies and procedures under 164308a10 including technical controls that require users to adopt unique passwords that are consistent with the current recommendations of authoritative sources
pp
ii
Multifactor authentication
A Deploy multifactor authentication to all technology assets in the covered entitys or business associates relevant electronic information systems to verify that a person seeking access to the relevant electronic information systems is the user that the person claims to be
ppB Deploy multifactor authentication for any action that would change a users privileges to the covered entitys or business associates relevant electronic information systems in a manner that would alter the users ability to affect the confidentiality integrity or availability of electronic protected health informationpp
iii
Exceptions
Deployment of multifactor authentication is not required in any of the following circumstances
ppA The technology asset in use does not support multifactor authentication and the covered entity or business associate establishes and implements a written plan to migrate electronic protected health information to a technology asset that supports multifactor authentication within a reasonable and appropriate period of timeppB During an emergency or other occurrence that adversely affects the covered entitys or business associates relevant electronic information systems or the confidentiality integrity or availability of electronic protected health information in which multifactor authentication is infeasible and the covered entity or business associate implements reasonable and appropriate compensating controls in accordance with its emergency access procedures under paragraph a2iii of this section and the covered entitys or business associates contingency plan under 164308a13ppC The technology asset in use is a device under section 201h of the Food Drug and Cosmetic Act 21 USC 321h that has been authorized for marketing by the Food and Drug Administration as followspp
1 Pursuant to a submission received before March 29 2023 provided that the covered entity or business associate has deployed any updates or patches required or recommended by the manufacturer of the device
pp
2 Pursuant to a submission received on or after March 29 2023 where the device is no longer supported by its manufacturer provided that the covered entity or business associate has deployed any updates or patches required or recommended by the manufacturer of the device
pp
3 Pursuant to a submission received on or after March 29 2023 where the device is supported by its manufacturer
pp
iv
Alternative measures
A
Alternative measures
Where an exception at paragraph f2iii of this
print page 1019
section applies a covered entity or business associate must document in realtime the existence of an applicable exception and implement reasonable and appropriate compensating controls as required by paragraph f2ivB of this section
pp
B
Compensating controls
1 To the extent that a covered entity or business associate determines that an exception at paragraph f2iiiA or B or f2iiiC
1 or
2 of this section applies the covered entity or business associate must secure its relevant electronic information systems by implementing reasonable and appropriate compensating controls reviewed approved and signed by the covered entitys or business associates designated Security Official
pp
2 To the extent that a covered entity or business associate determines that an exception at paragraph f2iiiC
3 of this section applies the covered entity or business associate shall be presumed to have implemented reasonable and appropriate compensating controls where the covered entity or business associate has deployed the security measures prescribed and as instructed by the authorized label for the device including any updates or patches recommended or required by the manufacturer of the device
pp
3 To the extent that a covered entity or business associate is implementing compensating controls under this paragraph f2ivB the effectiveness of compensating controls must be reviewed and documented by the designated Security Official at least once every 12 months or in response to environmental or operational changes whichever is more frequent to continue securing electronic protected health information and its relevant electronic information systems
pp
v
Maintenance
Review and test the effectiveness of the technical controls required by this paragraph f at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
g
Standard Transmission security
Deploy technical controls to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
h
Standard Vulnerability management
1
General
Deploy technical controls in accordance with the covered entitys or business associates patch management policies and procedures required by 164308a4iiA to identify and address technical vulnerabilities in the covered entitys or business associates relevant electronic information systems
pp
2
Implementation specifications
i
Vulnerability scanning
A Conduct automated vulnerability scans to identify technical vulnerabilities in the covered entitys or business associates relevant electronic information systems in accordance with the covered entitys or business associates risk analysis required by 164308a2 or at least once every six months whichever is more frequent
ppB Review and test the effectiveness of the technology assets that conducts the automated vulnerability scans required by paragraph h2iA of this section at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
ii
Monitoring
Monitor authoritative sources for known vulnerabilities on an ongoing basis and remediate such vulnerabilities in accordance with the covered entitys or business associates patch management program under 164308a4
pp
iii
Penetration testing
Perform penetration testing of the covered entitys or business associates relevant electronic information systems by a qualified person
ppA A qualified person is a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of electronic protected health informationppB Penetration testing must be performed at least once every 12 months or in accordance with the covered entitys or business associates risk analysis required by 164308a2 whichever is more frequentpp
iv
Patch and update installation
Deploy technical controls in accordance with the covered entitys or business associates patch management program under 164308a4 to ensure timely installation of software patches and critical updates as reasonable and appropriate
pp
i
Standard Data backup and recovery
1
General
Deploy technical controls to create and maintain exact retrievable copies of electronic protected health information
pp
2
Implementation specifications
i
Data backup
Create backups of electronic protected health information in accordance with the policies and procedures required by 164308a13iiB and with such frequency to ensure retrievable copies of electronic protected health information are no more than 48 hours older than the electronic protected health information maintained in the covered entity or business associates relevant electronic information systems
pp
ii
Monitor and identify
Deploy technical controls that in realtime monitor and alert workforce members about any failures and error conditions of the backups required by paragraph i2i of this section
pp
iii
Record
Deploy technical controls that record the success failure and any error conditions of backups required by paragraph i2i of this section
pp
iv
Testing
Restore a representative sample of electronic protected health information backed up as required by paragraph i2i of this section and document the results of such test restorations at least monthly
pp
j
Standard Information systems backup and recovery
Deploy technical controls to create and maintain backups of relevant electronic information systems and review and test the effectiveness of such technical controls at least once every six months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
a1
Standard Business associate contracts or other arrangements
The contract or other arrangement required by 164308b2 must meet the requirements of paragraph a2i ii or iii of this section as applicable
pp
2
Implementation specifications
i
Business associate contracts
The contract must provide that the business associate will do all of the following
ppA Comply with the applicable requirements of this subpartppB In accordance with 164308b1ii ensure that any subcontractors that create receive maintain or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this sectionppC Report to the covered entity any security incident of which it becomes aware including breaches of unsecured electronic protected health information as required by 164410pp
D Report to the covered entity activation of its contingency plan under 164308a13 without unreasonable
print page 1020
delay and in no case later than 24 hours after activation of the contingency plan
pp
ii
Other arrangements
The covered entity is in compliance with paragraph a1 of this section if it has another arrangement in place that meets the requirements of 164504e3
pp
iii
Business associate contracts with subcontractors
The requirements of paragraphs a2i and ii of this section apply to the contract or other arrangement between a business associate and a subcontractor required by 164308b1ii in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate
pp
b1
Standard Requirements for group health plans
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164504f1ii or iii or as authorized under 164508 a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan
pp
2
Implementation specifications
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to do all of the following
pp
i
Safeguard implementation
Implement the administrative physical and technical safeguards that covered entities and business associates are required to implement under 164308a 164310 and 164312
pp
ii
Separation
Ensure that the adequate separation required by 164504f2iii is supported by the administrative physical and technical safeguards implemented in accordance with paragraph b2i of this section
pp
iii
Agents
Ensure that any agent to whom it provides this information agrees to implement the administrative physical and technical safeguards in accordance with paragraph b2i of this section
pp
iv
Security incident awareness
Report to the group health plan any security incident of which it becomes aware
pp
v
Contingency plan activation
Report to the group health plan activation of its contingency plan adopted in accordance with 164308a13 as required by paragraph b2i of this section without unreasonable delay and in no case later than 24 hours after activation of the contingency plan
pp
a
Standard Documentation
A covered entity or business associate must do all of the following in written form which may be electronic taking into consideration the factors in 164306b
pp1 Document the policies and procedures required to comply with this subpart and how the covered entity or business associate considered the factors at 164306b in the development of such policies and procedurespp2 Document each action activity or assessment required by this subpartpp
b
Implementation specifications
1
Time limit
Retain the documentation required by paragraph a of this section for 6 years from the date of its creation or the date when it last was in effect whichever is later
pp
2
Availability
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains
pp
3
Updates
Review and update documentation at least once every 12 months and within a reasonable and appropriate period of time after a security measure is modified
pp
a
Standard Effect of prior contracts or other arrangements with business associates
Notwithstanding any other provisions of this subpart a covered entity or business associate with respect to a subcontractor may allow a business associate to create receive maintain or transmit electronic protected health information pursuant to a written contract or other arrangement with such business associate that does not comply with 164308b and 164314a only in accordance with paragraph b of this section
pp
b
Implementation specification Deemed compliance
1
Qualification
Notwithstanding other sections of this subpart a covered entity or business associate with respect to a subcontractor is deemed to be in compliance with the documentation and contract requirements of 164308b and 164314a with respect to a particular business associate relationship for the time period set forth in paragraph b2 of this section if both of the following apply
pp
i Prior to DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
such covered entity or business associate with respect to a subcontractor has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of 164308b and 164314a that were in effect on such date
pp
ii The contract or other arrangement is not renewed or modified from DATE 60 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
until DATE 240 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
pp
2
Limited deemed compliance period
A prior contract or other arrangement that meets the qualification requirements at paragraph b1 of this section shall be deemed compliant until the earlier of the following dates
pp
i The date such contract or other arrangement is renewed on or after DATE 240 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
pp
ii DATE 1 YEAR AND 60 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
pp
c
Covered entity and business associate responsibilities
Nothing in this section shall alter the requirements of a covered entity or business associate to comply with applicable provisions of this part other than 164308b and 164314a
ppIf any provision of this subpart is held to be invalid or unenforceable by its terms or as applied to any person or circumstance or stayed pending further agency action it shall be construed so as to give it maximum effect permitted by law unless such holding shall be one of utter invalidity or unenforceability in which event such provision shall be severable from this subpart and shall not affect the remainder thereof or the application of such provision to other persons not similarly situated or to other dissimilar circumstancesppDated December 20 2024ppXavier BecerrappSecretary Department of Health and Human Servicespp1
Subtitle F of title II of HIPAA Pub L 104191 110 Stat 1936 Aug 21 1996 added a new part C to title XI of the Social Security Act of 1935 SSA Public Law 74271 49 Stat 620 Aug 14 1935
see
sections 11711179 of the SSA codified at 42 USC 1320d1320d8 as well as promulgating section 264 of HIPAA codified at 42 USC 1320d2 note which authorizes the Secretary to promulgate regulations with respect to the privacy of individually identifiable health information The Privacy Rule has subsequently been amended pursuant to the Genetic Information Nondiscrimination Act of 2008 title I section 105 Public Law 110233 122 Stat 881 May 21 2008 codified at 42 USC 2000ff and the Health Information Technology for Economic and Clinical Health HITECH Act of 2009 Public Law 1115 123 Stat 226 Feb 17 2009 codified at 42 USC 139w402
pp2
45 CFR part 160 subparts A and C of 45 CFR part 164 For a history of the Security Rule
see
section IIB Regulatory History
pp3
See also
the HIPAA Privacy Rule 45 CFR part 160 and subparts A and E of 45 CFR part 164 HIPAA Breach Notification Rule 45 CFR part 164 subpart D and the HIPAA Enforcement Rule 45 CFR part 160 subparts C through E
pp4
45 CFR 160103 definition of Protected health information
pp5
45 CFR 160103 definition of Individually identifiable health information
pp6
At times throughout this NPRM the Department uses the terms health information or individuals health information to refer generically to health information pertaining to an individual or individuals In contrast the Departments use of the term IIHI refers to a category of health information defined in HIPAA and PHI is used to refer specifically to a category of IIHI that is defined by and subject to the requirements of the HIPAA Rules The HIPAA Rules exclude from the definition of PHI IIHI in employment records held by a covered entity in its role as employer IIHI in education records and certain treatment records covered by the Family Educational Rights and Privacy Act codified at 20 USC 1232g and IIHI regarding a person who has been deceased for more than 50 years 45 CFR 160103 definition of Protected health information
pp7
45 CFR 160103 definition of Electronic protected health information
pp8
See68 FR 8334 Feb 20 2003 and 78 FR 5566 Jan 25 2013
pp9
In this NPRM we and our denote the Department
pp10
See
Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information Office for Civil Rights US Department of Health and Human Services
httpsocrportalhhsgovocrbreachbreachreportjsfpp11
Presidential Memorandum on National Security Memorandum on Critical Infrastructure Security and Resilience National Security MemorandumNSM22 The White House Apr 30 2024
httpswwwwhitehousegovbriefingroompresidentialactions20240430nationalsecuritymemorandumoncriticalinfrastructuresecurityandresilience
Critical infrastructure comprises the physical and virtual assets and systems so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security national economic security or national public health or safety
pp12
Id
charging an SRMA with serving as the primary Federal liaison to their designated critical infrastructure and conducting sectorspecific risk management and resilience activities
pp13
Idpp14
See eg
New York State Register 46 NY Reg 710 Division of Administrative Rules New York State Department of State Oct 2 2024
httpsdosnygovsystemfilesdocuments202410100224pdf
Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits Risk Assessments and Automated Decisionmaking California Privacy Protection Agency Feb 10 2023
httpscppacagovregulationspdfinvitationforcommentspr022023pdf see also
Cal Civ Code Section 1798185
pp15
The NIST Cybersecurity Framework CSF 20 National Institute of Standards and Technology US Department of Commerce Feb 26 2024
httpsdoiorg106028NISTCSWP29pp16
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients US Department of Health and Human Services and the Healthcare Public Health Sector Coordinating Council 2023
https405dhhsgovDocumentsHICPMain508pdfpp17
Start with Security A Guide for Business Federal Trade Commission Aug 2023
httpswwwftcgovsystemfilesftcgovpdf920astartwithsecurityenaug2023508final0pdfpp18
Cybersecurity Performance Goals US Department of Health and Human Services Jan 2024
httpshphcyberhhsgovperformancegoalshtmlpp19
Sec 1174b1 of the SSA 45 CFR 160104
pp20
See
sec 261 of Public Law 104191 110 Stat 1936 codified at 42 USC 1320d note
pp21
See
A Guide to the Rulemaking Process Office of the Federal Register 2011 p 8
httpswwwfederalregistergovuploads201101therulemakingprocesspdfpp22
See78 FR 5566 5569 Jan 25 2013
pp23
See42 USC 1320d4b2
pp24
45 CFR 164306d3i and d3iiA
pp25
45 CFR 164306d3iiB
pp26
See45 CFR 160104c1 which requires the Secretary to provide at least a 180day period for regulated entities to comply with modifications to standards and implementation specifications in the HIPAA Rules
pp27
45 CFR 164314a1
pp28
Public Law 104191 110 Stat 1936 Aug 21 1996 codified at 42 USC 201 note
pp29
See
HR Rep No 104496 at 6667 1996
pp30
Public Law 104191 110 Stat 1936 Aug 21 1996
pp31
Sec 262a of Public Law 104191 110 Stat 2021 Aug 21 1996 codified at 42 USC 1320d
pp32
Sec 261 of Public Law 104191 110 Stat 2021 Aug 21 1996 as amended by sec 1104a of Public Law 111148 124 Stat 146 Mar 23 2010 codified at 42 USC 1320d note
pp33
On a resolution waiving points of order against the Conference Report to HR 3103 members debated an erosion of privacy balanced against the administrative simplification provisions Thus from HIPAAs inception privacy has been a central concern to be addressed as legislative changes eased disclosures of PHI
See
142 Cong Rec H9777 and H9780
pp34
142 Cong Rec S951516 daily ed Aug 2 1996 statement of Sen Simon
pp35
See
HR Rep No 104496 Part 1 at 99100 Mar 25 1996
pp36
See
sec 262a of Public Law 104191 110 Stat 2021 adding section 1172 to the SSA codified at 42 USC 1320d1
see also
section 13404 of the American Recovery and Reinvestment Act ARRA of 2009 Public Law 1115 123 Stat 115 Feb 17 2009 codified at 42 USC 17934 applying privacy provisions and penalties to business associates of covered entities The Department codified the term covered entity and defined it using these three categories of persons 45 CFR 164103
pp37
42 USC 1320d2d2
pp38
42 USC 1320d2d2A
pp39
42 USC 1320d2d2B
pp40
42 USC 1320d2d2C
pp41
Sec 262a of Public Law 104191 110 Stat 2024 adding sec 1173a codified at 42 USC 1320d2a1
pp42
Sec 262a of Public Law 104191 110 Stat 2025 adding sec 1173d codified at 42 USC 1320d2d
pp43
Sec 262a of Public Law 104191 110 Stat 2026 adding sec 1174a codified at 42 USC 1320d3a
pp44
Sec 262a of Public Law 104191 110 Stat 2025 adding sec 1173d1 codified at 42 USC 1320d2d1
pp45
Idpp46
Sec 262a of Public Law 104191 110 Stat 2026 adding sec 1174b1 codified at 42 USC 1320d3
pp47
Sec 1102 of the SSA codified at 42 USC 1302
pp48
Sec 262a of Public Law 104191 110 Stat 2023 adding sec 1172 codified at 42 USC 1320d1
pp49
Idpp50
Title XIII of Division A and title IV of Division B of ARRA of 2009 Public Law 1115 123 Stat 115 Feb 17 2009 codified at 42 USC 201 note
pp51
Id see also
Subtitle B of title XIII of the HITECH Act codified at 42 USC 1791117912 42 USC 300jj3138
pp52
See
HR Rep No 1117 at 74 2009 accompanying HR 629 111th Cong
pp53
HR 629 Energy and Commerce Recovery and Reinvestment Act of 2009 introduced in the House on Jan 22 2009 contained nearly identical provisions to subtitle D of the HITECH Act
pp54
C Stephen Redhead The Health Information Technology for Economic and Clinical Health HITECH Act Congressional Research Service p 8 2009
httpscrsreportscongressgovproductpdfRR401619 id
at 9 Health IT which generally refers to the use of computer applications in medical practice is widely viewed as a necessary and vital component of health care reform
pp55
Subtitle D of title XIII of the HITECH Act codified at 42 USC 17921 42 USC 1793117941 and 42 USC 1795117953
pp56
See
S Rept 1113 111th Cong accompanying S 336 111th Cong at 59 2009
pp57
Sec 13401 of Public Law 1115 123 Stat 260 codified at 42 USC 17931
pp58
Sec 13401a of Public Law 1115 123 Stat 260 codified at 42 USC 17931
pp59
Sec 13401c of Public Law 1115 123 Stat 260 codified at 42 USC 17931
pp60
Sec 13421b of the HITECH Act codified at 42 USC 17951
pp61
Sec 3009a1A of the PHSA as added by sec 13101 of the HITECH Act codified at 42 USC 300jj19a1
pp62
SeePublic Law 116321 134 Stat 5072 adding sec 13412 Jan 5 2021 codified at 42 USC 17941
see also42 USC 17931
et seqpp63
SeePublic Law 116321 134 Stat 5072 adding sec 13412 Jan 5 2021 codified at 42 USC 17941
see also
sec 13401 of Public Law 1115 123 Stat 260 codified at 42 USC 17931 The HITECH Act adopts the same definition of business associate as the HIPAA Rules 45 CFR 160103 definition of Business associate
pp64
The Security Rule is codified at 45 CFR part 160 and subparts A and C of 45 CFR part 164
pp65
See45 CFR 164306a1
pp66
See45 CFR 164306a2
pp67
See45 CFR 164306a3
pp68
See45 CFR 164306a4
pp69
See
sec 262a of Public Law 104191 110 Stat 2025 Aug 21 1996 adding sec 1173d codified at 42 USC 1320d2d
pp70
63 FR 43242 Aug 12 1998
pp71
Id
at 43244
pp72
Id
at 43244 43249 4326061
pp73
Id
at 43249
pp74
See68 FR 8334 8335 Feb 20 2003
pp75
Id see also63 FR 43242 43249 Aug 12 1998
pp76
63 FR 43242 43250 Aug 12 1998
pp77
Idpp78
Id
at 4324950
pp79
Id
at 43250
pp80
45 CFR parts 160 and subparts A and C of 45 CFR part 164 68 FR 8334 Feb 20 2003
pp81
68 FR 8334 8335 837172 Feb 20 2003
pp82
Idpp83
Idpp84
Id
at 8335
pp85
Idpp86
Id
at 8336
pp87
Id
at 8343
pp88
Id
at 8346
pp89
Idpp90
Idpp91
Idpp92
Idpp93
Id
at 8336
pp94
Statement of Organization Functions and Delegations of Authority Centers for Medicare Medicaid Services 68 FR 60694 Oct 23 2003
pp95
Office for Civil Rights Delegation of Authority US Department of Health and Human Services 74 FR 38630 Aug 4 2009
see also
Statement of Organization Functions and Delegations of Authority Centers for Medicare Medicaid Services 74 FR 38663 Aug 4 2009
pp96
75 FR 40868 July 14 2010
pp97
Id
at 40871
pp98
Idpp99
78 FR 5565 Jan 25 2013 In addition to finalizing requirements of the HITECH Act that were proposed in the NPRM the Department adopted modifications to the Enforcement Rule not previously adopted in an earlier interim final rule 74 FR 56123 Oct 30 2009 and to the Breach Notification Rule not previously adopted in an interim final rule 74 FR 42739 Aug 24 2009 The Department also finalized previously proposed Privacy Rule modifications as required by the Genetic Information Nondiscrimination Act of 2008 74 FR 51698 Oct 7 2009
pp100
78 FR 5565 5589 Jan 25 2013
pp101
Sec 13401 of Public Law 1115 123 Stat 260 Feb 17 2009 codified at 42 USC 17931
pp102
78 FR 5565 5590 Jan 25 2013
see also45 CFR 164314a
pp103
78 FR 5565 5589 Jan 25 2013
pp104
68 FR 8334 8341 Feb 20 2003
pp105
78 FR 5565 5589 Jan 25 2013
pp106
Id
at 5590
pp107
Id
citing 45 CFR 164308b
pp108
As technology has evolved and cybercriminals have become more sophisticated protective measures including technology have been developed to prevent and mitigate such risks For example certain health IT may be certified through the ONC Health IT Certification Program as meeting certain criteria that address the security of information created received maintained or transmitted by that health IT
See45 CFR 170550h
pp109
45 CFR 164306b
pp110
45 CFR 164310a1
pp111
45 CFR 164310a2
pp112
National Trends in Hospital and Physician Adoption of Electronic Health Records The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services
httpswwwhealthitgovdataquickstatsnationaltrendshospitalandphysicianadoptionelectronichealthrecordspp113
See
20202025 Federal Health IT Strategic Plan The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 6 Oct 2020
httpswwwhealthitgovsitesdefaultfilespage202010Federal20Health20IT20Strategic20Plan20202025pdfpp114
Among other things the Cures Act provided ONC in collaboration with NIST and other relevant agencies within the Department with the authority to convene publicprivate and publicpublic partnerships to build consensus and develop or support a trusted exchange framework including a common agreement among health information networks nationally The purpose of this work is to ensure full networktonetwork exchange of health information Sec 4003b of Public Law 114255 130 Stat 1165 Dec 13 2016 codified at 42 USC 300jj11c The Cures Act also provides penalties for any developer of certified health IT health information exchange or network and appropriate disincentives for any health care provider determined by the Inspector General to have committed information blocking Sec 4004b2 of Public Law 114255 130 Stat 1165 Dec 13 2016 codified at 42 USC 300jj52
pp115
See
Frequently Asked Question Health Information Exchange The Benefits The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services
httpswwwhealthitgovfaqwhyhealthinformationexchangeimportantpp116
See
Genevieve P Kanter et al Beyond Security PatchesFundamental Incentive Problems in Health Care Cybersecurity JAMA Health Forum Volume 2 Issue 10 p e212969 Oct 8 2021
httpsjamanetworkcomjournalsjamahealthforumfullarticle2784981
Chon Abraham et al Muddling through cybersecurity Insights from the US healthcare industry Business Horizons Volume 62 Issue 4 p 539548 p 539 JulyAug 2019
httpswwwsciencedirectcomsciencearticleabspiiS0007681319300436
Eric Perakslis Responding to the Escalating Cybersecurity Threat to Health Care The New England Journal of Medicine Volume 387 Issue 9 Sept 1 2022
httpswwwnejmorgdoiabs101056NEJMp2205144
Anthony James Cartwright The elephant in the room cybersecurity in healthcare Journal of Clinical Monitoring and Computing Volume 37 Issue 5 p 11231132 Apr 24 2023
httpslinkspringercomarticle101007s10877023010135pp117
Report on Improving Cybersecurity In The Health Care Industry Health Care Industry Cybersecurity Task Force p 1 June 2017
httpswwwphegovpreparednessplanningcybertfdocumentsreport2017pdfpp118
The NIST Cybersecurity Framework CSF 20
supra
note 15
pp119
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16
pp120
Cybersecurity Performance Goals
supra
note 18
pp121
See
20162017 HIPAA Audits Industry Report Office for Civil Rights US Department of Health and Human Services Dec 2020
httpswwwhhsgovsitesdefaultfileshipaaauditsindustryreportpdfpp122
See
sec 262 of Public Law 104191 110 Stat 2023 Aug 21 1996 codified at 42 USC 1320d1f added sec 1172f of the SSA
see also
About NCVHS National Committee on Vital and Health Statistics
wwwncvhshhsgovpp123
See
Letter from NCVHS Chair Jacki Monson to HHS Secretary Xavier Becerra May 10 2022
httpsncvhshhsgovwpcontentuploads202205NCVHSRecommendationstoStrengthenCybersecurityinHC05102022508pdf see also
Letter from NCVHS Chair Jacki Monson to HHS Secretary Xavier Becerra Nov 29 2023
httpsncvhshhsgovwpcontentuploads202401LettertotheSecretaryRecommendationstoStrengthentheHIPAASecurityRule508pdfpp124
42 USC 1320d1f
pp125
Subtitle F of title II of HIPAA Public Law 104191 110 Stat 1936 Aug 21 1996
pp126
Sec 261 of Public Law 104191 110 Stat 2021 Aug 21 1996 as amended by sec 1104a of Public Law 111148 124 Stat 146 Mar 23 2010 codified at 42 USC 1320d note
pp127
See
statement of Sen Simon
supra
note 34
see also
155 Cong Rec H1562 statement of Rep Markey stating that ARRA includes provisions for health IT with builtin privacy and security Implementation of the Health Information Technology for Economic and Clinical Health HITECH Act Hearing Before the House Committee on Energy and Commerce Subcommittee on Health 111th Cong 1112 2010 statement of Rep Schakowsky explaining that the HITECH Act strengthened Federal privacy and security laws to protect personal identifying information from misuse to ensure that individuals would be willing to use electronic records
pp128
Statement of Sen Simon
supra
note 34
pp129
See
section 1173d2 of HIPAA codified at 42 USC 1320d2d2 and section 13401 of ARRA codified at 42 USC 17931a and 45 CFR 164306
pp130
See
Hadi Ghayoomi et al Assessing resilience of hospitals to cyberattack Digital Health p 2 2021
httpsdoiorg10117720552076211059366
Beyond Security PatchesFundamental Incentive Problems in Health Care Cybersecurity
supra
note 116 Jessica Brewer et al An Insight into the Current Security Posture of Healthcare IT A National Security Concern The Institute for Critical Infrastructure Technology p 3 2019
httpswwwicitechorgpostaninsightintothecurrentsecuritypostureofhealthcareitanationalsecurityconcernpp131
Cost of a Data Breach Report 2023 IBM p 13 2023 explaining that the average cost of a health care data breach was 713 million in 2020
httpswwwibmcomreportsdatabreachpp132
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 1415
pp133
Idpp134
An Insight into the Current Security Posture of Healthcare IT A National Security Concern
supra
note 130 p 3
pp135
See eg Caleb J Kumar New Dangers in the New World Cyber Attacks in the Healthcare Industry Intersect Volume 10 No 3 p 3 2017pp136
An Insight into the Current Security Posture of Healthcare IT A National Security Concern
supra
note 130 p 3
pp137
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 2
pp138
Id
at 18
pp139
CISA INSIGHTS Provide Medical Care Is In Critical Condition Analysis and Stakeholder Decision Support to Minimize Further Harm Cybersecurity Infrastructure Security Agency US Department of Homeland Security p 1215 Sept 2021
httpswwwcisagovsitesdefaultfilespublicationsCISAInsightProvideMedicalCareSep2021pdfpp140
Idpp141
See
Assessing resilience of hospitals to cyberattack
supra
note 130 Claire C McGlave et al Hacked to Pieces The Effects of Ransomware Attacks on Hospitals and Patients SSRN Oct 4 2023
httpspapersssrncomsol3paperscfmabstractid4579292pp142
Hacked to Pieces The Effects of Ransomware Attacks on Hospitals and Patients
supra
note 141 p 14
pp143
The 2024 Study on Cyber Insecurity In Healthcare The Cost and Impact on Patient Safety and Care Ponemon Institute p 3 2024 The report sponsored by Proofpoint Inc included survey responses from 648 IT and IT security practitioners at USbased health care organizations
pp144
Id
at p 5
pp145
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 p 1 citing several media reports that attributed patient deaths to cybersecurity attacks
pp146
Id
citing Joseph Marks Ransomware attack might have caused another death The Washington Post Oct 1 2021
httpswwwwashingtonpostcompolitics20211001ransomwareattackmighthavecausedanotherdeath
pp147
Assessing resilience of hospitals to cyberattack
supra
note 130 p 2
pp148
Kerri Reeves Cyberattacks Not a Matter of If but When Radiology Matters MarApr 2024
httpswwwproquestcomscholarlyjournalscyberattacksnotmatterifwhendocview2957757956se2accountid12786pp149
Idpp150
Mitchell Tarka et al The crippling effects of a cyberattack at an academic level 1 trauma center An orthopedic perspective Injury p 10951101 2023
httpspubmedncbinlmnihgov36801172pp151
Idpp152
Assessing resilience of hospitals to cyberattack
supra
note 130 p 13
pp153
See
Paige Minemyer AMA 80 of docs have lost revenue amid disruptions from Change Healthcare cyberattack Fierce Healthcare Apr 10 2024
httpswwwfiercehealthcarecompracticesama80docshavelostrevenueamiddisruptionschangehealthcarecyberattack
AHA survey Change Healthcare cyberattack having significant disruptions on patient care hospitals finances Mar 15 2024
httpswwwahaorgnewsnews20240315ahasurveychangehealthcarecyberattackhavingsignificantdisruptionspatientcarehospitalsfinances see also
Sean Lyngaas Were hemorrhaging money US health clinics try to stay open after unprecedented cyberattack CNN Mar 9 2024
httpswwwcnncom20240309techmedicalsupplychaincybersecurityindexhtmlpp154
Christian Dameff et al Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US JAMA Network Open May 8 2023
httpsjamanetworkcomjournalsjamanetworkopenfullarticle2804585pp155
Idpp156
On July 29 2024 the Department announced that the Office of the National Coordinator for Health Information Technology was being renamed the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology In this NPRM we continue to use ONC for publications cited that predate the renaming of that office 89 FR 60903 July 29 2024
pp157
See eg45 CFR 170315d6 7 12 and 13 For more information on the ONC Health IT Certification Program visit
httpswwwhealthitgovtopiccertificationehrscertificationhealthitpp158
The ONC Health IT Certification Program specifies at 45 CFR 170550h the privacy and security certification framework for Health IT Modules Section 170550h identifies a mandatory minimum set of the certification criteria that ONCAuthorized Certification Bodies ONC ACBs must ensure are also included as part of specific Health IT Modules that are presented for certification
See
Certification Companion Guide Privacy and Security The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services May 7 2024
httpswwwhealthitgovsitesdefaultfiles2015EdCCGPrivacyandSecuritypdfpp159
See45 CFR 171102 definition of Electronic health information
pp160
See eg
Medicare Promoting Interoperability Program 42 CFR 49524 eligible hospitals and critical access hospitals must use certified electronic health record technology CEHRT with limited exceptions to comply with the programs meaningful use requirements Meritbased Incentive Payment System MIPS Promoting Interoperability performance category 42 CFR 4141375 requiring MIPS eligible clinicians to use CEHRT as defined in 42 CFR 4141305 to comply with reporting requirements for the Promoting Interoperability performance category
pp161
See eg
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16
pp162
See eg
The NIST Cybersecurity Framework CSF 20
supra
note 15
pp163
See eg
Cybersecurity Performance Goals
supra
note 18
pp164
See eg
CrossSector Cybersecurity Performance Goals Cybersecurity Infrastructure Security Agency US Department of Homeland Security Mar 2023
httpswwwcisagovsitesdefaultfiles202303CISACPGREPORTv101FINALpdfpp165
See generally45 CFR 164308a The NIST Cybersecurity Framework CSF 20
supra
note 15 Cybersecurity Performance Goals
supra
note 18
pp166
Derrick Tin et al Cyberthreats A primer for health care professionals The American Journal of Emergency Medicine p 182183 Apr 2023
httpsdoiorg101016jajem202304001pp167
SeePublic Law 104191 110 Stat 2021 Aug 21 1996 codified at 42 USC 1320d note Sec 4101 of ARRA Public Law 1115 123 Stat 467 Feb 17 2009 amending sec 1848 of the SSA codified at 42 USC 1395w4
pp168
JaWanna Henry et al ONC Data Brief Adoption of Electronic Health Record Systems among US NonFederal Acute Care Hospitals 20082015 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 May 2016
httpswwwhealthitgovsitesdefaultfilesbriefs2015hospitaladoptiondbv17pdf
A Basic EHR collects information on patient demographics problem lists medication lists and discharge summaries It also includes computerized provider order entry for medications and enables clinicians to view certain reports
Id
at Appendix
pp169
ONC Data Brief Adoption of Electronic Health Record Systems among US NonFederal Acute Care Hospitals 20082015
supra
note 168 p 1 When used here certified EHR Technology means EHR technology that meets the technological capability functionality and security requirements adopted by the Department as certification criteria at 45 CFR part 170
see also
Certified EHR Technology The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services Sept 6 2013
httpswwwcmsgovmedicareregulationsguidancepromotinginteroperabilityprogramscertifiedehrtechnology
In order to efficiently capture and share patient data health care providers need certified electronic health record EHR technology CEHRT that stores data in a structured format Structured data allows health care providers to easily retrieve and transfer patient information and use the EHR in ways that can aid patient care
pp170
See
sec 4003b and 4004b2 of Public Law 114255 130 Stat 1165 Dec 13 2016 codified at 42 USC 300jj11c and 42 USC 300jj52
pp171
Dustin Charles et al ONC Data Brief Interoperability among US Nonfederal Acute Care Hospitals 2014 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 Aug 2015
httpswwwhealthitgovsitesdefaultfilesbriefsoncdatabrief25interoperabilityv16final081115pdfpp172
Meghan Hufstader Gabriel et al ONC Data Brief Interoperable Exchange of Patient Health Information Among US Hospitals 2023 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 May 2024
httpswwwhealthitgovsitesdefaultfiles202405InteroperableExchangeofPatientHealthInformationAmongUSHospitals2023pdfpp173
Wesley Barker et al ONC Data Brief Hospital Capabilities to Enable Patient Electronic Access to Health Information 2021 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 2 and 5 Oct 2022 estimates based on nonFederal acute care hospitals and applications configured to meet the application programming interface API specifications in the hospitals EHR
httpswwwhealthitgovsitesdefaultfiles202212hospitalcapabilitiestoenablepatientaccessONCDB2021Updatedpdfpp174
Catherine Strawley et al ONC Data Brief Hospital Use of APIs to Enable Data Sharing Between EHRs and Apps The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 2 Sept 2023 estimates based on nonFederal acute care hospitals using standardsbased APIs to enable patient access
httpswwwhealthitgovsitesdefaultfiles202309DB68Hospital20Use20of20APIs20to20Enable20Data20Sharing508pdfpp175
See
Determination That A Public Health Emergency Exists Nationwide as the Result of the 2019 Novel Coronavirus Administration for Strategic Preparedness Response US Department of Health and Human Services Jan 31 2020
httpsasprhhsgovlegalPHEPages2019nCoVaspx
Renewal of Determination that a Public Health Emergency Exists As a Result of the Continued Consequences of the Coronavirus Disease 2019 COVID19 Pandemic Administration for Strategic Preparedness Response US Department of Health and Human Services Feb 9 2023
httpsasprhhsgovlegalPHEPagesCOVID199Feb2023aspx
Notification of Enforcement Discretion for Telehealth Remote
Communications During the COVID19 Nationwide Public Health Emergency Office for Civil Rights US Department of Health and Human Services Jan 20 2021
httpswwwhhsgovhipaaforprofessionalsspecialtopicsemergencypreparednessnotificationenforcementdiscretiontelehealthindexhtmlpp176
Yuriy Pylypchuk et al ONC Data Brief Use of Telemedicine among OfficeBased Physicians 2021 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 Mar 2023
httpswwwhealthitgovsitesdefaultfiles202304DB65TelemedicinePhysicians508pdfpp177
Nduma N Basil Health Records Database and Inherent Security Concerns A Review of the Literature Cureus p 3 Oct 11 2022 The increase in networked medical equipment and devices implies that if there is a security breach in the form of hacking then traffic on the network can slow down and interfere with the delivery of healthcare services
httpswwwncbinlmnihgovpmcarticlesPMC9647912pp178
Idpp179
Guidance Document Information for Healthcare Organizations about FDAs Guidance for Industry Cybersecurity for Networked Medical Devices Containing OffTheShelf OTS Software US Food Drug Administration US Department of Health and Human Services Feb 2005
httpswwwfdagovregulatoryinformationsearchfdaguidancedocumentsinformationhealthcareorganizationsaboutfdasguidanceindustrycybersecuritynetworkedmedicalpp180
Elizabeth Gourd Increase in healthcare cyberattacks affecting patients with cancer The Lancet p 1215 Sept 2021
httpsdoiorg101016S1470204521004514pp181
See
Mayo Clinic
httpswwwmayoclinicorgpp182
An ethical hacker is a cybersecurity researcher who uses penetration testing techniques to test an organizations cybersecurity and information technology IT security
See
Ed Tittel How to Become a White Hat Hacker Business News Daily June 17 2024
httpswwwbusinessnewsdailycom10713whitehathackercareerhtmlpp183
See
Foued Badrouchi et al Cybersecurity Vulnerabilities in Biomedical Devices A Hierarchical Layered Framework Internet of Things Use Cases for the Healthcare Industry p 15758 2020
see also
Monte Reel et al Its Way Too Easy to Hack the Hospital Bloomberg Businessweek Nov 2015
httpswwwbloombergcomfeatures2015hospitalhackpp184
See
Cybersecurity Vulnerabilities in Biomedical Devices A Hierarchical Layered Framework
supra
note 183 p 15758
pp185
See also
Its Way Too Easy to Hack the Hospital
supra
note 183 Nicole M Thomasian et al Cybersecurity in the internet of Medical Things Health Policy and Technology Sept 2021
httpsdoiorg101016jhlpt2021100549pp186
Cybersecurity in the internet of Medical Things
supra
note 185
pp187
Idpp188
Idpp189
Idpp190
Report to Congressional Committees Medical Device Cybersecurity Agencies Need to Update Agreement to Ensure Effective Coordination US Government Accountability Office p 1 Dec 2023
httpswwwgaogovassetsd24106683pdfpp191
Medical Device Interoperability US Food Drug Administration US Department of Health and Human Services
httpswwwfdagovmedicaldevicesdigitalhealthcenterexcellencemedicaldeviceinteroperabilitypp192
Guidance for Industry and Food Drug Administration Staff Cybersecurity in Medical Devices Quality System Considerations and Content of Premarket Submissions US Food Drug Administration US Department of Health and Human Services Sept 27 2023
httpswwwfdagovmedia119933downloadpp193
45 CFR 160103 definition of Health care provider
pp194
Where an application developer meets the HIPAA Rules definition of health care provider and engages in standard electronic transactions such as billing an insurance company for its services it is a covered entity for the purposes of the HIPAA Rules including the Security Rule Where an application developer is not regulated under the HIPAA Rules other Federal laws may apply to the application developer or the application such as the FTC Act
See eg
FTC Act codified at 15 USC 4158
pp195
See eg
Kea Turner et al Sharing patientgenerated data with healthcare providers findings from a 2019 national survey Journal of the American Medical Informatics Association p 371376 Nov 12 2020
httpsdoiorg101093jamiaocaa272
Accenture Federal Services Conceptualizing a Data Infrastructure for the Capture Use and Sharing of PatientGenerated Health Data in Care Delivery and Research through 2024 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 5 Jan 2018
httpswwwhealthitgovsitesdefaultfilesoncpghdfinalwhitepaperpdf see also
Jolaade Kalinowski et al Smart device ownership and use of social media wearable trackers and health apps among Black women with hypertension in the United States JMIR Cardio preprint
httpspreprintsjmirorgpreprint59243pp196
See
Conceptualizing a Data Infrastructure for the Capture Use and Sharing of PatientGenerated Health Data in Care Delivery and Research through 2024
supra
note 195 p 1 Asos Mahmood et al mHealth Apps Use and Their Associations With Healthcare DecisionMaking and Health Communication Among Informal Caregivers Evidence From the National Cancer Institutes Health Information National Trends Survey American Journal of Health Promotion p 4052 Jan 2024
httpsjournalssagepubcomhhsnihidmoclcorgdoi10117708901171231202861pp197
See88 FR 75191 Nov 1 2023 Ritu Agarwal et al Augmenting physicians with artificial intelligence to transform healthcare Challenges and opportunities Journal of Economics Management Strategy p 360374 Mar 2024
httpsonlinelibrarywileycomhhsnihidmoclcorgdoi101111jems12555
Becca Beets et al Surveying Public Perceptions of Artificial Intelligence in Health Care in the United States Systematic Review Journal of Medical internet Research 2023
httpsdoiorg10219640337pp198
Michael E Matheny et al Artificial Intelligence in Health Care A Report from the National Academy of Medicine Journal of the American Medical Association p 50910 2020
httpsjamanetworkcomhhsnihidmoclcorgjournalsjamafullarticle2757958pp199
2023 HIMSS Healthcare Cybersecurity Survey Healthcare Information and Management Systems Society p 19 Mar 1 2024
httpswwwhimssorgsiteshdefilesmediafile202403012023himsscybersecuritysurveyxpdfpp200
Id
at 16 Generative AI is a type of software that uses statistical models that generalize the patterns and structures of existing data to either reorganize existing data or create new content Risk In Focus Generative AI And The 2024 Election Cycle Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovsitesdefaultfiles202405ConsolidatedRiskinFocusGenAIElectionsV2508cpdfpp201
2023 HIMSS Healthcare Cybersecurity Survey
supra
note 199 p 22
pp202
See
Lizzie Roehrs CSL Professor explores DNA as data storage University of Illinois UrbanaChampaign The Grainger College of Engineering Coordinated Science Laboratory Aug 25 2020
httpscslillinoisedunewsandmediacslprofessorexploresdnadatastorage
Cheng Kai Lim et al A biological camera that captures and stores images directly into DNA nature communications July 3 2023
httpswwwnaturecomarticless4146702338876w
Devasier Bennet et al Current and emerging opportunities in biological mediumbased computing and digital data storage Nano Select p 883 May 2022
httpsdoiorghhsnihidmoclcorg101002nano202100275pp203
88 FR 75191 Nov 1 2023
pp204
Id
at 75214
pp205
See
HHS Artificial Intelligence AI Strategy AI Council AI Community of Practice US Department of Health and Human Services June 6 2024
httpswwwhhsgovprogramstopicsitesaistrategyindexhtml
About the HHS Office of the Chief Artificial Intelligence Officer OCAIO US Department of Health and Human Services June 6 2024
httpswwwhhsgovprogramstopicsitesaiocaioindexhtml see also
Advancing Governance Innovation and Risk Management for Agency Use of Artificial Intelligence M2410 Office of Management and Budget Executive Office of the President Mar 28 2024
httpswwwwhitehousegovwpcontentuploads202403M2410AdvancingGovernanceInnovationandRiskManagementforAgencyUseofArtificialIntelligencepdfpp206
See eg89 FR 37522 37642 May 6 2024 and 89 FR 1192 1244 Jan 9 2024
pp207
John Riggi The importance of cybersecurity in protecting patient safety American Hospital Association Center for Health Innovation
httpswwwahaorgcentercybersecurityandriskadvisoryservicesimportancecybersecurityprotectingpatientsafety In 2016 PHI was valued at 50 times the worth of financial information on the black market Diane Doebele Koch Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information PHI in the Cyber Age Journal of Health Care Finance p 22 Spring 2016 citing Beth Kutscher Healthcare underspends on Cybersecurity as attacks accelerate Modern Healthcare Mar 3 2016
httpswwwmodernhealthcarecomarticle20160303NEWS160309922healthcareunderspendsoncybersecurityasattacksaccelerate New Dangers in the New World Cyber Attacks in the Healthcare Industry
supra
note 135 p 3 stolen medical data sells for 1020 times more than credit card data
pp208
Gilbert MunozCornejo et al Analyzing the urbanrural divide the role of location time and breach characteristics in US hospital security incidents 20122021 Discover Health Systems June 17 2024
httpslinkspringercomarticle101007s44250024001056textSpecifically2C20our20study20shows20thattrend20of20breaches20over20timepp209
Lynne Coventry et al Cybersecurity in healthcare A narrative review of trends threats and ways forward Maturitas p 46 July 2018
httpswwwmaturitasorgarticleS0378512218301658abstractpp210
Idpp211
See
Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
supra
note 10
pp212
Idpp213
Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2022 Office for Civil Rights US Department of Health and Human Services p 89 2022
httpswwwhhsgovsitesdefaultfilesbreachreporttocongress2022pdfpp214
Change Healthcare is a health care clearinghouse and a subsidiary of UnitedHealth Group
httpswwwchangehealthcarecom
On the morning of Feb 21 2024 Optum another subsidiary of UnitedHealth Group reported that it was experiencing enterprisewide connectivity issues By that afternoon the announcement changed to a network interruption related to a cyber security issue and explained that once Change Healthcare became aware of the outside threat in the interest of protecting our partners and patients we took immediate action to disconnect our systems to prevent further impact
See
Optum Solution Status Optum Inc UnitedHealth Group
httpssolutionstatusoptumcomincidentshqpjz25fn3n7
last accessed on July 16 2024 On Mar 13 2024 the Department announced that it would be initiating an investigation into the incident
See
Letter from OCR Director Melanie Fontes Rainer to Colleagues Mar 13 2024
httpswwwhhsgovsitesdefaultfilescyberattackchangehealthcarepdf
Andrew Witty UnitedHealth Group Chief Executive Officer in his testimony to Congress estimated that the breach of Change Healthcare may involve the PHI of onethird of Americans Hacking Americas Health Care Assessing the Change Healthcare Cyber Attack and Whats Next Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce Hearing Before the Committee on Finance May 1 2024
httpswwwfinancesenategovhearingshackingamericashealthcareassessingthechangehealthcarecyberattackandwhatsnext
Change Healthcare filed its breach report with the Department on July 19 2024 Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
supra
note 10 Change Healthcares breach report currently identifies 100 million individuals as the approximate number of individuals affected
httpsocrportalhhsgovocrbreachbreachreportjsf
However Change Healthcare is still determining the number of individuals affected The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach Change Healthcare Cybersecurity Incident Frequently Asked Questions Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalsspecialtopicschangehealthcarecybersecurityincidentfrequentlyaskedquestionsindexhtmlpp215
internet Crime Report internet Crime Complaint Center Federal Bureau of Investigation p 13 2023
httpswwwic3govMediaPDFAnnualReport2023IC3Reportpdfpp216
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 16
pp217
Chon Abraham et al Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 539548 540
pp218
Ransomware Attacks Surge in 2023 Attacks on Healthcare Sector Nearly Double The Cyber Threat Intelligence Integration Center Office of the Director of National Intelligence Feb 28 2024
httpswwwdnigovfilesCTIICdocumentsproductsRansomwareAttacksSurgein2023pdfpp219
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 14
pp220
Idpp221
Presidential Memorandum on National Security Memorandum on Critical Infrastructure Security and Resilience
supra
note 11
pp222
2024 Data Breach Investigations Report Healthcare Snapshot Verizon Business p 12 May 1 2024 The report describes misdelivery as sending information to the wrong recipient whether by electronic or physical means
httpswwwverizoncombusinessresourcesreportsdbir2024industriesintrohealthcaredatabreachespp223
Press release HHS Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for 475 Million Office for Civil Rights US Department of Health and Human Services Feb 6 2024
httpswwwhhsgovaboutnews20240206hhsofficecivilrightssettlesmaliciousinsidercybersecurityinvestigationhtmlpp224
Press release Snooping in Medical Records by Hospital Security Guards Leads to 240000 HIPAA Settlement Office for Civil Rights US Department of Health and Human Services June 15 2023
httpswwwhhsgovaboutnews20230615snoopingmedicalrecordsbyhospitalsecurityguardsleads240000hipaasettlementhtmlpp225
Remediation and Guidance Hub Falcon Content Update for Windows Hosts CrowdStrike
httpswwwcrowdstrikecomfalconcontentupdateremediationandguidancehubpp226
See
Data Integrity Detecting and Responding to Ransomware and Other Destructive Events NIST Special Publication 180026A National Institute of Standards and Technology US Department of Commerce p 1 Dec 2020
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP180026pdfpp227
Likely eCrime Actor Uses Filenames Capitalizing on July 19 2024 Falcon Sensor Content Issues in Operation Targeting LATAMBased CrowdStrike Customers CrowdStrike Blog July 20 2024
httpswwwcrowdstrikecombloglikelyecrimeactorcapitalizingonfalconsensorissuespp228
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 p 2 explaining that NCVHS conducted an inquiry into whether compliance with the Security Rule had improved since the Department released the results of its 20162017 audit of selected provisions of the Security Rule and found that not much had changed Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 540 There is enough evidence to suggest that US healthcare organizations lack a deliberate organized and comprehensive cyberresilience strategy
pp229
See
Susan Kiser et al Ransomware Healthcare Industry at Risk Journal of Business and Accounting p 6566 Fall 2021 Meghan Hufstader Gabriel Data Breach Locations Types and Associated Characteristics Among US Hospitals American Journal of Managed Care p 78 Feb 2018 Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information PHI in the Cyber Age
supra
note 207 p 2023
pp230
Chris Hayhurst On Guard Staying Vigilant Against Medical Device Vulnerabilities Biomedical Instrumentation Technology Volume 54 Issue 3 p 169 MayJune 2020 Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 2
pp231
2021 HIMSS Healthcare Cybersecurity Survey Healthcare Information and Management Systems Society p 18 Jan 28 2022
httpswwwhimssorgsiteshdefilesmediafile202201282021himsscybersecuritysurveypdfpp232
Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 543
pp233
Id
at 542
pp234
See68 FR 8334 8352 Feb 20 2003 In the preamble to the 2003 Security Rule the Department explained that it had determined that an inventory requirement was unnecessary because it is redundant of other requirements We assumed that covered entities and later all regulated entities would have performed this activity by virtue of having implemented the security measures required under the security management process standard
pp235
Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 542543
pp236
Eric C Reese Healthcares cybersecurity stakes reach alarming levels Health Facilities Management Magazine Volume 76 Issue 8 p 22 Nov 2022
pp237
68 FR 8334 8343 Feb 20 2003
pp238
45 CFR 164308a1iiA
pp239
45 CFR 164308a1iiB 20162017 HIPAA Audits Industry Report
supra
note 121 p 4
pp240
20162017 HIPAA Audits Industry Report
supra
note 121 p 4
pp241
Id
at 11
pp242
Id
at 27
pp243
Id
at 30
pp244
Id
at 27 and 30
pp245
See
OCR News Releases Bulletins Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovocrnewsroomindexhtmlpp246
See
Resolution Agreement Doctors Management Services Inc Office for Civil Rights US Department of Health and Human Services Oct 31 2023
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsdmsracapindexhtml
Press Release HHS Office for Civil Rights Settles Ransomware CyberAttack Investigation Office for Civil Rights US Department of Health and Human Services Oct 31 2023
httpswwwhhsgovaboutnews20231031hhsofficecivilrightssettlesransomwarecyberattackinvestigationhtml see also
Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
supra
note 10
pp247
HHS Office for Civil Rights Settles Ransomware CyberAttack Investigation
supra
note 246
pp248
See
Resolution Agreement Montefiore Medical Center Office for Civil Rights US Department of Health and Human Services Nov 17 2023
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsmontieforeindexhtml
HHS Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for 475 Million
supra
note 223
pp249
Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 541 Start with Security A Guide for Business
supra
note 17
pp250
See45 CFR 164312a1 and e1 PRDS1 and 2 Framework for Improving Critical Infrastructure Cybersecurity Cybersecurity Framework CSF Version 11 National Institute of Standards and Technology US Department of Commerce Apr 16 2018
httpsnvlpubsnistgovnistpubsCSWPNISTCSWP04162018pdf
PRDS01 and 02 The NIST Cybersecurity Framework CSF 20
supra
note 15
pp251
2021 HIMSS Healthcare Cybersecurity Survey
supra
note 231 p 23
pp252
See
Hacking Americas Health Care Assessing the Change Healthcare Cyber Attack and Whats Next
supra
note 214 According to CEO Andrew Witty intruders used compromised credentials to remotely access an application used to enable remote access to desktops which did not have MFA The Departments investigation into the Change Healthcare breach is ongoing and no conclusion has been reached with respect to its cause or whether Change Healthcare was in violation of the Security Rule
pp253
45 CFR 164308a4iiB and 164312a1 The NIST Cybersecurity Framework CSF 20
supra
note 15 Framework for Improving Critical Infrastructure Cybersecurity
supra
note 250
pp254
RSMA The NIST Cybersecurity Framework CSF 20
supra
note 15
pp255
PRIP9 Framework for Improving Critical Infrastructure Cybersecurity
supra
note 250
pp256
45 CFR 164304 definition of Security incident The definition of security incident includes both attempted and successful incidents A successful incident is one in which a threat actor is able to without authorization access use disclose modify or destroy information or interfere with system operations in an information system
pp257
See eg
Montefiore Medical Center
supra
note 248
pp258
University of Texas MD Anderson Cancer Center
v
US Department of Health and Human Services
985 F3d 472 478 5th Cir 2021
pp259
Idpp260
Idpp261
Sec 1173d2B of Pub L 104191 110 Stat 2026 Aug 21 1996 codified at 42 USC 1320d2
pp262
68 FR 8334 8336 Feb 20 2003
pp263
42 USC 17931a 78 FR 5566 Jan 25 2013
pp264
78 FR 5566 Jan 25 2013
pp265
Id
at 5591
pp266
See68 FR 8334 8341 Feb 20 2003
pp267
Id
at 8344
pp268
See
20162017 HIPAA Audits Industry Report
supra
note 121 p 4 Most covered entities failed to meet the requirements for other selected provisions in the audit such as adequately safeguarding protected health information PHI OCR also found that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management Enforcement Highlights Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementdataenforcementhighlightsindexhtmlpp269
See eg
Montefiore Medical Center
supra
note 248 Doctors Management Services Inc
supra
note 246
pp270
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 p 2 detailing the inquiry undertaken by NCVHS into the scope and breadth of security risks and how to best address those challenges
pp271
Idpp272
See42 USC 1320d1f
pp273
See
Letter from NCVHS Chair Jacki Monson 2022
supra note 123
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123
pp274
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 4 citing a survey performed by a College of Healthcare Information Management Executives CHIME as explained at Jill McKeon 32 of Healthcare Organizations Have a Comprehensive Security Program Health IT Security Nov 22 2021
httpshealthitsecuritycomnews32ofhealthcareorganizationshaveacomprehensivesecurityprogram
pp275
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 4
see also
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 1
pp276
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 510
see also
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2
pp277
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 14
pp278
Id
at Appendix p 45
pp279
Id
at Appendix p 46
pp280
Id
at Appendix p 67
pp281
Id
at Appendix p 78
pp282
Id
at 910
pp283
The Department has issued among other things a video presentation on trends in real world cyberattacks a cybersecurity checklist and infographic guidance on ransomware a crosswalk with the NIST CSF and an ongoing series of newsletters on various topics pertaining to cybersecurity
See
Cyber Security Guidance Material Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecurityindexhtmlpp284
See87 FR 19833 Apr 6 2022
pp285
See
proposed 45 CFR 164306b2v
pp286
68 FR 8334 8336 Feb 20 2003
pp287
Id
at 8346
pp288
Id
At that time the Security Rule applied directly only to covered entities As discussed above Congress later extended the application of the Security Rule directly to business associates
pp289
68 FR 8334 8343 Feb 20 2003
pp290
Idpp291
78 FR 5566 5589 Jan 25 2013
pp292
42 USC 1320d2d1Av
pp293
See
Why Health Care is Harder to Access in Rural America US Government Accountability Office May 16 2023 When local hospitals close in rural areas residents have to travel more than 20 miles further to receive common health care and 40 miles further to receive less common health care such as substance use disorder treatment Such rural areas generally have fewer health care providers overall
httpswwwgaogovblogwhyhealthcareharderaccessruralamericapp294
See
A National Staffing Emergency in Rural Health Care American Hospital Association Dec 19 2023
httpswwwahaorgadvancinghealthpodcast20231220nationalstaffingemergencyruralhealthcarepp295
See
Debi Primeau How Small Organizations Handle HIPAA Compliance Journal of the American Health Information Management Association Volume 88 Issue 4 p 1821 19 Apr 2017 Kat Jercich Rural hospitals are more vulnerable to cyberattacksheres how they can protect themselves Healthcare IT News Sept 8 2021
see also
Tami Lichtenberg Recovering from a Cybersecurity Attack and Protecting the Future in Small Rural Health Organizations Oct 4 2023
httpswwwruralhealthinfoorgruralmonitorcybersecurityattackspp296
See
How Small Organizations Handle HIPAA Compliance
supra
note 295 p 19 Rural hospitals are more vulnerable to cyberattacksheres how they can protect themselves
supra
note 295
pp297
Too Small to Be Attacked by Cybercriminals Not So Fast SameDay Surgery Volume 43 Issue 7 July 2019
httpswwwreliasmediacomarticles144561toosmalltobeattackedbycybercriminalsnotsofastpp298
Percent of Hospitals By Type that Possess Certified Health IT Health IT QuickStat 52 Sept 2018
httpswwwhealthitgovdataquickstatspercenthospitalstypepossesscertifiedhealthit
Officebased Physician Electronic Health Record Adoption Health IT QuickStat 50
httpswwwhealthitgovdataquickstatsofficebasedphysicianelectronichealthrecordadoptionpp299
How Small Organizations Handle HIPAA Compliance
supra
note 295 p 19
pp300
See idpp301
Id see also
Recovering from a Cybersecurity Attack and Protecting the Future in Small Rural Health Organizations
supra
note 295
pp302
Too Small to Be Attacked by Cybercriminals Not So Fast
supra
note 297
pp303
Recovering from a Cybersecurity Attack and Protecting the Future in Small Rural Health Organizations
supra
note 295
pp304
Idpp305
Idpp306
See eg
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity The White House June 10 2024
httpswwwwhitehousegovbriefingroomstatementsreleases20240610factsheetbidenharrisadministrationbolstersprotectionsforamericansaccesstohealthcarethroughstrengtheningcybersecurity
How Do Ransomware Attacks Impact Rural Hospitals National Institute for Health Care Management Foundation p 1 2024
httpsnihcmorgassetsarticlesFINALNIHCMRIHannahNeprash20240801132728ushqpdfpp307
How Do Ransomware Attacks Impact Rural Hospitals
supra
note 306 p 2
pp308
Idpp309
Idpp310
Kevin Collier An Illinois hospital is the first health care facility to link its closing to a ransomware attack NBC News June 12 2023
httpswwwnbcnewscomtechsecurityillinoishospitallinksclosureransomwareattackrcna85983pp311
Idpp312
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity
supra
note 306
pp313
See eg
Free Cybersecurity Services and Tools Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovresourcestoolsresourcesfreecybersecurityservicesandtools
Cyber Hygiene Services Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovcyberhygieneservices
Cybersecurity Resources for HighRisk Communities Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovaudienceshighriskcommunitiescybersecurityresourceshighriskcommunitiespp314
See eg45 CFR 164306
pp315
See
sec 261 of Pub L 104191 110 Stat 2021 Aug 21 1996 as amended by sec 1104a of Pub L 111148 124 Stat 146 Mar 23 2010 codified at 42 USC 1320d note
pp316
Idpp317
42 USC 1320d1c1 and 2
pp318
42 USC 1320d1c2B
pp319
See42 USC 1320d7 definition of Standard
pp320
See42 USC 1320d2a1
pp321
65 FR 50312 50320 Aug 17 2000
see also42 USC 1320d2b c and d sec 264c of HIPAA
pp322
65 FR 50312 50320 Aug 17 2000
pp323
45 CFR 160103 definition of Standard
pp324
63 FR 43242 43249 Aug 12 1998 68 FR 8334 8341 Feb 20 2003
pp325
78 FR 5566 558991 569395 Jan 25 2013
pp326
63 FR 43249 Aug 12 1998 68 FR 8341 Feb 20 2003
pp327
42 USC 1320d2d1A
pp328
ANSINISTITL Standard National Institute of Standards and Technology US Department of Commerce Feb 3 2023
httpswwwnistgovprogramsprojectsansinistitlstandardpp329
See
section 13412a of the HITECH Act as amended by section 1 of Public Law 116321 134 Stat 5072 Jan 5 2021 codified at 42 USC 17941a1
pp330
Idpp331
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 Letter from NCVHS Chair Jacki Monson 2023
supra
note 123
pp332
42 USC 1320d1f
pp333
42 USC 1320d1c3Aii
pp334
45 CFR 160103 definition of Electronic media
pp335
78 FR 5566 Jan 25 2013
pp336
Id
at 5576
pp337
Idpp338
Idpp339
A standard telephone line often described as a traditional landline uses circuitswitched voice communication service technologies through the Public Switched Telephone Network The information transmitted through such traditional telephones is not electronic
pp340
VoIP technologies convert audio into a digital signal that is then transmitted over the internet
See
Voice Over internet Protocol VoIP Federal Communications Commission
httpswwwfccgovgeneralvoiceoverinternetprotocolvoippp341
A 2022 report by the Federal Communications Commission stated that the number of fixed retail switchedaccess lines declined over the past three years at a compound annual rate of 123 while interconnected VoIP subscriptions increased at a compound annual growth rate of 07
See
2022 COMMUNICATIONS MARKETPLACE REPORT Federal Communications Commission p 122 Dec 30 2022
httpsdocsfccgovpublicattachmentsFCC22103A1pdfpp342
See
NIST Privacy Framework A Tool for Improving Privacy Through Enterprise Risk Management Version 10 National Institute of Standards and Technology US Department of Commerce p 29 Jan 16 2020 see definition of data processing
httpsnvlpubsnistgovnistpubsCSWPNISTCSWP01162020pdfpp343
See
Maithilee Joshi et al Delegated Authorization Framework for EHR Services Using AttributeBased Encryption IEEE Transactions on Services Computing Volume 14 No 6 p 1 2021 discussing that health care providers are increasingly using Cloudbased EHR services to manage ePHI which increases the possibility of attacks on ePHI
httpsebiquityumbcedugetapublication1126pdf see also
Security Standards Technical Safeguards HIPAA Security Series Office for Civil Rights US Department of Health and Human Services May 2005 revised Mar 2007 The goal of encryption is to protect ePHI from being accessed and viewed by unauthorized users
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityruletechsafeguardspdflanguageespp344
The Department previously acknowledged that information transmitted by a telephone voice response system in response to a telephone request and some voice technology digitally produced from an information system and transmitted by telephone are both covered by this definition See 68 FR 8334 8342 Feb 20 2003 75 FR 40868 40874 July 14 2010 and 78 FR 5566 5575 Jan 25 2013
pp345
78 FR 5566 55755576 Jan 25 2013
pp346
45 CFR 164304 definition of Access
pp347
45 CFR 164304 definition of User
pp348
45 CFR 164304 definition of Security incident
pp349
45 CFR 164308a3i proposed 45 CFR 164308a9i
pp350
45 CFR 164304 definition of Administrative safeguards
pp351
45 CFR 164304 definitions of Administrative safeguards Physical safeguards and Technical safeguards
pp352
See also
Special Publication 80082r3 Guide to Operational Technology Security National Institute of Standards and Technology section 621 p 97 Identity Management and Access Control PRAC discussing the need of organizations to apply authentication controls for users devices and processes within the technology environment September 2023
pp353
While the Department also regulates adoption and meaningful use of certified EHR technology such as the actions of the enduser with respect to having and meaningfully using certified health IT to meet certain requirements such as those requirements for the Promoting Interoperability performance category of the Meritbased Incentive Payment System MIPS sections 1848q2Biv and 1848o2 of the SSA the definitions proposed in this NPRM would apply only to regulated entities compliance with the Security Rule
pp354
University of Texas MD Anderson Cancer Center supra
note 258 p 478
pp355
Idpp356
See
proposed 45 CFR 164308b1i and ii and b2ii
pp357
See
proposed 45 CFR 164312a1
pp358
See
proposed 45 CFR 164312a2iv
pp359
See45 CFR 164310a1
pp360
See45 CFR 164312a1
pp361
45 CFR 164304 definition of Physical safeguards
pp362
See
NIST definition of malware Glossary Computer Security Resource Center National Institute for Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermmalwarepp363
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16
pp364
Id
at 15
pp365
Idpp366
Cybersecurity Performance Goals
supra
note 18
pp367
Idpp368
See
HIPAA and Cybersecurity Authentication Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services June 2023
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterjune2023indexhtmlpp369
Id
citing Implementing PhishingResistant MFA Cybersecurity Infrastructure Security Agency US Department of Homeland Security Oct 2022
httpswwwcisagovsitesdefaultfilespublicationsfactsheetimplementingphishingresistantmfa508cpdf NIST also has issued draft defined characteristics for phishingresistant authenticators
See
David Temoshok et al Digital Identity Guidelines NIST Special Publication 800634 2pd Second Public Draft National Institute of Standards and Technology US Department of Commerce p 36 Aug 21 2024
httpscsrcnistgovpubssp8006342pdpp370
See
proposed 45 CFR 164312f2ii
pp371
See
HIPAA and Cybersecurity Authentication
supra
note 368 citing David Temoshok et al Digital Identity Guidelines NIST Special Publication 800634 Initial Public Draft National Institute of Standards and Technology US Department of Commerce p 17 Dec 2022
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP800634ipdpdf
pp372
NIST defines token as a portable usercontrolled physical device
eg
smart card or memory stick used to store cryptographic information and possibly also perform cryptographic functions
See
NIST definition of token Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce citing Elaine Barker et al Recommendation for Key Management Part 2Best Practices for Key Management Organizations NIST Special Publication 80057 Part 2 Revision 1 National Institute of Standards and Technology US Department of Commerce May 2019
httpscsrcnistgovglossarytermtokentextNIST20SP208002D632D320under20Tokenpossibly20also20perform20cryptographic20functionspp373
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 7
pp374
See
Digital Identity Guidelines Authentication and Lifecycle Management NIST Special Publication 80063B National Institute of Standard and Technology section 533 Use of Biometrics Oct 16 2023
httpspagesnistgov800633sp80063bhtmlsec5
We recognize that some of the example characteristics may not satisfy todays standards however the Department anticipates that they may in the future and proposes that they be included as examples such that regulated entities will be permitted to use them when the relevant standards are updated to allow for such use
pp375
45 CFR 164304 definition of Password
pp376
See45 CFR 164304 definition of Facility
pp377
45 CFR 164306
pp378
See eg
Steve Alder 89 Million Banner Health Data Breach Settlement Gets Final Approval The HIPAA Journal Apr 27 2020
httpswwwhipaajournalcom89millionbannerhealthdatabreachsettlementgetsfinalapproval
describing a settlement to cover claims stemming from an attack on a health systems payment processing system used in the food and beverage outlets of its hospitals
pp379
63 FR 8334 8340 Feb 20 2003
pp380
45 CFR 164308a1iA
pp381
45 CFR 164308a1iB Section 164306a requires regulated entities to comply with four general requirements to protect ePHI
pp382
See
NIST definition of risk Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce citing William Newhouse et al Multifactor Authentication for ECommerce NIST Special Publication 180017 National Institute of Standards and Technology US Department of Commerce July 2019
httpscsrcnistgovglossarytermriskpp383
45 CFR 164304b2iv
pp384
45 CFR 164308a1iiA proposed 45 CFR 164308a2i
pp385
45 CFR 164304 definition of Security or Security measures
pp386
45 CFR 164304 definition of Security or Security measures
pp387
See
NIST definition of firewall Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermfirewallpp388
See generally University of Texas MD Anderson Cancer Center supra
note 258 p 478
pp389
For example in the 2003 Final Rule we explained that in developing technical safeguards the Department proposed technical security services requirements and specific technical security mechanisms with implementation specifications without carving out or limiting these items to policies and procedures about the requirements
See68 FR 8334 8354 Feb 20 2003
pp390
45 CFR 164304 definition of Technical safeguards
pp391
Proposed 45 CFR164308a2iiA
2
pp392
See
NIST definition of threat Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermthreatpp393
See45 CFR 160502 of the 2003 interim final rule 68 FR 18895 18898 Apr 17 2003
pp394
45 CFR 160103 definition of Person
pp395
45 CFR 164304 definition of User
pp396
See
Defending Against Common CyberAttacks Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human
Services Mar 2022
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterfirstquarter2022indexhtmlpp397
Idpp398
Id
The National Vulnerability Database is the US government repository of standardsbased vulnerability management data
See
National Vulnerability Database National Institute of Standards and Technology US Department of Commerce
httpsnvdnistgovpp399
Known Exploited Vulnerabilities Catalog Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovknownexploitedvulnerabilitiescatalogpp400
See
NIST definition of vulnerability Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermvulnerabilitypp401
Proposed 45 CFR 164308a2iiA
7
pp402
Proposed 45 CFR 164308a4i
pp403
Proposed 45 CFR 164312h1
pp404
45 CFR 164304 definition of Workstation
pp405
See eg45 CFR 164310b and c
pp406
See42 USC 1320d2d
pp407
See42 USC 1320d2d2A
pp408
See 42 USC 1320d2d2Bi
pp409
See42 USC 1320d2d2Bii
pp410
See42 USC 1320d2d2C
pp411
The factors are 1 the technical capabilities of records systems used to maintain health information 2 the costs of security measures 3 the need for training 4 the value of audit trails in computerized record systems and 5 the needs and capabilities of small and rural health care providers
See42 USC 1320d2d1Aiv
pp412
See University of Texas MD Anderson Cancer Center supra
note 258 p 478
pp413
68 FR 8334 8343 Feb 20 2023
pp414
See
What is the difference between addressable and required implementation specifications in the Security Rule Office for Civil Rights US Department of Health and Human Services HIPAA FAQ 2020 Dec 28 2022
httpswwwhhsgovhipaaforprofessionalsfaq2020whatisthedifferencebetweenaddressableandrequiredimplementationspecificationsindexhtmlpp415
See45 CFR 164306d3 What is the difference between addressable and required implementation specifications in the Security Rule
supra
note 414
pp416
The Department has consistently attempted to dispel the notion that addressable implementation specifications are optional
See eg
Security 101 for Covered Entities HIPAA Security Series Centers for Medicare Medicaid Services p 6 Nov 2004 revised Mar 2007
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityrulesecurity101pdflanguagees Controlling Access to ePHI For Whose Eyes Only Cybersecurity Newsletter
Office for Civil Rights US Department of Health and Human Services July 14 2021
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewslettersummer2021indexhtml and HIPAA Security Rule Facility Access ControlsWhat are they and how do you implement them Cybersecurity Newsletter
Office for Civil Rights US Department of Health and Human Services
Aug 2024 httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletteraugust2024indexhtmlpp417
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 2
pp418
Id
at Appendix p 4
pp419
Idpp420
Id
at 5
pp421
See68 FR 8334 8336 Feb 20 2003
pp422
68 FR 8334 8341 Feb 20 2003
see also
Jennifer Cawthra et al Data Integrity Identifying and Protecting Assets Against Ransomware and Other Destructive Events NIST Special Publication 180025A National Institute of Standards and Technology US Department of Commerce p 1 Dec 2020 The CIA triad represents the three pillars of information security confidentiality integrity and availability
httpswwwnccoenistgovpublication180025VolAindexhtmlpp423
42 USC 1320d2d2A and C
pp424
Section 164530c includes the Privacy Rule standard and implementation specification for safeguarding PHI It requires covered entities to have in place appropriate administrative physical and technical safeguards to protect the privacy of PHI Additionally it requires covered entities to reasonably safeguard PHI from intentional or unintentional uses or disclosures that violate the Privacy Rule and to limit incidental uses or disclosures made pursuant to a permissible or required use or disclosure of PHI
pp425
42 USC 1320d2d
pp426
Joint Task Force Managing Information Security Risk Organization Mission and Information System View NIST Special Publication 80039 Appendix B National Institute of Standards and Technology US Department of Commerce p B5 Mar 2011
httpsnvlpubsnistgovnistpubsLegacySPnistspecialpublication80039pdfpp427
Ron Ross et al Developing CyberResilient Systems A Systems Security Engineering Approach NIST Special Publication 800160 Volume 2 Revision 1 National Institute of Standards and Technology US Department of Commerce p 1 Dec 2021
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP800160v2r1pdfpp428
Proposed 45 CFR 164308a12i
pp429
Proposed 45 CFR 164308a13i
pp430
Proposed 45 CFR 164308a4i
pp431
Proposed 45 CFR 164312h1
pp432
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 510
pp433
See68 FR 8334 8344 Feb 20 2003
pp434
See45 CFR 164502b and 164514d
pp435
45 CFR 164308a5iiA
pp436
45 CFR 164308a5iiB
pp437
45 CFR 164308a5iiC
pp438
45 CFR 164308a5iiD
pp439
45 CFR 164308a7iiA
pp440
45 CFR 164308a7iiB
pp441
45 CFR 164308b3
pp442
See
proposed revisions to 45 CFR 164316 for a more fulsome discussion of documentation requirements
pp443
See
proposed revisions to 45 CFR 164306c and d for a more fulsome discussion of the distinction between required and addressable implementation specifications
pp444
See
The NIST Cybersecurity Framework CSF 20
supra
note 15
pp445
See78 FR 5566 55725573 Jan 25 2013 explaining reasons for adopting proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of business associate that a business associate includes a subcontractor that creates receives maintains or transmits protected health information on behalf of the business associate
pp446
See eg
OCR information about the Change Healthcare cybersecurity incident Change Healthcare Cybersecurity Incident Frequently Asked Questions US Department of Health and Human Services July 30 2024
httpswwwhhsgovhipaaforprofessionalsspecialtopicschangehealthcarecybersecurityincidentfrequentlyaskedquestionsindexhtmlpp447
See
Guidance on HIPAA Cloud Computing Office for Civil Rights US Department of Health and Human Services A covered entity or business associate that engages a cloud service provider CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity or business associate can appropriately conduct its own risk analysis and establish risk management policies as well as enter into appropriate business associate agreements
httpswwwhhsgovhipaaforprofessionalsspecialtopicshealthinformationtechnologycloudcomputingindexhtmlpp448
Cybersecurity Performance Goals
supra
note 18
pp449
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 5
pp450
See68 FR 8333 8352 Feb 20 2003
pp451
See
Making a List and Checking it Twice HIPAA and IT Asset Inventories Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Aug 25 2020
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewslettersummer2020indexhtmlpp452
Idpp453
See
The NIST Cybersecurity Framework CSF 20
supra
note 15 p 3
pp454
Proposed 45 CFR 164308a1iiA
pp455
Idpp456
See eg
New York State Register
supra
note 14
pp457
Making a List and Checking it Twice HIPAA and IT Asset Inventories
supra
note 451
pp458
Idpp459
NIST defines the Internet of Things as the network of devices that contain the hardware software firmware and actuators which allow the devices to connect interact and freely exchange data and information NIST definition of Internet of Things Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossaryterminternetofthingspp460
See
Guidance on Risk Analysis Office for Civil Rights US Department of Health and Human Services July 22 2019
httpswwwhhsgovhipaaforprofessionalssecurityguidanceguidanceriskanalysisindexhtmllanguageespp461
Id see also
Jeffrey A Marron Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide NIST Special Publication 80066 Revision 2 National Institute of Standards and Technology US Department of Commerce p2884 Feb 2024
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP80066r2pdfpp462
See
Guidance on Risk Analysis
supra
note 460
pp463
See idpp464
See
Security Risk Assessment Tool Office for Civil Rights and Office of the National Coordinator for Health Information Technology US Department of Health and Human Services updated Sept 5 2023
httpswwwhealthitgovtopicprivacysecurityandhipaasecurityriskassessmenttoolpp465
See
HIPAA Security Rule National Institute of Standards and Technology US Department of Commerce Jan 3 2011 updated July 21 2022
httpswwwnistgovprogramsprojectssecurityhealthinformationtechnologyhipaasecurityrulepp466
See
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework Office for Civil Rights US Department of Health and Human Services June 2020
httpswwwhhsgovguidancesitesdefaultfileshhsguidancedocumentsnistcsftohipaasecurityrulecrosswalk02222016finalpdfpp467
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp468
See idpp469
This component of the assessment would be accomplished under the NPRM if adopted through compliance with the proposed standard for technology asset inventory at proposed 45 CFR 164308a1i Under the current Security Rule we consider the technology asset inventory to be a component of the standard for risk analysis
pp470
Risk Analyses vs Gap AnalysesWhat is the difference Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Apr 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewsletterapril2018pdfpp471
Joint Task Force Guide for Conducting Risk Assessments NIST Special Publication 80030 Revision 1 National Institute of Standards and
Technology US Department of Commerce Sept 2012
httpsnvlpubsnistgovnistpubsLegacySPnistspecialpublication80030r1pdfpp472
Id
at Appendix I
see also
Reducing the Significant Risk of Known Exploited Vulnerabilities Cybersecurity Infrastructure Security Agency US Department of Homeland Security Nov 3 2021
httpswwwcisagovsitesdefaultfilespublicationsReducingtheSignificantRiskofKnownExploitedVulnerabilities211103pdfpp473
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 1622
pp474
20162017 HIPAA Audits Industry Report
supra
note 121
pp475
Idpp476
Press Release HHS Office for Civil Rights Settles HIPAA Security Rule Failures for 950000 US Department of Health and Human Services July 1 2024
httpsprodwwwhhsgovcloudhhsgovaboutnews20240701hhsofficecivilrightssettleshipaasecurityrulefailures950000htmlpp477
See
Montefiore Medical Center
supra
note 248
pp478
See
Doctors Management Services Inc
supra
note 246
pp479
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 46
pp480
Proposed 45 CFR 164308a2iiA
pp481
Proposed 45 CFR 164308a2iiA
1
pp482
Proposed 45 CFR 164308a2iiA
2
pp483
Proposed 45 CFR 164308a2iiA
3
pp484
Proposed 45 CFR 164308a2iiA
4
pp485
Proposed 45 CFR 164308a2iiA
5
pp486
Proposed 45 CFR 164308a2iiA
6
pp487
Proposed 45 CFR 164308a2iiA
7
pp488
Proposed 45 CFR 164308a2iiA
8
pp489
See
NCVHS recommendation to test at multiple points in the life cycle of a system including at every significant change throughout the life of the system Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 6
pp490
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 Security Rule Guidance Material Office for Civil Rights US Department of Health and Human Services Feb 16 2024
httpswwwhhsgovhipaaforprofessionalssecurityguidanceindexhtmllanguageespp491
See
Defending Against Common CyberAttacks
supra
note 396
pp492
It may not be reasonable and appropriate for a regulated entity to patch software or update a system configuration where the risk of introducing a change is greater than the status quo risk or where the regulated entity does not own or manage a networked device For example instances where it might not be reasonable and appropriate to patch or update an information system include 1 where a system needs to run continuously for mission critical support and is not patched or updated during its lifetime and 2 where the regulated entitys testing of such patch or update indicates potential adverse impacts or where industry is reporting adverse impacts of such patch or update This does not negate the regulated entitys need to address the vulnerability with a compensating control For example where a hospital discovers a vulnerability on a device that is connected to its network but owned and managed by a business associate the hospital may not have access to install a patch but it should employ a compensating control such as disabling or limiting that devices access to the hospitals network
pp493
See
Guidance on Software Vulnerabilities and Patching Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services June 2018
httpswwwhhsgovsitesdefaultfilesjune2018newslettersoftwarepatchespdfpp494
See
Securing Your Legacy System Security Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Oct 2021
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterfall2021indexhtmlpp495
See
Guidance on Software Vulnerabilities and Patching
supra
note 493
pp496
See
Murugiah Souppaya et al Guide to Enterprise Patch Management Planning Preventive Maintenance for Technology NIST Special Publication 80040 Revision 4 National Institute of Standards and Technology US Department of Commerce Apr 2022
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP80040r4pdfpp497
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 1 Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 89
pp498
An explanation of risk rating is provided above in the discussion of the proposed standard for risk analysis and associated implementation specifications
pp499
Cybersecurity Performance Goals
supra
note 18
pp500
See
proposed 45 CFR 164308a2
pp501
Cybersecurity Performance Goals
supra
note 18
pp502
See
6 Basics of Risk Analysis and Risk Management HIPAA Security Series Volume 2 Paper 6 Centers for Medicare Medicaid Services June 2005 revised Mar 2007
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityruleriskassessmentpdflanguageespp503
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp504
See id
at 18
pp505
See id
at 25
pp506
Idpp507
See
proposed 45 CFR 164306d and 164316b1
pp508
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 27
pp509
See id
at 31
pp510
See idpp511
The 2024 Study on Cyber Insecurity in Health Care The Cost and Impact on Patient Safety and Care
supra
note 143 p 7
pp512
See
How Sanction Policies Can Support HIPAA Compliance Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Oct 2023
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletteroctober2023indexhtmlftn10pp513
68 FR 8334 8347 Feb 20 2003
pp514
65 FR 82462 82747 Dec 28 2000
pp515
68 FR 8334 8347 Feb 20 2003
pp516
65 FR 82462 82562 Dec 28 2000
pp517
See
Security Standards Administrative Safeguards HIPAA Security Series Volume 2 Paper 2 Centers for Medicare Medicaid Services May 2005 revised Mar 2007
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityruleadminsafeguardspdf see also
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 33
pp518
Records of sanction activity should be retained for at least six years
See45 CFR 164316 and 164530e2
pp519
See65 FR 82462 82562 Dec 28 2000
pp520
Idpp521
Idpp522
See
Security Standards Administrative Safeguards
supra
note 517
pp523
See45 CFR 164308a1iiC 164530e1
see also65 FR 82462 82747 Dec 28 2000 All members of a covered entitys workforce are subject to sanctions for violations
pp524
Workstations may also be referred to as endpoints
See
Memorandum on Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response Office of Management and Budget Executive Office of the President p 1 Oct 8 2021
httpswwwwhitehousegovwpcontentuploads202110M2201pdfpp525
See
Security Standards Administrative Safeguards
supra
note 517 p 56
pp526
See id
at 6
pp527
Idpp528
See
Managing Malicious Insider Threats Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Aug 2019
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewslettersummer2019indexhtmlpp529
Idpp530
Idpp531
Idpp532
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 33
pp533
See id
at 34
pp534
See idpp535
See
Security Standards Administrative Safeguards
supra
note 517 p 7
see also
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 3034
pp536
See
Press Release HHS Office for Civil Rights Settles HIPAA Security Rule Failures for 950000 US Department of Health and Human Services July 1 2024
httpsprodwwwhhsgovcloudhhsgovaboutnews20240701hhsofficecivilrightssettleshipaasecurityrulefailures950000htmlpp537
See
Montefiore Medical Center
supra
note 248
pp538
See45 CFR 164308a1iiD
pp539
See
Doctors Management Services Inc
supra
note 246
pp540
Idpp541
See
proposed 45 CFR 164308a12iiB
pp542
See
Security Standards Administrative Safeguards
supra
note 517 p 7
pp543
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp544
See
Press Release City Health Department failed to terminate former employees access to protected health information US Department of Health and Human Services Oct 30 2020
httpspublic3pagefreezercomcontentHHSgov31122020T0851httpswwwhhsgovaboutnews20201030cityhealthdepartmentfailedterminateformeremployeesaccessprotectedhealthinformationhtmlpp545
See
Security Standards Administrative Safeguards
supra
note 517 p 811
pp546
See
Summary of the HIPAA Security Rule US Department of Health and Human Services Oct 19 2022
httpswwwhhsgovhipaaforprofessionalssecuritylawsregulationsindexhtmlpp547
See45 CFR 164502b and 164514d
pp548
See
Security Standards Administrative Safeguards
supra
note 517 p 9
pp549
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp550
See id
at 36
pp551
See
proposed 45 CFR 164308a9i
pp552
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 36
pp553
See idpp554
See
Security Standards Administrative Safeguards
supra
note 517 p 10
pp555
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 37
pp556
See
Insider Threats and Termination Procedures Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Nov 2017
httpswwwhhsgovsitesdefaultfilesnovembercybersecuritynewsletter11292017pdfpp557
See
Managing Malicious Insider Threats
supra
note 528
pp558
Idpp559
See45 CFR 164308a4iiC
pp560
See
Security Standards Administrative Safeguards
supra
note 517 p 1011
pp561
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp562
See
proposed 45 CFR 164308a9iiA
pp563
See
proposed 45 CFR 164308a9iiB
pp564
See
proposed 45 CFR 164308a9iiE
pp565
Cybersecurity Performance Goals
supra
note 18
pp566
See
Security Standards Administrative Safeguards
supra
note 517 p11
pp567
See eg
Resolution Agreement Banner Health Office for Civil Rights US Department of Health and Human Services Dec 20 2022
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsbannerhealthracapindexhtml
Montefiore Medical Center
supra
note 248
pp568
See45 CFR 164502b and 164514d
pp569
See
Press Release OCR Imposes a 215 Million Civil Money Penalty against Jackson Health System for HIPAA Violation US Department of Health and Human Services Oct 19 2019
httpspublic3pagefreezercombrowseHHSgov31122020T0851httpswwwhhsgovaboutnews20191023ocrimposesa215millioncivilmoneypenaltyagainstjhsforhipaaviolationshtml see also
Notice of Proposed Determination Jackson Health System Office for Civil Rights US Department of Health and Human Services July 22 2019
httpspublic3pagefreezercombrowseHHSgov31122020T0851httpswwwhhsgovsitesdefaultfilesjacksonhealthsystemnoticeoffinaldetermination508pdf
Notice of Final Determination Jackson Health System Office for Civil Rights US Department of Health and Human Services Oct 15 2019
httpspublic3pagefreezercombrowseHHSgov31122020T0851httpswwwhhsgovsitesdefaultfilesjacksonhealthsystemnoticeoffinaldetermination508pdfpp570
See
Press Release HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking US Department of Health and Human Services Feb 2 2023
httpswwwhhsgovaboutnews20230202hhsofficeforcivilrightssettleshipaainvestigationwitharizonahospitalsystemhtmlpp571
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp572
45 CFR 160103 definition of Health care clearinghouse
pp573
45 CFR 164500b
see also
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 38
pp574
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 38
pp575
45 CFR 164308a4iiC
pp576
45 CFR 164308a4iiB
pp577
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp578
See45 CFR 164308a3 proposed 45 CFR 164308a9i
pp579
See
proposed 45 CFR 164312f2ii through iv
pp580
See
Train Your Workforce so They Dont Get Caught by a Phish Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services July 2017
httpswwwhhsgovsitesdefaultfilesjuly2017ocrcybernewsletterpdfpp581
See
Training Materials Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalstrainingindexhtmlpp582
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp583
See
Resolution Agreement West Georgia Ambulance Inc Office for Civil Rights US Department of Health and Human Services Dec 23 2019
httpswwwhhsgovsitesdefaultfileswestgeorgiaracappdfpp584
Cybersecurity Performance Goals
supra
note 18
pp585
Idpp586
Proposed 45 CFR 164308a11iiA
1
pp587
Proposed 45 CFR 164308a11iiA
2
pp588
Proposed 45 CFR 164308a11iiA
3 Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 1 Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 67
pp589
45 CFR 164308a5iiA
pp590
Proposed 45 CFR 164308a11iiB
1
pp591
Proposed 45 CFR 164308a11iiB
2
pp592
Proposed 45 CFR 164308a11iiB
3
pp593
See
HIPAA Security Rule Security Incident Procedures Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Oct 2022
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletteroctober2022indexhtmlpp594
Idpp595
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp596
See
Paul Cichonski et al Computer Security Incident Handling Guide Recommendations of the National Institute of Standards and Technology NIST Special Publication 80061 Revision 2 National Institute of Standards and Technology US Department of Commerce Aug 2012
httpswwwnistgovprivacyframeworknistsp80061pp597
The NIST Cybersecurity Framework CSF 20 removed emphasis on Actions regarding a detected cybersecurity incident are taken in original
supra
note 15 p 9
pp598
Idpp599
Proposed 45 CFR 164308a12iiA
1
pp600
See eg
Joint Task Force Security and Privacy Controls for Information Systems and
Organizations NIST Special Publication 80053 Revision 5 National Institute of Standards and Technology US Department of Commerce p 157 Sept 2020
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP80053r5pdfpp601
Cybersecurity Performance Goals
supra
note 18
see also
proposed 45 CFR 164314a2iC
pp602
Cybersecurity Performance Goals
supra
note 18
pp603
Idpp604
See
Computer Security Incident Handling Guide Recommendations of the National Institute of Standards and Technology
supra
note 597
pp605
See eg
New York State Register
supra
note 14 Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits Risk Assessments and Automated Decisionmaking
supra
note 14
see also
Cal Civ Code Section 1798185
pp606
See
Plan A B Contingency Plan Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Mar 2018
httpswwwhhsgovsitesdefaultfilesmarch2018ocrcybernewslettercontingencyplanningpdfpp607
See
Kate Conger et al What Is Crowdstrike New York Times July 19 2024
httpswwwnytimescom20240719businesswhatiscrowdstrikehtmlsearchResultPosition2 see also
Remediation and Guidance Hub Falcon Content Update for Windows Hosts July 31 2024
httpswwwcrowdstrikecomfalconcontentupdateremediationandguidancehubpp608
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
see also
Security Standards Administrative Safeguards
supra
note 517 p 1922
pp609
See
Press Release HHS Office for Civil Rights Settles HIPAA Security Rule Failures for 950000 US Department of Health and Human Services July 1 2024
httpsprodwwwhhsgovcloudhhsgovaboutnews20240701hhsofficecivilrightssettleshipaasecurityrulefailures950000htmlpp610
See
Security Standards Administrative Safeguards
supra
note 517 p 22
pp611
See
proposed 45 CFR 164308a13iiA
pp612
See
Cybersecurity Program Audit Guide GAO23104705 US Government Accountability Office p 1 Sept 28 2023
httpswwwgaogovproductsgao23104705 see also
Security and Privacy Controls for Information Systems and Organizations
supra
note 600
pp613
See
The IIAs Three Lines Model An update of the Three Lines of Defense The Institute of Internal Auditors p 4 Sept 9 2020
httpswwwtheiiaorgglobalassetsdocumentsresourcestheiiasthreelinesmodelanupdateofthethreelinesofdefensejuly2020threelinesmodelupdatedenglishpdfpp614
We believe that health plans that are subject to HIPAA and to the Employee Retirement Income Security Act of 1974 could comply with the proposed compliance audit requirement and follow the Employee Benefits Security Administrations Cybersecurity Program Best Practices which specifies that all such plans have a reliable annual third party audit of security controls Cybersecurity Program Best Practices Employee Benefits Security Administration US Department of Labor p 1 2 Apr 2021
httpswwwdolgov
sitesdolgovfilesebsapdffilesbestpracticespdf
Cybersecurity Guidance Update Employee Benefits Security Administration US Department of Labor Sept 6 2024
httpswwwdolgovagenciesebsakeytopicsretirementbenefitscybersecuritycomplianceassistancerelease202401pp615
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp616
Id
at 54
pp617
Idpp618
See45 CFR 164306a1
pp619
See45 CFR 164308b
pp620
See
proposed 45 CFR 164308b1i and ii
pp621
Idpp622
See
proposed 45 CFR 164308b2ii
pp623
Idpp624
Proposed 45 CFR 164308b2iiA
pp625
Idpp626
Proposed 45 CFR 164308b2iiB
pp627
Cybersecurity Performance Goals
supra
note 18
see also
proposed 45 CFR 164308b2i
pp628
Cybersecurity Performance Goals
supra
note 18
pp629
Proposed 45 CFR 164308b3i
pp630
Proposed 45 CFR 164308b3ii
pp631
Considerations for Securing Electronic Media and Devices Office for Civil Rights US Department of Health and Human Services p 1 Aug 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewsletteraugust2018deviceandmediacontrolspdfpp632
See eg
Sonali Sachdeva et al Unraveling the role of cloud computing in health care system and biomedical sciences Heliyon Apr 2 2024 These days numerous commercial merchants are intermingling with hospitals as well as healthcare providers to establish healthcarebased cloud computing networks
httpswwwncbinlmnihgovhhsnihidmoclcorgpmcarticlesPMC11004887 see also id
Microsoft Google and Amazon have instantly realized that the majority of hospitals will not continue working with servers that are privately owned as well as controlled Increase in healthcare cyberattacks affecting patients with cancer
supra
note 180 In 2021 an attack against oncology services targeted data stored in cloudbased systems and affected patients in several States
pp633
See45 CFR 164304 definition of Physical safeguards
pp634
45 CFR 164310a2i
pp635
45 CFR 164310b
pp636
45 CFR 164310c
pp637
Considerations for Securing Electronic Media and Devices
supra
note 631 p 2
pp638
Idpp639
See University of Texas MD Anderson Cancer Center supra
note 258 p 479
pp640
Resolution Agreement Advocate Health Care Network Medical Group Office for Civil Rights US Department of Health and Human Services July 8 2016
pp641
Resolution Agreement University of Rochester Medical Center Office for Civil Rights US Department of Health and Human Services Oct 30 2019 describing a violation of the standard for device and media controls
pp642
See
discussion of 45 CFR 164306
pp643
See University of Texas MD Anderson Cancer Center supra
note 258
pp644
See45 CFR 164304 proposed definitions of Relevant electronic information systems and Technology assets
pp645
See
discussion of proposals to revise 45 CFR 164316
pp646
See45 CFR 164304 proposed definition of Implement
pp647
See
proposed 45 CFR 164308a13
pp648
See
Workstation Security Dont Forget About Physical Security Office for Civil Rights US Department of Health and Human Services p 2 May 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewslettermay2018workstationsecuritypdfpp649
See
proposed 45 CFR 164308a11iiA
1
pp650
Considerations for Securing Electronic Media and Devices
supra
note 631 p 1
pp651
Idpp652
See id
for a list of questions that regulated entities should consider when developing their policies and procedures regarding device and media controls
pp653
See
Richard Kissel et al Guidelines for Media Sanitization NIST Special Publication 80088 Revision 1 National Institute of Standards and Technology US Department of Commerce Dec 2014
httpscsrcnistgovpublicationsdetailsp80088rev1final see also
Proper Disposal of Electronic Devices Cybersecurity Infrastructure Security Agency US Department of Homeland Security Feb 1 2021
httpswwwcisagovnewseventsnewsproperdisposalelectronicdevicespp654
See
Guidelines for Media Sanitization
supra
note 653
see also
Proper Disposal of Electronic Devices
supra
note 653
pp655
Guidance on Disposing of Electronic Devices and Media Office for Civil Rights US Department of Health and Human Services p 1 July 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewsletterjuly2018Disposalpdfpp656
Id
at 2
pp657
Idpp658
Idpp659
Security Standards Technical Safeguards
supra
note 343 p 4
pp660
A superuser is a user that is authorized and therefore trusted to perform securityrelevant functions that ordinary users are not authorized to perform NIST definition of superuser Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermsuperuserpp661
See45 CFR 164306d for an explanation of required and addressable implementation specifications
pp662
45 CFR 164312a2i
pp663
45 CFR 164312a2ii
pp664
45 CFR 164312a2iii
pp665
45 CFR 164312a2iv
pp666
45 CFR 164312a2i
pp667
45 CFR 164312a2ii
pp668
Security Standards Technical Safeguards
supra
note 343 p 5
pp669
45 CFR 164312a2iii
pp670
Security Standards Technical Safeguards
supra
note 343 p 6
pp671
Idpp672
45 CFR 164312a2iv
pp673
Security Standards Technical Safeguards
supra
note 343 p 7
pp674
Understanding the Importance of Audit Controls Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services p 1 Jan 2017
httpswwwhhsgovsitesdefaultfilesjanuary2017cybernewsletterpdflanguageespp675
Idpp676
Id
at 2
pp677
Idpp678
Security Standards Technical Safeguards
supra
note 343 p 7
pp679
Idpp680
Id
at 9
pp681
Id
at 10
pp682
45 CFR 164312e2i
pp683
68 FR 8334 8357 Feb 20 2003
pp684
For example the ONC Health IT Certification Program requires that certified health IT certified to the enduser device encryption certification criterion at 45 CFR 170315d7 must encrypt electronic health information stored on enduser devices after use of the technology on those devices stops or prevent electronic health information from being locally stored on enduser devices after use of the technology on those devices stops
See also
Security Standards Technical Safeguards
supra
note 343 p 7
pp685
How to Protect the Data that is Stored on Your Devices Cybersecurity Infrastructure Security Agency US Department of Homeland Security access July 26 2024
httpswwwcisagovresourcestoolstraininghowprotectdatastoredyourdevices see also
Karen Scarfone et al Information Technology Laboratory ITL Bulletin August 2020 Security Considerations for Exchanging Files Over the internet National Institute of Standards and Technology US Department of Commerce Aug 2020
httpscsrcnistgovfilespubsshareditlbitlbul202008pdfpp686
45 CFR 164306d
pp687
Banner Health
supra
note 567
pp688
Resolution Agreement Lifespan Office for Civil Rights US Department of Health and Human Services June 26 2020
httpswwwhhsgovsitesdefaultfileslifespanracapsignedpdfpp689
Resolution Agreement Yakima Valley Memorial Hospital Office for Civil Rights US Department of Health and Human Services May 15 2023
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsyakimaracapindexhtmlpp690
Idpp691
See
Montefiore Medical Center
supra
note 248
pp692
See eg
HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking
supra
note 570
pp693
Idpp694
The Home Depot Reports Findings in Payment Data Breach Investigation Home Depot Nov 6 2014
httpsirhomedepotcomnewsreleases201411062014014517315pp695
See45 CFR 164304 proposed definitions of Deploy and Implement
pp696
Security Standards Technical Safeguards
supra
note 343 p 3
pp697
Id
at 4
pp698
Cybersecurity Performance Goals
supra
note 18
pp699
Id
at 34
pp700
See45 CFR 164308a4 and proposed 45 CFR 164308a10
pp701
See
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp702
Defending Against Common CyberAttacks
supra
note 396
pp703
See45 CFR 170315d1
pp704
Cybersecurity Performance Goals
supra
note 18
pp705
See45 CFR 170315d6
pp706
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp707
Idpp708
For example Windows 10 operating system allows users to customize security options to automatically logout a user after a specified period of inactivity
pp709
See45 CFR 170315d5
pp710
Brute Force Attacks Conducted by Cyber Actors Cybersecurity Infrastructure Security Agency US Department of Homeland Security May 6 2020
httpswwwcisagovnewseventsalerts20180327bruteforceattacksconductedcyberactorspp711
Security and Privacy Controls for Information Systems and Organizations
supra
note 600 p 39
pp712
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 3 recommending that the Department require network segmentation as part of a layered security approach segregating network components based on user characteristics such as corporate network compared to business associate network Layering Network Security Through Segmentation Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovsitesdefaultfilespublicationslayeringnetworksecuritysegmentationinfographic5080pdf
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16 pp 23 and 31 PRIR01 The NIST Cybersecurity Framework CSF 20
supra
note 15
pp713
Layering Network Security Through Segmentation
supra
note 712
pp714
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 3
pp715
Cybersecurity Performance Goals
supra
note 18
pp716
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp717
Idpp718
Idpp719
Idpp720
See45 CFR 402 The presumption applies unless it can be rebutted in accordance with the breach risk assessment described in 45 CFR 1644022
pp721
45 CFR 164402
pp722
Karen Scarfone et al Guide to Storage Encryption Technologies for End User Devices Recommendations of the National Institute of Standards and Technology NIST Special Publication 800111 National Institute of Standards and Technology US Department of Commerce Nov 2007
httpsnvlpubsnistgovnistpubsLegacySPnistspecialpublication800111pdfpp723
74 FR 19600 1900919010 Apr 27 2009
pp724
45 CFR 164402
pp725
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp726
See68 FR 8334 8357 Feb 20 2003
pp727
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp728
Idpp729
See
discussion of 45 CFR 164312
infrapp730
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2
pp731
The Department is also proposing to delete the implementation specification for encryption at 45 CFR 164312e2ii because we are proposing to address the substantive requirements of that implementation specification in proposed 45 CFR 164312b2
pp732
Cybersecurity Performance Goals
supra
note 18 Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2
pp733
See45 CFR 170315d7 and 170210a
pp734
For example adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to encrypt or prevent the local storage of electronic health information stored on enduser devices after use of the technology on those devices stops may contribute to a regulated entitys compliance with the proposed implementation specification for encryption and decryption
See45 CFR 170315d7 Additionally the proposed implementation specification generally is consistent with the Health Data Technology and Interoperability Patient Engagement Information Sharing and Public Health Interoperability HTI2 NPRM proposal to modify 45 CFR 170315d7 should it be finalized to include requirements that authentication credentials be protected using industrystandard encryption and decryption
See89 FR 6353637 63778 Aug 5 2024
pp735
Messaging in the context of telehealth is discussed in Department guidance on telehealth
See
Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for AudioOnly Telehealth Office for Civil Rights US Department of Health and Human Services June 13 2022
httpswwwhhsgovhipaaforprofessionalsprivacyguidancehipaaaudiotelehealthindexhtmlpp736
For example health IT certified through the ONC Health IT Certification Program as meeting the view download and transmit to 3rd party certification criterion must be able to create and transmit continuity of care document summaries to patients through email via an encrypted method of electronic transmission
See45 CFR 170315e1
pp737
The ONC Health IT Certification Program sets forth at 45 CFR 170550h the privacy and security certification framework for Health IT Modules Section 170550h identifies a mandatory minimum set of the certification criteria that ONC ACBs must ensure are also included as part of specific Health IT Modules that are presented for certification For example to meet the standardized API for patient and population services certification criterion the ONC Health IT Certification Program requires that a Health IT Module presented for testing and certification must demonstrate the ability to establish a secure and trusted connection with an application requesting data for patients
See45 CFR 170315g10
see also45 CFR 170215
pp738
See
Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth Office for Civil Rights US Department of Health and Human Services Oct 17 2023
httpswwwhhsgovhipaaforprofessionalsprivacyguidanceresourcehealthcareproviderseducatingpatientsindexhtmlpp739
See45 CFR part 171 85 FR 25642 25815 May 1 2020
pp740
See eg45 CFR part 171
pp741
45 CFR 164308a13
pp742
See
Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks MITRE Corporation Nov 2023
httpswwwmitreorgsitesdefaultfiles202311PR233695ManagingLegacyMedicalDevice20CybersecurityRiskspdf
Principles and Practices for the Cybersecurity of Legacy Medical Devices International Medical Device Regulators Forum p 8 Apr 11 2023
httpswwwimdrforgsitesdefaultfiles202304IMDRF20Principles20and20Practices20 of20Cybersecurity20for2020Legacy20 Medical20Devices20Final2028N70291pdfpp743
Cybersecurity US Food Drug Administration US Department of Health and Human Services
httpswwwfdagovmedicaldevicesdigitalhealthcenterexcellencecybersecuritypp744
See
sec 3305 of Public Law 117328 126 Stat 5832 Dec 29 2022 codified at 21 USC 360n2
see also
Cybersecurity in Medical Devices Frequently Asked Questions FAQs US Food Drug Administration US Department of Health and Human Services
httpswwwfdagovmedicaldevicesdigitalhealthcenterexcellencecybersecuritymedicaldevicesfrequentlyaskedquestionsfaqspp745
Celia Paulsen et al Glossary of Key Information Security Terms NIST Interagency and Internal Reports 7298 Revision 3 National Institute of Standards and Technology US Department of Commerce July 3 2019
httpsnvlpubsnistgovnistpubsir2019NISTIR7298r3pdfpp746
The Department does not propose to require that the periodic review include a review of whether the conditions of the exception continue to apply because when the conditions qualifying for an exception change such that an exception no longer applies a regulated entity would be expected to resume compliance with the standard for encryption and decryption and the associated implementation specifications without exception
pp747
Defending Against Common CyberAttacks
supra
note 396
see also
HIPAA and Cybersecurity Authentication
supra
note 368
pp748
Cybersecurity Performance Goals
supra
note 18
pp749
Idpp750
See
proposed 45 CFR 164312c2
pp751
What Happened to My Data Update on Preventing Mitigating and Responding to Ransomware Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Dec 2019
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterfall2019indexhtmlpp752
See
Understanding AntiVirus Software Cybersecurity Infrastructure Security Agency US Dept of Homeland Security June 30 2009 rev Sept 27 2019
httpswwwcisagovnewseventsnewsunderstandingantivirussoftwarepp753
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response M2201 Office of Management and Budget Executive Office of the President p 1 Oct 8 2021
httpswwwwhitehousegovwpcontentuploads202110M2201pdfpp754
Defending Against Common CyberAttacks
supra
note 396
pp755
Idpp756
Idpp757
Idpp758
See
proposed 45 CFR 164308a2
pp759
What Happened to My Data Update on Preventing Mitigating and Responding to Ransomware
supra
note 751
pp760
Defending Against Common CyberAttacks
supra
note 396
pp761
Security Standards Technical Safeguards
supra
note 343 p 7
pp762
Idpp763
Cybersecurity Performance Goals
supra
note 18
pp764
The criterion for auditing actions on health information requires adoption of health IT that has
the technical capability to record actions related to electronic health information restrict the ability for auditing to be disabled to a limited set of users if the technology permits detect whether an audit log has been altered and not allow actions recorded related to electronic health information to be changed overwritten or deleted by technology
See45 CFR 170315d10
see45 CFR 170315d2
see also45 CFR 170210e
pp765
See eg
Montefiore Medical Center
supra
note 248
pp766
See
proposed 45 CFR 164308a2
pp767
Security Standards Technical Safeguards
supra
note 343 p 8
pp768
Idpp769
Idpp770
Idpp771
45 CFR 170315d8
pp772
Security Standards Technical Safeguards
supra
note 343 p 9
pp773
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 6
pp774
Risks of Default Passwords on the internet Cybersecurity Infrastructure Security Agency US Department of Homeland Security Oct 7 2016
httpswwwcisagovnewseventsalerts20130624risksdefaultpasswordsinternetpp775
MultiFactor Authentication Cybersecurity Infrastructure Security Agency US Department of Homeland Security Jan 5 2022
httpswwwcisagovsitesdefaultfilespublicationsMFAFactSheetJan22508pdf
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 pp 78
pp776
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 pp 78
pp777
Cybersecurity Performance Goals
supra
note 18
pp778
See89 FR 63498 63574 63506 63528 Aug 5 2024 proposed 45 CFR 170315d13ii of ASTPONCs HTI2 NPRM
pp779
See
proposed 45 CFR 164312f2iiiB
pp780
See
proposed 45 CFR 164308a13
pp781
See
proposed 45 CFR 164312a2iii
pp782
See
Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks
supra
note 742 Principles and Practices for the Cybersecurity of Legacy Medical Devices
supra
note 742 p 8
pp783
Cybersecurity
supra
note 743
pp784
See
sec 3305 of Public Law 117328 126 Stat 5832 Dec 29 2022 codified at 21 USC 360n2
see also
Cybersecurity in Medical Devices Frequently Asked Questions FAQs
supra
note 744
pp785
Proposed 45 CFR 164312f2ivA
pp786
Glossary of Key Information Security Terms
supra
note 745
pp787
Securing Your Legacy System Security
supra
note 494
pp788
The Department does not propose that the periodic review include a review that the conditions of the exception continue to apply because a regulated entity would be expected to resume compliance with the implementation specification of multifactor authentication when such exception no longer applies
pp789
Glossary of Key Information Security Terms
supra
note 745
pp790
See45 CFR 170315d9
pp791
Security Standards Technical Safeguards
supra
note 343 p 1011
pp792
Defending Against Common CyberAttacks
supra
note 396
pp793
Idpp794
See
Cybersecurity Alerts Advisories Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovnewseventscybersecurityadvisoriespp795
See
Bulletins Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovnewseventsbulletinspp796
See
Health Sector Cybersecurity Coordination Center HC3 Office of the Chief Information Officer US Department of Health and Human Services
httpswwwhhsgovaboutagenciesasaociohc3indexhtmlpp797
Free Cybersecurity Services and Tools
supra
note 313
pp798
Cyber Hygiene Services
supra
note 313
pp799
Cybersecurity Resources for HighRisk Communities
supra
note 313
pp800
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 89
pp801
Cybersecurity Performance Goals
supra
note 18
pp802
Defending Against Common CyberAttacks
supra
note 396
pp803
Idpp804
This study is not specific to health care Costs and Consequences of Gaps in Vulnerability Response ServiceNow and Ponemon Institute p 3 2019
httpswwwservicenowcomcontentdamservicenowassetspublicenusdoctyperesourcecenteranalystreportponemonstateofvulnerabilityresponsepdfpp805
See
proposed 45 CFR 164308a4
pp806
National Vulnerability Database
supra
note 398
pp807
Known Exploited Vulnerabilities Catalog
supra
note 399
pp808
Glossary of Key Information Security Terms
supra
note 745
pp809
Defending Against Common CyberAttacks
supra
note 396
pp810
See
proposed 45 CFR 164308a2
pp811
See
proposed 45 CFR 164308a5
pp812
Defending Against Common CyberAttacks
supra
note 396
pp813
See
Securing Your Legacy System Security
supra
note 494
pp814
See
proposed 45 CFR 164308a5 and 164312h1
pp815
See
Plan A B Contingency Plan
supra
note 606
pp816
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 49
pp817
Idpp818
45 CFR 164314a2iA
pp819
45 CFR 164314a2iB
pp820
45 CFR 164314a2iC
pp821
Section 164504e provides that when a covered entity and its business associate are both governmental entities they do not have to negotiate a business associate agreement and may provide adequate assurances for its uses and disclosures of PHI if they enter into a memorandum of understanding or adopt a regulation that has the force and effect of law that incorporates the requirements of a business associate agreement 65 FR 82462 82597 82677 Dec 28 2000
see also68 FR 8334 8360 Feb 20 2003 164314a provisions are drawn from and intended to support the analogous privacy protections provided for by 45 CFR 164504e and discussed in the 2000 Privacy Rule 78 FR 5566 5590 Jan 25 2013 removed the specific requirements under 45 CFR 164314 for a memorandum of understanding when both a covered entity and business associate are government entities and referred to the parallel requirements of the Privacy Rule at 45 CFR 164504e3
pp822
45 CFR 164304 definition of Security incident
pp823
See45 CFR 164314a
pp824
Where a business associate experiences a security incident that meets the definition of a breach at 45 CFR 164402 the business associate must comply with the requirements of the Breach Notification Rule
See45 CFR part 160 and subparts A and D of 45 CFR part 164 Specifically the Breach Notification Rule requires a business associate to report a breach of unsecured PHI to a covered entity without unreasonable delay and in no case later than 60 days from the discovery of the breach
See45 CFR 164410b
pp825
Testimony of Andrew Witty
supra
note 214 According to CEO Andrew Witty intruders attempt to gain access to UnitedHealth Groups electronic information systems every 70 seconds or more than 450000 times per year
pp826
45 CFR 164308a7i
pp827
Idpp828
See45 CFR 164308a7i proposed 45 CFR 164308a13i
pp829
68 FR 8334 8351 Feb 20 2003
pp830
Since 1980 the United States has experienced 265 weather and climate disasters in which the overall damages reached or exceeded US1 billion Kristie L Ebi et al Extreme Weather and Climate Change Population Health and Health System Implications Annual Review of Public Health Jan 2021
httpspubmedncbinlmnihgov33406378 see also
Climate Change Indicators US and Global Temperature US Environmental Protection Agency June 27 2024 2023 was the warmest year on record and 20142023 was the warmest decade on record since thermometerbased observations began
httpswwwepagovclimateindicatorsclimatechangeindicatorsusandglobaltemperaturepp831
Annual Report to Congress on HIPAA Privacy Security and Breach Notification Rule Compliance For Calendar Year 2022 Office for Civil Rights US Department of Health and Human Services p 8 2022 From 2018 to 2022 the number of breaches affecting fewer than 500 individuals increased 1 percent and breaches affecting 500 or more individuals rose 107 percent
httpswwwhhsgovsitesdefaultfilescompliancereporttocongress2022pdfpp832
Unraveling the role of cloud computing in health care system and biomedical sciences
supra
note 632 These days numerous commercial merchants are intermingling with hospitals as well as healthcare providers to establish healthcarebased cloud computing networks
see also id
Microsoft Google and Amazon have instantly realized that the majority of hospitals will not continue working with servers that are privately owned as well as controlled Increase in healthcare cyberattacks affecting patients with cancer
supra
note 180 In 2021 an attack against oncology services targeted data stored in cloudbased systems and affected patients in several States
pp833
Nicole Perlroth et al Cyberattack Hits Ukraine Then Spreads Internationally The New York Times June 27 2017 discussing a worldwide ransomware attack in 2017
httpswwwnytimescom20170627technologyransomwarehackershtmlpp834
See68 FR 8334 Feb 20 2003
pp835
See78 FR 5566 Jan 25 2013
pp836
A subcontractor of a business associate also would be required to make such report to the business associate
See45 CFR 164314a2iii applying the requirements in paragraphs a2i and ii to business associate agreements between business associates and subcontractors in the same manner as they apply to business associate agreements between covered entities and business associates
pp837
See45 CFR 164410
pp838
Saheed Oladimeji et al SolarWinds hack explained Everything you need to know TechTarget Nov 3 2023 SolarWinds is a software company and one of its products that was part of a supply chain attack is an IT performance monitoring system that had privileged access to IT systems
httpswwwtechtargetcomwhatisfeatureSolarWindshackexplainedEverythingyouneedtoknowpp839
As discussed in greater detail above the Department is proposing to renumber the standard for the contingency plan as 45 CFR 164308a13 and to require a written contingency plan for responding to an emergency or other occurrence that adversely affects relevant electronic information systems as opposed to the current standard which applies when the emergency or other occurrence damages information systems that contain ePHI
pp840
Proposed 45 CFR 164314a2iC and D Cybersecurity Performance Goals
supra
note 18
pp841
Proposed 45 CFR 164308a13i
pp842
The ping command is a network diagnostic and firewalls often block incoming pings to prevent attackers from learning more about the organizations network Karen Scarfone et al Guidelines on Firewalls and Firewall Policy NIST Special Publication 80041 Revision 1 National Institute of Standards and Technology US Department of Commerce p 31 Sept 2009
httpsdoiorg106028NISTSP80041r1pp843
45 CFR 164314a2iC
pp844
While we are proposing in this NPRM in 45 CFR 164308a13i to specifically include a security incident as an example of an emergency or occurrence that may damage a relevant electronic information system for which a contingency plan would be required we believe that this is a clarification rather than a change
pp845
See45 CFR 164504f1ii
pp846
See45 CFR 164504f1iii
pp847
45 CFR 160103 definition of Group health plan
pp848
45 CFR 164314b2i
pp849
45 CFR 164504f2iii requires the plan documents to describe an employee or class of employee who receives PHI for payment health care operations or other matters related to the group health plan restrict access to PHI and use of PHI by such employees to the plan administration functions that the plan sponsor performs for the group health plan and provide an effective mechanism for resolving any issues of noncompliance by such persons
pp850
45 CFR 164314b2ii
pp851
45 CFR 164314b2iii
pp852
45 CFR 164314b2iv
pp853
65 FR 82462 82508 Dec 28 2000
pp854
See
2024 Data Breach Investigations Report Verizon Business 2024
httpswwwverizoncombusinessresourcesreportsdbirpp855
65 FR 82462 82508 Dec 28 2000
see also68 FR 8334 8360 Feb 20 2003 164314b provisions are drawn from and intended to support the analogous privacy protections provided for by 45 CFR 164504f and discussed in the 2000 Privacy Rule
pp856
CrossSector Cybersecurity Performance Goals
supra
note 164
pp857
Proposed 45 CFR 164308a2i
pp858
Proposed 45 CFR 164308 164310 164312 and 164316
pp859
The plan sponsor would implement a contingency plan because it is one of the requirements of the administrative safeguards of the Security Rule and would be implemented based on the proposed requirements in 45 CFR 164314b2i
pp860
45 CFR 164306b2i
pp861
45 CFR 164306b2ii
pp862
45 CFR 164306b2iii
pp863
45 CFR 164306b2iv
pp864
See
Resolution Agreement Peachstate Health Management Inc Office for Civil Rights US Department of Health and Human Services Apr 28 2021
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementspeachstateindexhtml
West Georgia Ambulance Inc
supra
note 583
see also
20162017 HIPAA Audits Industry Report
supra
note 121 p 27 the Department found that only 31 percent of regulated entities audited had safeguarded ePHI through risk analysis activities including developing and implementing policies and procedures
pp865
In 2003 the Department declined a commenters suggestion to change the term periodically to at least annually At that time we said that documentation must be updated as needed to reflect security measures currently in effect and that the requirement allowed individual entities to establish review and update cycles as deemed necessary because it would vary dependent
upon a given entitys size configuration environment operational changes and the security measures implemented 68 FR 8334 8361 Feb 20 2003
pp866
HIPAA set forth the compliance dates for the initial standards 42 USC 1320d4
see also68 FR 8334 8351 Feb 20 2003
pp867
Similarly a business associate subcontractor would need to report to the business associate
See
Business Associate Contracts Office for Civil Rights US Department of Health and Human Services June 16 2017 A business associate also is a subcontractor that creates receives maintains or transmits PHI on behalf of another business associate
httpswwwhhsgovhipaaforprofessionalscoveredentitiessamplebusinessassociateagreementprovisionsindexhtmlpp868
Proposed 45 CFR 164314a2iD
pp869
The Department has previously included transition provisions to ensure that important functions of the health care system were not impeded
See eg65 FR 82462 Dec 28 2000 67 FR 53182 Aug 14 2002 78 FR 5566 Jan 25 2013
pp870
See
proposed 45 CFR 164308b1i
pp871
See idpp872
45 CFR 164314a2iA
pp873
45 CFR 164314a2iB
pp874
Or to the business associate from a business associate subcontractor
pp875
Proposed 45 CFR 164314a2iD
pp876
Or business associates contract with the subcontractor
pp877
45 CFR 164306a
pp878
45 CFR 164508a1iiA
pp879
45 CFR 164308a1iiB
pp880
See
PostQuantum Cryptography Quantum Background US Department of Homeland Security last accessed July 23 2024
httpswwwdhsgovquantum see also
QuantumReadiness Migration to PostQuantum Cryptography Cybersecurity Infrastructure Security Agency National Security Agency and National Institute of Standards and Technology p 1 Aug 21 2023
httpsmediadefensegov2023Aug212003284212110CSIQUANTUMREADINESSPDFpp881
PostQuantum Cryptography Quantum Background
supra
note 880
pp882
See
PostQuantum Cryptography PQC Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce July 19 2024
httpswwwnistgovpqcryptopp883
See
PostQuantum Cryptography Quantum Background
supra
note 880
pp884
See
PostQuantum Cryptography PQC
supra
note 882
pp885
Idpp886
See id
removed emphasis from postquantum cryptography in original
pp887
National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems National Security MemorandumNSM10 The White House May 4 2022
httpswwwwhitehousegovbriefingroomstatementsreleases20220504nationalsecuritymemorandumonpromotingunitedstatesleadershipinquantumcomputingwhilemitigatingriskstovulnerablecryptographicsystemspp888
Idpp889
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2 providing NCVHS recommendations to strengthen the HIPAA Security Rule
pp890
See
QuantumReadiness Migration to PostQuantum Cryptography Cybersecurity Infrastructure Security Agency National Security Agency and National Institute of Standards and Technology p 1 Aug 21 2023
httpsmediadefensegov2023Aug212003284212110CSIQUANTUMREADINESSPDFpp891
Idpp892
Sec 238g of Public Law 115232 132 Stat 169798 Aug 13 2018 10 USC 2358 note definition of AI
pp893
Kathryn Marchesini et al Getting the Best out of Algorithms in Health Care HealthITbuzz Assistant Secretary for Technology Policy US Department of Health and Human Services June 15 2022
httpswwwhealthitgovbuzzblogelectronichealthandmedicalrecordsgettingthebestoutofalgorithmsinhealthcarepp894
See
Nazish Khalid et al Privacypreserving artificial intelligence in healthcare Techniques and applications Computers in Biology and Medicine Volume 158 p 1 May 2023
httpswwwsciencedirectcomsciencearticlepiiS001048252300313XrefpdfdownloadfrRR2rr8a7dac430d6d07d5pp895
See
Artificial Intelligence Program Research on AIMachine Learning MLBased Medical Devices US Food Drug Administration US Department of Health and Human Services June 10 2024
httpswwwfdagovmedicaldevicesmedicaldeviceregulatoryscienceresearchprogramsconductedoselartificialintelligenceprogramresearchaimlbasedmedicaldevicespp896
Idpp897
See
Michael D Howell et al Three Epochs of Artificial Intelligence in Health Care Journal of the American Medical Association Volume 331 Number 3 Jan 16 2024
httpsjamanetworkcomjournalsjamafullarticle2813874pp898
See
Aaron A Tierney et al Ambient Artificial Intelligence Scribes to Alleviate the Burden of Clinical Documentation New England Journal of Medicine Catalyst Feb 21 2024
httpscatalystnejmorgdoifull101056CAT230404pp899
Idpp900
Julia AdlerMilstein et al NextGeneration Artificial Intelligence for Diagnosis From Predicting Diagnostic Labels to Wayfinding Journal of the American Medical Association Dec 9 2021
httpsjamanetworkcomhhsnihidmoclcorgjournalsjamafullarticle2787207pp901
Idpp902
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 8 providing NCVHS recommendations to strengthen the HIPAA Security Rule s
ee also
William Dixon et al 3 ways AI will change the nature of cyber attacks World Economic Forum June 19 2019
httpswwwweforumorgagenda201906aiispoweringanewgenerationofcyberattackitsalsoourbestdefencepp903
3 ways AI will change the nature of cyber attacks
supra
note 902
pp904
Idpp905
Idpp906
Idpp907
Where a regulated entity is maintaining ePHI for research purposes as described by 45 CFR 164512i the regulated entity is not performing a covered function
pp908
See
Jordan Pearson ChatGPT Can Reveal Personal Information From Real People Google Researchers Show Vice Nov 29 2023
httpswwwvicecomenarticlechatgptcanrevealpersonalinformationfromrealpeoplegoogleresearchersshow see also
Bridget McArthur AI chatbot blamed for psychosocial workplace training gaffe at Bunbury prison ABC Southwest Aug 20 2024
httpswwwabcnetaunews20240821aichatbotpsychosocialtrainingbunburyregionalprison104230980pp909
See
Nick Easen Why generative AI presents a fundamental security risk Raconteur Sept 9 2024
httpswwwraconteurnettechnologywhygenerativeaipresentsafundamentalsecuritythreatpp910
See45 CFR 164308a1iiA and B proposed 45 CFR 164308a2i and a5i
pp911
Artificial Intelligence Risk Management Framework AI RMF 10 NIST AI 1001 National Institute of Standards and Technology US Department of Commerce Jan 2023
httpsnvlpubsnistgovnistpubsaiNISTAI1001pdf see also
Joint Guidance on Deploying AI System Securely Cybersecurity Infrastructure Security Agency US Department of Homeland Security Apr 15 2024
httpswwwcisagovnewseventsalerts20240415jointguidancedeployingaisystemssecurelypp912
45 CFR 164508
pp913
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 8
pp914
88 FR 75191 Nov 1 2023
pp915
Idpp916
89 FR 1192 Jan 9 2024
pp917
Idpp918
Health Data Technology and Interoperability Certification Program Updates Algorithm Transparency and Information Sharing HTI1 final rule The Office of the National Coordinator for Health IT US Department of Health and Human Services Mar 7 2024
httpswwwhealthitgovtopiclawsregulationandpolicyhealthdatatechnologyandinteroperabilitycertificationprogramtextONC27s20HTI2D120final20ruleimplementation20specifications2C20and20certification20criteriapp919
See
Tarun Kumar Vashishth et al Virtual Reality VR and Augmented Reality AR Transforming Medical Applications Oct 2023
httpswwwresearchgatenetpublication374814301VirtualRealityVRandAugmentedRealityARTransformingMedicalApplicationspp920
Idpp921
See
Evangelia Manika et al AR and VR devices in the healthcare business legal and ethical challenges International Bar Association July 6 2023
httpswwwibanetorgARVRdevicesinthehealthcarebusiness see also
Sajin Somarajan Minimizing ARVR Security And Privacy Risks Infosys Digital Experience accessed July 23 2024
httpsblogsinfosyscomdigitalexperiencemobilityminimizingarvrsecurityandprivacyriskshtmlpp922
See
AR and VR devices in the healthcare business legal and ethical challenges
supra
note 921
see also
Minimizing ARVR Security And Privacy Risks
supra
note 921
pp923
See
AR and VR devices in the healthcare business legal and ethical challenges
supra
note 921
see also
Minimizing ARVR Security And Privacy Risks
supra
note 921
pp924
See
proposed 45 CFR 164308a4i
pp925
45 CFR 164312a1
pp926
45 CFR 164312d
see
proposed 45 CFR 164308a10iiC and 164312f1
pp927
45 CFR 164308b and 164314a
pp928
See
Raj Mehta et al The future of cyber in the future of health The evolving role of cybersecurity in health care Deloitte 2020
httpswww2deloittecomusenpagesadvisoryarticlesfutureofcybersecurityhealthcarehtmlpp929
Idpp930
Id
regarding DevSecOps
pp931
58 FR 51735 Oct 4 1993
pp932
76 FR 3821 Jan 21 2011
pp933
88 FR 21879 Apr 11 2023
pp934
Public Law 96354 94 Stat 1164 Sept 19 1980 codified at 5 USC 601612
pp935
Public Law 1044 109 Stat 48 Mar 22 1995 codified at 2 USC 1501
pp936
64 FR 43255 Aug 4 1999
pp937
Sec 202 of Public Law 1044 109 Stat 64 Mar 22 1995 codified at 2 USC 1532a
pp938
Also referred to as the Congressional Review Act 5 USC 801
et seqpp939
Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks
supra
note 742 p 6
pp940
View ICR Office of Information and Regulatory Affairs Office of Management and Budget July 9 2024
httpswwwreginfogovpublicdoPRAViewICRrefnbr2024010945002pp941
63 FR 43242 Aug 12 1998
pp942
68 FR 8334 Feb 20 2003
pp943
78 FR 5566 Jan 25 2013
pp944
See
Occupational employment and wagesMay 2023 US Department of Labor Bureau of Labor Statistics Table 1 National employment and wage data from the Occupational Employment and Wage Statistics survey by occupation Apr 3 2024
httpswwwblsgovnewsreleasepdfocwagepdfpp945
This includes 60 days from publication of a final rule to the effective date and an additional 180 days until the compliance date
pp946
A firm may be an umbrella organization that encompasses multiple establishments
pp947
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry United States Census Bureau US States 6digit NAICS Dec 2023
httpswwwcensusgovdatatables2021econsusb2021susbannualhtmlpp948
This percentage was rounded
pp949
See
2023 NCPA Digest sponsored by Cardinal Health National Community Pharmacists Association Table 5 p 9 2023
httpswwwcardinalhealthcomcontentdamcorpwebdocumentsReportcardinalhealth2023ncpadigestpdf see also
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947
pp950
See
Scott Pace The Role and Value of Pharmacy Services Administrative Organizations PSAOs Impact Management Group p 3 July 20 2022
httpscontentnaicorgsitesdefaultfilescallmaterialsThe20Role20and20Value20of20Pharmacy20Services20Administrative20July202022pdf see also
The Role of Pharmacy Services Administrative Organizations for Independent Retail and Small Chain Pharmacies Avalere Health p 4 Sept 30 2021
httpsdocumentsncslorgwwwncsl
FoundationsponsorviewsTheRoleofPSAOsIndependentPharmaciespdf
pp951
See
Provider of Services FileInternet Quality Improvement and Evaluation SystemHome Health Agency Ambulatory Surgical Center and Hospice Providers Centers for Medicare Medicaid Services 2024
httpsdatacmsgovprovidercharacteristicshospitalsandotherfacilitiesproviderofservicesfileinternetqualityimprovementandevaluationsystemhomehealthagencyambulatorysurgicalcenterandhospiceproviders
Provider of Services FileHospital NonHospital Facilities Centers for Medicare Medicaid Services 2024
httpsdatacmsgovprovidercharacteristicshospitalsandotherfacilitiesproviderofservicesfilehospitalnonhospitalfacilitiespp952
See
Area Health Resources Files Health Resources Services Administration US Department of Health and Human Services 20222023 County Level Data
httpsdatahrsagovdatadownloaddataAHRFAHRFpp953
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947
pp954
See
Delineation Files US Census Bureau US Department of Commerce 2023
httpswwwcensusgovgeographiesreferencefilestimeseriesdemometromicrodelineationfileshtmlpp955
See generally86 FR 37770 July 16 2021
pp956
See86 FR 37770 37778 July 16 2021
pp957
78 FR 5565 Jan 25 2013
pp958
See
Medical Expenditure Panel SurveyInsurance Component Tables IA1 and IA2 Agency for Healthcare Research and Quality 2023
httpsmepsahrqgovdatastatssummtablesinsrnationalseries12023ic23iagpdfgl116xft35gaMTE0MDI5NzI0LjE3MDk2NjQ0NDMga45NDTD15CJMTczMTEwMzQ4OS4yLjEuMTczMTEwMzUzNS4xNC4wLjA
showing the number of establishments and percent offering health plans and County Business Patterns 2021 United States Census Bureau April 27 2023
httpswwwcensusgovdatadatasets2021econcbp2021cbphtml
providing the ratio of firms to establishments We assume one health plan sponsor per firm that offers a selfinsured group health plan
pp959
See
Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022
supra
note 213 p 9 2023
pp960
See
Steve Alder December 2023 Healthcare Data Breach Report The HIPAA Journal Jan 18 2024
httpswwwhipaajournalcomdecember2023healthcaredatabreachreportpp961
See
What We Learned Change Healthcare Cyber Attack US House of Representatives Committee on Energy Commerce May 3 2024
httpsenergycommercehousegovpostswhatwelearnedchangehealthcarecyberattackpp962
See
table 3 wage rate for Office and Administrative Support Occupations
pp963
As defined by having 500 or fewer employees
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947
pp964
This is the estimated total number of covered entities and business associates
pp965
See45 CFR 164314b requiring that a group health plan ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan
pp966
See
Cost of a Data Breach Report 2023
supra
note 131 p 13
pp967
Id
at 18
pp968
The impact factor costs and cost savings are based on estimates for all breaches from the annual IBM Security and Ponemon Institute Costs of a Data Breach Reports for years 20182023
See id
at p 28
pp969
The Department calculated the percentage decrease as a share of the sum of factor costs from the average breach cost 218915 180358 187703 221593 2328674450000 0236
pp970
See
New Dangers in the New World Cyber Attacks in the Healthcare Industry
supra
note 135 p 3
pp971
See
Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information PHI in the Cyber Age
supra
note 207
see also
Adam Wright et al The Big Phish Cyberattacks Against US Healthcare Systems Journal of General Internal Medicine Volume 31 p 11151118 May 13 2016
httpswwwncbinlmnihgovpmcarticlesPMC5023604pp972
See
Thomas Clifford Provider Liability and Medical Identity Theft Can I Get Your Insurance Number Northwestern Journal of Law Social Policy Volume 12 p 45 2016
httpsscholarlycommonslawnorthwesternedunjlspvol12iss12pp973
Idpp974
Idpp975
See
Assessing resilience of hospitals to cyberattack
supra
note 130
see also
Ashley Carman MEDJACK tactic allows cyber criminals to enter healthcare networks undetected SC Media June 4 2015 Medjack means a medical device hijack that attackers use to exploit outdated and unpatched medical devices
httpswwwscmagazinecomnewsmedjacktacticallowscybercriminalstoenterhealthcarenetworksundetectedpp976
See
New Dangers in the New World Cyber Attacks in the Healthcare Industry
supra
note 135
pp977
See
Steven Ades et al Cancer Care in the Wake of a Cyberattack How to Prepare and What to Expect JCO Oncology Practice Volume 18 p 2324 Aug 2 2021
httpspubmedncbinlmnihgov34339260pp978
See
Assessing resilience of hospitals to cyberattack
supra
note 130
pp979
See
Mohammed Alkinoon et al Measuring Health Care Data Breaches Information Security Applications Volume 13009 p 265277 Aug 11 2021
httpsdlacmorgdoi101007978303089432022pp980
See
The Big Phish Cyberattacks Against US Healthcare Systems
supra
note 971 p 11151118
pp981
See
Health Records Database and Inherent Security Concerns A Review of the Literature
supra
note 177
pp982
Id see also
Victoria Kisekka et al The Effectiveness of Health Care Information Technologies Evaluation of Trust Security Beliefs and Privacy as Determinants of Health Care Outcomes Journal of Medical Internet Research Volume 20 Apr 11 2018
httpspubmedncbinlmnihgov29643052pp983
For this analysis a record is the ePHI of one individual
pp984
See
Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022
supra
note 213 p 9 2023 December 2023 Healthcare Data Breach Report
supra
note 960
pp985
The breakeven calculations presented here only include regulated entities because breach data is not available for health plan sponsors Including sponsors and assuming they have the same rate of breaches would result in a similar breakeven point in terms of percent decrease from baseline
pp986
Cybersecurity Performance Goals
supra
note 18
pp987
Idpp988
According to the 2021 Verizon Data Breach Investigations Report phishing was present in 36 of breaches up from 25 last year and 23 of malware was delivered through email
See
Technical Volume 2 Cybersecurity Practices for Medium and Large Healthcare Organizations Cybersecurity Practice 1 Email Protection Systems HHS Healthcare Public Health Sector Coordinating Council p 13 2023
https405dhhsgovDocumentstechvol2508pdf
citing a 2021 Verizon Data Breach Investigations Report
pp989
See
proposed 45 CFR 164312b2 and g
pp990
See
Individuals Right under HIPAA to Access their Health Information 45 CFR 164524 What is the liability of a covered entity in responding to an individuals access request to send the individuals PHI to a third party Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalsprivacyguidanceaccessindexhtmlpp991
42 USC 1320d2d1Av
pp992
Public Law 113283 Dec 18 2014 codified at 44 USC 3551
et seq
pp993
Idpp994
45 CFR 164304 definition of Information system
pp995
Managing Information as a Strategic Resource Circular No A130 Management of Federal Information Resources Appendix III Security of Federal Automated Information Resources Office of Management and Budget Executive Office of the President Feb 8 1996
httpsgeorgewbushwhitehousearchivesgovombcircularsa130a130htmlpp996
Public Law 10413 109 Stat 166 May 22 1995 codified at 44 USC 35028 definition of information system
see also
Managing Information as a Strategic Resource Circular No A130 Office of Management and Budget Executive Office of the President p 31 Jul 28 2016 definition of information system
httpswwwwhitehousegovwpcontentuploadslegacydrupalfilesombcircularsA130a130revisedpdfpp997
Proposed 45 CFR 164312f2ii
pp998
45 CFR 164304 proposed definition of Multifactor authentication
pp999
740348 822609 covered entities 90
pp1000
See
Table of Small Business Size Standards US Small Business Administration Mar 17 2023
httpswwwsbagovsitessbagovfiles202306Table20of20Size20StandardsEffective20March20172C2020232028229pdfpp1001
Idpp1002
Market Share and Enrollment of Largest Three InsurersLarge Group Market Kaiser Family Foundation 2019
httpswwwkfforgotherstateindicatormarketshareandenrollmentoflargestthreeinsurerslargegroupmarketcurrentTimeframe0sortModel7B22colId2222Location2222sort2222asc227Dpp1003
See
Table of Small Business Size Standards
supra
note 1000
pp1004
This figure is rounded and represents annualized costs discounted at a 2 percent rate The actual figure is 2251258305
pp1005
SUSB 2017 reports average revenue per firm by employment size The size categories begin with less than 5 employees followed by 5 to 10 employees and so on with the largest categories representing firms with 2500 to 4999 employees and 5000 or more employees 2017 Statistics of US Businesses Annual Data Tables by Establishment Industry May 2021
httpswwwcensusgovdatatables2017econsusb2017susbannualhtml
We inflated these revenues to 2021 dollars using the GDP deflator to estimate average revenues in each employment class in 2021 because that is the latest year for which data is reported
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947 We then concluded that more than 5 percent of the firms whose revenues fall below the SBA thresholds see table 4 belong to the fewer than 5 employees category and operate a single establishment
pp1006
6133 is 3 percent of 204433
pp1007
Average Small Business Revenue What To Know Fora Financial Jan 11 2023
httpswwwforafinancialcomblogsmallbusinessaveragesmallbusinessrevenuepp1008
42 USC 1320d2d
pp1009
See68 FR 8334 8341 Feb 20 2003
pp1010
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity
supra
note 306
See also
table 4 above SBA size threshold for hospitals
pp1011
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947 count of hospitals
pp1012
The Indian Health Service funds a network of over 600 hospitals clinics and health stations on or near Indian reservations in service areas that are rural isolated and underserved Justification of Estimates for Appropriations Committees Fiscal Year 2025 Indian Health Service US Department of Health and Human Services p CJ39 Mar 5 2024
pp1013
See id
at p CJ6375
pp1014
See
Telehealth and Health Information Technology in Rural Healthcare Rural Health Information Hub
httpswwwruralhealthinfoorgtopicstelehealthhealthitchallengesforruralcommunitiespp1015
See
Percent of Hospitals By Type that Possess Certified Health IT
supra
note 298
pp1016
Kat Jercich Rural hospitals are more vulnerable to cyberattacksheres how they can protect themselves
supra
note 295
pp1017
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity s
upra
note 306
pp1018
Hannah Neprash et al What happens to rural hospitals during a ransomware attack Evidence from Medicare data The Journal of Rural Health Mar 17 2024
httpspubmedncbinlmnihgov38494590
For information about grants and incentives available for improving broadband access and adoption of health IT
see eg
Funding Programs BroadbandUSA National Telecommunications and Information Administration US Department of Commerce
httpsbroadbandusantiadocgovfundingprograms
Rural Health Care Program Federal Communications Commission
httpswwwfccgovgeneralruralhealthcareprogrampp1019
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity s
upra
note 306
pp1020
See eg
Free Cybersecurity Services and Tools
supra
note 313 Cybersecurity Resources for HighRisk Communities
supra
note 313
pp1021
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity s
upra
note 306
see also
UPGRADE Universal Patching and Remediation for Autonomous Defense Advanced Research Projects Agency for Health May 20 2024
httpsarpahgovresearchandfundingprogramsupgradepp1022
What happens to rural hospitals during a ransomware attack Evidence from Medicare data s
upra
note 1018
pp1023
64 FR 43255 Aug 4 1999
pp1024
68 FR 8334 8373 Feb 20 2003
pp1025
78 FR 5566 5686 Jan 25 2013
pp1026
42 USC 1320d7
pp1027
Sec 13421a of the HITECH Act
see also45 CFR part 160 subpart B
pp1028
See
MAKING SUPPLEMENTAL APPROPRIATIONS FOR JOB PRESERVATION AND CREATION INFRASTRUCTURE INVESTMENT ENERGY EFFICIENCY AND SCIENCE ASSISTANCE TO THE UNEMPLOYED AND STATE AND LOCAL FISCAL STABILIZATION FOR THE FISCAL YEAR ENDING SEPTEMBER 30 2009 AND FOR OTHER PURPOSES Conf Report to Accompany HR 1 p 502 Feb 12 2009
pp1029
42 USC 1320d7a 45 CFR 160203
pp1030
See45 CFR 160202 definition of Contrary Preemption also applies if the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives and purposes of sec 264 of HIPAA Sec 264 of HIPAA contains the provisions pertaining to the privacy of individually identifiable health information
pp1031
Public Law 105277 112 Stat 2681528 Oct 21 1998 codified at 5 USC 601 note
pp1032
Public Law 10413 109 Stat 163 May 22 1995 codified at 44 USC 101 note
pp1033
View ICR
supra
note 940
pp1034
IdppFR Doc 202430983 Filed 122724 415 pmppBILLING CODE 415301Pp
This site displays a prototype of a Web 20 version of the daily
Federal Register It is not an official legal edition of the Federal
Register and does not replace the official print version or the official
electronic version on GPOs govinfogov
pp
The documents posted on this site are XML renditions of published Federal
Register documents Each document posted on the site includes a link to the
corresponding official PDF file on govinfogov This prototype edition of the
daily Federal Register on FederalRegistergov will remain an unofficial
informational resource until the Administrative Committee of the Federal
Register ACFR issues a regulation granting it official legal status
For complete information about and access to our official publications
and services go to
About the Federal Register
on NARAs archivesgov
pp
The OFRGPO partnership is committed to presenting accurate and reliable
regulatory information on FederalRegistergov with the objective of
establishing the XMLbased Federal Register as an ACFRsanctioned
publication in the future While every effort has been made to ensure that
the material on FederalRegistergov is accurately displayed consistent with
the official SGMLbased PDF version on govinfogov those relying on it for
legal research should verify their results against an official edition of
the Federal Register Until the ACFR grants it official status the XML
rendition of the daily Federal Register on FederalRegistergov does not
provide legal notice to the public or judicial notice to the courts
pp
Enter a search term or FR citation eg
88 FR 382
30 FR 7878
202413208
USDA
090524
RULE
0503AA39
SORN
pp
Choosing an item from
full text search results
will bring you to those results Pressing enter in the search box
will also bring you to search results
Choosing an item from
suggestions
will bring you directly to the content
pp
Background and more details are available in the
Search Navigation
guide
pp
A Proposed Rule by the Health and Human Services Department on 01062025
pp
This document has a comment period that ends in 41 days
03072025
Submit a public comment
pp
Thank you for taking the time to create a comment Your input is important
pp
Once you have filled in the required fields below you can preview andor submit your comment to the Health and Human Services Department for review All comments are considered public and will be posted online once the Health and Human Services Department has reviewed them
pp
You can view alternative ways to comment or you may also comment via Regulationsgov at httpswwwregulationsgovcommentonHHSOCR202400200001
pp
Note You can attach your comment as a file andor attach supporting
documents to your comment
Attachment Requirements
ppthis will NOT be posted on regulationsgovppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatpp
This table of contents is a navigational tool processed from the
headings within the legal text of Federal Register documents
This repetition of headings to form internal navigation links
has no substantive legal effect
pp
Comments are being accepted Submit a public comment
pp
41 comments
have
been received at Regulationsgov
pp
Agencies review all submissions and may choose to redact or withhold
certain submissions or portions thereof Submitted comments may not be
available to be read until the agency has approved them
pp
FederalRegistergov retrieves relevant information about this document
from Regulationsgov to provide users with additional context This
information is not part of the official Federal Register document
pp
Document page views are updated periodically throughout the day and are
cumulative counts for this document Counts are subject to sampling
reprocessing and revision up or down throughout the day
pp
This document is also available in the following formats
pp
More information and documentation can be found in our
developer tools pages
pp
This PDF is the current
document as it appeared on Public Inspection on
12272024 at 415 pm
pp
It was viewed
16
times while on Public Inspection
pp
If you are using public inspection listings for legal research you
should verify the contents of the documents against a final official
edition of the Federal Register Only official editions of the
Federal Register provide legal notice of publication to the public and judicial notice
to the courts under 44 USC 1503 1507
Learn more here
ppThis document has been published in the Federal Register Use the PDF linked in the document sidebar for the official electronic formatpp
Document headings vary by document type but may contain
the following
pp
See the
Document Drafting Handbook
for more details
ppOffice for Civil Rights OCR Office of the Secretary Department of Health and Human ServicesppNotice of proposed rulemaking notice of Tribal consultationppThe Department of Health and Human Services HHS or Department is issuing this notice of proposed rulemaking NPRM to solicit comment on its proposal to modify the Security Standards for the Protection of Electronic Protected Health Information Security Rule under the Health Insurance Portability and Accountability Act of 1996 HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 HITECH Act The proposed modifications would revise existing standards to better protect the confidentiality integrity and availability of electronic protected health information ePHI The proposals in this NPRM would increase the cybersecurity for ePHI by revising the Security Rule to address changes in the environment in which health care is provided significant increases in breaches and cyberattacks common deficiencies the Office for Civil Rights has observed in investigations into Security Rule compliance by covered entities and their business associates collectively regulated entities other cybersecurity guidelines best practices methodologies procedures and processes and court decisions that affect enforcement of the Security Rulepppp
Comments
Submit comments on or before March 7 2025
pp
Meeting
Pursuant to Executive Order 13175 Consultation and Coordination with Indian Tribal Governments the Department of Health and Human Services Tribal Consultation Policy and the Departments Plan for Implementing Executive Order 13175 the Office for Civil Rights solicits input from Tribal officials as the Department develops the modifications to the HIPAA Security Rule at 45 CFR part 160 and subparts A and C of 45 CFR part 164 The Tribal consultation meeting will be held on February 6 2025 at 2 pm to 330 pm eastern time
ppYou may submit comments identified by RIN Number 0945AA22 by any of the following methods Please do not submit duplicate commentsppPlease note that comments submitted by fax or email and those submitted after the comment period will not be acceptedpp
Inspection of Public Comments
All comments received by the accepted methods and due date specified above may be posted without change to content to
httpswwwregulationsgov
which may include personal information provided about the commenter and such posting may occur after the closing of the comment period However the Department may redact certain nonsubstantive content from comments or attachments to comments before posting including threats hate speech profanity sensitive health information graphic images promotional materials copyrighted materials or individually identifiable information about a thirdparty individual other than the commenter In addition comments or material designated as confidential or not to be disclosed to the public will not be accepted Comments may be redacted or rejected as described above without notice to the commenter and the Department will not consider in rulemaking any redacted or rejected content that would not be made available to the public as part of the administrative record
pp
Docket
For complete access to background documents the plainlanguage summary of the proposed rule of not more than 100 words in length required by the Providing Accountability Through Transparency Act of 2023 or posted comments go to
httpswwwregulationsgov
and search for Docket ID number HHSOCR0945AA22
pp
Tribal consultation meeting
To participate in the Tribal consultation meeting you must register in advance at
httpshhsgovzoomgovcommeetingregistervJItdOyhrjgoHxJWMDxozrxT98yXyCO3lkspp
Marissa GordonNguyen at 202 2403110 or 800 5377697 TDD or by email at
OCRPrivacyhhsgovppThe discussion below includes an Executive Summary a description of relevant statutory and regulatory authority and history the justification for this proposed regulation a sectionbysection description of the proposed modifications and a regulatory impact analysis and other required regulatory analyses The Department solicits public comment on all aspects of the proposed rule The Department requests that persons commenting on the provisions of the proposed rule label their discussion of any particular provision or topic with a citation to the section of the proposed rule being addressed and identify the particular request for comment being addressed if applicableppI Executive SummaryppA OverviewppB ApplicabilityppC Table of AbbreviationsCommonly Used Acronyms in This DocumentppII Statutory Authority and Regulatory HistoryppA Statutory Authority and Historypp1 Health Insurance Portability and Accountability Act of 1996 HIPAApp2 Health Information Technology for Economic and Clinical Health HITECH ActppB Regulatory Historypp1 1998 Security Rule Notice of Proposed Rulemakingpp2 2003 Final Rulepp3 2009 Delegation of Authoritypp4 2013 Omnibus RulemakingppIII Justification for This Proposed RulemakingppA Strong Security Standards Are Essential to Protecting the Confidentiality Integrity and Availability of ePHI and Ensuring Quality and Efficiency in the Health Care SystemppB The Health Care Environment Has Changed Since the Security Rule Was Last Revised and Will Continue To EvolveppC Regulated Entities Compliance With the Requirements of the Security Rule Is InconsistentppD It Is Reasonable and Appropriate To Strengthen the Security Rule To Address the Changes in the Health Care Environment and Clarify the Compliance Obligations of Regulated Entitiespp
1 Congress and the Department Anticipated That Security Standards
print page 899
Safeguards Would Evolve To Address Changes in the Health Care Environment
pp2 NCVHS Believes That the Security Standards Evolve To Address Changes in the Health Care Environmentpp3 A Strengthened Security Rule Would Continue To Be Flexible and Scalable While Providing Regulated Entities With Greater Claritypp4 Small and Rural Health Care Providers Must Implement Strong Security Measures To Provide Efficient and Effective Health Carepp5 A Strengthened Security Rule Is Critical to an Efficient and Effective Health Care SystemppE The Secretary Must Develop Standards for the Security of ePHI Because None Have Been Developed by an ANSIAccredited Standard Setting OrganizationppIV SectionbySection Description of the Proposed Amendments to the Security RuleppA Section 160103Definitionspp1 Current Provisionpp2 Issues To Addresspp3 Proposalspp4 Request for CommentppB Section 164304Definitionspp1 Clarifying the Definition of Accesspp2 Clarifying the Definition of Administrative Safeguardspp3 Clarifying the Definition of Authenticationpp4 Clarifying the Definition of Availabilitypp5 Clarifying the Definition of Confidentialitypp6 Adding Definitions of Deploy and Implementpp7 Adding a Definition of Electronic Information Systempp8 Modifying the Definition of Information Systempp9 Modifying the Definition of Malicious softwarepp10 Adding a Definition of Multifactor Authentication MFApp11 Clarifying the Definition of Passwordpp12 Clarifying the Definition of Physical Safeguardspp13 Adding a Definition of Relevant Electronic Information Systempp14 Adding a Definition of Riskpp15 Clarifying the Definitions of Security or Security Measures and Security Incidentpp16 Adding Definitions of Technical Controlspp17 Modifying the Definition of Technical Safeguardspp18 Adding a Definition of Technology Assetpp19 Adding a Definition of Threatpp20 Clarifying the Definition of Userpp21 Adding a Definition of Vulnerabilitypp22 Clarifying the Definition of Workstationpp23 Request for CommentppC Section 164306Security Standards General Rulespp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppD Section 164308Administrative Safeguardspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppE Section 164310Physical Safeguardspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppF Section 164312Technical Safeguardspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppG Section 164314Organizational Requirementspp1 Section 164314a1Standard Business Associate Contracts or Other Arrangementspp2 Section 164314b1Standard Requirements for Group Health Planspp3 Request for CommentppH Section 164316Documentation Requirementspp1 Current Provisionspp2 Issues To Addresspp3 Proposalspp4 Request for CommentppI Section 164318Transition Provisionspp1 Current Provisions and Issues To Addresspp2 Proposalpp3 Request for CommentppJ Section 164320SeverabilityppK New and Emerging Technologies Request for Informationpp1 Quantum Computingpp2 Artificial Intelligence AIpp3 Virtual and Augmented Reality VR and ARpp4 Request for CommentppV Regulatory Impact AnalysisppA Executive Order 12866 and Related Executive Orders on Regulatory Reviewpp1 Summary of Costs and Benefitspp2 Baseline Conditionspp3 Costs of the Proposed Rulepp4 Benefits of the Proposed Rulepp5 Comparison of Benefits and CostsppB Regulatory Alternatives to the Proposed RuleppC Regulatory Flexibility ActSmall Entity AnalysisppD Executive Order 13132FederalismppE Assessment of Federal Regulation and Policies on FamiliesppF Paperwork Reduction Act of 1995pp1 Explanation of Estimated Annualized Burden Hourspp
In this notice of proposed rulemaking NPRM the Department of Health and Human Services HHS or Department proposes modifications to the Security Standards for the Protection of Electronic Protected Health Information Security Rule issued pursuant to section 262a of the Administrative Simplification provisions of title II subtitle F of the Health Insurance Portability and Accountability Act of 1996 HIPAA1
The Security Rule 2
is one of several rules collectively known as the HIPAA Rules3
that protect the privacy and security of individuals protected health information 4
PHI which is individually identifiable health information 5
IIHI transmitted by or maintained in electronic media or any other form or medium with certain exceptions6
The Security Rule applies only to electronic PHI ePHI which is IIHI that is transmitted by or maintained in electronic media7
pp
The Security Rule was initially published in 2003 and most recently revised in 20138
Since its publication there have been significant changes to the environment in which health care is provided and how the health care industry operates Today cybersecurity is a concern that touches nearly every facet of modern health care certainly more than it did in 2003 or even 2013
print page 900
Almost every stage of modern health care relies on stable and secure computer and network technologies including but not limited to the following appointment scheduling prescription orders telehealth visits medical devices patient records medical and pharmacy claims submissions and billing insurance coverage verifications payroll facilities access and management internal and external communications and clinician resources These tools and technologies are an integral part of the modern health care system but they also present opportunities for bad actors to cause harm through hacking ransomware and other means Covered entities and business associates collectively regulated entities may also experience malfunctions and inadvertent errors that threaten the confidentiality integrity or availability of ePHI Thus cyberattacks malfunctions and inadvertent errors can negatively affect the provision of health care as well as the efficiency and effectiveness of the health care system
pp
As discussed in greater detail below in recent years there has been an alarming growth in the number of breaches affecting 500 or more individuals reported to the Department the overall number of individuals affected by such breaches and the rampant escalation of cyberattacks using hacking and ransomware The Department is concerned by the increasing numbers of breaches and other cybersecurity incidents experienced by regulated entities We 9
are also increasingly concerned by the upward trend in the numbers of individuals affected by such incidents and the magnitude of the potential harms from such incidents10
pp
In recognition of those potential harms and the health care sectors importance to the economy and security of the US the President has designated Healthcare and Public Health as a critical infrastructure sector 11
and the Department as the Sector Risk Management Agency SRMA12
In addition to address concerns about the increasing level of cybercrime the President has charged Federal agencies with establishing and implementing minimum requirements for risk management and robustly enforcing those requirements and Federal laws to help manage that risk13
We believe that a comprehensive and updated Security Rule is critical to accomplishing these directives and to the Departments effectiveness as the SRMA for the Healthcare and Public Health sector
pp
In further recognition of these concerns States have promulgated or are in the process of promulgating regulations that would require the adoption of certain standards or measures for the protection of sensitive information such as PHI14
While these proposed regulations may contain helpful guidance for regulated entities none specifically focus on ensuring the security of ePHI and the information systems that create receive maintain or transmit ePHI Additionally a patchwork of Statespecific laws may create difficulties for regulated entities that are located or operate in multiple States Several entities including Federal agencies have published and maintained guidelines best practices methodologies procedures and processes for protecting the security of sensitive information including PHI Some examples of these resources include the National Institute of Standards and Technologys NISTs Cybersecurity Framework 15
the HHS 405d Programs Health Industry Cybersecurity Practices Managing Threats and Protecting Patients 16
the Federal Trade Commissions FTCs Start with Security A Guide for Business 17
and the Departments Cybersecurity Performance Goals CPGs18
We believe that the proliferation of such documents in recent years has been helpful and we have considered them in the development of this NPRM However in light of the increasing number and sophistication of cybersecurity incidents we do not believe that these documents are sufficiently instructive for regulated entities to help improve their compliance with the Security Rule
pp
Under its statutory authority to administer and enforce the HIPAA Rules the Department modifies the HIPAA Rules as needed but does not modify a standard or implementation specification more than once every 12 months19
The Department makes the determination that such modifications may be needed using information it receives on an ongoing basisfrom the Departments Federal advisory committee on HIPAA the public regulated entities media reports and its own analysis of the state of privacy and security for IIHI As referenced above and discussed in greater detail below while the Department believes that the Security Rule generally continues to accomplish the goals of HIPAA20
we believe that it would be appropriate to consider modifying the Security Rule to address the following
pp
The effective date of a final rule would be 60 days after publication21
Regulated entities would have until the compliance date to establish and implement policies procedures and practices to achieve compliance with any new or modified standards
print page 901
Regulated entities would be permitted to comply earlier than the compliance date but the Department would not take action against them for noncompliance with the proposed changes that occurs before the compliance date Except as otherwise provided 45 CFR 160105 provides that regulated entities must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change The Department has previously noted that the 180day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions22
However the compliance period cannot be less than the statutory minimum of 180 days23
ppWhile we recognize that we are proposing to substantially revise the regulatory text the Department believes that most of the existing Security Rules obligations for regulated entities would not be substantially changed by the proposed modifications Instead the proposed modifications would explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text For example regulated entities are already required to conduct an accurate and thorough risk analysis While not specified in the regulatory text of the Security Rule an accurate and thorough risk analysis requires a regulated entity to perform an inventory of its technology assets determine how ePHI moves through its information systems and identify the locations within its information systems or components thereof where ePHI may be created received maintained or transmitted Applying such an approach protects ePHI across all phases of the data lifecycle consistent with the purpose of the Security Rule The proposals to require a regulated entity to inventory its technology assets and map the movement of ePHI through its information systems would illuminate considerations to be included in the regulated entitys risk analysispp
As another example implementing a mechanism to encrypt ePHI is an addressable implementation specification under the standard for access control at 45 CFR 164312a2iv Under the existing Security Rule a regulated entity must assess whether encryption is a reasonable and appropriate safeguard in its environment when analyzed with reference to its likely contribution to protecting ePHI and implement encryption if reasonable and appropriate24
If encryption is not reasonable and appropriate a regulated entity must document why it would not be reasonable and appropriate for it to implement the safeguard and must implement an equivalent alternative measure if reasonable and appropriate25
As discussed in greater detail below encryption is built into most software today and where it is not there are affordable and easily implemented solutions that can encrypt sensitive information Thus it generally would be reasonable and appropriate for regulated entities to implement a mechanism to encrypt ePHI and regulated entities should already have done so in most circumstances By expressly requiring regulated entities to encrypt ePHI with limited exceptions the Departments proposal would reflect our expectations in the current cybersecurity environment and eliminate the need for regulated entities to perform an analysis of whether encryption is reasonable and appropriate
ppThus most of the modifications we are proposing would provide regulated entities with greater clarity and specificity regarding how to fulfill their obligations and the Departments expectationspp
Accordingly we do not believe that the proposed rule would pose unique implementation challenges that would justify an extended compliance period
ie
a period longer than the standard 180 days provided in 45 CFR 160105 Further the Department believes that adherence to the standard compliance period is necessary to timely address the circumstances described in this NPRM Thus the Department proposes to apply the standard compliance date of 180 days after the effective date of a final rule26
pp
To help reduce administrative burdens on regulated entities the Department proposes to add a provision at 45 CFR 164318 affording regulated entities a transition period beyond the 180day compliance period to modify business associate contracts herein referred to as business associate agreements or other written arrangements 27
that would qualify for the longer transition period as discussed further below
ppThe Department seeks comment on the proposed compliance period and transition periodppAs used in this preamble the following terms and abbreviations have the meanings noted belowpp
In 1996 Congress enacted HIPAA 28
to reform the health care delivery system to improve portability and continuity of health insurance coverage in the group and individual markets 29
and to simplify the administration of health insurance 30
Through subtitle F of HIPAA Congress amended title XI of the Social Security Act of 1935 SSA by adding part C entitled Administrative Simplification 31
A primary purpose of part C is to improve the Medicare and Medicaid programs and the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information 32
pp
Congress recognized that the development of a health information system that enabled the electronic transmission of IIHI as required by HIPAA would pose risks to the privacy of confidential health information and viewed individual privacy confidentiality and data security as critical to support the shift from a paperbased recordkeeping system for health information to a digital one33
Congress intended for the law to enhance individuals trust in health care providers which required that the law provide additional protection for the confidentiality of IIHI As described by a Member of Congress at the time of the laws passage this standardization however accelerates the creation of large databases containing personally identifiable information All this information is transmitted over electronic networks We need to be very careful about how safe and secure that information is from prying eyes Some of it may be extremely sensitive and could be used in a malicious or discriminatory manner 34
Moreover Congress considered that health care reform required an approach that would not compromise privacy as health information became more accessible35
pp
Congress applied the Administrative Simplification provisions directly to three types of persons referred to in regulation as covered entities health plans health care clearinghouses and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard36
Under HIPAA covered entities are required to maintain reasonable and appropriate administrative physical and technical safeguards 37
to 1 ensure the integrity and confidentiality of information 38
2 protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information 39
and 3 otherwise ensure compliance with HIPAA by the officers and employees of covered entities40
pp
HIPAA required the Secretary to adopt uniform standards to enable health information to be exchanged electronically 41
Congress also directed the Secretary to among other things adopt standards for the security of IIHI42
The statute also directed the Secretary to adopt initial security standards within 18 months of its
print page 903
enactment43
In adopting security standards for health information HIPAA requires the Secretary to consider all of the following 44
pp
Congress contemplated that the Departments rulemaking authorities under HIPAA would not be static In fact Congress specifically built in a mechanism to adapt such regulations as technology and health care evolve directing the Secretary to review and adopt modifications to the Administrative Simplification standards including the security standards as determined appropriate but not more frequently than once every 12 months46
That statutory directive complements the Secretarys general rulemaking authority to make and publish such rules and regulations as may be necessary to the efficient administration of the functions with which the Secretary is charged47
The Secretary may adopt either a standard developed adopted or modified by a standard setting organization that relates to a standard that the Secretary is authorized or required to adopt under the Administrative Simplification provisions or a standard that is different if the different standard will substantially reduce administrative costs to health care providers and health plans48
If no standard has been adopted by any standard setting organization the Secretary shall rely on the recommendations of the National Committee on Vital and Health Statistics NCVHS and consult with Federal and State agencies and private organizations49
pp
On February 17 2009 Congress enacted the Health Information Technology for Economic and Clinical Health Act of 2009 HITECH Act part of the American Recovery and Reinvestment Act of 2009 ARRA50
promoting the nationwide adoption and standardization of health information technology health IT to support the electronic sharing of clinical data The HITECH Act created financial incentives for health IT use among health care practitioners by providing funding for investing in health IT infrastructure purchasing certified electronic health records EHRs and training on and the dissemination of best practices to integrate health IT51
The Purpose statement of an accompanying House of Representatives report 52
on the Energy and Commerce Recovery and Reinvestment Act 53
recognizes that widespread health IT adoption has the potential to ameliorate many of the quality and efficiency problems endemic to our health care system Congress also understood that ensuring the privacy and security of electronic health information is critical to the success of this immense effort to promote health IT adoption54
As a result the HITECH Act also introduced substantial changes to the HIPAA regulations by mandating stronger safeguards for the privacy and security of ePHI55
pp
The HITECH Acts security requirements focused on safeguarding an individuals health information while allowing covered entities to rapidly adopt new technologies to improve the quality and efficiency of patient care56
Specifically the HITECH Act extends the application of the Security Rules provisions on administrative physical and technical safeguards and documentation requirements to business associates of covered entities making those business associates subject to civil and criminal liability for violations of the Security Rule57
The HITECH Act also requires existing business associate agreements to incorporate new security requirements58
Additionally the HITECH Act requires the Secretary to regularly issue guidance on the most effective and appropriate technical safeguards59
pp
In enacting the HITECH Act Congress affirmed that the existing HIPAA Rules were to remain in effect to the extent that they are consistent with the HITECH Act and directed the Secretary to revise the HIPAA Rules as necessary for consistency with the HITECH Act60
Congress confirmed that the new law was not intended to have any effect on authorities already granted under HIPAA to the Department including part C of title XI of the SSA61
Thus Congress affirmed the Secretarys ongoing rulemaking authority to modify the Security Rules standards and implementation specifications as often as every 12 months when appropriate including to strengthen security protections for IIHI
pp
In 2021 the HITECH Act was amended to require the HHS Secretary to further encourage regulated entities to bolster their cybersecurity practices62
The amendment requires the Department to consider certain recognized security practices of regulated entities when making determinations relating to certain Security Rule compliance and enforcement activities63
pp
The Security Rule requires regulated entities to implement administrative physical and technical safeguards to
print page 904
protect ePHI64
Specifically regulated entities must ensure the confidentiality integrity and availability of all ePHI they create receive maintain or transmit 65
protect against reasonably anticipated threats or hazards to the security or integrity of the information 66
and reasonably anticipated impermissible uses or disclosures 67
and ensure compliance by their workforce68
pp
The Administrative Simplification provisions of HIPAA instructed the Secretary to adopt several standards concerning electronic transmission of health information including those for the security of health information69
In accordance with these provisions the Department published the Security and Electronic Signature Standards Proposed Rule 1998 Proposed Rule on August 12 199870
pp
In support of developing the national standards mandated under HIPAAs Administrative Simplification provisions the Secretary with significant input from the health care industry defined a set of principles for guiding choices for the standards to be adopted by the Secretary71
The principles were based on direct specifications in HIPAA and also took the purpose of the law and generally desirable principles into account Based on this work the Department proposed that each HIPAA standard should be clear and unambiguous but technology neutral improve the efficiency and effectiveness of the health care system meet the needs of covered entities related to ease of use and affordability of adoption and maintain consistency or alignment with other HIPAA standards adopted by an organization accredited by the American National Standards Institute ANSI and using the ANSI process for adopting such standards72
pp
In describing its general approach to the 1998 Proposed Rule the Department defined the security standard as a set of requirements with implementation features that covered entities must include in their operations to assure the security of individuals ePHI73
The security standard was based on three basic concepts that were derived from the Administrative Simplification provisions of HIPAA and consistent with the characteristics the Department identified as appropriate for all HIPAA Rules74
First the standard should be comprehensive and coordinated to address all aspects of security Second it should be scalable so that it could be effectively implemented by covered entities of all types and sizes Third it should not be linked to specific technologies allowing covered entities the flexibility to make use of future technology advancements75
ppThe 1998 Proposed Rule included four categories of requirements that a covered entity would have to address to safeguard the confidentiality integrity and availability of ePHI They were as followspp
The implementation specifications described some of the requirements in greater detail based on our determination regarding the level of instruction necessary to implement such requirements76
The Department viewed all categories as equally important77
pp
The proposed standard did not address the extent to which a covered entity should implement the specifications78
Instead the Department proposed to require that each covered entity assess its own security needs and risks and devise implement and maintain appropriate security to address its business requirements The Department believed that this approach would leave a significant amount of flexibility for covered entities and balance the needs of securing health data against risk with the economic cost of doing so79
pp
The Department issued the final Security Rule 80
on February 20 2003 2003 Final Rule In accordance with the Administrative Simplification provisions of HIPAA the 2003 Final Rule adopted standards for the security of ePHI to be implemented by covered entities
pp
The Department reiterated the purposes and guiding principles it articulated in the 1998 Proposed Rule and repeated that the protection of the privacy of information depends in large part on the existence of security measures to protect that information81
The Department noted that there were still no standard measures in the health care industry that address all aspects of the security of ePHI while it is being stored or during the exchange of that information between entities82
The Department explained that the use of the security standards would improve the Medicare and Medicaid programs other Federal health programs and private health programs and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for ePHI83
pp
Provisions of the 2003 Final Rule did not mirror the 1998 Proposed Rule rather the Department finalized only certain changes The Department noted for example that to maintain consistency with the use of terms as they appear in the statute and other previously released HIPAA Rules
ie
the HIPAA Privacy and Transactions Rules it was changing some terminology from the 1998 Proposed Rule replacing the terms requirement with standard and implementation feature with implementation specification 84
pp
According to the Department the comments received in response to the 1998 Proposed Rule overwhelmingly validated its basic assumptions that the covered entities were so varied in terms of installed technology size resources and relative risk that it would be impossible to dictate a specific solution or set of solutions that would be usable by all covered entities85
Similarly we received numerous comments expressing the view that the security standards should not be overly prescriptive because the speed with which technology is evolving could make specific requirements obsolete and might in fact deter technological progress Accordingly the Department framed the standards in the 2003 Final Rule in terms that were as generic as possible and that could generally be met through a variety of approaches or technologies86
The standards we
print page 905
explained do not allow organizations to make their own rules only their own technology choices87
pp
We also recognized that entities could minimize risk through their security practices but likely could never completely eliminate all risk In the preamble to the 2003 Final Rule the Department acknowledged that there is no such thing as a totally secure system that carries no risks to security88
The Department opined that Congress intent in the use of the word ensure in section 1173d of the SSA was to set an exceptionally high goal for the security of ePHI However we also recognized that Congress anticipated that some tradeoffs would be necessary and that ensuring protection did not mean doing so without any regard to the cost89
As such the Department explained that we expected a covered entity to protect that information to the best of its ability90
Thus a covered entity would be expected to balance the identifiable risks to and vulnerabilities of ePHI with the cost of various protective measures while also taking into consideration the size complexity and capabilities of the covered entity91
pp
In the 2003 Final Rule the Department introduced the concept of addressable implementation specifications which it distinguished from required implementation specifications The goal was to provide covered entities with even more flexibility92
While none of the implementation specifications were optional designating some of the implementation specifications as addressable provided each covered entity with the ability to determine whether certain implementation specifications were reasonable and appropriate safeguards for that entity based on its risk analysis risk mitigation strategy previously implemented security measures and the cost of implementation93
pp
On October 7 2003 the Secretary delegated authority for administering and enforcing the Security Rule to the Administrator of the Centers for Medicare Medicaid Services CMS94
The Secretary issued a notice on August 4 2009 superseding the previous delegation and replacing it with a delegation authority to the Director of OCR effective July 27 200995
pp
Following the enactment of the HITECH Act the Department issued an NPRM entitled Modifications to the HIPAA Privacy Security and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health HITECH Act 2010 Proposed Rule96
to propose implementation of certain HITECH Act requirements In the 2010 Proposed Rule the Department noted that it had not amended the Security Rule since 200397
We further explained that information gleaned from contact with the public since that time OCRs enforcement experience and technical corrections needed to eliminate ambiguity provided the impetus for the Departments actions to propose certain regulatory changes beyond those required by the HITECH Act98
pp
In 2013 the Department issued the final rule Modifications to the HIPAA Privacy Security Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health HITECH Act and the Genetic Information Nondiscrimination Act and Other Modifications to the HIPAA Rules 2013 Omnibus Rule99
which implemented applicable provisions of the HITECH Act to strengthen security protections for individuals health information maintained in EHRs
pp
For example the Department modified the Security Rule to implement the HITECH Acts provisions that extended direct liability for compliance with the Security Rule to business associates100
We explained that before the enactment of the HITECH Act the Security Rule did not directly apply to business associates of covered entities The HITECH Act extended the application of the Security Rules administrative physical and technical safeguards requirements as well as the rules policies and procedures and documentation requirements to business associates in the same manner as the requirements apply to covered entities making those business associates civilly and criminally liable for violations of the Security Rule101
The Department noted that the Security Rule requires a covered entity to establish business associate agreements that obligate business associates to implement administrative physical and technical safeguards that reasonably and appropriately protect the confidentiality integrity and availability of the ePHI that they create receive maintain or transmit on behalf of the covered entity102
Accordingly we reasoned that business associates and subcontractors should already have security practices in place that comply with the Security Rule or require only modest improvement to come into compliance with the Security Rule requirements103
Like the 2003 Final Rule104
the 2013 Omnibus Rule highlighted that the Security Rule was designed to be technology neutral and scalable and reiterated that regulated entities have the flexibility to choose security measures appropriate for their size resources and the nature of the security risks they face105
Accordingly regulated entities have the flexibility to choose appropriate security measures considering their size capabilities the costs of the specific security measures and the operational impact enabling them to reasonably implement the standards of the Security Rule
pp
The Department also adopted technical revisions to 45 CFR 164306e to clarify that regulated entities must review and modify security measures as needed to ensure reasonable and appropriate protection of ePHI and update documentation of security measures accordingly106
pp
Finally because the HITECH Act made business associates directly liable for compliance with the Security Rule the 2013 Omnibus Rule modified the Security Rule to clarify that a covered entity is not required to obtain satisfactory assurance from a business associate that is a subcontractor that the subcontractor will appropriately safeguard its ePHI Rather the business
print page 906
associate of the covered entity must obtain the required satisfactory assurances from the subcontractor to protect the security of ePHI107
pp
HIPAA and the HIPAA Rules promote access to highquality and effective health care by establishing standards for the security of ePHI The standards when implemented appropriately by regulated entities protect the confidentiality integrity and availability of individuals health information Such protections promote the electronic transmission of PHI through a national health information system To ensure access to highquality health care services regulated entities must assure their customers
eg
individuals health care providers and health plans of the security of the sensitive and confidential health information the regulated entities electronically create receive maintain or transmit
pp
As discussed above the Security Rule carefully balances the benefits of safeguarding against security risks with the burdens of implementing protective measures by permitting regulated entities to consider several factors including costs and available technology for preventing and mitigating security risks108
when determining which security measures are reasonable and appropriate for protecting the security of individuals ePHI109
pp
For example the Security Rule requires that a regulated entity implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed while ensuring that users who are authorized to access such information systems and facilities are permitted to do so110
The implementation specifications associated with this standard only address the need for operationalized policies and procedures related to specific aspects of physical security111
They do not dictate the specifics of such policies and procedures because we recognize that the nature of the physical safeguards should depend on the type of regulated entity its size its level of access to ePHI and a number of other factors
pp
Since the Security Rules promulgation in 2003 the environment in which health care is provided and in which regulated entities operate has changed significantly including transformative changes in how regulated entities create receive maintain and transmit ePHI For example as of 2021 almost 80 percent of physician offices and 96 percent of hospitals had adopted certified EHRs112
The use of health IT including EHRs certified or otherwise has led to enormous advancements in the fields of medicine and public health not only improving outcomes for individuals but also assisting in addressing the social economic and environmental factors that affect health on an individual and community level113
And the electronic exchange of health information spurred by HIPAA the HITECH Act and the 21st Century Cures Act Cures Act114
has enabled regulated entities and others to more quickly and efficiently share individuals health information increasing the quality and efficiency of health care increasing patient engagement and reducing administrative burden115
However the widespread use of health IT systems makes it even more critical for regulated entities regardless of their size or location to fully assess the risks and vulnerabilities to ePHI and their information systems and implement strong security measures to address those risks and vulnerabilities
pp
Experts repeatedly have expressed concern regarding the state of cybersecurity in the health care industry116
For example in a 2017 report to Congress experts convened by the Department pronounced Now more than ever all health care delivery organizations have a greater responsibility to secure their systems medical devices and patient data 117
This responsibility has only increased as the delivery of health care and the exchange of PHI have increasingly shifted to cyberspace
pp
Despite advancements in technology including health IT the core requirements of the Security Rule remain relevant and applicable today In fact they serve as a foundation for more recently promulgated cybersecurity guidelines best practices processes and procedures Security management regular monitoring and review of information system activity information access management security awareness and training contingency planning encryption and authentication all continue to be represented in the most wellknown cybersecurity frameworks including the NISTs Cybersecurity Framework118
the HHS 405d Programs Health Industry Cybersecurity Practices Managing
print page 907
Threats and Protecting Patients 119
and the Departments CPGs120
pp
While these concepts remain highly relevant and applicable the Department has concerns regarding the sufficiency of the security measures implemented by regulated entities OCRs experience investigating allegations of Security Rule violations reports received by OCR of breaches of unsecured PHI and the results of the audits conducted by OCR in 20162017 demonstrate that regulated entities are not consistently complying with the Security Rules requirements121
Additionally the Department is concerned about the extent to which regulated entities have updated their security measures to adjust to the changes in the health care environment and their operations including new and emerging threats to the confidentiality integrity and availability of ePHI
pp
And the Department is not alone in its concerns NCVHS serves as the Departments advisory body for HIPAA122
Given the increase in cybersecurity incidents affecting the health care sector NCVHS held a series of public hearings on cybersecurity to better understand how to protect ePHI and individuals In response to those hearings NCVHS submitted several recommendations to the Department regarding the importance of strengthening the Security Rule123
As discussed above HIPAA requires the Secretary to rely on NCVHS recommendations 124
with respect to standards promulgated under the statute
ppGiven the importance of strong security measures the changed environment and operations for health care uncertainty expressed by regulated entities regarding their compliance obligations deficiencies identified by OCR in its investigations of regulated entities and the recommendations of NCVHS we believe that it is necessary and appropriate for the Department to propose modifications to clarify and strengthen the Security Rulepp
A primary purpose of HIPAAs Administrative Simplification provisions 125
is to among other things improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information 126
As Congress recognized when it enacted HIPAA protecting the security of ePHI is essential for accomplishing this goal Members of Congress acknowledged at that time that the provisions of HIPAA would create electronic databases of PHI enabling the PHI to be transmitted electronically with both the benefits and risks that accompany such electronic transactions127
Congressional statements leading up to HIPAAs enactment demonstrate Congress recognition of the potential risks of the shift from paper recordkeeping to electronic We need to be very careful about how safe and secure that information is from prying eyes Some of it may be extremely sensitive and could be used in a malicious or discriminatory manner 128
Accordingly HIPAA required the establishment of strict security standards for health information
pp
As discussed above the Security Rule as amended by the HITECH Act specifically requires regulated entities to maintain reasonable and appropriate administrative physical and technical safeguards to ensure the confidentiality integrity and availability of ePHI to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI and unauthorized uses or disclosures of ePHI and ensure compliance with the Administrative Simplification provisions by officers and workforce members of regulated entities129
pp
It is reasonable to anticipate that regulated entities will need to protect ePHI against cyberattacks and unauthorized uses and disclosures of ePHI by their workforce members Experts estimate the costs to the US from cyberattacks on health care facilities to be significant130
According to one study health care data breach costs to affected organizations have increased by more than 50 percent since 2020 making health care data breaches more expensive than data breaches in any other sector at an average cost of almost 101 million per breach131
Yet these costs though sizeable do not fully take into account the practical implications of poor or ineffective cybersecurity protocols A failure to implement adequate security measures may lead to financial loss reputational harm for affected individuals and affected regulated entities privacy loss and safety concerns132
Additionally breaches of unsecured PHI may lead to identity theft fraud stock manipulation and competitive disadvantage133
According to a study funded by the Institute for Critical Infrastructure Technology victims of medical identity theft incur on average costs of 13500 to recover from that theft134
Unlike financial information much of an individuals PHI is
print page 908
immutable For example an individuals date and location of birth and their health history will not change even if their address might In contrast an individuals passwords bank account numbers and other financial information can all be changed Thus PHI can continue to be exploited throughout an individuals lifetime making PHI likely to be far more valuable than an individuals credit card information135
pp
On the surface the harms that result from a breach of ePHI or a cyberattack on a regulated entitys electronic information systems as discussed above are not significantly different than those that would result from a breach of information in another sector However the reality is as discussed above that the implications of such harms are far greater in the health care sector because of their potential to adversely affect an individuals health or quality of life or even to cost an individual their life136
As stated by the Health Care Industry Cybersecurity Task Force in its 2017 report on the state of cybersecurity in health care The health care system cannot deliver effective and safe care without deeper digital connectivity If the health care system is connected but insecure this connectivity could betray patient safety subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs 137
In the event of a cybersecurity incident patients health including their lives may be at risk where such incident creates impediments to the provision of health care such as interference with the operations of a critical medical device or to the administrative or clinical operations of a regulated entity such as preventing the scheduling of appointments or viewing of an individuals health history138
pp
According to a Cybersecurity Infrastructure Security Agency CISA statistical analysis of the effects of a hypothetical cyberattack on a model hospital a hospitals relative performance will suffer amidst a cyberattack139
The analysis found that the hypothetical cyberattack would lead to hospital strain from inaccessible patient schedules and records disrupted communication and delays in processing and communicating test results in time to effectively treat individuals140
While the analysis did not find any deaths directly attributable to the hypothetical attack it is logical to conclude that deathsor at least worsened outcomesare a significant risk where there are disruptions in communications as well as delays in processing and communicating test results especially for emergent or acute medical cases For example an inability to access an individuals pharmacy records could affect the ability of a pharmacist to identify known interactions between newly prescribed medications and an existing medication list potentially leading to an individuals injury or death Other studies have similarly found that cyberattacks can have a substantial effect on access to health care and potentially mortality141
In fact a more recent study found that cyberattacks had disproportionately negative effects on inhospital mortality rates for Black patients who were already admitted to the hospital at the time of the cyberattack142
A recent survey found that 92 percent of surveyed health care organizations had experienced a cyberattack in the past year 143
and almost threequarters of the respondents who had experienced a cyberattack reported negative effects on patient care including delays in tests or procedures longer stays and increased mortality rates complications from medical procedures and patient transfers or diversions to other facilities144
A recent letter from NCVHS referenced anecdotal accounts of patient deaths that have been attributed to ransomware attacks145
For example in 2019 a ransomware attack may have contributed to a babys death at an Alabama hospital A change in the babys fetal heart rate went unnoticed because the large digital display that normally would have displayed the information was affected by the attack The baby born with her umbilical cord wrapped around her neck suffered severe brain damage and died nine months later146
pp
Cyberattacks can divert both human and machine resources leading to process slowdowns cancelled procedures delayed hospital or unit lockdowns and transfers increases in wait times for individuals both increases and decreases in staff utilization and a decrease in a health care providers capacity147
A 2020 cyberattack on a large integrated academic health system attributed to malicious software embedded in an email attachment opened by an employee on their laptop affected more than 5000 enduser devices across 1300 servers and led to revenue losses of more than 63 million148
Though the health care providers EHR was not infected it elected to shut the EHR down proactively Ultimately the covered entity experienced 39 days of downtime in outpatient imaging 149
pp
In another example a ransomware attack on an academic level 1 trauma center caused it to go without access to its EHR for 25 days150
and the attack affected 5000 computers and destroyed the trauma centers electronic information systems that contained ePHI The hospital lost access to its EHR internet and intranet which also removed functionality of hospital phones EHR integrated office and surgical scheduling access to digitized radiology studies and network account access through local and remote computers 151
pp
These serious incidents and resulting effects demonstrate the importance of planning and preparing for a potential
print page 909
cyberattack or other event that adversely affects a regulated entitys information systems While such planning and preparation may not prevent all cyberattacks it can reduce the number of successful incidents and mitigate their effects In fact studies have suggested that such preparation may allow for at least close to realtime recovery152
pp
The effects of a cyberattack are not limited to the regulated entity that experiences it and the individuals whose ePHI is compromised Surveys conducted by various organizations representing health care providers indicate that an overwhelming majority of health care providers in the US were affected by a ransomware attack on a large health care clearinghouse153
A study published in 2023 examined the effects on the of a cyberattack at a neighboring unaffiliated hospital on a large academic medical center154
The study found that the academic medical center experienced among other things significant increases in the number of patients admitted ambulance arrivals waiting room times and patients leaving without being seen The studys authors concluded that their findings suggested that health care cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters necessitating coordinated planning and response efforts 155
Thus implementing reasonable and appropriate security measures better protects not only the regulated entity and its ePHI but other regulated entities with whom it interacts and may reduce the effects of cyberattacks and other security incidents that adversely affect the confidentiality integrity or availability of ePHI
pp
As discussed above several industry organizations have published and maintained compilations of voluntary standards guidelines best practices methodologies procedures and processes for protecting the security of sensitive and confidential information including PHI Additionally certain Federal health programs now either require or recommend the adoption of specific criteria that are intended to protect the confidentiality integrity and availability of ePHI For example the Health IT Certification Program maintained by the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology ASTPONC 156
sets minimum requirements for certified health IT including criteria that pertain to cybersecurity157
These criteria are included in the Health IT Certification Programs Health IT Privacy and Security Framework158
which identifies
when technical capabilities to support
the privacy and security of electronic health information 159
must be included in certified health IT products Additionally health care providers that participate in certain Federal health programs must use health IT certified to these requirements160
Regulated entities also may want to consider adoption of certified health IT because it could contribute to compliance with the Security Rule We will continue to work across the Department to ensure the adoption of consistent requirements for Federal programs that support the secure electronic exchange of health information to the extent that such consistency is appropriate Throughout this preamble we provide examples of how a regulated entitys participation in other Federal programs that require the use of health IT certified through the ONC Health IT Certification Program or adoption of other Federal recommendations such as the HHS CPGs might support their compliance with the proposals in this NPRM
pp
Additionally as discussed above several organizations have published and maintained compilations of voluntary standards guidelines best practices methodologies procedures and processes for protecting the security of sensitive and confidential information including PHI These compilations and the State regulations discussed above range from granular 161
to highlevel 162
and from health carespecific 163
to industry agnostic164
Despite these differences these compilations and regulations have a great deal in common with each otherand with the Security Rule its longevity notwithstanding In fact the foundational elements of the Security Rule promulgated more than 20 years ago can still be found in cybersecurity compilations published today They generally either require or recommend administrative physical and technical safeguards to identify and mitigate risks and vulnerabilities implement authentication and access controls conduct security awareness and training for information system users and plan for contingencies and incident response165
Additionally these compilations all require or recommend the designation of a specific individual who is accountable for implementing the requirements or recommendations And importantly they all ultimately address how to maintain the
print page 910
confidentiality integrity and availability of sensitive and confidential information including ePHI
ppA major distinguishing factor between the content of the Security Rule and these compilations and regulations is the Security Rules scope The compilations and regulations are designed to protect various types of data and information systems broadly In comparison a defining quality of the Security Rules requirements is that they focus specifically on the protection of ePHI and the information systems that create receive maintain or transmit ePHI Thus while the foundational elements of various cybersecurity compilations and State regulations and the Security Rule may be the same the Security Rule alone addresses the application of those elements to ePHI and all of the components of information systems that create receive maintain or transmit ePHI Thus while the standards of the Security Rule generally align with those of other cybersecurity standards frameworks best practices guidelines processes and procedures the specific implementation specifications of the Security Rule reflect the particular sensitivities of the health care industry particularly small and rural health care providers in a way that is necessary to ultimately improve the efficiency and effectiveness of the health care system and avoid imposing unreasonable compliance burdens on regulated entitiespp
The health care sector has undergone a dramatic transformation over the last 24 years and particularly in the past 10 years spurred at least in part by the Departments implementation of HIPAA the HITECH Act and the Cures Act The industry has shifted from one that generally relied upon a system of paperbased recordkeeping and siloed devices to one that depends on interconnected information systems to maintain and exchange patient records conduct research run health care provider facility management systems and provide patient care166
This shift is largely the result of HIPAAs emphasis on the development and use of standards and the EHR incentive funds made available under the HITECH Act for health care providers167
Data from ASTPONC offer clear and convincing evidence of this shift In 2008 before the enactment of the HITECH Act less than 10 percent of nonFederal acute hospitals had implemented what was referred to at the time as a Basic EHR
ie
an electronic health record168
By 2015 six years after the enactment of the HITECH Act almost 84 percent had adopted a Basic EHR while 96 percent had adopted a certified EHR169
The transformation was further enabled by the Cures Act which encouraged the development of a trusted exchange framework for the nationwide exchange of health information and provided penalties for health care providers health information exchanges and networks and developers of certified health IT that engage in information blocking170
In 2014 41 percent of such hospitals routinely had electronic access to clinical information from outside providers or sources when treating a patient171
By 2023 70 percent of nonFederal acute care hospitals engaged in all domains of interoperable exchange routinely or sometimes a significant leap forward172
In 2017 only 38 percent of hospitals enabled patients to access their health information using an application and in 2018 57 percent enabled patient access to their clinical notes in their patient portal by 2021 70 percent of hospitals enabled patients to access their health information using an application and 82 percent enabled patients to view their clinical notes in their patient portal173
And just a year later the percentage of hospitals that supported patient access through applications increased to 86 percent174
Based on this data it is clear that HIPAA coupled with the HITECH Act and the Cures Act has successfully encouraged the development of a nationwide electronic health information system
pp
Not only is PHI increasingly maintained and transmitted electronically but treatment is also increasingly provided electronically The coronavirus disease 2019 COVID19 pandemic led to a dramatic increase in the use of telemedicine175
According
print page 911
to ONC data only 15 percent of officebased physicians used any form of telemedicine in 201819 In 2021 telemedicine usage increased to 87 percent176
The electronic content generated or transmitted during a telemedicine visit constitutes ePHI so the increase in telemedicine further increases the amount of PHI that is also ePHI
pp
It is not only the ePHI maintained in EHRs and other electronic recordkeeping systems that faces security risks Medical equipment and devices are increasingly connected through one or more networks which means that any issues affecting the network likely will affect the medical equipment and devices177
And some medical equipment and devices rely on offtheshelf operating systems such as Windows Linux and similar thirdparty software 178
thus the medical equipment and devices can experience the same vulnerabilities as personal computing devices Generally the US Food Drug Administration FDA does not need to review software patches or configuration updates for offtheshelf software before a device manufacturer puts them in place because the FDA views most patches and configuration updates as design changes that can be made without prior discussion179
pp
Cybercriminals may useor targettechnology assets such as software or medical devices used for treating individuals For example in 2021 a cyberattack on cloudbased systems supplied by a particular company compromised the ePHI of more than 200000 individuals and affected the software for linear accelerators used in radiotherapy leading to disruptions to cancer treatment180
Thus to protect technology assets used for treatment the information systems that create receive maintain and transmit ePHI also must be protected As another example in 2013 the Mayo Clinic 181
hired a group of ethical hackers 182
to identify vulnerabilities in 40 different medical devices183
The hackers were able to gain access to all of the devices meaning that the devices could all be vulnerable to a cyberattack184
Such attacks may create an opening for a subsequent attack on the device itself or on the regulated entitys information systems that create receive maintain or transmit ePHI compromising those information systems and the ePHI itself185
It also may lead intentionally or not to a loss of device integrity which could result in the corruption of the devices functionality or the ePHI on the device186
A cyberattack on a medical device may also reduce the ability of the authorized person to use the device
eg
a denial of service attack which is a type of cyberattack that overloads the device by flooding the network with traffic187
Depending on the device and its use the result of cyberattacks on a medical device could range from little or no effect to serious injury or death188
pp
According to researchers at Brown University medical devices are a prime target for cybercriminals In fact they believe More than just technically feasible the widespread takedown of medical devices is an imminent threat 189
A 2023 Government Accountability Office report on medical device cybersecurity described the importance of robust cybersecurity controls to ensure medical device safety and effectiveness because of the increasing integration of wireless internet and networkconnected capabilities and the electronic exchange of health information 190
The FDA has also acknowledged As electronic medical devices become increasingly connected to each other and to other technologies the ability of connected systems to safely securely and effectively exchange and use the information becomes critical Cybersecurity concerns rise along with the increasing medical device interoperability 191
Accordingly in 2023 the FDA issued updated guidance for industry and FDA staff on requirements for cybersecurity in medical devices192
pp
And then there are digital health applications When an application is deployed by a covered entity an application developer may be a business associate and subject to the Security Rule An application developer may also meet the HIPAA Rules definition of health care provider 193
and be a covered entity194
But also individuals are increasingly interested in accessing their ePHI using applications and transmitting information collected by health and wellness applications to
print page 912
their health care providers195
Such applications may empower individuals to better manage their health and participate in their health care and provide health care providers and researchers with a more holistic view of the individuals health at a particular point in time and over an extended period of time196
This technology while valuable for understanding an individuals overall health introduces another potential vulnerability to the security of ePHI and the information systems that create receive maintain or transmit it
pp
EHRs networked medical devices and applications are only the beginning Artificial intelligence AI in health care particularly for diagnosis and treatment is in the nascent stages of development but many are eager to test its promise197
After all many experts believe that AI promises opportunities to improve patient care outcomes and population health as well as to reduce costs198
The use of AI in health care is increasing and is expected to continue to increase199
A 2023 Healthcare Information and Management Systems Society HIMSS survey of health care cybersecurity professionals reported that approximately 50 percent of respondents organizations permitted the use of generative AI technology200
And other new technologies are expected shortly as discussed below For example according to reports quantum computing may be available in the near future which may have ramifications for data privacy and security201
We also know that researchers are exploring methods for storing ePHI in biological material
eg
DNA202
pp
While the promise of these new technologies is exciting they come with increased risks and vulnerabilities to ePHI and the information systems that create receive maintain or transmit it As noted by Executive Order EO 14110 AI must be safe and secure Meeting this goal requires addressing AI systems most pressing security risksincluding with respect to biotechnology cybersecurity critical infrastructure and other national security dangerswhile navigating AIs opacity and complexity 203
For these reasons the EO required the Secretary of HHS in consultation with the Secretary of Defense and the Secretary of Veterans Affairs to establish an HHS AI Task Force to develop a strategic plan that includes policies and frameworks on responsible deployment and use of AI and AIenabled technologies in the health and human services sector including the incorporation of safety privacy and security standards into the softwaredevelopment lifecycle for the protection of personally identifiable information such as measures to address AIenhanced cybersecurity threats in the health and human services sector204
The Department has taken a number of actions to address the use of AI in health care including establishing an AI Council appointing a Chief AI Officer205
and taking steps to regulate the use of AI in health care206
Accordingly regulated entities must be prepared to identify mitigate and remediate such risks and vulnerabilities
pp
While the health care industry has generally shifted from paper recordkeeping and noninteroperable electronic devices to an interconnected electronic health care system it has led to an increasing vulnerability to breaches of unsecured PHI resulting from unauthorized uses and disclosures and cyberattacks According to an article published by the American Hospital Association Center for Health Innovation Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nationstate actors 207
In fact on the dark web PHI is deemed more
print page 913
valuable than credit card data enabling cybercriminals to extract as much as 1000 per stolen medical record 208
Before this shift to an interconnected electronic system lost or misplaced paper records or even a laptop could lead to a breach of unsecured PHI affecting hundreds or thousands of individuals209
While a breach of that size remains significant unauthorized access to a single workstation today could lead to a breach that affects millions of individuals because of the increase in interconnectivity210
pp
Between 2018 and 2023 the number of breaches of unsecured PHI reported to the Department grew at an alarming rate 100 percent increase as did the number of individuals affected by such breaches 950 percent increase211
The reports reflect rampant escalation of cyberattacks using hacking 260 percent increase and ransomware 264 percent increase212
Based on reports made to OCR in 2022 approximately threefourths of the breaches of unsecured PHI affecting 500 or more individuals were the result of hacking of electronic equipment or a network server213
In 2023 over 160 million individuals were affected by breaches involving the PHI of 500 or more individualsa new record We anticipate that 2024 will surpass that record particularly in light of the estimate provided by a large covered entity regarding the number of individuals affected by a breach of its subsidiary214
pp
In 2023 the Federal Bureau of Investigations internet Crime Complaint Center received almost 250 reports of ransomware affecting the Healthcare and Public Health sector the most of any of the 16 identified infrastructure sectors215
The Healthcare and Public Health sector has been the most targeted critical infrastructure sector since at least as far back as 2015216
Between 2015 and 2019 cyberattacks on health care organizations increased by 125 percent217
And between 2022 and 2023 ransomware attacks against the US health care sector increased 128 percent218
pp
Many people including regulated entities inaccurately believe that only large regulated entities that maintain electronic records about millions of individuals are likely to face a cyberattack and thus that it is less important for smaller regulated entities to invest resources in cybersecurity219
In fact smaller regulated entities may also be the target of or adversely affected by cybercrime partly because of the interconnectedness of health care and partly because they are less likely to have invested in cybersecurity making them easier targets220
pp
As explained in a recent national security memorandum cybercriminals are targeting critical infrastructure
ie
the physical and virtual assets and systems so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security national economic security or national public health or safety and their activities may be tolerated or enabled by other countries221
Thus it is essential that the Department and regulated entities take steps to safeguard health care infrastructure and ePHI
pp
External actors are not the only or even the greatest threat to the security of ePHI According to a recent study insiders were the second leading cause of breaches in the health care sector in 2023 exceeded only by miscellaneous errors such as misdelivery222
For example a recent settlement resolved an OCR investigation involving the theft and sale of the ePHI of more than 12000 patients by an employee of a large health care system223
In another example security guards at a large health care provider were alleged to have used their login credentials to inappropriately access ePHI224
Thus it is critical that regulated entities improve their cybersecurity posture to protect not only against external threats but also
print page 914
internal ones and both intentional and accidental breaches
pp
Emergencies or other occurrences can affect the security of ePHI without an intentional act For example in 2024 CrowdStrike released a defective update for its software on computers running Microsoft Windows225
This update affected the ability of regulated entities to access the ePHI of millions of individuals for varying periods of time During this time ePHI was unavailable meaning that one of the key prongs of the security triad of confidentiality integrity and availability was affected226
Because of the increased digitization of PHI it is for example essential that covered health care providers engage in thoughtful contingency planning that considers how they will proceed in the event that they are unable to access ePHI in their EHRs Additionally threat actors will often seek to take advantage of such incidents As reported by a large subcontractor of a business associate less than a week after the outage the company observed threat actors leveraging the event to distribute ransomware227
The environment in which health care is delivered the way in which it is delivered and the manner in which related information is collected all mean that regulated entities must consider a different approach to operational continuity and resiliency in the face of such challenges Additionally they must be wary of the potential for bad actors to attempt to take advantage of such events
pp
Despite the proliferation of cybersecurity standards guidelines best practices methodologies procedures and processes and the documented increase in unauthorized uses and disclosures of ePHI many regulated entities have been slow to strengthen their security measures to protect ePHI and their information systems that create receive maintain or transmit it in this new environment228
Among the reasons for this are the rapid pace of EHR adoption and digitization of health care increased connectivity and use of cloudbased infrastructures limited competition and a stable customer base limited operating margins and a failure to invest in cybersecurity infrastructure229
For example regulated entities continue to rely on legacy systems and software that are unsupported by manufacturers which means that the manufacturers no longer provide security patches or other updates to address security threats and vulnerabilities230
In a 2021 survey of health care cybersecurity professionals 73 percent reported having legacy operating systems231
This apparent lack of urgency in adopting new supported operating systems has serious implications for the confidentiality integrity and availability of ePHI
pp
In addition many regulated entities fail to invest adequate resources in cybersecurity Far too many regulated entities do not view cybersecurity as a necessary component of their operations that allows them to fulfill their health care missions Anecdotal evidence suggests that senior management often lacks awareness of cybersecurity including both threats and methods for protecting against such threats232
A lack of maturity and effectiveness of the information technology function is evident when healthcare organizations fail to maintain a current inventory of sensitive and valuable data and where those reside 233
While maintaining an accurate and thorough inventory of technology assets is not currently an explicit requirement of the Security Rule it is clearly a fundamental component of conducting a risk analysis and many of the other existing requirements234
And yet based on the Departments experience many regulated entities are not maintaining such an inventory At least in part because of senior managements lack of cybersecurity awareness many fail to invest or fail to invest appropriately in cybersecurity infrastructure235
Given the vulnerability of ePHI and the information systems of regulated entities and the potential effects of cyberattacks on patient safety and the delivery of health care it is important that regulated entities prioritize such investments236
pp
The security of ePHI also is at risk because despite our explanation of the Security Rules structure in 2003237
regulated entities are not fully complying with the standards and implementation specifications From 2016 to 2017 the Department conducted audits of 166 covered entities and 41 business associates regarding compliance with selected provisions of the HIPAA Rules including the required implementation specifications for risk analysis 238
and risk management239
The Department found that most regulated entities failed to implement the Security Rule requirements for risk analysis and risk management requirements that are fundamental to protecting the confidentiality integrity and availability of ePHI240
While most of the audited business associates reported not having experienced any breaches of unsecured PHI we found that those that
print page 915
had experienced a breach generally engaged in minimal or negligible efforts to address the risk analysis and risk management requirements241
According to the report at that time only 14 percent of covered entities and 17 percent of business associates were substantially fulfilling their regulatory responsibilities to safeguard ePHI they held through risk analysis activities 242
while 94 percent of covered entities and 88 percent of business associates failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level 243
The report specifically noted that the audit results were consistent with the findings of OCRs compliance reviews and complaint investigations244
pp
Recent enforcement actions provide evidence that the results of the 20162017 audits were not isolated cases In 2023 OCR entered into seven resolution agreements with regulated entities after investigations indicated that they had potentially violated the Security Rule constituting almost half of the total resolution agreements OCR entered into that year245
In each case OCRs investigation found evidence of multiple potential violations For example in one case a regulated entity did not detect an intrusion into its network until 20 months later when its files were encrypted with ransomware246
OCRs investigation found evidence of potential failures of the regulated entity to conduct a risk analysis or to sufficiently monitor information system activity OCR also found evidence that the regulated entity may not have had policies and procedures in place to implement the requirements of the Security Rule to protect the confidentiality integrity and availability of ePHI247
pp
As another example an OCR investigation of a large health care system found indications of multiple potential violations of the Security Rule including failures by the regulated entity to conduct a risk analysis monitor and safeguard its electronic information systems and implement policies and procedures to record and examine activity in its electronic information systems containing ePHI248
The regulated entity was not only unable to prevent the cyberattack but it was unaware the attack had occurred until two years later This is despite the longstanding requirements of the Security Rule and the obligations imposed on regulated entities for risk analysis and risk management
pp
Despite the longstanding nature of the Security Rule and the proliferation of guidance documents from NIST the Department CISA FTC and others regulated entities continue to fail to implement reasonable and appropriate security measures as required by the Security Rule249
For example the Security Rule and NIST guidance have addressed encryption for data in transit and at rest for many years250
And yet in the 2021 survey of health care cybersecurity professionals only half of the respondents reported having implemented encryption for data in transit across the enterprise251
Similarly according to its CEO a large covered entity failed to deploy multifactor authentication MFA throughout its enterprise and experienced a significant breach252
If this is accurate it would run counter to longstanding provisions in both the Security Rule and NIST guidance the Security Rule has required the implementation of appropriate access controls since 2003 and NIST recommends similar controls253
pp
As another example based on OCRs investigation experience some regulated entities are not developing and implementing compliant response plans for security incidents including those that are breaches of unsecured ePHI under the Breach Notification Rule Section 164308a6i establishes the standard that requires regulated entities to implement policies and procedures to address security incidents while 45 CFR 164308a6ii includes the implementation specifications for that standard This requirement included in the 2003 Final Rule aligns with the NIST Cybersecurity Framework version 20 requirement for incident management254
Similarly NIST Cybersecurity Framework version 11 recommended the execution and maintenance of response processes and procedures to ensure response to detected cybersecurity incidents255
And yet when OCR investigates the circumstances surrounding breach reports OCR continues to find evidence that regulated entities have not implemented policies and procedures to detect and respond to security incidents leading to significant time lapses between a successful security incident 256
and discovery of and response to the security incident257
Thus based on the OCRs experience investigating and enforcing the Security Rule the Department believes that many regulated entities would benefit from additional instruction in regulatory text regarding their compliance obligations to determine how to select security
print page 916
measures that are reasonable and appropriate for their circumstances
pp
We are also concerned that recent caselaw has not accurately set forth the steps regulated entities must take to adequately protect the confidentiality integrity and availability of ePHI as required by the statute Specifically in the
University of Texas MD Anderson Cancer Center
v
HHS
MD Anderson
the US Court of Appeals for the Fifth Circuit held among other things that the Security Rule does not say anything about how effective a mechanism for encryption must be nor does it require that an encryption mechanism provide bulletproof protection of all systems containing ePHI258
Thus under the courts interpretation a regulated entity can meet its obligations under the Security Rule concerning encryption and decryption of ePHI by implementing a mechanism to do so without regard for the effectiveness of the implementation259
Additionally the court noted that the requirement for a mechanism does not prohibit a regulated entity from creating a mechanism by directing employees to sign an agreement that requires the encryption of portable devices 260
While the Department disagrees with the courts interpretation that merely requiring employees to sign an agreement to encrypt portable devices is sufficient to comply with its Security Rule obligations to implement a mechanism to encrypt and decrypt ePHI the Department believes that additional clarity is warranted to ensure that regulated entities understand their obligation to have encryption mechanisms in place and deployed throughout the regulated entitys enterprise to ensure the confidentiality integrity and availability of ePHI
ppSeveral technical safeguards currently require regulated entities to implement a mechanism as part of complying with the associated standard Given that written policies and procedures alone are insufficient to protect ePHI and the misinterpretation of what it means to implement a mechanism also could lead to inadequate protection of ePHI the Department believes that the Security Rule must be revised consistent with its statutory mandate as discussed in greater detail abovepp
By requiring that regulated entities maintain reasonable and appropriate safeguards to protect against reasonably anticipated threats or hazards or unauthorized uses or disclosures of ePHI Congress clearly anticipated that the administrative physical and technical safeguards implemented to protect the security of ePHI would need to change in response to changes in the environment in which health care is provided261
As the health care environment and the operations of regulated entities evolve so must the protections for ePHI and the information systems used to create receive maintain or transmit it For example regulated entities must be expected to adopt safeguards that address new risks to the security of ePHI such as those posed by maintaining ePHI in the cloud the connection of medical devices and other technology to networks and the connection of information systems used to create receive maintain or transmit ePHI to the same networks as those do not perform such activities After all it is reasonable to anticipate that there will be new threats or hazards to ePHI or efforts by unauthorized persons to use or disclose such ePHI in an increasingly connected environment
pp
By design the Security Rule sets a national floor for the security measures that regulated entities are required to implement to protect the confidentiality integrity and availability of ePHI In 2003 the Department opted to frame the standards in terms that were as generic as possible and in a manner that enabled the standards to be met through various approaches or technologies to ensure that regulated entities had the flexibility to determine how best to protect the confidentiality integrity and availability of ePHI based on their specific circumstances262
When we extended the Security Rule in 2013 to directly apply to business associates in accordance with the HITECH Act263
the Department acknowledged that some business associates might not have engaged in the formal administrative safeguards required by the Security Rule and we made it clear that business associates would be expected to do so going forward264
Despite the changes in the health care environment between 2003 and 2013 the Department made minimal changes to the Security Rule at that time because we believed that the compliance obligations of regulated entities were clear and wellunderstood In fact when a commenter recommended that the Department remove the addressable designation from the Security Rule because it leads to ambiguity in the rules application we declined to do so at that time because we were concerned that it would reduce the rules scalability and flexibility265
However as we noted in 2003 the rules flexibility of approach is primarily provided for in paragraph b2 of 45 CFR 164306 and in the standards themselves266
The addressability feature merely provided an added level of flexibility 267
in a way that the Department now believes is inadequate to ensure that regulated entities implement reasonable and appropriate security safeguards
pp
Changes to the health care environment and the operations of regulated entities have increased the importance of implementing strong security measures to protect ePHI and the information systems that create receive maintain or transmit it While we recognize the burdens posed by such implementation on regulated entities there is also a clearly documented increase in the number of breaches of unsecured PHI and instances of cybercriminals accessing ePHI without authorization at regulated entities The changes to the health care environment including the increase in breaches and cyberattacks and operations of regulated entities have made it increasingly likely that unauthorized persons will seek to obtain ePHI and disrupt the US health care system Additionally the clearly documented failure of regulated entities to fully implement the policies and procedures required by the Security Rule and apply the required security measures throughout their operations has caused the Department to question whether the existing Security Rule should be revised to clarify and strengthen the obligations of regulated entities and revisit our
print page 917
decision from 2013268
In many cases involving a breach of ePHI that OCR has investigated a breach may not have occurred or would have been less widespread and disruptive had the regulated entities fully implemented the provisions of the Security Rule269
pp
The Department is not alone in believing that the Security Rule should be strengthened to address concerns about whether regulated entities are sufficiently protecting the confidentiality integrity and availability of ePHI An inquiry conducted by NCVHS between July 2021 and September 2023 reached the same conclusion270
During this inquiry NCVHS listened to the testimony of cybersecurity experts and Department officials The experts and Department officials consistently voiced their concerns about the major increase in incidents and in particular the widespread lack of robust risk analysis on the part of covered entities and business associates that would lead to prior planning for and mitigation of a range of cybersecurity threats 271
In response to this inquiry and consistent with their statutory mandate272
NCVHS transmitted two letters to the Secretary with recommendations for improving cybersecurity practices in the health care industry including recommendations for modifying the Security Rule273
As part of the explanation for its concerns NCVHS cited a 2021 survey of acute and ambulatory care organizations that found only 32 percent of those organizations had a comprehensive security program while only 26 percent of the longterm and postacute care facilities met the minimum security requirements274
Specifically NCVHS made the following recommendations for improvements to the Security Rule
pp
The Department in drafting this NPRM relied on the recommendations of NCVHS OCRs enforcement experience news reports and our assessment of the environment Consistent with NCVHS recommendation to revisit the Security Rules classification of some implementation specifications as addressable the Department also believes that it is appropriate to revisit our decision regarding the amount of flexibility regulated entities have in determining reasonable and appropriate safeguards as described above Based on OCRs experience in investigations and audits we believe that regulated entities would benefit from greater specificity in the Security Rule The Department has provided extensive guidance on questions to consider when adopting and implementing security measures and ways to comply with the Security Rule283
as directed by the HITECH Act And yet despite this proliferation of guidance regulated entities continue not to comply For example despite the explanation in 45 CFR 164306d about addressable implementation specifications and the notable changes in the environment in which health care is provided we are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optionaland that where there is an addressable implementation specification that compliance with the relevant standard is also optional That interpretation is incorrect and weakens the cybersecurity posture of regulated entities We believe that compliance with the implementation specifications currently designated as addressable is notand should not beoptional particularly in light of the shift to an interconnected and cloudbased environment and a significant increase in the number of breaches of unsecured PHI from both internal and external actors regardless of the regulated entitys specific circumstances Thus we believe that it is necessary to strengthen the Security Rule to reflect the changes in the health care environment and the evolution of
print page 918
technology and to underscore that compliance with all of our proposals if finalized is required
pp
The Security Rules fundamental flexibility and scalability generally would remain should the proposals in this NPRM be adopted However we are proposing to reduce that flexibility to better strengthen protections and address the changed nature of the environment in which health care is provided The Department is also proposing in this NPRM to strengthen the Security Rule by providing greater clarity regarding the nature of its flexibility and scalability and the Departments expectations as requested by regulated entities and other stakeholders In fact in response to a request for information published in 2022284
several commenters urged the Department to propose regulations that establish a single set of clear standards for regulated entities raise the floor for security requirements and expectations and encourage regulated entities to safeguard ePHI while maintaining flexibility and scalability Commenters also encouraged the Department to rely on commonly available nonproprietary frameworks that allow regulated entities to adopt critical security measures We believe that our proposals are consistent with those recommendations
pp
Under the proposal regulated entities would retain the ability to determine the security measures that are reasonable and appropriate to fulfill the required standards and implementation specifications taking into consideration the factors listed at proposed 45 CFR 164306b2 In fact the NPRM if adopted as proposed would add to the rules flexibility and scalability by adding a new factor for regulated entities to consider when determining the reasonable and appropriate security measures285
pp
Additionally if modifications are adopted as proposed the Security Rule would remain flexible and scalable by retaining broad standards with which regulated entities could comply in a variety of ways In 2003 the 13 implementation specifications that the Security Rule requires were considered so basic that no covered entity could effectively protect ePHI without implementing them286
While the Department agrees that these implementation specifications remain essential we no longer believe that they are sufficient to address the risks to ePHI today Rather regulated entities must do more to ensure the confidentiality integrity and availability of ePHI today because of the changes in the environment in which health care is provided how ePHI is maintained the level of connectivity between information systems and the technological sophistication of bad actors
pp
We acknowledged in 2003 and again acknowledge here that there is no such thing as a totally secure system that carries no risks to security 287
We posited at that time that Congress intended to set an exceptionally high goal for the security of ePHI while also recognizing that securing ePHI did not require that covered entities do so without regard for the cost288
However we also made clear that a covered entity is required to implement adequate security measures and that cost was but one factor for a covered entity to consider when determining what constituted appropriate security measures289
As we noted Cost is not meant to free covered entities from this responsibility 290
In the 2013 Omnibus Rule we further explained that regulated entities have the flexibility to choose security measures appropriate for their size resources and the nature of the security risks they face enabling them to reasonably implement any given Security Rule standard Thus the costs of implementing for business associates will be proportional to their size and resources 291
We continue to believe that this is the case Additionally as discussed above there is a significant cost associated with breaches and unauthorized accessfinancial reputational for both the individual and the regulated entity and more Thus we believe that the standards and implementation specifications that we propose in this NPRM are the minimum that regulated entities should be doing to protect the security of ePHI and lower the costs associated with breaches and other incidents
pp
The statute requires that we consider the needs and capabilities of small health care providers and rural health care providers as such providers are defined by the Secretary 292
We recognize that small and rural health care providers may have needs and capabilities that differ from those of other regulated entities For example small health care providers and rural health care providers are often located at a greater distance from other health care providers293
It may be more challenging for them to attract and retain clinicians and administrative support staff294
They also face difficulty attracting and retaining security experts and must make difficult decisions regarding investments in competing priorities295
Often preparation for security incidents or other occurrences that adversely affect the confidentiality integrity or availability of ePHI is neglected in favor of other priorities putting small and rural health care providers at greater risk for such an occurrence296
pp
We continue to believe that it is just as important for small and rural health care providers to implement strong security measures as it is for larger health care providers and other categories of regulated entities According to experts Cybercriminals go after small businesses especially those in the healthcare industry
print page 919
because they are easy targets 297
In 2017 93 percent of small rural and critical access hospitals and 86 percent of physician offices relied on health IT to inform their clinical practice298
And yet small health care providers are less likely than a larger organization to even have a designated security or compliance officer299
Smaller practices and rural and community facilities also may be more likely to rely on older technologies that are no longer supported by security patches and updates including medical devices such as insulin pumps and pacemakers in which inaccuracies or errors could affect patient safety300
Thus small health care providers are at the greatest risk of a breach Smaller rural practice settings are especially highrisk target areas for a breach 301
According to an expert who speaks to and works with health care providers on IT services and cybersecurity small health care providers are more susceptible because they do not have a lot of the tools and security measures necessary to protect themselves 302
For example a critical access hospital in Colorado recovered from a cyberattack in 2019 but it required an incredible amount of staff time many months of recovery efforts and an enormous financial outlay to restore systems and prevent another attack 303
In fact the hospital estimates that it took a full year of a staff persons time to complete the recovery and protect the organization for the future 304
These costs do not include the multiple ransoms paid to the attackers after the first set of keys did not unlock all of the data305
pp
Patients and communities have a critical need for health care providers including rural hospitals and other rural health care providers to be resilient and remain operational which depends in part on the cybersecurity of their electronic information systems For rural health care providers especially hospitals a breach can significantly affect an entire community306
Rural health care providers often are separated by significant distances which can have real consequences for someone experiencing a medical emergency307
A recent study comparing hospital characteristics and operations of rural and urban hospitals that experienced ransomware attacks between 2016 and 2021 found that rural hospitals experienced large declines in inpatient admissions and Medicare revenue similar to those experienced by urban hospitals308
The study also found that the decline in volume and revenue of hospital outpatient and emergency room visits was more pronounced among rural facilities309
In fact in June 2023 a hospital in rural Illinois announced that it would close in part because a 2021 cyberattack prevented it from submitting claims to health plans for months310
According to a local elected official the hospitals closure would require some residents to travel approximately 30 minutes for the nearest emergency room and obstetrics services311
Thus implementing security measures to maintain facility operations is critical to minimize or avoid disruptions to patient care and patient safety activities in such facilities Consistent with these examples the Department believes that small and rural health care providers are also viewed as potential targets by cybercriminals and such providers need to implement strong cybersecurity measures to secure the ePHI in their possession In fact in June 2024 the Administration announced a collaboration with the private sector to provide additional cybersecurity resources for rural health care providers in recognition of the importance of protecting the security of ePHI created received maintained or transmitted by such entities312
We believe this collaboration will provide small and rural health care providers with additional support particularly when coupled with other resources described in greater detail below313
Thus we believe that small and rural health care providers have both the need to comply with the proposals in this NPRM and the capability of doing so Additionally we believe that the NPRM would continue to provide all regulated entities including small and rural health care providers the ability to take into account their circumstances when determining which security measures are reasonable and appropriate314
pp
While the Security Rule generally continues to accomplish a primary goal of HIPAA315
the Department believes that it is essential to propose modifications to strengthen its protections for the confidentiality integrity and availability of ePHI to address the changing health care environment We also believe it is important to clarify the obligations of regulated entities and emphasize the importance of protecting the confidentiality integrity and availability of ePHI We believe that the proposed revisions would require regulated entities to consider and potentially modify their safeguards more regularly which would better enable them to quickly respond to changes in the environment and be consistent with cybersecurity best practices While we do not expect that compliance with the Security Rule will
print page 920
prevent all breaches or interruptions in the confidentiality integrity or availability of ePHI we believe that it will prevent many and enable regulated entities to identify mitigate and remediate the damage more quickly if there is a breach or other security incident thereby reducing harm to individuals and the overall costs of such occurrences to regulated entities and to the US health care system As such the proposed modifications would support a primary goal of HIPAAs Administrative Simplification provisions improving the efficiency and effectiveness of the US health care system by encouraging the development of health information systems through the establishment of uniform standards and requirements for electronic transmission of ePHI including those for security316
pp
HIPAA requires the Secretary to adopt standards that have been developed adopted or modified by a standard setting organization accredited by ANSI except in certain circumstances317
For example HIPAA permits the Secretary to develop standards where no relevant standards have been developed adopted or modified by an ANSIaccredited standard setting organization In developing adopting or modifying a standard the Secretary is required to consult with standard setting organizations NCVHS and with the appropriate Federal and State agencies318
pp
The statutory definition of the term standard applies only to standards for electronic transactions and data elements for such transactions that are appropriate for 1 the financial and administrative transactions described in the statute and 2 other financial and administrative transactions consistent with the goals of improving the operation of the health care system and reducing administrative costs as determined appropriate by the Secretary319
Under HIPAA security is not considered a financial or administrative transaction or a data element of such transaction320
In the Health Insurance Reform Standards for Electronic Transactions final rule in 2000 we explicitly adopted a broader definition of standard because we recognized that the statutory definition only applied to standards for financial and administrative transactions despite the statutes requirement that the Secretary adopt standards addressing other matters including privacy and security321
At that time we explained that we adopted a broader definition of standard to accommodate the varying functions of the specific standards proposed in other HIPAA regulations322
For the same reason we believe that it is appropriate to continue to rely on the regulatory definition of standard323
pp
As discussed above in both 1998 and 2003 the Department determined that no comprehensive scalable and technologyneutral set of standards exists and accordingly we proposed and adopted a new standard324
In 2013 we made only minor modifications to the standards when we complied with explicit directions from Congress to apply the requirements of the Security Rule to business associates so we did not need to consider whether an ANSIaccredited standard setting organization had adopted a comprehensive set of standards on the security for ePHI that was flexible scalable and technologyneutral325
pp
However because we believe it is appropriate for us to consider modifying the Security Rule at this time for the reasons discussed above we must again consider whether an ANSIaccredited standards setting organization has developed adopted or modified a standard relating to the security of ePHI The Department continues to believe that any standard must be comprehensive rather than piecemeal as recommended by the ANSI Healthcare Informatics Standards Board326
We also continue to agree with the recommendation that the standards should be technologyneutral because security technology continues to evolve to keep pace with the evolution of technology more broadly Additionally the Security Rule must remain flexible and scalable to allow for consideration of the wide variety of regulated entities enabling such entities to determine the reasonable and appropriate security measures for their circumstances by taking into account the factors specified by HIPAA327
pp
We are not aware of any standard setting organizations that are accredited by ANSI that have issued standards for the security of ePHI let alone standards that are sufficiently comprehensive flexible scalable and technologyneutral to enable regulated entities to take into account the HIPAA factors For example NIST has issued numerous publications addressing health care cybersecurity that are considered by NIST to be guidance rather than standards In fact NIST is ANSIaccredited for only one standard328
And with the exception of publications that analyze the Security Rule NISTs guidance does not specifically address the security of ePHI CISA has issued crosssector CPGs but it is not ANSIaccredited There may be other organizations that have set standards for the transmission of particular information such as the secure transmission of images but adopting such individual standards would not meet the Departments criteria In this case adoption of such standard would be far too granular and require the Department to revise the Security Rule at the same interval as the particular standard which may be irregular Additionally given that the Department is limited to modifying each standard or implementation specification no more frequently than once every 12 months this approach would be inefficient and could lead to a requirement that the Department update the Security Rule more than once a year depending on when such individual standards or implementation specifications are revised Even modifying the standards annually would require a significant investment of Department resources not to mention the investment required of regulated entities to comply with an everchanging set of requirements
pp
Additionally in 2021 Congress amended the HITECH Act to require the Secretary to consider whether a regulated entity has adequately demonstrated that it had in place recognized security practices for a certain period of time329
Congress defined recognized security practices to include certain NIST publications the approaches promulgated under
print page 921
section 405d of the Cybersecurity Act of 2015 and other programs and processes that address cybersecurity and that are developed recognized or promulgated through regulations under other statutory authorities 330
However the HITECH Act amendment did not require the Secretary to accept a regulated entitys implementation of recognized security practices as an alternative to compliance with the Security Rule nor did it provide that such implementation was sufficient to meet the security objectives of HIPAA or the HITECH Act Accordingly it is appropriate for the Department to develop and adopt its own standards to meet the statutory objective of ensuring the security of ePHI The standards and implementation specifications proposed herein take into consideration not only those promulgated by NIST but also guidelines best practices methodologies processes and procedures published by CISA the HHS 405d program CMS State governments and others The proposals also enable regulated entities to adopt security measures that ensure the confidentiality integrity and availability of ePHI protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI and unauthorized uses or disclosures of such ePHI ensure compliance with the Security Rule by the workforce members of regulated entities while also taking into account the technical capabilities of record systems used to maintain ePHI the costs of such measures the need for training users who have access to ePHI the value of audit trails in computerized record systems and the needs and capabilities of small and rural health care providers
pp
The Department has consulted with and relied on the recommendations of NCVHS in the formulation of this proposed rule 331
and intends to continue to engage in these consultations before finalizing the rule332
We also expect to consult with the National Uniform Billing Committee the National Uniform Claim Committee the Workgroup for Electronic Data Interchange and the American Dental Association before finalizing this rule as required by section 1172c3Aii of HIPAA333
ppThis section contains a description of the proposed amendments to the Security Rule and the Departments rationale for its proposals As part of this rationale we often include a discussion of best practices contained in previously published guidance documents issued by the Department NIST and other Federal agencies We request comment on previously published guidance documents that are not discussed herein that were issued by the Department or other Federal agencies and contain best practices but may be relevant or applicable to regulated entities including the names of and citations for such guidance documents We do not propose to adopt referenced best practices as the standard or implementation specifications unless otherwise specified in the proposed regulatory text Rather we include such discussion to provide regulated entities with context for the aforementioned proposals We recognize that regulated entities are of varying types and sizes and may be concerned that requiring the adoption of such best practices might not be appropriate for all However we request comment on whether we should require implementation of certain aspects of a particular guidance document If so please explain which aspects we should require the rationale and information about the burden of implementing such aspectspp
Electronic media are used by many health care organizations to process transmit and maintain ePHI As defined by the Security Rule the term electronic media 334
encompasses both 1 electronic storage material on which data is or may be electronically recorded and 2 transmission media used to exchange information already in electronic storage media It specifically excludes certain transmissions such as those of paper via facsimile fax and voice via telephone from being considered transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission
pp
The Department revised the definition of electronic media in 2013 by replacing the term electronic storage media with electronic storage material in recognition that there may be storage material other than media that houses electronic data in the future335
At that time the Department said that a fax machine accepting a hardcopy document for transmission is not a covered transmission even though the document may have originated from printing from an electronic file336
In response to commenter concerns we also clarified that ePHI maintained intentionally or otherwise in a photocopier fax machine or other device is subject to the Security Rule and reminded regulated entities that they should be aware of the capabilities of such devices with respect to their ability to maintain ePHI337
Additionally a regulated entity should consider the appropriateness of implementing security measures that account for such capabilities338
pp
Since 2013 the role technology plays in the storage and transmission of information has changed as have the types of media used to store and transmit such information For example traditional landlines 339
are rapidly being replaced with electronic communication technologies such as Voice over internet Protocol VoIP340
and mobile technologies that use electronic media such as the internet intra and extranets cellular and WiFi341
Some current electronic technologies that regulated entities use for remote communications may include communication applications on a smartphone or another computing device VoIP technologies technologies that electronically record or transcribe a telehealth session and messaging services that electronically store audio messages The definition of electronic media does not account for these changes because it excepts
print page 922
transmissions via fax and of voice via telephone from transmissions via electronic media nor does the definition take into consideration new and emerging technologies Accordingly the Department believes that it is appropriate to reconsider this definition
ppThe Department proposes to modify the definition of electronic media as follows First the Department proposes to revise paragraph 1 of the definition to clarify that electronic media includes not only media on which data may be recorded but also media on which data may be maintained or processedpp
Generally data is either at rest in transit or in process
eg
being worked on in use being modified in memory or being updated342
After the data is no longer in use it is either maintained or transmitted It is especially important for entities to protect data in process because generally data must be unencrypted to be processed making this a time when it is particularly vulnerable to a breach or other security incident343
To that end the Departments proposal would clarify that the definition includes electronic media that is used to record maintain or process data
ppThe Department also proposes to revise paragraph 1 to clarify and update terminology used in a nonexhaustive list of examples of electronic storage material Additionally to ensure that the definition includes future technology the Department proposes to add to the list of examples any other form of digital memory or storage on which data may be recorded maintained or processedpp
As discussed above traditional landlines and fax machines are rapidly being replaced with electronic communication technologies and mobile technologies that use electronic media The Security Rule applies when a regulated entity uses such electronic communication technologies Therefore regulated entities using telephone systems and fax equipment that transmit ePHI need to apply the Security Rule safeguards to those technologies344
Accordingly in paragraph 2 we propose to revise the description of transmission media to recognize that data is transmitted almost exclusively in electronic form today The limited exception to this would be data that is handwritten on paper and handdelivered or mailed such that the data is never on electronic storage material Additionally the Department proposes to include public networks in the examples of transmission media and to remove the sentence that describes transmissions that are not considered transmissions via electronic media By making these changes we would reflect technologys evolution since 2013
pp
We also propose to make a technical correction to paragraph 2 of the definition consistent with a revision made in the 2013 Omnibus Rule to paragraph 1345
Specifically the Department proposes to replace the term electronic storage media with electronic storage material in paragraph 2 to clarify the connection between definitions of electronic storage material and transmission media We neglected to make this change in 2013 when we replaced electronic storage media with electronic storage material in paragraph 1 which means that paragraph 2 relies on a term that is no longer defined This technical correction we propose is consistent with how the Department has interpreted the definition of transmission media and the connection between it and electronic storage material since the change was made in 2013
ppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether the proposed modifications accurately capture current use of electronic mediappb Whether the proposed modifications allow for future technological innovationppc Whether there are other types of electronic storage material that the Department should include in the nonexhaustive list of examplesppd Whether there are other types of transmission media that the Department should include in the nonexhaustive list of examplesppSection 164304 includes definitions for key regulatory terms in the Security Rule The Department proposes to add ten new defined terms and to modify the definitions of fifteen existing terms The proposed new regulatory terms would be Deploy Implement Electronic information system Multifactor authentication Relevant electronic information system Risk Technical controls Technology asset Threat and Vulnerability The definitions we propose to modify are for the following terms Access Administrative safeguards Authentication Availability Confidentiality Information system Malicious software Password Physical safeguards Security or Security measures Security incident Technical safeguards User and Workstation Generally the Department is proposing to add or modify regulatory terms that would either clarify how regulated entities should apply the standards and implementation specifications or modernize the rule to better account for changes in the environment in which health care is providedpp
The Security Rule defines the term access as the ability or means necessary to perform a set of activities describing how a user may interact with a system resource346
These activities are reading writing modifying communicating datainformation or otherwise using any component of an information system The definition applies only to the Security Rule not to the Breach Notification Rule or the Privacy Rule
pp
The term access defines the scope of some key regulatory provisions in the Security Rule For example whether a person meets the definition of a user is determined based on whether their access to information or a component of the regulated entitys information system is authorized347
The definition
print page 923
of the term security incident requires consideration of whether a person attempted to access or accessed information without authorization348
To determine whether a regulated entity complied with the administrative safeguard standard for workforce security the Department must consider to what extent a regulated entity established policies and procedures for ensuring that workforce members have appropriate access to ePHI349
ppThe current definition is expansive but not fully representative of how users could interact with information today As discussed above users create receive maintain and transmit information in more ways now than they did ten years ago Thus the Department believes that it is critical for the Department to consider modifying the definition of this term to adequately reflect the current electronic environmentppThe Department proposes to expand the list of activities that should be considered under the term by adding the activities of deleting and transmitting The Department also proposes to replace system resource with component of an information system to rely on an already defined term information system The proposed modification would clarify that the term includes any and all components of an information system and an information system as a whole Additionally the Department believes that a component of an information system better describes how the term access applies today because it is inclusive of hardware software and people as opposed to only the inherent capabilities that contribute to performance such as system memory and hard disk spacepp
Administrative safeguards are administrative actions policies and procedures to manage the selection development implementation and maintenance including reviewing and modifying of security measures to protect ePHI350
Administrative safeguards also manage the conduct of the regulated entitys workforce in relation to the protection of ePHI Under the Security Rule there are minor inconsistencies in language between the definitions of the types of safeguards which might lead to uncertainty about how to interpret the terms and lead to unintended consequences For example the definitions of administrative safeguards and physical safeguards use are while the definition of technical safeguards uses means 351
ppIn addition the existing definition of administrative safeguards does not expressly relate the administrative actions to the policies and procedures addressing the activities covered by the definition nor does it make clear that the policies and procedures are in addition to the administrative actions The same is true for the definitions of physical and technical safeguards Further the definition of administrative safeguards does not expressly mention managing updates and modifications to safeguardsppTo address the minor inconsistencies between the definitions of the safeguards and to ensure that each safeguard is afforded an equal weight of importance the Department proposes similar but minor changes across the definitions The Department proposes to add the word related to the definition here and below to add the words and related when necessary to more clearly connect the components that make up safeguards In the case of administrative safeguards the Departments proposal relates administrative actions to administrative policies and procedures The Department believes that this change would reduce confusion and improve clarity about compliance obligations We are proposing a similar change to the definitions of physical safeguards and technical safeguards below Additionally we are proposing to clarify that maintenance includes updating and modifying with respect to administrative safeguardspp
The Security Rule defines authentication as corroboration that a person is the one claimed By limiting the definition of authentication to persons the current definition neglects to acknowledge the importance to the security of ePHI of authenticating technology assets that are components of a regulated entitys electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI or that the regulated entity intends to connect to such electronic information systems352
Absent such authentication a bad actor could add technology assets
eg
software to a regulated entitys electronic information systems that enable the bad actor to compromise the security of ePHI
ppTo modernize the definition of authentication to reflect best practices in cybersecurity today the Department proposes to clarify the definition to mean corroboration that either a person or technology asset is the one they are claiming to be The modified definition would also improve readability with minor changes in wording The Department believes as proposed the revised definition would more accurately reflect the role played by technology assets in electronic information systems today For example a covered health care provider permits individuals to access their own PHI using an application that connects to the software that runs the covered health care providers patient portal Not only must the individual be authenticated as a user but the application must be authenticated such that the covered entitys software can verify that the application is what it claims to be In another example a portable technology asset for retrieving and storing PHI in the cloud must be authenticated before retrieving data from cloud storagepp
Availability is defined in the Security Rule as the property that data or information is accessible and usable upon demand by an authorized person Although not intended the current definition could be read to limit the scope of availability only to authorized persons And yet it is equally important to ensure that authorized technology assets such as connected medical devices software and workstations
print page 924
have access on demand to ePHI to carry out their functions
ppGiven the increased connectivity of the health care environment the Department proposes to clarify the definition of availability by specifying that availability means the property that data or information is accessible and usable upon demand by not only an authorized person but also an authorized technology asset In so doing the Department is not changing the meaning of availability but rather clarifying its scopeppSimilar to the definition of availability the definition of the term confidentiality could be read as limited to the property that data or information is not made available or disclosed to unauthorized persons or processes Read that way the definition does not reflect todays health care environment in which data and information may be accessed through any component of an interconnected electronic information systemppThe Department proposes to clarify the definition of confidentiality to specify that it means the property that data or information is not made available or disclosed to unauthorized persons technology assets or processespp
The Security Rule directs regulated entities to implement technical policies and procedures and assumes that such implementation requires the installation and configuration of technical safeguards353
OCR is concerned based on its investigations and compliance reviews that some regulated entities may interpret the regulatory requirement to implement technical policies and procedures to mean that a regulated entity is only required to establish written policies and procedures about technical requirements but need not then apply effective automated technical policies and procedures to all ePHI throughout the regulated entitys enterprise For example in
MD Anderson
the court stated that the encryption requirement at 45 CFR 164312a2iv requiring a regulated entity to implement a mechanism to encrypt ePHI does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI Nor does it require covered entities to warrant that all ePHI is always and everywhere inaccessible to unauthorized users 354
Further the court added that the requirement does not say anything about how effective a mechanism must be how universally it must be enforced or how impervious to human error or hacker malfeasance it must be 355
ppTherefore the Department believes it is necessary to add definitions that distinguish between implementation of the administrative and technical safeguards by separately describing how regulated entities can comply with requirements to implement technical safeguards and install technical solutionsppThe Department proposes to define the term deploy to identify a specific type of implementation We believe that the new term and definition would help to better describe the compliance obligations for implementation specifications related to the use of technology for securing the confidentiality integrity or availability of ePHI As proposed the definition would require a regulated entity to ensure that technology is in place configured for use and actually in use and operational throughout the regulated entity The Departments proposed use of the term helps illustrate its purpose and utility in clarifying that policies and procedures while necessary are insufficient to meet requirements for technical safeguardspp
For example the Department is proposing to create a new requirement for regulated entities to verify that business associates have deployed technical safeguardsthat is the technology is configured and operational not only addressed in policies and procedures356
In another example the Department is proposing new implementation specifications under the access control standard that would require a regulated entity to deploy technical controls for relevant electronic information systems so that the system is configured and applied to limit access to only users and technology assets that have been granted access rights357
In the automatic logoff implementation specification for that same standard the Department is proposing to replace the requirement to implement electronic procedures for terminating an electronic session with a requirement to deploy technical controls that terminate an electronic session after a period of inactivity358
In each case the technical controls must not only be configured for use but they also must be applied to and in effect in all ePHI and relevant electronic information systems
pp
The Department proposes to define the term implement to clarify that a safeguard must be put into place and be in effect throughout the enterprise as opposed to only some components of a regulated entitys relevant information systems
eg
some laptops or servers or applied to a subset of ePHI The Department also proposes the term to further clarify what it means to configure and put technology technical controls and related policies and procedures into effect and be in use operational and function as expected throughout the regulated entitys enterprise
ie
deploy as compared to putting into place and making effective administrative or physical safeguards Further the Department proposes to expressly clarify that implement also means that a safeguard must function as expected Under this proposal if adopted we would not consider a safeguard to be implemented if it is not functioning in the manner in which it is expected
ppFor example a regulated entitys administrative policy requiring it to take action to prevent infections from malicious software is not implemented until it is applied throughout the enterprise meaning that the entity has ensured that antimalware protections have been put into place on all relevant electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI throughout the enterprisepp
Similarly to operationalize such a policy the regulated entity must deploy technology assets andor technical controls to block such software according to its technical policies and
print page 925
procedures In this regard the proposed term deploy clarifies that the technology assets or technical control must be put into place configured and actually work
ie
function in the manner expected of the technology or technical control throughout a regulated entity in addition to the relevant policy and procedures being applied across a regulated entity To implement a policy and procedure is separate from the implementation of a technology asset or technical control but in both cases the underlying requirement is application across the enterprise
pp
The current Security Rule includes explicit requirements for regulated entities to protect electronic information systems by implementing policies and procedures to limit physical access to such systems 359
and by implementing technical policies and procedures for electronic information systems that maintain ePHI to allow access to only persons or technology assets that have been granted access rights pursuant to 45 CFR 164308a4360
Further the physical measures policies and procedures that meet the definition of physical safeguards are specifically limited to those that protect regulated entities electronic information systems and related buildings and equipment361
And yet the Security Rule does not explicitly define this term Instead it assumes that the definition is easily understood to be a subset of information system a broad term that is not limited by the boundaries of the Security Rule The Department believes that regulated entities would benefit from additional clarity regarding the definition of this term given its foundational nature
ppThe Department proposes to add a definition of electronic information system to better distinguish the concept from the broader category of an information system Accordingly the Department would limit the definition to an interconnected set of electronic information resources under the same direct management control that shares common functionality Under this proposal an electronic information system generally would include technology assets such as hardware software electronic media data and informationppAs discussed above the Department seeks to clarify the scope of an information system as compared to an electronic information system We believe that it would be beneficial to align the common elements of these terms and clarify the relationship between them given their importance to compliance with requirements of the Security Rule Additionally the changes in the environment such as the shift to cloudbased computing may raise questions regarding the Departments interpretation of direct management controlppAccordingly the Department proposes to modify the definition of information system to clarify that an information system generally not just normally includes hardware software data communications and people The Department believes this proposed modification combined with the existing broad reference to resources more accurately reflects the typical components of an information system and the full extent of resources that are addressed by the Security Rule We also propose to remove applications from the list of technology assets that are generally included in an information system because applications are a type of software making the inclusion of applications redundant This proposed modification would not alter our interpretation that an information system includes applicationsppWe use this opportunity to affirm that a technology asset may be included as part of the information systems of multiple regulated entities where such regulated entities all have direct management control over the technology asset For example both a health care provider and a cloudbased EHR vendor have direct management control over the ePHI in the cloudbased EHR Accordingly such ePHI generally is part of both the information system of the health care provider and of the cloudbased EHR vendor Additionally the EHR that is used to create receive maintain or transmit ePHI regardless of whether it is accessed using software installed on the health care providers workstations or an internet browser generally is also part of the information system of both entities because both the health care provider and the vendor have direct management control over the EHRppPersons seeking unauthorized access to data and information are increasingly sophisticated Their methods of attempting to gain such access can take many forms and result in a wide array of harms as discussed above One of the methods they use is through the introduction of malicious software also referred to as malware into an electronic information system As the sophistication of bad actors has increased so has the variety of types of malicious software that they use to access electronic information systems The Security Rule defines malicious software but limits it to software designed to damage or disrupt a system The regulatory text provides only one example of malicious software in regulatory texta viruspp
The Department proposes to replace the current definition of malicious software with one that would be consistent with how cybersecurity experts define the term today362
Specifically we propose to define it to mean software or firmware intended to perform an unauthorized action or activity that will have adverse impact on an electronic information system andor the confidentiality integrity or availability of electronic protected health information This proposal would therefore clarify that malicious software could include either software or firmware and that the negative effects of the malicious software may not be limited to damaging or disrupting a system Rather effects of the software could be intended to have any type of adverse impact on an electronic information system andor the confidentiality integrity or availability of ePHI The Department also proposes to include in regulatory text a nonexhaustive list of examples such as viruses worms Trojan horses spyware and some forms of adware to assist regulated entities in understanding what constitutes malicious software
ppThe Security Rule includes several technical safeguard provisions that require regulated entities to identify and authenticate persons accessing information and systems to protect ePHI Section 164312a21 includes the standard that requires a regulated entity to implement technical policies and procedures that limit access to ePHI to only those persons or software programs that have been granted access rights while 45 CFR 164312d2 the standard for person or entity authentication requires a regulated entity to implement procedures to verify that a person seeking access to ePHI is the one claimedpp
Historically regulated entities relied on combinations of usernames and passwords to identify users and authenticate users to the system We recognize that such combinations are insufficient to secure sensitive information and that more sophisticated mechanisms for doing so have been developed As a best practice for managing cyber threats most cybersecurity frameworks including those discussed above recommend that organizations adopt solutions that rely on multiple factors to identify and authenticate users For example the HHS 405d Programs Health Industry Cybersecurity Practices Managing Threats and Protecting Patients 363
recommends a layered approach to cyber defense
ie
if a first layer is breached a second exists to prevent a complete breach364
It further provides that MFA as a source of identity and access security control is an important means to control access to infrastructure and conduct proper change management control365
The Departments CPGs 366
identify MFA as an essential goal and a critical additional layer of security for the protection of assets and accounts that are directly accessible from the internet367
The Department has also explained in guidance that weak authentication processes leave organizations vulnerable to intrusion while effective authentication ensures that only authorized entities may access information systems and data368
Additionally CISA has issued recommendations for implementing MFA specifically MFA solutions that are phishing resistant to protect against disclosures of authentication data to a bad actor369
pp
The Department proposes to define the term Multifactor authentication to provide regulated entities with a specific level of authentication for accessing relevant electronic information systems370
Regulated entities would be required to apply this proposed definition when implementing the proposed rules specific requirements for authenticating users identities through verification of at least two of three categories of factors of information about the user The proposed categories would be
pp
MFA relies on the user presenting at least two factors Authentication that relies on multiple instances of the same factor such as requiring a password and PIN is not MFA because both factors are something you know 371
For example where MFA is deployed users could seek access by entering a password However without the entry of at least a second factor such as a token 372
or smart identification card the user is not granted access and the password is useless by itself Cybercriminals seeking access to MFAprotected information systems require significantly more resources to launch the attack because there are multiple data points required to succeed373
pp
The Department proposes that the personal characteristics that could be used as factors would include both physical characteristics such as fingerprints or facial identifiers and behavioral characteristics such as a users gait or typing cadence374
pp
The Security Rule currently defines password as confidential authentication information composed of a string of characters375
The definition provides no further regulatory instruction on what constitutes a character for purpose of compliance
pp
The Department proposes to add examples to the definition to further clarify what constitutes a character and adds such as letters numbers spaces and other symbols to the existing definition The Department believes that regulatory examples would provide necessary context for regulated entities that deploy safeguards involving passwords
print page 927
ppPhysical safeguards encompass the physical measures policies and procedures that protect a regulated entitys electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion As discussed within the definition of administrative safeguards the Department believes that it is necessary to reduce minor inconsistences in language between the definitions of the types of safeguards Additionally the definition of physical safeguards relies on an undefined term buildings despite the existence of a defined term facilities that has an equivalent meaningpp
The Department proposes to clarify that the policies and procedures referred to in the definition are those that specifically are related to physical measures and to replace buildings with facilities because facility is a defined term under the Security Rule and has an equivalent meaning376
The Department intends and has always intended the physical safeguards to apply to any location where a regulated entity might possess ePHI including the physical premises and interior and exterior of a building and any location that might affect the confidentiality integrity or availability of ePHI Additionally given the mobility of technology today including workstations that may access ePHI we believe it would be more appropriate to use the term facility to make clear that the physical safeguards are to apply throughout the premises of the regulated entity For the same reasons discussed above we also propose to clarify that the physical safeguards serve to protect relevant electronic information systems as we propose to define the term elsewhere in this NPRM rather than all electronic information systems Further the Department proposes to better standardize the administrative physical and technical safeguard requirements by using defined terms where they exist
pp
The Security Rule requires a regulated entity to ensure the confidentiality integrity and availability of all of the ePHI it creates receives maintains or transmits377
To protect the ePHI as required a regulated entity must also protect the electronic information systems that create receive maintain or transmit ePHI and the electronic information systems that otherwise affect the confidentiality integrity or availability of ePHI The Department believes that regulated entities are not consistently protecting ePHI in a manner that is consistent with their Security Rule obligations and believes that it is necessary to clarify the scope of those obligations We believe that creating a new defined term for the electronic information systems to which the Security Rule requirements apply will help achieve this goal by ensuring that regulated entities fully understand how their technology assets and the architecture of their electronic information systems affect the confidentiality integrity and availability of ePHI
ppThe Department proposes to add and define the term relevant electronic information system to mean an electronic information system that creates receives maintains or transmits ePHI or that otherwise affects the confidentiality integrity or availability of ePHI We believe that distinguishing between a relevant electronic information system and an electronic information system as proposed would further clarify the scope of regulated entities compliance obligations including the obligation of regulated entities to understand the relationship between their various electronic information systems and the confidentiality integrity and availability of ePHIpp
The Department believes it is important to clarify that the requirements of the Security Rule do not only apply to electronic information systems that create receive maintain or transmit ePHI After all cybercriminals may be able to access ePHI by leveraging vulnerabilities in some electronic information systems that do not themselves create receive maintain or transmit ePHI where such information systems are connected to or otherwise affect electronic information systems that do create receive maintain or transmit ePHI For example while a payment processing system used in a covered entitys food and beverage outlets or gift shops may not create receive maintain or transmit ePHI it may affect the confidentiality integrity or availability of ePHI in certain circumstances such as where such systems are connected to the same network as servers that contain ePHI378
Accordingly we would interpret an electronic information system as otherwise affecting the confidentiality integrity or availability of ePHI if it is insufficiently segregated physically and electronically from an electronic information system that creates receives maintains or transmits ePHI or one that otherwise affects the confidentiality integrity or availability of ePHI
pp
An electronic information system would also fit the category of otherwise affecting if it contains information that relates to an electronic information system that creates receives maintains or transmits ePHI or to another electronic information system that otherwise affects the confidentiality integrity or availability of ePHI For example a compromised electronic information system used to provide administrative functions such as user authentication or management of storage area network infrastructure that does not contain ePHI may allow unauthorized access to ePHI affecting the confidentiality of ePHI or disruption of storage configuration data affecting the integrity and availability of ePHI An electronic information system that is not connected to a covered health care providers EHR but that maintains user IDs and passwords for the EHR also may not create receive maintain or transmit ePHI however the confidentiality integrity or availability of the ePHI in the EHR would be affected if an unauthorized person gained access to that electronic information system And the same is true for an electronic information system that contains the decryption keys for a regulated entitys encryption algorithms Thus it is important that administrative physical and technical safeguards be implemented not only for electronic information systems that create receive maintain or transmit ePHI but also for electronic information systems that otherwise affect the confidentiality integrity or availability of ePHI
print page 928
pp
The Security Rule does not currently include a definition for the term risk The Department considered defining it when it first promulgated the final rule in 2003 but declined to do so because it determined that the term was commonly understood379
However the Department now believes that the lack of a definition may affect the clarity of some key requirements for regulated entities Such requirements include conducting a risk analysis to assess the potential risks and vulnerabilities to the confidentiality integrity and availability of ePHI held by the regulated entity 380
and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general rules at 45 CFR 164306a381
pp
One of the ways NIST defines the term is as a measure of the extent to which an entity is threatened by a potential circumstance or event and typically a function of i the adverse impacts that would arise if the circumstance or event occurs and ii the likelihood of occurrence 382
This and other NIST definitions serve as helpful references for the Department when considering how to define the term within the rule
pp
The Department proposes to define risk as the extent to which the confidentiality integrity or availability of ePHI is threatened by a potential circumstance or event The Department believes that defining the term would clarify several existing and proposed provisions of the Security Rule such as the factors regulated entities must consider when determining the security measures they will implement 383
and the importance and purpose of conducting the required risk analysis384
pp
The Security Rule defines security or security measures as encompassing all of the administrative physical and technical safeguards in an information system385
The definition implies that the safeguards must be part of the information system as opposed to something that may be applied or done to a system to protect the confidentiality integrity and availability of ePHI
ppThe rule also defines security incident as the attempted or successful unauthorized access use disclosure modification or destruction of information or interference with system operations in an information system The existing definition does not make clear that a security incident may result from two types of behaviorsthose related to attempted or successful but unauthorized access use disclosure modification or destruction of information in an information system and those that are related to the attempted or successful unauthorized interference with system operations in an information system In other words a security incident may directly touch upon information in a system or interfere with the operations of the system itself The Department believes that it is necessary to clearly convey the distinct types of incidents to regulated entities to ensure that regulated entities implement and deploy safeguards that address both concernspp
The Department proposes to modify the definition of security or security measures to clarify that security or security measures may not only exist in information systems but may also be applied to information systems386
This clarification would better reflect the multilayered approach to cybersecurity recommended by experts to address the concerns facing regulated entities today For example a regulated entity may determine that it is necessary to apply access controls and encryption mechanisms through an external mechanism such as added firewall technology387
that is applied to the system rather than technical controls that are embedded within the system or components of the system The Department believes that the proposed definition would provide a more complete instruction
ppThe Department proposes to reorganize the definition of security incident into two numbered paragraphs to delineate the two separate categories of security incidents We also propose to clarify that in both instances the definition applies when the described action affects an information system and regardless of whether an attempt to affect the information in the system or interfere with system operations is successful or notpp
Throughout the technical safeguards provisions in 45 CFR 164312 the Department directs regulated entities to implement technical policies and procedures The court in
MD Anderson
interpreted technical policies and procedures as written policies and procedures on technical matters388
This interpretation does not reflect the Departments intent for technical safeguards to include policies and procedures that rely on technology or technological solutions for implementation389
We believe that the courts interpretation could have significant consequences for the confidentiality integrity and availability of ePHI
pp
The Department proposes to add and define the term technical controls to help regulated entities better understand what we mean by technical safeguards for purposes of complying with the Security Rule We propose to define technical controls as technical mechanisms contained in the hardware software or firmware components of an electronic information system that are primarily implemented and executed by the electronic information system to protect it and the data within the electronic information system The Department believes that adding this term would better convey the expectation that a regulated entity is
print page 929
required to deploy technical safeguards across its enterprise by among other things configuring and using technical mechanisms in the hardware software and firmware components of its relevant electronic information systems to protect ePHI and electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality availability or integrity of ePHI
pp
The current definition of technical safeguards includes the technology and policy and procedures for its use that protect ePHI and control access to it390
As discussed above the Department believes that there is an immediate need to modernize and update the definition to better reflect the role technology plays in protecting ePHI and the technical components of information systems versus the role of policies and procedures This would complement our effort to clarify the relationship between technology and the implementation of technical policies and procedures
ppThe Department proposes to modify the definition of technical safeguards to expressly include technical controls We also propose to add language that would clarify that the technology technical controls and related policies and procedures in this category govern the use of the technology to protect and control access to ePHI The proposed changes also would improve the consistency of language across the safeguard provisions and ruleppThroughout the Security Rule standards and implementation specifications list the components of electronic information systems to which its requirements apply Based on the Departments enforcement experience we believe that it would be beneficial to more clearly distinguish between the requirements that apply to all components of an electronic information system and those that only apply to certain components Additionally we believe it would be beneficial to distinguish between requirements that apply specifically to each particular component of an electronic information system and those that apply to the electronic information system as a wholeppThe Department proposes to define the term technology asset to mean the components of an electronic information system including but not limited to hardware software electronic media information and data In so doing we would clarify which Security Rule requirements apply to all of the components of electronic information systems as opposed to those that apply only to certain components and which requirements apply to each particular components and which apply to the entire electronic information systemppFor example understanding the risks and vulnerabilities to a regulated entitys ePHI requires a thorough understanding of the components of its electronic information systems the electronic information systems themselves how they are connected and how ePHI moves through those systems Thus by requiring a regulated entity to conduct an inventory of its technology assets and to create a network map of its electronic information systems we clarify that a regulated entity is obligated to consider not only its electronic information systems as a whole but also the components within those electronic information systems and their functionspp
Addressing threats to the confidentiality integrity and availability of ePHI is a key function of the Security Rule but the rule does not define threat The concept of threat also underlies the Departments proposed definition of risk defined above and forms the basis of a key proposed implementation specification associated with the standard for risk analysis391
pp
The Department proposes to define the term threat to mean any circumstance or event with the potential to adversely affect the confidentiality integrity or availability of ePHI This proposal is similar to NISTs varying definitions of threat edited to apply specifically to health care and the type of information addressed by the Security Rule392
Under this proposal we would construe the term to apply broadly to include threats caused by or existing because of a variety of circumstances that specifically could affect the security of ePHI Hackers malicious insiders and malicious software are examples of threat sources
pp
The Department first defined the term person in the HIPAA Rules as part of the 2003 Civil Money Penalties Procedures for Investigations Imposition of Penalties and Hearings interim final rule to distinguish a natural person who could testify in the context of administrative proceedings from an entity defined therein as a legal person on whose behalf a person would testify393
Although they were both published in 2003 the interim final rule was published two months after the Security Rule Thus when the Security Rule was published in 2003 it was necessary to specify that the term user included both natural persons and entities but we believe that this is no longer the case because the current definition of person includes natural persons as well as entities394
pp
The Department proposes to clarify the definition of User by removing the reference to an entity395
Because the definition of person includes an entity including entity in the definition of user is redundant and could cause confusion We believe that this is a technical correction because it would not change how the Department has interpreted the term
ppThe term vulnerability is currently not defined in the Security Rulepp
The Department previously explained that although some cyberattacks may be sophisticated and exploit previously unknown vulnerabilities
ie
zeroday attacks most can be prevented or mitigated by addressing known vulnerabilities396
For example
print page 930
exploitable vulnerabilities exist across many components of IT infrastructures including but not limited to servers desktops mobile device operating systems web software and firewalls397
To mitigate against intrusions and hacking threats the Department has recommended that regulated entities install vendor patches make software updates and monitor sources of cybersecurity alerts describing new vulnerabilities such as the NIST National Vulnerability Database 398
and CISAs Known Exploited Vulnerabilities Catalog399
pp
The Department proposes to define vulnerability by adopting substantially the same definition as NIST a weakness in an information system system security procedures internal controls or implementation that could be exploited or triggered by a threat source 400
with minor changes to clarify how it applies to regulated entities and ePHI The definition if adopted as proposed would then form the basis for understanding key assessment and mitigation strategies proposed in this NPRM such as risk analyses401
patch management402
and vulnerability management and scans403
pp
The Department currently defines the term workstation to mean an electronic computing device and provides the examples of technology that dominated the health care environment in 2003 and 2013 such as a laptop desktop computer and other device that performs similar functions and electronic media stored in its immediate environment404
Workstations are essential for workforce members to perform their assigned functions such as clinicians entering an individuals health history and treatment plan or billing staff preparing claims Workstations are one of the key entry points for users to access a regulated entitys information systems Thus the Security Rule contains provisions requiring that regulated entities secure not only their information systems but also individual workstations405
However as discussed above the health care environment has changed It now includes both the physical and virtual environment and is replete with mobile devices and other types of devices that may serve as multifunctional workstations Clinicians and other workforce members often rely on smart phones smart watches tablets laptops and even personal digital assistants among other devices These devices have proliferated and so has their ability to perform a wide variety of functions with increasing sophistication The Department believes that it is necessary to update the definition to reflect the evolved nature of the landscape
ppIn recognition of this changed environment the Department proposes to modify the definition of workstation to provide additional examples of what constitutes a workstation Specifically we propose to add the examples of a server virtual device and a mobile device such as a smart phone or tablet Virtual devices could include a virtual medical device virtual server or virtual desktop computer The proposed definition also would clarify that technology properly considered as a workstation is not limited to the proposed regulatory examplesppThe Department requests comment on all the foregoing proposed definitions including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether any of the proposed definitions would be problematic for regulated entities or result in unintended adverse consequences If so please explainppb Whether the Department should consider an alternative definition for any terms the Department proposes to define in the rule If the answer is yes please propose such an alternative definition and a reference or supporting rationaleppc Whether the Department should define any additional terms within the rule If the answer is yes please propose such additional terms and definitions along with any reference or supporting rationaleppd With respect to the definitions of information system and electronic information system the extent of a covered entitys direct management control over applications in cloud computing environments such as a cloudbased EHR systemppe With respect to the definitions of information system and electronic information system the extent of a business associates direct management control over applications in cloud computing environments where the business associate is the cloud service providerppf Whether defining the term technical controls and adding it to the definition of technical safeguards would more clearly explain the requirements of 45 CFR 164312ppg Whether defining implement and deploy as we propose would more clearly explain the differences between what is expected of regulated entities with respect to administrative and physical safeguards and technical safeguards To the extent that the proposals would not clarify the differences please provide alternative solutionspp
Section 164306 applies to regulated entities and includes the general rules for security standards Generally paragraph a codifies HIPAA statutory requirements for safeguarding ePHI406
Under these rules regulated entities are required to do all of the following
pp
Paragraph b of this section permits regulated entities to determine the most
print page 931
appropriate security measures for protecting ePHI and their information systems Accordingly 45 CFR 164306b1 permits regulated entities to use any security measures to reasonably and appropriately implement the standards and implementation specifications of the Security Rule while 45 CFR 164306b2 contains the factors that regulated entities are to consider when deciding which security measures to use This paragraph furthers the aim of HIPAAs requirement for the security standards to take into account certain factors by providing for their consideration by regulated entities411
Accordingly 45 CFR 164306b2 directs regulated entities to take these factors into account when determining the manner in which they will comply with the security standards and implementation specifications
ppSection 164306c requires regulated entities to comply with the administrative physical and technical safeguard standards in sections 45 CFR 164308 164310 and 164312 respectively and with standards for organizational requirements and policies procedures and documentation requirements in sections 45 CFR 164314 and 164316 This provision is followed by paragraph d which explains that regulated entities are required to implement a specific implementation specification if described as required If the implementation specification is described as addressable regulated entities are required to implement the implementation specification if it is reasonable and appropriate to do so or if it is not reasonable and appropriate document why and implement an equivalent alternative measureppFinally the maintenance provision at 45 CFR 164306e requires regulated entities to review and modify security measures implemented under the Security Rule as needed to continue providing reasonable and appropriate protection of ePHI It also requires regulated entities to update documentation of such security measures in accordance with the requirements for documentation at 45 CFR 164316b2iiipp
We believe that we can improve consistency in language between this section and other Security Rule provisions and better align this section with statutory terms and intent For example we are concerned that regulated entities are misinterpreting 45 CFR 164306a to apply the requirements of the Security Rule to only some ePHI rather than all ePHI This interpretation could lead to inadequate protection of ePHI and relevant electronic information systems412
We also believe that consistency in language facilitates clear understanding and less ambiguity about how regulated entities must apply Security Rule standards
pp
Flexibility and scalability are among the Security Rules defining characteristics and we intend to preserve those elements to the extent possible However we believe that in this era of increased reliance on technology more sophisticated cyber capabilities and increasing cyberattacks it is critical for regulated entities to implement and deploy strong security measures to protect ePHI and related information systems We are concerned that regulated entities have focused their attention primarily on the cost of security measures rather than considering the reasonableness and appropriateness of security measures in the context of all of the listed factors including the probability and criticality of potential risks to ePHI413
Further the Department believes that providing additional clarity would improve the ability of regulated entities to evaluate security measures for the protection of ePHI and the ability of a security measure to facilitate a regulated entitys recovery from emergencies and to support continued operations With these proposed modifications the Department seeks to ensure that regulated entities reliance on the Security Rules flexibility and scalability does not come at the expense of adequate security The current regulations framework in 45 CFR 164306b lacks any express factor that would require an evaluation of the effectiveness of the security measures in supporting the resiliency of the regulated entity
pp
The Department has explained in regulation and guidance the difference between required and addressable implementation specifications The meaning of required is clear Regarding addressable we previously explained that its purpose is to provide regulated entities flexibility with respect to implementation compliance414
We also previously explained that a regulated entity must assess whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its environment and if it is the regulated entity must implement the addressable implementation specification415
However the Department remains concerned that regulated entities believe that flexibility overrides the need for them to protect all ePHI and do not uniformly treat addressable implementation specifications as needing to be met if they are reasonable and appropriate OCRs enforcement experience and interaction with regulated entities causes us to believe that addressable is misunderstood to be optional leading regulated entities to choose not to adopt the implementation specification even when it would be reasonable and appropriate for them to do so416
pp
In 2022 NCVHS recommended that the Department eliminate the choice to not implement a specification or alternative and instead require that regulated entities implement the specification or adopt a documented reasonable alternative417
According to a survey referenced by NCVHS despite private sector and government efforts to address a changing cybersecurity landscape the majority of health care entities have failed to maintain a comprehensive security program and
print page 932
continue to neglect people and process measures necessary for a comprehensive security program418
NCVHS also pointed to a continued failure of regulated entities to develop adequate incident recovery plans and to assess their vulnerability to cyberattacks grounded in social engineering419
Finally NCVHS opined that the current structure of the Security Rule is inadequate to protect US health care infrastructure because it does not require regulated entities to adopt the basic building blocks of good security hygiene or a documented reasonable alternative 420
pp
We share NCVHS concerns and believe that we must squarely confront the problem of regulated entities treating addressable implementation specifications as optional Relatedly we also believe that we must consider modifying the Security Rule to set an acceptable minimum level of security specifications Circumstances have changed sufficiently since 2003 such that we now believe that good cyber hygiene requires regulated entities to implement more than the implementation specifications that we originally mandated421
Indeed we believe that it requires compliance with all of the standards and implementation specifications we are proposing with specific limited exceptions
ppWe also believe that the current maintenance requirement in 45 CFR 164306e would benefit from increased specificity in light of the dramatic transformation of the health IT environment discussed above For example providing the frequency with which regulated entities must review and update their security measures would improve the security of ePHI and regulated entities compliance with the Security Rule The Security Rules maintenance requirement would be further strengthened by requiring regulated entities to test their security measures to verify their sufficiency and by clarifying the Departments expectations regarding documentation Regulated entities lack of documentation about how they implement security measures makes it difficult for them to know what security measures they have in fact implemented and to demonstrate compliance with the requirements of the Security Rule Finally the maintenance requirement in 45 CFR 164306e is not included in or designated as a Security Rule standard although it explicitly references the overarching documentation requirements in 45 CFR 164316b2iii Thus there is overlap between the two sections that may be causing confusion regarding the obligations of regulated entities to maintain security measuresppThe Department proposes to expand the introductory language to the general requirements provision at 45 CFR 164306a to clarify the extent to which the general requirements apply to the obligations of regulated entities with respect to ePHI that they create receive maintain or transmitppUnder the proposal the Department would clarify that the general requirements apply to all ePHI Additionally the Department proposes to move language from paragraph a1 to paragraph a to further emphasize that regulated entities must apply the requirements of the Security Rule to protect all of the ePHI they create receive maintain or transmit We also propose to clarify that each regulated entity would be required to apply the obligations in paragraphs a1 through 4 to all ePHI it creates receives maintains or transmits The Department believes that this proposal would stress to regulated entities that each and every covered entity and business associate would be responsible for ensuring it meets Security Rule requirements with respect to all ePHIppThe Department believes this proposed change would also help address issues raised by current interpretations of the Security Rule that suggest that its plain wording may not require regulated entities to fully implement each security measure to protect all ePHI Thus the Departments proposed language would clarify that a security measure must be implemented such that it protects the security of all ePHI and all information systems that affect the confidentiality integrity and availability of ePHIpp
Additionally the Department proposes to modify the general requirements of paragraph a2 to require each regulated entity to protect against any reasonably anticipated threats or hazards to the confidentiality integrity or availability of all ePHI instead of to the security or integrity of ePHI We believe that this proposal would better align this requirement with the general requirement at 45 CFR 164306a1 and confidentiality integrity and availability are generally considered the three basic elements of security422
ppAdditionally the Department proposes a minor change to paragraph a3 to refer specifically to ePHI rather than using a more general term We believe that both proposals would constitute technical revisions and that neither would alter the meaning of 45 CFR 164306a2 or 3 respectivelyppFinally the Department proposes to modify paragraph a4 so that each regulated entity would be required to ensure that its workforce complies not only with the Security Rule but also all administrative physical and technical safeguards implemented in accordance with this subpartpp
These proposals would better align the language of the general requirements in paragraph a of 45 CFR 164306 with the statute 423
and 45 CFR 164530c424
These proposals are also consistent with our proposals to revise the introductory language for each of the safeguard provisions to clarify the provisions therein would be the minimum regulated entities are to implement
ie
that the security measures required by the Security Rule constitute a floor of protections not a ceiling
pp
The Departments proposals generally retain the flexible approach described in paragraph b As discussed above the Security Rule carefully balances the benefits of safeguarding against risks to security and the burdens of implementing protective measures by for example enabling regulated entities to take into account specified factors when determining how to implement security measures in a manner that complies with the Security Rule To acknowledge the rapid evolution of technology and increasing threats the Department proposes to clarify
print page 933
paragraph b1 to provide that regulated entities are to apply reasonable and appropriate security measures to implement the standards and implementation specifications of the Security Rule This proposal if adopted would replace the existing paragraph providing for regulated entities reasonable and appropriate implementation of standards and implementation specifications which could be misinterpreted to mean that a regulated entity may determine that implementation itself is unreasonable or inappropriate in some circumstances That has never been the case Thus the proposed modification would clarify that implementation is not optional based on whether a regulated entity believes it is reasonable and appropriate to the contrary a regulated entity is required to implement the standards and implementation specifications and must adopt reasonable and appropriate security measures that allow the entity to achieve such implementation The proposed clarification would comport more precisely with the statute which requires regulated entities to maintain reasonable and appropriate safeguards425
pp
The Department also proposes to add a new element to the list of factors that regulated entities must take into account when deciding whether a particular security measure
eg
a technical control is reasonable and appropriate for implementing a standard and its associated implementation specifications the effectiveness of the security measure in supporting the resiliency of the regulated entity A regulated entity would be required to consider this factor in addition to the existing factors for example when choosing a specific encryption solution that allows the entity to meet the proposed requirement to encrypt ePHI which will help prevent an unauthorized user from accessing the entitys ePHI or when developing its security incident plan or disaster recovery plan which will help ensure that the regulated entity can recover data or reestablish data integrity after a security incident or disaster
pp
The Department proposes at 45 CFR 164306b2v to require a regulated entity to take into account how effectively its application of a particular security measure to achieve compliance with a standard and its associated implementation specifications would support its resiliency in the face of an event that adversely affects the entity According to NIST information system resilience addresses how well information systems continue to i operate under adverse conditions or stress even if in a degraded or debilitated state while maintaining essential operational capabilities and ii recover to an effective operational posture in a time frame consistent with mission needs 426
Recently in this era of rising cybercrime NIST described cyber resiliency as the ability to anticipate withstand recover from and adapt to adverse conditions stresses attacks or compromises on systems that use or are enabled by cyber resources 427
Thus the Department proposes to require a regulated entity to consider the ability of its implementation of a particular security measure to aid it in preventing withstanding and recovering from an emergency or other occurrence that affects the confidentiality integrity or availability of ePHI including a successful security incident
pp
The Department proposes this new requirement to better enable regulated entities to ensure the confidentiality integrity and availability of all ePHI that they create receive maintain or transmit The general rules require regulated entities to not only prevent threats and hazards to the confidentiality and integrity of ePHI but also to ensure the availability of ePHI even during a security incident that has the potential to severely hinder the ability of a regulated entity to provide health care or to bring it to a standstill This new factor would require a regulated entity to consider whether a particular approach to complying with a standard and the associated implementation specifications can help it recover from an emergency or other occurrence in addition to maintaining operations throughout the event The Department proposes this factor to complement its proposals to strengthen the standards for security incident procedures 428
and contingency planning 429
and proposals for new standards for patch management 430
and vulnerability management431
discussed in detail below If finalized these proposals would help to ensure that regulated entities put in place the necessary measures to implement these standards
ppThe factors contemplate that regulated entities will regularly evaluate the security measures they have applied to comply with the standards and implementation specifications based on the technology available and known risks and vulnerabilities at the time of the evaluation The Department expects that when the existing factors are considered with the factor proposed in this NPRM a regulated entity would be required to consider whether a specific technical control has become sufficiently ubiquitous such that choosing not to adopt it would be unreasonablepp
To address the Departments concerns regarding the apparent misunderstanding by regulated entities of addressable we propose to modify 45 CFR 164306c and d by collapsing the separate paragraphs into one paragraph c to address both standards and implementation specifications and to remove the distinction between addressable and required implementation specifications Instead proposed paragraph c if adopted would require regulated entities to comply with both the standards and implementation specifications The Department believes that eliminating the distinction would make clear to regulated entities what has always been a requirementthat the Security Rule sets a floor for cybersecurity protections and that its flexibility is in allowing them to choose the manner in which they meet the standards and implementation specifications not whether they meet them The proposed change also would be consistent with NCVHS recommendation to require regulated entities to meet certain minimum cybersecurity hygiene requirements432
pp
The Department acknowledges that proposing to remove the addressability distinction is a change from the approach adopted in the 2003 Final Rule At that time we explained that the decision to include addressable implementation specifications was made to provide additional flexibility to
print page 934
covered entities433
In this rulemaking the Department proposes to strengthen protections and address evolving cybersecurity threats While we acknowledge that this proposal would reduce the Security Rules flexibility we believe that it is necessary to do so to achieve HIPAAs purpose of an efficient and effective health care system that relies on the secure electronic exchange of ePHI Importantly removing the distinction between required and addressable would not eliminate all of the Security Rules flexibility and scalability Instead it would simply clarify for regulated entities where the floor of protection must lie and regulated entities must implement solutions that meet that floor taking into consideration their needs and capabilities For example a small or rural health care provider must implement a solution that ensures the protection of ePHI in the manner required by the Security Rule but the specific solution that it chooses would reflect consideration of its particular circumstances including available resources In some cases a small or rural health care provider might opt to implement a cloudbased EHR or other software solution that could reduce the health care providers need to separately invest in data storage backup systems and IT personnel And in other circumstances a small or rural health care provider might choose to contract with a third party to provide IT support rather than hiring its own workforce members to perform such functions
ppThe Department also proposes to delete the maintenance provision at 45 CFR 164306e Instead as discussed in greater detail below we propose to clearly delineate maintenance implementation specifications for specific standards when applicable We believe this approach would clarify how maintenance requirements relate to specific security measures and would remove any ambiguity about the need for regulated entities to regularly review test and modify measures as reasonable and appropriate We further discuss maintenance provisions below for each safeguardppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether removing the distinction between required and addressable implementation specifications would result in unintended negative consequences for regulated entities If so please explain and provide a recommendation for how the Department should clarify how regulated entities are required to implement the security measures described in the proposed ruleppb Whether the Department should include other factors in 45 CFR 164306b for regulated entities to consider when selecting the security measures that they will implement to meet the requirements of the Security Rule If so please explainppc Whether the factor proposed by the Department at proposed 45 CFR 164306b2v would help regulated entities identify reasonable and appropriate security measuresppd Whether the Departments proposals sufficiently clarify that a regulated entity is expected to modify its security measures in response to changes in the environment in which health care is provided including but not limited to the adoption of new technology the evolution of existing technology and the emergence of new threatsppe Whether the proposals sufficiently take into account the needs and capabilities of small health care providers and rural health care providers as required by the statute If not please explain and include a recommendation for ways that the Department could better account for such needs and capabilities while adequately ensuring the confidentiality integrity and availability of ePHI that they create receive maintain or transmit The recommendations should also take into consideration the effect of the actions taken by small and rural health care providers on the ePHI that is created received maintained or transmitted by other regulated entities with whom small and rural health care providers interactppSection 164308 of title 45 CFR contains the administrative safeguards that a regulated entity must implement consistent with the general requirements described in 45 CFR 164306 All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions such as policies and procedures that must be in place for the management and execution of security measuresppSection 164308a contains most of the standards and associated implementation specifications that are categorized as administrative safeguards The standards for administrative safeguards are as followsppThe standard for security management process at 45 CFR 164308a1i requires regulated entities to implement policies and procedures to prevent detect contain and correct security violations The Security Rule directs regulated entities as to how they are to comply with the standard for security management process through four implementation specifications Section 164308a1iiA requires regulated entities to conduct a risk analysis that accurately and thoroughly assesses potential risks and vulnerabilities to the confidentiality integrity and availability of ePHI they hold The implementation specification for risk management at 45 CFR 164308a1iiB requires regulated entities to implement measures to reduce risks and vulnerabilities such as those identified in the risk analysis to a reasonable and appropriate level Under 45 CFR 164308a1iiC regulated entities are required to apply appropriate sanctions against workforce members who fail to comply with applicable security policies and procedures while the implementation specification for information system activity review at 45 CFR 164308a1iiD requires regulated entities to implement procedures to regularly review information system activity recordsppThe standard for assigned security responsibility at 45 CFR 164308a2 requires regulated entities to identify a security official who is responsible for the development and implementation of the policies and procedures that are required by this section There are no implementation specifications associated with this standardpp
Section 164308a3i contains the standard for workforce security and requires regulated entities to implement policies and procedures to ensure that their workforce members have appropriate access to ePHI which includes preventing workforce members who do not have authorized access from
print page 935
obtaining it The implementation specifications associated with this standard address the need to implement certain procedures regarding workforce member access to ePHI Section 164308a3iiA addresses the implementation of procedures for the authorization andor supervision of workforce members who work with ePHI or in locations where it might be accessed The implementation specification for workforce clearance procedure at 45 CFR 164308a3iiB addresses the implementation of procedures to determine that a workforce members access to ePHI is appropriate while 45 CFR 164308a3iiC addresses the implementation of procedures for terminating a workforce members access to ePHI when their employment or similar arrangement ends or as required by the regulated entitys workforce clearance procedures
pp
Under 45 CFR 164308a4i the standard for information access management a regulated entity is required to implement policies and procedures for authorizing access to ePHI in a manner that is consistent with the requirements of the Privacy Rule that is only when such access is appropriate based on the user or recipients role
ie
rolebased access This interpretation is consistent with the Privacy Rules standard that limits most uses and disclosures of PHI to the minimum necessary to accomplish the purpose of the use or disclosure434
The standard for information access management has three implementation specifications paragraph a4iiA requires a health care clearinghouse that is part of a larger organization to implement policies and procedures to protect ePHI from unauthorized access by that organization paragraph a4iiB addresses implementation of policies and procedures for granting access to ePHI for example through a workstation program or other mechanism and paragraph a4iiC addresses the implementation of policies and procedures that based on the regulated entitys access authorization policies establish document review and modify a users right of access to a workstation program or other process
ppSection 164308a5i contains the standard for security awareness and training This standard requires a regulated entity to implement a security awareness and training program for all workforce members including management There are four associated implementation specifications that address the need for regulated entities to implement the followingppThe standard for security incident procedures at 45 CFR 164308a6i requires a regulated entity to implement policies and procedures to address security incidents The one implementation specification associated with this standard 45 CFR 164308a6ii requires regulated entities to identify and respond to suspected or known security incidents to mitigate to the extent practicable harmful effects of security incidents that are known to the regulated entity and to document security incidents and their outcomespp
Under the standard for contingency planning at 45 CFR 164308a7i a regulated entity is required to establish and implement as needed policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI The standard includes five implementation specifications at 45 CFR 164308a7ii The first paragraph a7iiA requires a regulated entity to establish and implement procedures to create and maintain exact copies of ePHI that are retrievable439
Paragraph a7iiB requires a regulated entity to establish and implement as needed procedures to restore any lost data440
Paragraph a7iiC requires a regulated entity to establish and implement as needed procedures to enable continuation of critical business processes for protecting the security of ePHI while the regulated entity is operating in emergency mode Paragraph a7iiD addresses the implementation of procedures for periodic testing and revision of contingency plans and paragraph a7iiE addresses the assessment of the relative criticality of specific applications and data in support of other contingency plan components
ppThe standard for evaluation at 45 CFR 164308a8 requires a regulated entity to periodically perform a technical and nontechnical evaluation that establishes the extent to which the regulated entitys security policies and procedures meet the requirements of the Security Rule The initial evaluation is to be based upon the standards implemented under the Security Rule while subsequent evaluations are to be conducted in response to environmental or operational changes affecting the security of ePHIpp
Section 164308b contains the administrative safeguards that apply to the relationships between regulated entities Specifically 45 CFR 164308b1 permits a covered entity to engage a business associate to create receive maintain or transmit ePHI on the covered entitys behalf when it obtains satisfactory assurances consistent with the organizational requirements for business associate agreements or other arrangements in 45 CFR 164314a that the business associate will appropriately safeguard the ePHI Similarly under 45 CFR 164308b2 a business associate may retain a subcontractor to create receive maintain or transmit ePHI on its behalf if the business associate obtains satisfactory assurances through a business associate agreement or other arrangement that the subcontractor will appropriately safeguard the information Section 164308b3 requires that the contract or other arrangement be in writing441
pp
The Security Rule administrative standards are comprehensive but our experience has demonstrated that they have been misunderstood by some regulated entities especially regarding how compliance with the standards and implementation specifications must be integrated with the general requirements in 45 CFR 164306 including the requirement in 45 CFR 164306e that a regulated entity must review and modify security measures Section 164306 does not explicitly reference specific security measures and we are concerned that recent caselaw has highlighted conditions that may cause regulated entities to misinterpret regulatory text that connects the maintenance provision at 45 CFR 164306e with the documentation requirements in 45 CFR 164316 and the administrative safeguards Through OCRs educational and enforcement efforts we also have observed inadequacies in compliance with security management processes For example some regulated entities have
print page 936
incorrectly interpreted the standards to not require implementing administrative safeguards such as risk analyses for all relevant electronic information systems Some regulated entities have not documented in writing their policies procedures plans and analyses442
As discussed above many mistakenly treated addressable implementation standards as optional443
Enforcement experience has shown that regulated entities generally do not perform all elements of the risk management process that are fundamental to protecting the confidentiality integrity and availability of ePHI and to cybersecurity more broadly
pp
In addition since the Security Rule was issued in 2003 and revised in 2013 newer more protective security technology has become widely available to regulated entities and best practices for securing electronic information have evolved NIST has published numerous guides including its recent Cybersecurity Framework 20 providing resources for establishing and implementing policies and practices to better manage cybersecurity risks444
OCR is drawing upon its enforcement experience as well as best practices guidelines processes and procedures for improving cybersecurity to propose changes to these standards to better protect ePHI that a regulated entity creates receives maintains or transmits We believe that these proposals would help ensure that regulated entities implement compliance activities that are consistent with recommendations made by NIST the HHS 405d program and standards setting bodies regarding cybersecurity
pp
Because business associates are directly liable for compliance with the Security Rule in our 2013 Security Rule revisions we did not require covered entities to implement any additional safeguards to ensure that their business associate is in fact in compliance445
However OCR has learned through its enforcement experience that many covered entities have entrusted ePHI to business associates that are not employing appropriate safeguards Some business associates have such market power that covered entities may believe they have no alternative to using their services even if they have concerns about the safeguards employed by the business associate The Department is concerned by the breaches experienced by business associates and the effects of such breaches on the confidentiality integrity and availability of ePHI446
ppThroughout this section the Department proposes to add explicit maintenance requirements to certain standards to address concerns that regulated entities may be misinterpreting the regulatory text that connects the maintenance provision at 45 CFR 164306e with the administrative safeguards These proposals would clarify that a regulated entity is required to maintain certain security measures and that where a regulated entity is required to maintain a particular security measure it is required to review and test such measure on a specified cadence and to modify the measure as reasonable and appropriate Testing of particular security measures such as technical controls or policies and procedures would include verifying that the security measures work as designed and that workforce members know how to implement them For example written policies and procedures can be tested through various methods including but not limited to simulating security events that mimic realworld attacks to assess how effectively employees follow incident response and security procedures conducting knowledge assessments after training on policies and procedures and reviewing system logs and access records to evaluate whether policies and procedures governing access to ePHI are being followed We would expect a regulated entity to take the results of the required tests into consideration when determining whether it is reasonable and appropriate to modify its security measures as well as the actions that would be expected of a regulated entity that is similarly situated based on the results of such testsppWe also propose to modify certain administrative safeguards to clarify the obligations of a regulated entity to ensure the confidentiality integrity and availability of ePHI by securing its relevant electronic information systemsthat is its electronic information systems that create receive maintain or transmit ePHI and those that otherwise affect its confidentiality integrity or availabilityand the technology assets in its relevant electronic information systemsppThe Department proposes to modify the general language at 45 CFR 164308a to clarify the connection between the general rules for security standards at 45 CFR 164306 the standards for policies and procedures and documentation requirements at 45 CFR 164316 and the standards for the administrative safeguards under 45 CFR 164308a We also propose to clarify that regulated entities would be required to implement all of the administrative safeguards of the Security Rule to protect the confidentiality integrity or availability of all ePHI that they create receive maintain or transmit Thus when read together proposed 45 CFR 164308a and 164316a would require that a regulated entity implement and document in writing its implementation of the administrative safeguards required by the Security Rule These requirements set the baseline for administrative safeguards Nothing in this NPRM would prevent a regulated entity from implementing additional administrative safeguards provided that those additional safeguards do not conflict with any requirements in the Security RuleppThe proposed changes are discussed in greater detail belowpp
We propose to modify 45 CFR 164308a1 by elevating to standardlevel status the existing implementation specifications for the standard for security management process at 45 CFR 164308a1iiA through D and deleting the existing standard Doing so would highlight the importance of these elements and permit us to add implementation specifications that detail our expectations for compliance with those elements We believe that providing more specificity in our requirements would help regulated entities better understand their compliance responsibilities for
print page 937
safeguarding ePHI These proposals are consistent with current guidance as described below
ppIn place of the existing standard for security management process we propose a standard at 45 CFR 164308a1i that would require a regulated entity to conduct and maintain an accurate and thorough written technology asset inventory and a network map of its electronic information systems and all technology assets that may affect the confidentiality integrity or availability of ePHI The inventory forms the foundation for a fulsome and accurate risk analysis A regulated entity must identify its information systems that create receive maintain or transmit ePHI and all technology assets as we propose to define them in 45 CFR 164304 that may affect ePHI in such information systems in order to secure them Regulated entities cannot understand the risks to the confidentiality integrity and availability of their ePHI without a complete understanding of these assets We believe that this proposal would clarify compliance expectations and provide increased protections for the confidentiality integrity and availability of ePHI Consistent with practices previously highlighted in guidance regulated entities would be required by this proposal to conduct and maintain an accurate and thorough written inventory of technology assetspp
The standard would also require each regulated entity to determine the movement of ePHI through into and out of its information systems and to describe such movement in a network map A regulated entitys network map would reflect where its technology assets are for example physically located at the regulated entitys worksite or accessed through the cloud As another example a covered entity might determine that ePHI is created received maintained or transmitted by one or more offshore business associates
ie
persons that are located outside of the US for such services as claims processing call center staffing and technical support activities that inherently involve ePHI The technology assets used by the business associate to create receive maintain or transmit ePHI are not a part of the covered entitys electronic information system but do affect the confidentiality integrity or availability of ePHI and so would be required to be included in the network map of the covered entity447
Such assets would be considered part of the business associates electronic information systems and therefore would need to be included in both its technology asset inventory and network map Any technology assets used by the covered entity to create receive maintain or transmit ePHI to the business associate would need to be accounted for in both its technology asset inventory and network map Such technology assets would not be part of the business associates technology asset inventory but would need to be included on its network map
pp
This proposed standard aligns with the Departments enhanced CPG for Asset Inventory which requires that a regulated entity identify assets to more rapidly detect and respond to potential risks and vulnerabilities448
and is consistent with NCVHS recommendation to require regulated entities to identify where all PHI is stored and to collect data on applications and systems used by the organization to create a systems inventory449
pp
In 2003 the Department elected not to require regulated entities to conduct an inventory because we believed that regulated entities would understand that such an inventory is a vital component of the risk analysis making it redundant of other requirements of the Security Rule450
The Department and NIST have provided extensive guidance described below about how to conduct such inventories as part of compliance with 45 CFR 164308 However nearly 20 years of enforcement experience indicates that regulated entities routinely disregard this part of the process OCRs investigations frequently find that organizations lack sufficient understanding of where all the ePHI entrusted to their care is located451
pp
Understanding ones environmentparticularly how ePHI is created and enters an organization how ePHI flows through an organization and how ePHI leaves an organizationis crucial to understanding the risks ePHI is exposed to throughout an organization452
According to the NIST Cybersecurity Framework 20 having a comprehensive understanding of the organizations assets
eg
data hardware software systems facilities services people suppliers and related cybersecurity risks enables a regulated entity to prioritize its efforts consistent with its risk management strategy and its mission needs453
pp
The proposed standard would be accompanied by three implementation specifications Under the proposed implementation specification for inventory at proposed 45 CFR 164308a1iiA the regulated entity would be required to establish a written inventory that contains the regulated entitys technology assets Technology assets are components of an electronic information system including but not limited to hardware software electronic media information and data The written inventory would be required to include technology assets that create receive maintain or transmit ePHI and those that do not but that may affect the confidentiality integrity or availability of ePHI454
It would also be required to include the identification version person accountable for and location of each of the assets or information system components455
ppThe proposed implementation specification for network map at proposed 45 CFR 164308a1iiB would require a regulated entity to develop a network map that illustrates the movement of ePHI throughout its electronic information systems including but not limited to how ePHI enters and exits such information systems and is accessed from outside of such information systemspp
Under the proposed implementation specification for maintenance at proposed 45 CFR 164308a1iiC a regulated entity would be required to review and update the written inventory of technology assets and the network map in the following circumstances 1 on an ongoing basis but at least once every 12 months and 2 when there is a change in the regulated entitys environment or operations that may affect ePHI Such a change in the
print page 938
regulated entitys environment or operations would include but would not be limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of ePHI a sale transfer merger or consolidation of all or part of the regulated entity with another person a security incident that affects the confidentiality integrity and availability of ePHI and relevant changes in Federal State Tribal or territorial law For example a dissolution or bankruptcy of the regulated entity would require the regulated entity to review and update its inventory and network map For another example if a State implemented regulations specifying cybersecurity requirements for all hospitals these proposed specifications would require a regulated entity in that State to review and update its inventory and network map considering implementation of the State regulations by the regulated entity or other persons whose activities may affect movement of ePHI throughout its electronic information systems456
ppThe proposed standard is consistent with the NIST Cybersecurity Framework Identify function Asset Management IDAM category which describes inventorying hardware and software and mapping communication and data flows to create and maintain an asset inventory that can be used in a risk analysis process For example the Cybersecurity Framework recommends that when creating an asset inventory organizations should include all of the following as applicableppWhere multiple persons have control over a technology asset all persons that have control should include the asset in both their technology asset inventories and on their network maps For example where a covered entity contracts with a cloudbased EHR vendor both the covered entity and the EHR vendor have control over the ePHI in the EHR Thus the ePHI in the EHR and the EHR should be included in the technology asset inventories and network maps of both the covered entity and the cloudbased EHR vendor Where the technology assets are controlled entirely by another person such as the servers controlled by a cloudbased provider of data backup services the technology assets would not be considered part of a health care providers electronic information systems and therefore would not have to be included in its technology asset inventory However the data backup provider would have to be included in the health care providers network mappp
When creating or maintaining a technology asset inventory that can aid in identifying risks to ePHI regulated entities should consider their technology assets that may not create receive maintain or transmit ePHI but that may affect technology assets that do so458
Assets within an organization that do not create receive maintain or transmit ePHI may still present opportunities for intruders to enter the regulated entitys electronic information systems which could lead to risks to the confidentiality integrity or availability of an organizations ePHI For example consider a smart device that is connected to the internet
eg
connected to the Internet of Things 459
IoT and provides access to facilities for maintenance personnel to control and monitor an organizations heating ventilation and air conditioning HVAC Although it may not maintain or process ePHI such a device potentially can present serious risks to the security of ePHI in an organizations information systems Unpatched IoT devices with known vulnerabilities such as weak or unchanged default passwords installed on a network without firewalls network segmentation or other techniques that deny or impede an intruders lateral movement can provide an intruder with access to an organizations relevant electronic information systems The intruder may then leverage this access to conduct reconnaissance and further penetrate an organizations network and potentially compromise ePHI
ppThe risks and deficiencies OCR has observed in its enforcement experience persuades us that we must consider adding an express requirement for a regulated entity to conduct an accurate and thorough written inventory of its technology assets and create a network mappp
After a regulated entity conducts a written inventory of its technology assets and creates its network map it is critical for it to identify the potential risks and vulnerabilities to its ePHI Conducting a risk analysis is necessary to adequately protect the confidentiality integrity and availability of ePHI because it provides the basis for determining the manner in which the regulated entity will comply with and carry out the other standards and implementation specifications in the Security Rule460
Basic questions that a regulated entity would consider when conducting a risk analysis that is compliant with the Security Rule include 461
pp
There are numerous methods of performing a risk analysis and there is no single method or best practice that guarantees compliance with the Security Rule462
The Department has issued multiple guidance documents and tools for regulated entities to help them implement risk analyses463
and several versions of its Security Risk Assessment Tool a desktop application that walks users through the process of conducting a risk assessment464
NIST has published numerous guides for risk assessment over the past two decades465
in addition to reference materials it has developed in collaboration with the Department including a toolkit and a crosswalk between the Security Rule to NIST Cybersecurity Framework466
and how to guides on risk analysis467
In February 2024 NIST released a new guide that provides resources for implementing a Security Rule risk analysis468
Consistent with previous Department guidance the guide describes key elements in a comprehensive risk assessment process that include the following
pp
The Department has also published guidance that explains the differences between a risk analysis and a gap analysis and the use of both in an entitys risk management program470
While a risk analysis is a comprehensive identification of risks and vulnerabilities to all ePHI a gap analysis typically provides a partial assessment of an entitys enterprise and is often used to provide a highlevel overview of what safeguards are in place or missing and may also be used to review a regulated entitys compliance with particular standards and implementation specifications of the Security Rule
pp
Other NIST guidance on conducting risk assessments explains that the result of a risk analysis is a determination of risk posed to the regulated entitys ePHI and related information systems
471
print page 940
Consistent with the discussion above a key step is determining the risk level posed to such ePHI by threats and vulnerabilities and how critical it is to address and mitigate the identified risk In general the descriptive words very high or critical are used to indicate that a threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations organizational assets individuals other organizations or the country472
A high risk would indicate that a threat event could be expected to have a severe or catastrophic adverse effect on the same while a moderate risk could indicate that the threat event could have a serious adverse effect on the same Risks that are low and very low could be expected to have a limited and negligible effect respectively on organizational operations or assets individuals other organizations or the country
pp
The Department believes that determinations of risk level and criticality may vary based on the specific type of regulated entity and the regulated entitys specific circumstances For example a health care provider must consider the higher levels of risks to physical and technical security that are created by regular entry and exit of individuals seeking health care and other members of the public into its facilities creating potentially numerous avenues for access to ePHI through technology assets in contrast a health plan that generally does not permit physical entry by individuals into its office building may determine that the risks to ePHI from physical entry by individuals or other members of the public is low because its workforce members do not generally physically interact with the public As another example a vulnerability permitting unauthenticated remote code execution on a device connected to a regulated entitys relevant electronic information systems would likely constitute either a high or critical risk However should such a device not have the ability to connect to the network the risk might be low or moderate because the likelihood of triggering a network vulnerability on a nonnetworked device is low even though the impact of such trigger might be high Thus it is essential that a regulated entity consider its specific circumstances when assessing the criticality of a risk and to address such risks in a manner that is appropriate to its specific facts and circumstances473
In yet another example a regulated entity in possession of legacy devices or devices that are nearing the end of their lifespan should assess the risks associated with continued use of such devices as part of its risk analysis and ensure that replacement of such devices andor the implementation of compensating controls are included in its risk management plan
pp
Despite our having made available an abundance of free and widelypublicized guidance tools OCR unfortunately has learned through its compliance and enforcement activities that regulated entities often do not perform compliant risk analyses As discussed above in 2016 and 2017 the Department conducted audits of 166 covered entities and 41 business associates for their compliance with selected provisions of the HIPAA Rules474
These audits confirmed that only small percentages of covered entities 14 percent and business associates 17 percent were substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities Entities generally failed to
pp
Failing to document any efforts to develop maintain and update policies and procedures for conducting risk analyses was common For example health care providers commonly submitted documentation of some security activities performed by a thirdparty security vendor without submitting documentation of any risk analysis that served as the basis of such activities475
Many regulated entities used and relied on outside persons to manage or perform risk analyses for their organizations however these outside persons frequently failed to meet the requirements of the Security Rule Regulated entities also frequently and incorrectly assumed that a purchased security product satisfied all of the Security Rules requirements
ppThe responsibility to maintain an appropriate risk analysis rests with the regulated entity Accordingly it is essential that regulated entities understand and comply with risk analysis requirements to appropriately safeguard PHIpp
Numerous OCR investigations reflect the failure of regulated entities to develop and implement holistic risk analysis programs For example OCRs investigation of a health system in the aftermath of a ransomware attack found evidence of potential failures to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems implement a contingency plan to respond to emergencies like a ransomware attack that damage systems that contain ePHI and implement policies and procedures to allow only authorized users access to ePHI476
pp
In another recently concluded investigation involving a large medical center the covered entity reported that over a sevenmonth period one of its employees inappropriately accessed the ePHI of more than 12000 patients and then sold certain patient information to an identity theft ring477
OCRs investigation indicated potential violations of the requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality integrity and availability of all of the ePHI held by the medical center as well as the requirement at 45 CFR 164308a1iiD to implement procedures to regularly review records of information system activity such as audit logs access reports and security incident tracking
pp
In another case the OCR settled a ransomware cyberattack investigation with a business associate478
The cyberattack affected the ePHI of over
print page 941
200000 individuals when the business associates network server was infected with ransomware It took the company more than 18 months to detect the intrusion and they only did so when the ransomware was used by the intruder to encrypt the companys files Among other factors OCRs investigation found evidence of potential failures to conduct an accurate and thorough risk analysis and to implement procedures to regularly review records of information system activity such as audit logs access reports and security incident tracking reports
pp
Given the compliance deficiencies that OCR regularly seesthose cited as examples and what OCR has observed more broadlywe believe that stronger requirements coupled with greater specificity regarding the components of a risk analysis would help and encourage regulated entities to appropriately perform such activities Accordingly the Department proposes to elevate the requirement to conduct a risk analysis from an implementation specification at 45 CFR 164308a1iiA to a standard at proposed 45 CFR 164308a2i Under the proposal and consistent with NCVHS recommendations479
a regulated entity would be required to conduct an accurate and comprehensive written assessment of the potential risks and vulnerabilities to the confidentiality integrity and availability of all ePHI created received maintained or transmitted by the regulated entity
pp
The Department proposes eight implementation specifications for the risk analysis standard consistent with previously issued guidance described above The proposed implementation specification for a written assessment at proposed paragraph a2iiA would require the regulated entity at a minimum to perform and document all of the following 480
ppUnder the proposed implementation specification for maintenance at proposed 45 CFR 164308a2iiB a regulated entity additionally would be required to review verify and update the written assessment on an ongoing basis but in any event no less frequently than at least once every 12 months and in response to a change in the regulated entitys environment or operations that may affect ePHI As discussed above a change in the regulated entitys environment or operations that may affect ePHI would include but would not be limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of ePHI a sale transfer merger or consolidation of all or part of the regulated entity with another person a security incident that affects the confidentiality integrity or availability of ePHI and relevant changes in Federal State Tribal or territorial lawpp
The Department proposes to redesignate the existing evaluation standard at 45 CFR 164308a8 as 45 CFR 164308a3i and to revise the redesignated evaluation standard to require the technical and nontechnical evaluations to be in writing and performed to determine whether change in the regulated entitys environment or operations may affect the confidentiality integrity or availability of ePHI Evaluating the effects of a potential change on a regulated entitys environment or operations including the effects on the confidentiality integrity and availability of ePHI is a critical step in the change control process An evaluation serves a similar purpose to a risk analysis However while a risk analysis looks at the entirety of a regulated entitys enterprise regularly and in response to a change in the regulated entitys environment or operations an evaluation looks at a specific change that a regulated entity intends to make before the change is made Thus this proposal if adopted would ensure that a regulated entity proactively considers whether any risks or vulnerabilities to ePHI or its relevant electronic information systems will be introduced by changes it intends to make to its environment or operations and responds by implementing appropriate safeguards in a timely fashion489
pp
We also propose to delete the requirement that the evaluation be performed based initially on the standards implemented under this rule because an evaluation is performed to assess the effects of a planned change on the environment which can be observed when those effects are compared to the environment reflected in the risk analysis Additionally the Department proposes to add two implementation specifications at
print page 942
proposed 45 CFR 164308a3ii The proposed implementation specification for performance at proposed 45 CFR 164308a3iiA would require that a regulated entity conduct the evaluation within a reasonable period of time before making a change to its environment or operations while the proposed implementation specification for response at proposed 45 CFR 164308a3iiB would require a regulated entity to respond to the evaluation in accordance with its risk management plan
ppA change in the regulated entitys environment or operations would include but would not be limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of ePHI a sale transfer merger or consolidation of all or part of the regulated entity with another person a security incident that affects the confidentiality integrity or availability of ePHI and relevant changes in Federal State Tribal and territorial lawpp
NIST guidance provides descriptions of key activities and sample questions that would help regulated entities meet this evaluation standard490
They include
ppDespite the existing standard and the availability of guidance many regulated entities do not evaluate how changes in their environment such as a merger or acquisition or implementation of new technology may affect the security of ePHI In some instances regulated entities assert that they have done so but have no documentation of the purported evaluation The Department believes that this proposal if adopted would clarify our expectations for implementing these safeguardspp
As described in Department guidance regulated entities can defend themselves from common cyberattacks but hackers continue to target the health care industry in search of ways to access valuable ePHI491
Accordingly timely implementation of patches for known vulnerabilities is crucial to maintaining the security of ePHI Many cyberattacks could be prevented or substantially mitigated if regulated entities implemented activities to manage the implementation of patches updates and upgrades to comply with the Security Rules requirements for risk management which can deter one of the common types of attacks exploitation of known vulnerabilities If an attack is successful the intruder often will encrypt a regulated entitys ePHI to hold it for ransom or exfiltrate the data for future purposes including identity theft or blackmail Cyberattacks are especially concerning in the health care sector because they can disrupt the provision of health care services Exploitable vulnerabilities can exist in many parts of a regulated entitys information systems but often known vulnerabilities can be mitigated by applying vendor patches updating software or system configurations or upgrading to a newer version of the product If a patch update or upgrade is unavailable vendors often suggest actions to take that is compensating controls to mitigate a newly discovered vulnerability Such actions could include modifications of configuration files or disabling of affected services Regulated entities should pay careful attention to cybersecurity alerts describing newly discovered vulnerabilities These alerts often include information on mitigation activities and patching
pp
Risk management processes that are compliant with the Security Rule include identifying and mitigating risks and vulnerabilities that unpatched software poses to an organizations ePHI Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate In situations where patches are not available
eg
obsolete or unsupported software or testing or other concerns weigh against patching as a mitigation solution492
regulated entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level
eg
restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access Security vulnerabilities may be present in many types of software including databases EHRs operating systems email and device firmware Each type of program would have its own unique set of vulnerabilities and challenges for applying patches but identifying and mitigating the risks unpatched software
print page 943
poses to ePHI is important to ensuring that ePHI is protected493
pp
Although older applications or devices may no longer be supported with patches for new vulnerabilities regulated entities must still take appropriate action if a newly discovered vulnerability affects an older application or device If an obsolete unsupported system cannot be upgraded or replaced additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur
eg
increase access restrictions remove or restrict network access disable unnecessary features or services494
pp
Patches can be applied to software and firmware on all types of devicestelephones computers servers routers and more Installation of vendorrecommended patches is typically a routine process However regulated entities should be prepared if issues arise as a result of applying patches Software and hardware are often interconnected and dependent on the functionality and output of other information systems or components of other information systems When certain changes are made including the installation of a patch software dependent on the changed application may not perform as expected because settings or data may be affected Thus in complex environments patch management plays a crucial role in the safe and correct implementation of these changes495
Enterprise patch management is the process of identifying prioritizing acquiring installing and verifying the installation of patches updates and upgrades throughout an organization496
NIST has issued a series of guidance documents that regulated entities can use to design their own patch management processes as part of their risk management plans
pp
Consistent with previously issued guidance the discussion above and recommendations from NCVHS497
the Department proposes a new standard for patch management at proposed 45 CFR 164308a4i that would require a regulated entity to implement written policies and procedures for applying patches and updating the configurations of its relevant electronic information systems This proposed standard would ensure that a regulated entity is aware of its liability for appropriately safeguarding ePHI by installing patches updates and upgrades throughout its relevant electronic information systems
pp
The Department proposes six implementation specifications at proposed 45 CFR 164308a4ii that would be associated with the proposed standard for patch management The proposed implementation specification for policies and procedures at proposed paragraph a4iiA would require a regulated entity to establish written policies and procedures for identifying prioritizing acquiring installing evaluating and verifying the timely installation of patches updates and upgrades throughout its electronic information systems that create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI Under the proposed implementation specification for maintenance at proposed paragraph a4iiB a regulated entity would be required to review its patch management written policies and procedures at least once every 12 months and modify them as reasonable and appropriate based on that review The proposed implementation specification for application at proposed paragraph a4iiC would require a regulated entity to patch update and upgrade the configurations of its relevant electronic information systems in accordance with its written policies and procedures and based on the results of the regulated entitys risk analysis that would be required by proposed 45 CFR 164308a2 the vulnerability scans that would be required under proposed 45 CFR 164312h2i the monitoring of authoritative sources that would be required under proposed 45 CFR 164312h2ii and penetration tests proposed at 45 CFR 164312h2iii The proposal would require that such actions be taken within a reasonable and appropriate period of time except to the extent that an exception in proposed paragraph h2iiD applies Specifically a reasonable and appropriate period of time to patch update or upgrade the configuration of a relevant electronic information system would be within 15 calendar days of identifying the need to address a critical risk where a patch update or upgrade is available or where a patch update or upgrade is not available within 15 calendar days of a patch update or upgrade becoming available The proposal would require that within 30 calendar days of identifying the need to address a high risk498
a regulated entity patch update or upgrade the configuration of a relevant electronic information system where a patch update or upgrade is available or where a patch update or upgrade is not available within 30 calendar days of a patch update or upgrade becoming available For all other patches updates or upgrades to the configurations of relevant electronic information systems a reasonable and appropriate period of time would be determined by the regulated entitys written policies and procedures for identifying prioritizing acquiring installing evaluating and verifying the timely installation of patches updates and upgrades
pp
For the proposed exceptions to apply we propose in proposed paragraph a4iiD that a regulated entity would be required to document that an exception applies and that all other applicable conditions are met The first proposed exception in proposed 45 CFR 164308a4iiD
1 would be for when a patch update or upgrade to the configuration of a relevant electronic information system is not available to address a risk identified in the regulated entitys risk analysis The second proposed exception would be in proposed 45 CFR 164308a4iiD
2 for when the only available patch update or upgrade would adversely affect the confidentiality integrity or availability of ePHI The Department anticipates that this proposed exception would apply when a regulated entity tests a patch update or upgrade and determines that it would adversely affect the confidentiality integrity or availability of ePHI or where there are reports from government sources or persons with appropriate knowledge of an experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI indicating that the patch update or
print page 944
upgrade is likely to adversely affect the confidentiality integrity or availability of ePHI
ppIn proposed paragraph a4iiE the Department proposes to require a regulated entity document in realtime the existence of the applicable exception and to implement reasonable and appropriate compensating controls Similarly in proposed paragraph a4iiF we propose that where an exception applies a regulated entity would be required to implement reasonable and appropriate security measures as compensating controls to address the identified risk according to the timeliness requirements in proposed 45 CFR 164308a5iiD until such time as a patch update or upgrade that does not adversely affect the confidentiality integrity or availability of ePHI becomes availablepp
This proposed standard aligns with the Departments enhanced CPG for Cybersecurity Mitigation by quickly requiring a regulated entity to prioritize and mitigate vulnerabilities discovered by vulnerability scanning and penetration testing499
ppThe Department proposes to elevate the implementation specification for risk management to a standard at proposed 45 CFR 164308a5i This proposed standard would require a regulated entity to establish and implement a plan for reducing the risks identified through its risk analysis activities Specifically it would require a regulated entity to implement security measures sufficient to reduce risks and vulnerabilities to all ePHI to a reasonable and appropriate level What would constitute a reasonable and appropriate level depends on the regulated entitys specific circumstances including but not limited to its size needs and capabilities risk profile the ability of security measures to reduce or eliminate a particular identified risk or vulnerability and the ubiquity of such security measures We also propose four implementation specifications that would require regulated entities to engage in activities that are consistent with previously issued guidance described belowpp
Under the proposed implementation specification for planning at proposed paragraph a5iiA a regulated entity would be required to establish and implement a written risk management plan for reducing risks to all ePHI including but not limited to those risks identified by the regulated entitys risk analysis500
to a reasonable and appropriate level Proposed paragraph a5iB contains the proposed implementation specification for maintenance and would require the regulated entity to review the written risk management plan at least once every 12 months and as reasonable and appropriate in response to changes in its risk analysis The Department would interpret reasonable and appropriate in both paragraphs as requiring the regulated entity to take into account not only its specific circumstances but also the criticality of the risks identified We propose an implementation specification for priorities at proposed 45 CFR 164308a5iiC that would require a regulated entitys written risk management plan to prioritize the risks identified in the regulated entitys risk analysis based on the risk levels determined by that analysis Finally in the proposed implementation specification for implementation at proposed 45 CFR 164308a5iiD we propose to require that a regulated entity implement security measures in a timely manner to address the risks identified in the regulated entitys risk analysis in accordance with the priorities established under paragraph a5iiC The proposed risk management standard aligns with the Departments essential CPG to Mitigate Known Vulnerabilities501
pp
The Department previously issued guidance on risk management including links to NIST resources that is consistent with what we propose in this NPRM502
We encourage regulated entities to refer to similar NIST guidance for descriptions of risk management activities503
The results of a risk analysis performed in accordance with the proposed standard for risk analysis generally provide the regulated entity with a list of applicable threatvulnerability pairs as well as the overall risk rating of each pair to the confidentiality integrity and availability of ePHI504
For example some threatvulnerability pairs may result in a risk rating of moderate or high level of risk to ePHI while other pairs may result in a risk rating of low level of risk The regulated entity would need to determine what risk rating poses an unacceptable level of risk to ePHI and address any threatvulnerability pairs that indicate a risk rating above the organizations risk tolerance505
pp
Under this proposed standard the regulated entity would be required to reduce the risks to its ePHI to a level that is reasonable and appropriate for its specific circumstances Ultimately the regulated entitys risk assessment processes should inform its decisions about the manner in which it will implement security measures to comply with the Security Rules standards and implementation specifications506
Additionally each regulated entity would be required to document the security controls it has implemented because it has determined them to be reasonable and appropriate including analyses decisions and the rationale for decisions made to refine or adjust the security controls507
pp
As stated by NIST the documentation and retention of risk assessment and risk management activities is important for future risk management efforts 508
In general risk management activities should be performed with regular frequency to examine past decisions reevaluate risk likelihood and impact levels and assess the effectiveness of past remediation efforts 509
Risk management plans should address risk appetite risk tolerance workforce duties responsible parties the frequency of risk management and required documentation510
pp
Consistent with other proposals to elevate certain critical implementation specifications to standards we propose to elevate the implementation specification for sanction policy at 45 CFR 164308aiiC to a standard for sanction policy at proposed 45 CFR 164308a6i We propose this standard because applying appropriate sanctions against workforce members who fail to comply with security requirements and thus imperil the
print page 945
security of ePHI serves as an important tool for improving compliance by other workforce members with the regulated entitys safeguards for ePHI While the Department does not propose to modify the language of the standard we are proposing three implementation specifications that are consistent with guidance that was previously issued by the Department
ppSpecifically under the proposed implementation specification for policies and procedures at proposed 45 CFR 164308a6iiA a regulated entity would be required to establish written policies and procedures for sanctioning workforce members who fail to comply with the regulated entitys security policies and procedures The proposed implementation specification for modifications at paragraph a6iiB would require a regulated entity to review its written sanctions policies and procedures at least once every 12 months and based on that review modify such policies and procedures as reasonable and appropriate The proposed implementation specification for application at proposed paragraph a6iiC would direct a regulated entity to apply appropriate sanctions against workforce members who fail to comply with such security policies and procedures and to document when it sanctions a workforce member and the circumstances in which it applies such sanctionspp
The policy choices represented in this NPRM are informed by the compliance challenges OCR has observed through its enforcement activities These challenges demonstrate that regulated entities would benefit from greater precision and clarity about their legal obligations in the proposed standard Additionally according to a recent survey of IT and IT security practitioners in healthcare careless users were the top cause of data loss and exfiltration while accidental loss was the second highest cause Thirtyone percent of respondents indicated that the data loss or exfiltration was caused by a failure of workforce members to follow organizational policies511
As described in existing Department guidance an organizations sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection512
Sanction policies can be used to address the intentional actions of malicious insiders such as a workforce member that accesses the ePHI of a public figure or steals ePHI to sell as part of an identitytheft ring as well as the failure of workforce members to comply with policies and procedures such as failing to secure data on a network server or investigate a potential security incident
pp
Sanction policies that are appropriately applied can improve a regulated entitys general compliance with the HIPAA Rules Imposing consequences on workforce members who violate a regulated entitys policies and procedures implemented as required by the Security Rule or the HIPAA Rules generally can be effective in creating a culture of HIPAA compliance and improved cybersecurity Knowledge that there is a negative consequence to noncompliance enhances the likelihood of compliance513
Training workforce members on a regulated entitys sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which actions are prohibited and punishable514
A sanction policy that clearly communicates a regulated entitys expectations should ensure that workforce members understand their individual compliance obligations and consequences of noncompliance
pp
Regulated entities have the flexibility to implement the standard in a manner consistent with numerous factors including but not limited to their size degree of risk and environment The HIPAA Rules do not require regulated entities to impose any specific penalty for any particular violation nor do they require regulated entities to implement any particular methodology for sanctioning workforce members Rather in any particular case each regulated entity must determine the type cause and severity of sanctions imposed based upon its policies and the relative severity of the violation515
A regulated entity may structure its sanction policies in the manner most suitable to its organization As described in previously issued guidance materials from the Department and NIST regulated entities should consider the following when drafting or revising their sanction policies
pp
Generally it is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies and how the individuals or departments involved in the sanction processes can work in concert when appropriate Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization to all workforce members including management523
The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability understanding and transparency
pp
As described in previously issued HHS guidance review of activity in its relevant electronic information systems and their components including workstations524
enables a regulated entity to determine if any ePHI has been used or disclosed in an inappropriate manner525
The procedures should be customized to meet the regulated entitys risk management strategy and consider the capabilities of all information systems with ePHI526
These activities should also promote continual awareness of any information system activity that could suggest a security incident527
pp
Detecting and preventing data leakage initiated by malicious authorized users is a significant challenge528
Identifying potential malicious activity in relevant electronic information systems including in workstations and other components as soon as possible is key to preventing or mitigating the impact of such activity529
To identify potential suspicious activity organizations should consider an insiders interactions with information systems and their components A regulated entity can detect anomalous user behavior or indicators of misuse by either a trusted employee or thirdparty vendor who has access to critical systems workstations and other system components and data530
To minimize this risk an organization may employ safeguards that detect suspicious user activities such as traffic to an unauthorized website downloading data to an external device
eg
thumb drive or access to a network server by an unauthorized mobile device Maintaining audit controls
eg
system event logs application audit logs and regularly reviewing audit logs access reports and security incident tracking reports are important security measures that can assist in detecting and identifying suspicious activity or unusual patterns of data access531
pp
Regulated entities should regularly review activity in their relevant electronic information systems including the components of such systems for potential concerns and consider ways to automate such reviews532
Additionally regulated entities are responsible for establishing and implementing appropriate standard operating procedures including determining the types of audit trail data and monitoring procedures that would be needed to derive exception reports533
They also must activate the necessary review processes and maintain auditing and logging activity534
pp
Department and NIST guidance advise regulated entities to consider many questions when establishing their policies and procedures for reviewing activity in their relevant electronic information systems review535
These include
pp
Compliance challenges observed through OCRs enforcement activities suggest that regulated entities would benefit from an expanded standard to provide more details on compliance expectations Investigations of reported breaches of unsecured PHI discussed above as examples of risk analysis failures also identified a potential failure by the regulated entities to conduct appropriate information system activity review536
In an investigation involving a large health care provider the ePHI of more than 12000 patients was sold to an identity theft ring by employees who for six months inappropriately accessed patient account information537
Compliance with the requirement to implement procedures to regularly review records of activity in relevant electronic information systems such as audit logs access reports and security incident tracking could have identified and mitigated these disclosures538
pp
Similarly a business associate experienced an intrusion into its systems that it failed to notice for over 20 months Eventually the ePHI of more than 200000 individuals associated with several covered entities was encrypted in a ransomware cyberattack539
Among other factors OCRs investigation indicated that the business associate potentially failed to implement procedures for regularly reviewing records of activity in its relevant electronic information system such as audit logs access reports and security incident tracking reports540
pp
Consistent with previously issued guidance and based on OCRs enforcement experience the Department proposes to elevate the existing implementation specification for information system activity review to a standard and to redesignate it as proposed 45 CFR 164308a7i The purpose of the proposal is to impose specific requirements on a regulated entity to review the activity occurring in its relevant electronic information systems including the activity occurring in the components of such systems By virtue of these proposed requirements we would specify actions that a regulated entity is required to take to ensure that only appropriate users access ePHI and that it responds quickly to any suspicious activity in its relevant electronic information systems including in components thereof such as workstations that connect to or otherwise access its relevant electronic information systems We also propose to revise the language to provide regulated entities with additional direction regarding their review of suspicious activities The proposed standard if adopted would require a regulated entity to implement written policies and procedures for regularly reviewing
print page 947
records of activity in its relevant electronic information systems
pp
The Department proposes five implementation specifications for the proposed standard for information system activity review The proposed implementation specification for policies and procedures at proposed 45 CFR 164308a7iiA would require a regulated entity to establish written policies and procedures for retaining and reviewing records of activity in the regulated entitys relevant electronic information systems by persons and technology assets Such written policies and procedures should require review of activity in the regulated entitys relevant electronic information systems as a whole as well as the systems components including but not limited to any workstations They should also include information on the frequency for reviewing such records The frequency of review may vary based on the specific type of record being reviewed and the information it contains According to the proposed implementation specification for scope at proposed 45 CFR 164308a7iiB records of activity in the regulated entitys relevant electronic information systems by persons and technology assets would include but would not be limited to audit trails event logs firewall logs system logs data backup logs access reports antimalware logs and security incident tracking reports The proposed implementation specification for records review at proposed 45 CFR 164308a7iiC would require a regulated entity to review records of activity in its relevant electronic information systems by persons and technology assets as often as reasonable and appropriate for the type of report or log They would also be required to document such review A proposed implementation specification for record retention at proposed 45 CFR 164308a7iiD would require a regulated entity to retain records of activity in its relevant electronic information systems by persons and technology assets Under the proposal the regulated entity would be required to retain such records for an amount of time that is reasonable and appropriate for the specific type of report or log For example it may be reasonable and appropriate to retain audit trails for a different amount of time than security incident tracking reports because of the type of information they contain and their purpose The proposed implementation specification for response at proposed 45 CFR 164308a7iiE would require a regulated entity to respond to a suspected or known security incident identified during the review of activity in its relevant electronic information systems including any components thereof such as workstations in accordance with the regulated entitys security incident plan541
Finally the proposed implementation specification for maintenance at proposed 45 CFR 164308a7iiF would require a regulated entity to review and test its written policies and procedures for reviewing activity in its relevant electronic information systems at least once every 12 months The regulated entity would be expected to modify such policies and procedures as reasonable and appropriate based on the results of that review
ppConsider a large regulated entity that may have thousands of workforce members accessing various networks and relevant electronic information systems generating large amounts of log and audit data Given the size complexity and capabilities of entities of such size a reasonable and appropriate process for reviewing activity may include the adoption of an automated solution that performs rulesbased enterprise log aggregation and analysis to identify anomalous or suspicious patterns of behavior in the regulated entitys relevant electronic information systems and the components thereof including but not limited to workstations in realtime and sends alerts of potential security incidents to a workforce member or team for further review and action By contrast for a small regulated entity it might be reasonable and appropriate to have designated staff that manually review log files and audit trails multiple times per weekppThe Department proposes to redesignate the standard for assigned security responsibility at 45 CFR 164308a2 as proposed 45 CFR 164308a8 OCRs enforcement experience demonstrates that in practice many regulated entities follow informal policies and procedures that are not documented and have not documented the identification of the Security Official in writingppBased on OCRs enforcement experience and consistent with existing guidance we propose to modify the standard to specify that a regulated entity must identify in writing the Security Official who is responsible for the establishment and implementation of the policies and procedures whether written or otherwise and deployment of technical controls These proposals are consistent with our general intention in this NPRM to propose to clarify that policies and procedures required by the Security Rule should be reduced to writing and to distinguish between the implementation of written policies and procedures and the deployment of technical controlspp
As we previously explained in guidance542
the purpose of this standard is to identify who would be operationally responsible for assuring that the regulated entity complies with the Security Rule It is comparable to the Privacy Rule standard for personnel designations at 45 CFR 164530a1 which requires all covered entities to designate a Privacy Official The Security Official and Privacy Official can but need not be the same person While one workforce member must be designated as having overall responsibility other workforce members may be assigned specific security responsibilities
eg
facility security network security When making this decision regulated entities should consider basic questions such as Has the organization agreed upon and clearly identified and documented the responsibilities of the Security Official How are the roles and responsibilities of the Security Official crafted to reflect the size complexity and technical capabilities of the organization
pp
NIST guidance urges the regulated entity to select a workforce member who is able to assess the effectiveness of security to serve as the point of contact for security policy implementation and monitoring543
It further recommends that a regulated entity should document the responsibilities in a job description and communicate this assigned role to the entire organization NIST provides additional sample items for consideration by a regulated entity organizing its security practices including identifying the workforce members in the organization who oversee the development and communication of security policies and procedures direct IT security purchasing and investment and ensure that security concerns have been addressed in system implementation NIST also offers that a regulated entity should ask whether the security official has adequate access and communications with senior officials in the organization and whether there is a
print page 948
complete job description that accurately reflects assigned security duties and responsibilities
ppThe purpose of the workforce security standard is to ensure that workforce members only have access to ePHI that they need to perform their assigned functions and are prevented from accessing ePHI that they are not authorized to access to perform such functions The proposed changes to the standard and implementation specifications would clarify the actions required of a regulated entity to assure such limitspp
Individuals have been harmed in the past by the failure of regulated entities to comply with the Security Rule requirements for workforce security For example a former employee of a large covered entity was able to access their former worksite and workstation using stillactive credentials for more than a week after their employment was terminated544
OCRs investigation found evidence of a potential failure to terminate the former employees access to PHI which enabled the former employee to download the ePHI of nearly 500 individuals including their names addresses dates of birth raceethnicity gender and sexually transmitted infection test results onto a USB drive This type of realworld experience and OCRs observations more broadly inform the changes proposed in this NPRM
pp
Moreover this proposal is consistent with guidance issued by HHS and NIST for implementing this standard and associated implementation specifications For example in guidance issued in 2005 we explained that regulated entities must identify workforce members who need access to ePHI to carry out their duties545
For each workforce member or job function the regulated entity must identify the ePHI that is needed when it is needed and make reasonable efforts to control access to the ePHI a concept generally referred to as rolebased access
ie
authorizing access to ePHI only when such access is appropriate based on the workforce members role546
This also includes identification of the computer systems and applications that provide access to the ePHI A regulated entity must provide only the minimum necessary access to ePHI that is required for a workforce member to do their job547
As described in HHS guidance access authorization is the process of determining whether a particular user or a computer system has the right consistent with their function to carry out a certain activity such as reading a file or running a program548
Implementation may vary among regulated entities depending on the size and complexity of their workforce and their electronic information systems that contain ePHI For example in a small medical practice all staff members may need to access all ePHI in their information systems because each staff member may perform multiple functions In this case the regulated entity would document the reasons for implementing policies and procedures that permit this type of global access If the documented rationale is reasonable and appropriate this may be an acceptable approach The implementation specification provision for authorization andor supervision provides the necessary checks and balances to ensure that all members of the workforce have appropriate access or in some cases no access to ePHI
pp
NIST guidance provides descriptions of key activities and sample questions for regulated entities implementing this implementation specification549
To implement procedures for the authorization andor supervision of workforce members who work with ePHI or in locations where it might be accessed the guidance advises regulated entities to consider whether chains of command and lines of authority have been established as well as the identity and roles of supervisors A regulated entity also should establish clear job descriptions and responsibilities which includes defining roles and responsibilities for all job functions assigning appropriate levels of security oversight training and access and identifying in writing who has the business need and who has been granted permission to view alter retrieve and store ePHI and at what times under what circumstances and for what purposes550
To determine the most reasonable and appropriate authorization andor supervision procedures a regulated entity must be able to answer some basic questions about existing policies and procedures For example are detailed job descriptions used to determine what level of access the person holding the position should have to ePHI Who has or should have the authority to determine who can access ePHI
eg
supervisors or managers Are there written job descriptions that are correlated with appropriate levels of access to ePHI Are these job descriptions reviewed and updated on a regular basis Have workforce members been provided copies of their job descriptions and informed of the access granted to them as well as the conditions by which this access can be used As noted above a smaller regulated entity may address compliance by implementing a simpler approach but it is still liable for ensuring that workforce members only have access to ePHI that they need to perform their assigned functions551
pp
NIST also recommends establishing criteria and procedures for hiring and assigning tasks and ensuring that these requirements are included as part of the personnel hiring process552
In its guidance NIST provides questions and suggestions for regulated entities to consider with respect to these criteria procedures and requirements NIST guidance also describes this implementation specification as calling for regulated entities to implement appropriate screening of persons who would have access to ePHI and a procedure for obtaining clearance from appropriate offices or workforce members where access is provided or terminated553
Similarly the Departments guidance on workforce clearance procedures states that the clearance process must establish the procedures to verify that a workforce member would in fact have the appropriate access for their job function554
A regulated entity may choose to perform this type of screening procedure separate from or as a part of the authorization andor supervision procedure Sample questions for
print page 949
regulated entities to consider include the following Are there existing procedures for determining that the appropriate workforce members have access to the necessary information Are the procedures used consistently within the organization when determining access of related workforce job functions NIST guidance describes this implementation specification as calling for regulated entities to implement appropriate screening of persons who would have access to ePHI and a procedure for obtaining clearance from appropriate offices or workforce members where access is provided or terminated555
pp
We issued guidance in 2017 addressing termination procedures556
Data breaches caused by current and former workforce members are a recurring issue across many industries including the health care industry Effective identity and access management policies and controls are essential to reduce the risks posed by these types of insider threats Identity and access management can include many processes but most commonly it would include the processes by which appropriate access to data is granted and terminated by creating and managing user accounts Ensuring that user accounts are terminatedand in a timely mannerso that former workforce members do not have access to data is one important way identity and access management can help reduce risks posed by insider threats Additionally effective termination procedures also reduce the risk that inactive user accounts
eg
user accounts that are not being used or are inactive but are not fully terminated or disabled could be used by a current or former workforce member with malicious motives to get access to ePHI The Departments guidance also offers tips to prevent unauthorized access to PHI by former workforce members such as having standard procedures of all action items to be completed when an individual leaves557
pp
Guidance that we issued in 2019 further explains that security is a dynamic process 558
Good security practices entail continuous awareness assessment and action in the face of changing circumstances The information users can and should be allowed to access may change over time organizations should recognize this in their policies and procedures and in their implementation of those policies and procedures For example if a user is promoted demoted or transfers to a different department a users need to access data may change In such situations the users data access privileges should be reevaluated and as needed modified to match the new role if needed559
As described in other HHS guidance these procedures should also address the complexity of the organization and the sophistication of its relevant electronic information systems560
pp
NIST guidance provides additional descriptions of key activities and sample questions for regulated entities to consider when implementing this standard and associated implementation specifications561
Regulated entities should establish a standard set of procedures that should be followed to recover access control devices
eg
identification badges keys access cards when employment ends and likewise they should timely deactivate computer access
eg
disable user IDs and passwords and facility access
eg
change facility security codesPINs Sample questions for implementation include the following Are there separate procedures for voluntary termination
eg
retirement promotion transfer change of employment versus involuntary termination
eg
termination for cause reduction in force involuntary transfer criminal or disciplinary actions Is there a standard checklist for all action items that should be completed when a workforce member leaves
eg
return of all access devices deactivation of accounts and delivery of any needed data solely under the workforce members control Do other organizations need to be notified to deactivate accounts to which that the workforce member had access in the performance of their employment duties
ppHowever regulated entities often do not establish or implement written procedures nor even in instances where they have established or implemented them have they done so in an appropriate fashion to protect ePHI from improper access by current or former workforce memberspp
Consistent with the guidance described above and other proposals in this NPRM the Department proposes to redesignate the workforce security standard at 45 CFR 164308a3i as proposed 45 CFR 164308a9i to add a paragraph heading to clarify the organization of the regulatory text and to modify the regulatory text clarify that a regulated entity must implement written policies and procedures ensuring that workforce members have appropriate access to ePHI and to relevant electronic information systems The regulated entity must also implement written policies and procedures preventing workforce members from accessing ePHI and relevant electronic information systems if they are not authorized to do so The modifications we propose to the implementation specification for authorization andor supervision would clarify that a regulated entity is required to establish and implement written procedures for the authorization andor supervision of workforce members who access ePHI or relevant electronic information systems or who work in facilities where ePHI or relevant electronic information systems might be accessed562
We propose similar modifications to the implementation specification for workforce clearance procedure which would require a regulated entity to establish and implement written procedures to determine that the access of a workforce member to ePHI or relevant electronic information systems is appropriate in accordance with written policies and procedures for granting and revising access to ePHI and relevant electronic information systems as required by proposed 45 CFR 164308a10iiB563
Additionally we propose several clarifications to the implementation specification for termination procedures Specifically the proposed implementation specification for modification and termination procedures at proposed 45 CFR 164308a9iiC would require procedures for terminating a workforce members access to ePHI and relevant electronic information systems and to facilities where ePHI or relevant electronic information systems might be accessed Proposed paragraph a9iiC
1 would require a regulated entity to establish and implement written procedures for terminating a workforce members access to ePHI and relevant electronic information systems
print page 950
and to locations where ePHI or relevant electronic information systems might be accessed Proposed paragraph a9iiC
2 would require that the workforce members access be terminated as soon as possible but no later than one hour after the workforce members employment or other arrangement ends A proposed implementation specification for notification at proposed 45 CFR 164308a9iiD would require a regulated entity to establish and implement written procedures for notifying another regulated entity of a change in or termination of a workforce members authorization to access ePHI or relevant electronic information systems Proposed paragraph a9iiD
1 would require the regulated entity to establish and implement written procedures for notifying another regulated entity after a change in or termination of a workforce members authorization to access ePHI or relevant electronic information systems that are maintained by such other regulated entity where the workforce member is or was authorized to access such ePHI or relevant electronic information systems by the regulated entity making the notification Proposed paragraph a9iiD
2 would require the notice to be provided as soon as possible but no later than 24 hours after the workforce members authorization to access ePHI or relevant electronic information systems is changed or terminated Finally a proposed new implementation specification for maintenance at proposed 45 CFR 164308a9iiE would require a regulated entity to review and test its written workforce security policies and procedures at least once every 12 months and to modify them as reasonable and appropriate564
The proposed implementation specifications for termination procedures and notification implementation align with the Departments essential CPG for Revoke Credentials for Departing Workforce Members Including Employees Contractors Affiliates and Volunteers by requiring a regulated entity to promptly remove access following a change in or termination of a users authorization to access ePHI565
pp
The purpose of the standard for information access management is to protect ePHI by reducing the risk that other persons or technology assets may access the information for their own reasons Existing HHS guidance explains that restricting access to only those persons and entities with a need for access is a basic tenet of security566
By implementing this standard the risk of inappropriate disclosure alteration or destruction of ePHI is minimized A regulated entity must determine those persons and technology assets that need access to ePHI within its environment The implementation specifications associated with the standard on information access management are closely related to those associated with the standard for workforce security567
Compliance with the proposed and existing standards for information access management should support a regulated entitys compliance with the Privacy Rules minimum necessary requirements which requires a regulated entity to evaluate its practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI568
pp
OCRs enforcement experience demonstrates that many regulated entities have not adequately implemented this standard Thus we believe it is necessary to consider strengthening the requirement For example on one occasion a large covered entitys failure to implement its written policies and procedures to ensure that employees only had access to ePHI that they had proper authorization or authority to access enabled an employee to access the ePHI of more than 24000 individuals569
This failure also enabled other employees to inappropriately access the ePHI of a celebrity570
ppTo ensure that regulated entities implement recommendations and best practices for securing ePHI we propose to require in the standard for information access management and associated implementation specifications that a regulated entity must establish and implement written policies and procedures for authorizing access to ePHI and relevant electronic information systems that are consistent with the Privacy Rule The Department also proposes to redesignate the standard at 45 CFR 164308a4i as proposed 45 CFR 164308a10i and to add a paragraph heading to clarify the organization of the regulatory text Additionally the Department proposes to modify three of the associated existing implementation specifications and to add three new implementation specifications as followsppSpecifically the Department proposes to redesignate the implementation specification for isolating health care clearinghouse functions as proposed 45 CFR 164308a10iiA and to modify it to require a health care clearinghouse that is part of a larger organization to establish and implement written policies and procedures that protect the ePHI and relevant electronic information systems of the clearinghouse from unauthorized access by the larger organizationpp
The existing implementation specification for isolating health care clearinghouse functions only applies in the situation where a health care clearinghouse is part of a larger organization This would remain true under the proposal to revise this implementation specification if adopted In these situations the health care clearinghouse is responsible for protecting the ePHI that it is creating receiving maintaining and transmitting As discussed in NIST guidance if a health care clearinghouse is part of a larger organization the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization571
This necessarily includes its relevant electronic information systems First the regulated entity must determine
print page 951
whether any of its components constitute a health care clearinghouse under the Security Rule572
If no health care clearinghouse functions exist within the organization the regulated entity should document this finding If a health care clearinghouse does exist within the organization the regulated entity must implement procedures that are consistent with the Privacy Rule573
Questions for regulated entities to consider include If health care clearinghouse functions are performed are policies and procedures implemented to protect ePHI from the other functions of the larger organization Does the health care clearinghouse share hardware or software with a larger organization of which it is a part Does the health care clearinghouse share staff or physical space with staff from a larger organization Has a separate network or subsystem been established for the health care clearinghouse if reasonable and appropriate Has staff of the health care clearinghouse been trained to safeguard ePHI from disclosure to the larger organization if required for compliance with the Privacy Rule 574
Regulated entities should also consider whether additional technical safeguards are needed to separate ePHI in electronic information systems used by the health care clearinghouse to protect against unauthorized access by the larger organization
pp
We also propose to redesignate the implementation specification for access authorization as proposed 45 CFR 164308a10iiB and to modify it to emphasize that a regulated entity must establish and implement written policies and procedures for granting and revising access to ePHI and the regulated entitys relevant electronic information systems as necessary and appropriate for each prospective user and technology asset to carry out their assigned functions
ie
rolebased access policies Additionally we propose to redesignate the implementation specification for access establishment and modification as 45 CFR 164308a10iiD and to modify the heading to Access determination and modification We also propose to modify this implementation specification to require a regulated entity to establish and implement written policies and procedures that based on its access authorization policies establish document review and modify the access of each user and technology asset to specific components of the regulated entitys relevant electronic information systems Such written policies and procedures would be required to be based upon the regulated entitys policies for authorizing access Under this proposal and consistent with the existing implementation specification575
the regulated entity would be required to establish standards for granting access to ePHI and relevant electronic information systems and provide formal authorization from the appropriate authority before granting access to ePHI or relevant electronic information systems Regulated entities should regularly review personnel access to ePHI and relevant electronic information systems to ensure that access is still authorized and needed and modify personnel access to ePHI and electronic information systems as needed based on review activities
pp
The existing implementation specification for access authorization calls for the regulated entity to implement policies and procedures for granting access to ePHI for example through components of its information system576
The Departments proposal to revise this implementation specification would provide greater specificity than our existing requirements and echo NIST guidance on this topic Specifically NIST guidance 577
describes the key steps for developing policies and procedures for granting access to ePHI as follows
pp
Other questions that a regulated entity should consider when establishing such policies and procedures include Have appropriate authorization and clearance procedures as specified in the standard for workforce security578
been performed prior to granting access Do the organizations systems have the capacity to set access controls Are there additional access control requirements for users who would be accessing privileged functions Have organizational personnel been explicitly authorized to approve user requests to access ePHI andor systems with ePHI
pp
The Department proposes three additional implementation specifications for authentication management maintenance and network segmentation These specifications clarify the Departments expectations for compliance and are consistent with NIST guidance We believe that the proposed additions would assist regulated entities in their efforts to prevent or mitigate attacks by malicious internal and external actors For the implementation specification on authentication management at proposed 45 CFR 164308a10iiC we propose to require a regulated entity to establish and implement written policies and procedures for verifying the identities of users and technology assets before accessing the regulated entitys relevant electronic information systems including written policies and procedures for implementing MFA technical controls579
The proposed implementation specification for network segmentation at proposed 45 CFR 164308a10iiE would require a regulated entity to establish and implement written policies and procedures that ensure that its relevant electronic information systems are segmented to limit access to ePHI to authorized workstations
pp
Finally to address the Departments general concerns regarding the ongoing failure of many regulated entities to regularly review and revise their policies and procedures the proposed implementation specification for maintenance at proposed 45 CFR
print page 952
164308a10iiF would require a regulated entity to review the written policies and procedures required by this standard at least once every 12 months and to modify them as reasonable and appropriate
pp
A covered entitys workforce is its frontline not only in patient care and patient service but also in safeguarding the privacy and security of PHI580
The health care sectors risk landscape continues to grow with the increasing number of interconnected smart devices of all types the increased use of interconnected medical record and billing systems and the increased use of applications and cloud computing This standard reflects the fact that training on data security for workforce members is essential for protecting an organization against cyberattacks
ppAn organizations training program should be an ongoing evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them As such regulated entities should consider how often to train workforce members on security issues given the risks and threats to their enterprises and how often to send security updates to their workforce members Many regulated entities have determined that twiceannual training and monthly security updates are necessary given their risks analysespp
Regulated entities should apply security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys
eg
fake tech support requests and new phishing scams and malicious software attacks including new ransomware variants Entities need to address what type of training to provide to workforce members on security issues given the risks and threats to their enterprises Computerbased training classroom training monthly newsletters posters email alerts and team discussions are all tools that different organizations use to fulfill their training requirements Entities must also address how to document that training to workforce members was provided including dates and types of training training materials and evidence of workforce participation
pp
HHS has issued many types of training materials on securing PHI581
NIST has also provided detailed guidance for developing and implementing workforce training programs582
Despite this existing guidance regulated entities often fail to provide appropriate training to adequately safeguard ePHI For example in one investigation OCR investigators found evidence that not only had an ambulance company potentially failed to conduct a risk analysis it also potentially failed to implement a security training program or to train any of its employees583
Such failures can contribute to breaches of individuals unsecured ePHI
ppTo ensure security awareness training compliance a regulated entity needs to regularly educate its workforce members on the evolving technological threats to ePHI how to use the technology that the regulated entity has adopted and implemented and the specific procedures workforce members must follow to ensure that the ePHI remains protected Additionally while many educational programs for clinicians provide general training on the HIPAA Rules the curriculums vary widely Without providing its own training on the Security Rule a regulated entity cannot ensure that the training its workforce received elsewhere meets the required standardspp
Given the failure of regulated entities to implement the security awareness and training standard and consistent with existing guidance the Department proposes to provide more detailed requirements for security awareness training Specifically the Department proposes to rename and redesignate the standard for security awareness and training at 45 CFR 164308a5i as the standard for security awareness training at proposed 45 CFR 164308a11i and to add a paragraph heading to clarify the organization of the regulatory text The proposed standard would require a regulated entity to implement security awareness training for all workforce members on protection of ePHI and information systems as necessary and appropriate for the members of the workforce to carry out their assigned functions
ie
rolebased training The proposals to revise this standard would also align with the Departments essential CPG for Basic Cybersecurity Training because they would require a regulated entity to educate users on how to access ePHI and electronic information systems in a manner that protects the confidentiality integrity and availability of ePHI584
Additionally the proposals would align with the essential CPG for Email Security by requiring a regulated entity to train workforce members to guard against detect and report suspected or known security incidents including but not limited to malicious software and social engineering585
ppWe propose four implementation specifications for the proposed security awareness training standard The proposed implementation specification for training at 45 CFR 164308a11iiA would require a regulated entity to establish and implement security awareness training for all workforce members that addresses the followingpp
The Department proposes to replace the implementation specification for periodic security updates 589
with one addressing the timing and frequency of security awareness training at proposed 45 CFR 164308a11iiB Specifically we propose to require a regulated entity to provide such training to each member of the regulated entitys workforce by the compliance date for this rulemaking if finalized and at least once every 12 months thereafter590
For example under this proposal workforce members would receive security awareness training on the protection of ePHI and on the regulated entitys Security Rule policies and procedures that is based on their specific role at least once a year A regulated entity would be required to provide rolebased security awareness training to a new workforce member within a reasonable period of time but no later than 30 days after the workforce member first has access to the regulated entitys relevant electronic information systems591
We also propose to require that the regulated entity provide such training592
For example if the entity implements a new EHR system it would be required to also train its workforce as appropriate on measures to guard against security incidents related to the installation maintenance andor use of the system
ppAdditionally the Department proposes at proposed 45 CFR 164308a11iiC an implementation specification for ongoing education This would require a regulated entity to provide its workforce members with ongoing reminders of their security responsibilities and notice of relevant threats including but not limited to new and emerging malicious software and social engineering Lastly we propose a new implementation specification for documentation at proposed 45 CFR 164308a11iiD that would require a regulated entity to document that it has provided training and ongoing reminders to its workforce membersppAddressing security incidents is an integral part of an overall security program While a regulated entity will never be able to prevent all security incidents implementing the Security Rule standards would reduce the amount and negative consequences of security incidents it encounters Even regulated entities with detailed security policies and procedures and advanced technology may experience security incidents but through sufficient planning and continued monitoring generally can mitigate the negative effects of such incidents on regulated entities and ultimately individuals The security incident procedures standard is intended to help ensure that a regulated entity conducts such planning and monitoring to allow it to mitigate such negative effectspp
The Department has also provided guidance that a regulated entity can use to devise its security incident plans The policies and procedures a regulated entity establishes to prepare for and respond to security incidents can pay dividends with faster recovery times and reduced compromises of ePHI593
A well thoughtout welltested security incident response plan is integral to ensuring the confidentiality integrity and availability of a regulated entitys ePHI A timely response to a security incident can be one of the best ways to prevent mitigate and recover from future cyberattacks For example responding to a single intrusion or inappropriate access can prevent a pattern of repeated malicious actions It is extremely important that a regulated entity analyzes an incident to establish what has occurred and its root cause Doing so will enable the regulated entity to use that information to update its security incident response plans The Department has previously issued guidance addressing such activities as forming a security incident response team identifying and responding to security incidents mitigating harmful effects of and documenting a security incident and breach reporting594
pp
NIST also offers guidance for addressing security incidents595
It describes four key activities with detailed descriptions and sample questions
pp
NIST has also issued comprehensive guidelines for incident handling particularly for analyzing incident related data and determining the appropriate response to each incident596
For example the NIST Cybersecurity Framework addresses these activities as part of the core function of respondactions regarding a detected cybersecurity incident are taken 597
Respond supports the ability of the regulated entity to contain the effects of cybersecurity incidents Outcomes within this Function include incident management analysis mitigation reporting and communication 598
pp
Despite this existing guidance OCRs enforcement experience indicates that many regulated entities have not met the existing standard so we believe that additional specificity regarding their obligations and liability for incident response is warranted Accordingly the Department proposes to redesignate the standard for security incident procedures as 45 CFR 164308a12i to add a paragraph heading to clarify the organization of the regulatory text and to modify the regulatory text to clarify that a regulated entity would be required to implement written policies and procedures to respond to rather than address security incidents Additionally we propose to clarify expectations by adding an implementation specification for planning and testing at proposed 45 CFR 164308a12iiA
1
that would require a regulated entity to establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents599
pp
Internal reporting is an essential component of security incident procedures600
Plans and procedures for
print page 954
reporting of suspected or known security incidents may address to whom when and how such incidents are to be reported The recipients and the content of such reports according to such plans and procedures may vary based on the type of incident and the role of the workforce member making the report We do not propose to dictate the form format or content of such report Rather we believe that regulated entities would be best situated to identify the points of contact for their organization
eg
Chief Information Security Officer IT security team business associate engaged to support incident response activities for the regulated entity for such reports and the type of information they need to determine how to respond to the suspected or known security incident
pp
The proposal to require a regulated entity to establish written security incident response plans and procedures for how it will respond to suspected or known security incidents would align with the enhanced CPG for Third Party Incident Reporting because it would address the procedures for how and when a business associate would report to a covered entity or another business associate known or suspected security incidents as required by proposed 45 CFR 164314a2iC601
pp
Under proposed 45 CFR 164308a12iiA
2 and
3 the regulated entity would be required to implement written procedures for testing and revising the security incident response plans and then using those written procedures review and test its security incident response plans at least once every 12 months and document the results of such tests The regulated entity would also be required to modify the plans and procedures as reasonable and appropriate based on the results of such tests and the regulated entitys circumstances
pp
This proposal if finalized would include requirements that align with the Departments essential CPG for Basic Incident Planning and Preparedness to have effective responses to and recovery from security incidents602
It also aligns with the Departments enhanced CPG for Centralized Incident Planning and Preparedness by requiring a regulated entity to maintain revise and test security incident response plans603
pp
Additionally the Department proposes to redesignate the implementation specification for response and reporting at 45 CFR 164308a6ii as 45 CFR 164308a12iiB and to rename it Response We also propose to modify the existing implementation specification by separating it into two paragraphs one at paragraph a12iiB
1 for identifying and responding to suspected or known security incidents and the other at paragraph a12iiB
2 for mitigating to the extent practicable the harmful effects of suspected or known security incidents The Department also proposes to add three additional paragraphs to this implementation specification Proposed 45 CFR 164308a12iiB
3 would require a regulated entity to identify and remediate to the extent practicable the root causes of suspected or known security incidents while proposed 45 CFR 164308a12iiB
4
would require the regulated entity to eradicate the security incidents that are suspected or known to the regulated entity We would expect eradication to include the removal of malicious software inappropriate materials and any other components of the incident from the regulated entitys relevant electronic information systems604
Finally proposed 45 CFR 164308a12iiB
5 would require a regulated entity to develop and maintain documentation of investigations analyses mitigation and remediation for security incidents that are suspected or known For example verbal reports of a suspected or known security incident would be required to be documented in writing Under proposed 45 CFR 164316b1 if finalized a regulated entity would be required to maintain such documentation for six years from the date of its creation or the date when it last was in effect whichever is later These proposals are consistent with existing guidance described above and with other proposals or existing regulatory standards to secure health information605
pp
The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event606
The contingency plan protects resources minimizes customer inconvenience and identifies key staff assigning specific responsibilities in the context of the recovery Contingency plans are critical to protecting the availability integrity and security of data during unexpected adverse events Contingency plans should consider not only how to respond to disasters such as fires and floods but also how to respond to cyberattacks Cyberattacks using malicious software such as ransomware may render an organizations data unreadable or unusable In the event data is compromised by a cyberattack restoring the data from backups may be the only option for recovering the data and restoring normal business operations For example the faulty software update by CrowdStrike made it impossible for health care systems worldwide to use their Windowsbased systems607
There were many instances where surgical procedures and health care appointments were cancelled schedules upended and pharmacies were unable to fill prescriptions Regulated entities need to make and implement contingency plans they would use when such events occur to enable themselves to get back to their core functions of providing or paying for health care
pp
The Department and NIST have issued extensive guidance on contingency planning including detailed descriptions of key activities sample questions for regulated entities to consider when standing up a contingency plan and information on how the results of the risk analysis feed into contingency plans608
Unfortunately many regulated entities have not implemented the required
print page 955
planning and then have been unable to fully recover from ransomware attacks that bring down electronic systems that create receive maintain or transmit ePHI For example a large health system that experienced a ransomware attack had to shut down services at multiple locations and encountered difficulties restoring those services OCRs investigation indicated a potential failure to among other things implement contingency plans609
Such planning is crucial for maintaining the resilience of a regulated entitys health IT
ppTo address these inadequacies in compliance and to protect the confidentiality integrity and availability of ePHI the Department proposes to redesignate the standard for a contingency plan at 45 CFR 164308a7i as proposed 45 CFR 164308a13i to add a paragraph heading to clarify the organization of the regulatory text and to modify the regulatory text to clarify it The modified standard as proposed would require a regulated entity to establish and implement as needed a written contingency plan consisting of written policies and procedures for responding to an emergency or other occurrence including but not limited to fire vandalism system failure natural disaster or security incident that adversely affects relevant electronic information systemspp
The Department proposes a new implementation specification for criticality analysis at proposed 45 CFR 164308a13iiA This would require a regulated entity to perform and document an assessment of the relative criticality of its relevant electronic information systems and technology assets in its relevant electronic information systems The proposal would not limit this analysis to electronic information systems that create receive maintain or transmit ePHI because other electronic information systems andor technology assets may be crucial to ensuring the confidentiality integrity or availability of ePHI providing patient care and supporting other business needs A prioritized list of specific relevant electronic information systems and technology assets in those electronic information systems would help a regulated entity to determine their criticality and the order of restoration610
ppUnder this proposal the implementation specification for establishing and implementing a data backup plan would be redesignated as proposed 45 CFR 164308a13iiB and renamed Data backups It would also be modified to clarify that the procedures to create and maintain exact retrievable copies of ePHI must be in writing and to also require such procedures to include verifying that the ePHI has been copied accurately For example the ability to access ePHI from a remote location in the event of a total failure should be reflected in the procedures specified for data backupsppThe proposed implementation specification for backing up information systems at proposed paragraph a13iiC would require a regulated entity to establish and implement written procedures to create and maintain backups of its relevant electronic information systems including verifying the success of such backups Establishing such procedures would ensure that the ePHI in relevant electronic information systems is both protected and availablepp
Additionally the Department proposes to redesignate the implementation specification for disaster recovering planning as paragraph a13iiD We propose to clarify that a regulated entity would be required to establish and implement as needed written procedures to restore both its critical relevant electronic information systems and data within 72 hours of the loss and to restore the loss of other relevant electronic information systems and data in accordance with its criticality analysis611
ppThe Department proposes to clarify the implementation specification for emergency mode operation planning redesignated as proposed 45 CFR 164308a13iiE by clarifying that procedures must be written We also propose to redesignate the implementation specification for testing and revision procedures as paragraph a13iiF and to clarify that procedures for testing and revising of the required contingency plans must be established in writing We propose to require a regulated entity to review and implement its procedures for testing contingency plans at least once every 12 months to document the results of such tests and to modify those plans as reasonable and appropriate based on the results of those testsppThe final standard we propose under 45 CFR 164308a is a new standard for compliance audits at proposed 45 CFR 164308a14 For this proposed standard the Department proposes to require regulated entities to perform and document an audit of their compliance with each standard and implementation specification of the Security Rule at least once every 12 monthspp
While the Security Rule does not currently require regulated entities to conduct internal or thirdparty compliance audits such activities are important components of a robust cybersecurity program The Government Accountability Office has published guidance on conducting cybersecurity performance audits for Federal agencies612
Audits are typically conducted independently from information security management and the function generally reports to the governing body of the regulated entity This independence can provide an objective view of the regulated entitys policies and practices According to the Institute of Internal Auditors an internal audit provides independent and objective assurance and advice on all matters related to the achievement of objectives 613
An internal audit may be conducted by a business associate of a covered entity or a subcontractor of a business associate These activities provide regulated entities with confidence in the effectiveness of their risk management plan Thus we believe that this proposal would aid a regulated entity in ensuring compliance with the Security Rule and ultimately protecting ePHI We do not propose to specify whether the compliance audit should be performed by the regulated entity or an external party614
pp
Vendor management and identification of risks in a supply chain are essential to controlling the introduction of new threats and risks to a regulated entity615
NIST guidance explains that regulated entities are permitted to include more stringent cybersecurity measures in business associate agreements than those required by the Security Rule616
Such requirements would need to be agreed upon by both parties to the business associate agreement617
The guidance also recommends establishing a process for measuring contract performance and terminating the contract if security requirements are not being met Important considerations include Is there a process for reporting security incidents related to the agreement Are additional assurances of protections for ePHI from the business associate necessary If so where would such additional assurances be documented
eg
in the business associate agreement servicelevel agreement or other documentation and how would they be met
eg
providing documentation of implemented safeguards audits certifications
pp
The Security Rule requires a regulated entity to protect the confidentiality integrity and availability of all ePHI that it creates receives maintains or transmits618
It also requires a regulated entity to obtain written satisfactory assurances that its business associate will appropriately safeguard ePHI before allowing the business associate to create receive maintain or transmit ePHI on its behalf619
However the Security Rule does not require a regulated entity to verify that entities that create receive maintain or transmit ePHI on its behalf are in fact taking the necessary steps to protect such ePHI The lack of such a requirement may leave a gap in protections from risks to ePHI related to regulated entities vendors and supply chains Accordingly the Department proposes several modifications to the Security Rule to provide greater assurance that business associates and their subcontractors are protecting ePHI because a subcontractor to a business associate is also a business associate The Department proposes to redesignate 45 CFR 164308b1 and 2 as proposed 45 CFR 164308b1i and ii respectively Additionally we propose to make a technical correction to the standard for business associate contracts and other arrangements for organizational clarity separating proposed paragraph b1i into paragraphs b1iA and B We believe this is a nonsubstantive change that would have no effects on any regulatory recordkeeping or reporting requirement nor would it change the Departments interpretation of any regulation We also propose to modify both to require a regulated entity to verify that the business associate has deployed the technical safeguards required by 45 CFR 164312 620
in addition to obtaining satisfactory assurances that its business associate would comply with the Security Rule621
To assist regulated entities in complying with the new standard we propose to redesignate the implementation specifications at 45 CFR 164308b3 as 45 CFR 164308b2 and propose to add an implementation specification for written verification at proposed 45 CFR 164308b2ii that would require the regulated entity to obtain written verification from the business associate that the business associate has deployed the required technical safeguards622
The Department proposes to require that the regulated entity obtain this written verification documenting the business associates deployment of the required technical safeguards at least once every 12 months623
Additionally we propose that the verification include a written analysis of the business associates relevant electronic information systems624
The written analysis would be required to be performed by a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI to verify the business associates compliance with each standard and implementation specification in 45 CFR 164312625
We also propose to require that the written verification be accompanied by a written certification by a person who has the authority to act on behalf of the business associate that the analysis has been performed and is accurate626
The proposal would permit the parties to determine the appropriate person to perform the analysis and how that person is engaged or compensated This person may be a member of the covered entitys or business associates workforce or an external party
pp
This proposed new requirement that a regulated entity obtain written verification from its business associates that they have deployed technical safeguards combined with the existing requirement to obtain written satisfactory assurances that they safeguard ePHI aligns with the Departments essential CPG for VendorSupplier Cybersecurity Requirements627
This CPG calls for regulated entities to identify assess and mitigate risks to ePHI used by or disclosed to business associates628
pp
Based on the OCRs investigations and enforcement experience we believe that some regulated entities are not aware that they retain compliance responsibility for implementing requirements of the Security Rule even when they have delegated the functions of designated security official to a business associate Therefore the Department proposes a new standard for delegation to a business associate at proposed 45 CFR 164308b3 The proposed standard would clarify that a regulated entity may permit a business associate to serve as its designated security official629
However a regulated entity that delegates actions activities or assessments required by the Security Rule to a business associate remains liable for compliance with all the applicable provisions of the Security Rule630
pp
The Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particular For any proposed timeframe that a commenter believes is not appropriate we request comment and explanation on a more appropriate timeframe
print page 957
ppa Whether the Department should require a regulated entity to implement any additional administrative safeguards If so please explainppb Whether the Department should not require a regulated entity to implement any of the existing or proposed standards for implementation specifications If so please explainppc Whether there are additional implementation specifications that should be adopted for any of the standards for administrative safeguardsppd Whether the Department should provide any exceptions to the administrative safeguards or related implementation specifications If so please explain when and why any exceptions should applyppe Whether once every 12 months is the appropriate frequency between reviews of policies procedures and other activities required by the other standards for administrative safeguardsppf Whether there are any special considerations for business associates and business associate agreements that the Department should be aware of with respect to administrative safeguardsppg Whether there are any requirements for business associates and business associate agreements that the Department should include in administrative safeguards that it did not proposepph Whether the Department should require covered entities to report to their business associates or business associates to their subcontractors the activation of the covered entities or business associates contingency plans If so please explain the appropriate circumstances of and the appropriate amount of time for such notificationppi Whether once every 12 months is an appropriate length of time in which a covered entity must verify and document that a business associate has deployed technical safeguards pursuant to the requirementsppj Whether the Department should require covered entities to obtain satisfactory assurances and verify that a business associate has implemented physical or other safeguards in addition to deploying technical safeguards before permitting it to create receive maintain or transmit ePHI on its behalfppk Whether on an ongoing basis but at least once every 12 months and when there is a change to a regulated entitys environment or operations that affects ePHI is the appropriate frequency for updating the technology asset inventory and network mapppl Whether on an ongoing basis but at least once every 12 months and when there is a change to the regulated entitys environment or operations that affects ePHI is the appropriate frequency for performing a risk analysisppm Whether there are additional events for which the Department should require a regulated entity to update its risk analysis If so please explainppn Whether the Department should include or exclude any specific circumstances from its explanation of environmental or operational changes when determining whether review or update of the written inventory of technology assets and network map or review of the risk analysis written assessment is warrantedppo Whether the proposed requirement in the standard for evaluation to perform a written technical and nontechnical evaluation within a reasonable period of time before making a change in the regulated entitys environment or operations pursuant to the requirements is sufficiently clear If not how should the Department clarify it For example should the Department require a specific amount of time and if so what length of timeppp Whether at least once every 12 months is the appropriate frequency for reviewing and updating written policies and procedures for patch management sanctions policies and procedures information system activity review workforce security and information access managementppq Whether as reasonable and appropriate in response to changes in the risk analysis but at least once every 12 months is the appropriate frequency for reviews of a regulated entitys written risk management planppr Whether the proposed frequency for security awareness training is appropriatepps Whether the proposed substance of the security awareness training is appropriate and any recommendations for additional required contentppt Whether the proposed timelines for applying patches updates and upgrades are appropriateppu Whether the Department should set a time limit for applying patches updates and upgrades to configurations of relevant electronic information systems to address moderate and low risks If so please explain and provide a recommendationppv Whether the amount of time regulated entities currently retain records of information system activity varies by the type of record and for how long such records are retainedppw Whether the Department should specify the length of time for which records of information system activity should be retained If so please explainpp
x Whether the Department should require that a regulated entity notify other regulated entities of the termination of a workforce members access to ePHI in less than 24 hours after the workforce members termination If so please explain what would be an appropriate period of time
eg
three business hours 12 hours
ppy Whether at least once every 12 months is the appropriate frequency for testing security incident response plans documenting the results and revising such plansppz Whether it is reasonable and appropriate to require that regulated entities restore loss of critical relevant electronic information systems and data in 72 hours or lessppaa Whether the Department should require a regulated entity to restore all of its relevant electronic information systems and data within 72 hoursppbb Whether the Department should require some regulated entities to restore their relevant electronic information systems and data in less than 72 hours If so please explainppcc Whether at least once every 12 months is the appropriate frequency for the testing of contingency plansppdd Whether annual auditing of a regulated entitys compliance with the Security Rule is appropriateppee Whether the Department should specify the level of detail or standard required for the annual compliance audit If so please explainppff Whether the Department should require a regulated entity to obtain written verification of their business associates implementation of the administrative and physical safeguards that are required by the Security Rule in addition to the proposed requirement to obtain verification of implementation of the technical safeguards If so please explainppgg Whether there are other requirements for which the Department should require that the person performing them have a specific level or type of expertise If so please explainpp
A person with physical access to electronic media or a regulated entitys electronic information systems that create receive maintain or transmit or that otherwise affect the confidentiality integrity and availability of ePHI might have the opportunity to change the configurations of its relevant electronic information systems install malicious software or otherwise adversely affect technology assets in its relevant
print page 958
electronic information systems change information or access ePHI or other sensitive information631
Any of these actions has the potential to adversely affect the confidentiality integrity or availability of ePHI which means that physical safeguards for electronic media and a regulated entitys relevant electronic information systems are critical to protecting the security of ePHI Thus the physical safeguards standards address the essential requirements for regulated entities to apply to limit physical access to their relevant electronic information systems to only authorized workforce members As discussed above ePHI is increasingly transmitted using interconnected systems that rely on cloud computing The shift to a cloudbased infrastructure may increase regulated entities reliance on business associates to maintain and access ePHI stored in the cloud632
Additionally the shift to cloud computing enables regulated entities workforce members to access ePHI and relevant electronic information systems from a greater number of locations Accordingly regulated entities must appropriately expand andor ensure that applied physical safeguards take into account these new arrangements
ppSection 164310 includes the four standards with which a regulated entity must comply to physically secure relevant electronic information systems and the premises where they are located These standards require regulated entities to implement physical safeguards for facility access controls workstation use workstation security and device and media controls in a manner that conforms with 45 CFR 164306c the general compliance provision for the security standardspp
As discussed above in greater detail physical safeguards encompass the physical measures and related policies and procedures to protect relevant electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion633
The standard for facility access controls applies to protect the physical premises while the standards for workstation use workstation security and device and media controls are aimed at protecting the electronic information systems and electronic media that create receive maintain or transmit ePHI or that otherwise affect its confidentiality integrity and availability
ppThe standard for facility access controls at 45 CFR 164310a1 requires a regulated entity to implement policies and procedures that limit physical access to electronic information systems and facilities that contain those systems Section 164310a1 also requires a regulated entity to ensure its policies and procedures allow persons who are properly authorized to access its facilitiespp
Under 45 CFR 164310a2 a regulated entity must implement the standard for facility access controls in accordance with four implementation specifications The implementation specification for contingency operations addresses the establishment and implementation as needed of procedures that allow for facility access in support of the restoration of lost data under a disaster recovery plan and emergency mode operations634
Section 164310a2ii contains the specification for a facility security plan and addresses the implementation of policies and procedures to safeguard facilities and equipment in such facilities from unauthorized physical access tampering and theft The implementation of procedures for rolebased access control including for visitors and for access to software programs for testing and revision is addressed in 45 CFR 164310a2iii while 45 CFR 164310a2iv addresses the implementation of policies and procedures for the documentation of repairs and modifications to physical security components of a facility such as hardware walls doors and locks
pp
Section 164310b requires a regulated entity to implement policies and procedures specifying proper workstation functions the manner in which those functions are to be performed and the physical attributes of the environment for where specific workstations or classes of workstation used for accessing ePHI635
This standard is not accompanied by standalone implementation specifications compared to the standards for facility access controls at 45 CFR 164310a and device and media controls at 45 CFR 164310d Section 164310c the standard for workstation security also is not accompanied by standalone addressable or required implementation specifications but it does require a regulated entity to implement physical safeguards that restrict all workstations such as a laptop or desktop computer or any other device that performs similar functions that access ePHI to authorized users636
pp
Device and media controls can help regulated entities respond to and recover from security incidents and breaches637
Proper understanding of and implementation of such controls may enable regulated entities to quickly determine which devices and electronic media may be implicated in an actual or suspected security incident or breach and respond accordingly638
For example if cybercriminals gained access to an organizations network by exploiting a vulnerability present in a particular electronic device a robust and accurate inventory and tracking process could identify how many devices are affected and where they are located With this information a regulated entity should be able to make more effective use of its resources and respond more effectively to an actual or suspected security incident or breach involving such devices Thus it is important for regulated entities to implement the device and media controls required under 45 CFR 164310d Accordingly the standard for device and media controls at 45 CFR 164310d requires a regulated entity to implement policies and procedures to govern how hardware and electronic media containing ePHI are received or removed from a facility and within a facility Section 164310d2 includes two required and two addressable implementation specifications Paragraphs d2i and ii on disposal and media reuse respectively require a regulated entity to implement policies and procedures that address the final disposition of ePHI and the hardware or electronic media on which it is stored and the removal of ePHI before the electronic media is reused Section 164308d2iii addresses the
print page 959
maintenance of a record of the movement of hardware and electronic media and any person responsible for such hardware or electronic media while the provision on data backup and storage at 45 CFR 164310d2iv addresses the creation of a retrievable exact copy of ePHI before moving the equipment
pp
The Department has concerns regarding the effectiveness of the language used in the physical safeguards in 45 CFR 164310 for the same reasons discussed in the context of 45 CFR 164306 and 164316 For example while 45 CFR 164310 contemplates that a regulated entity must implement the standards and implementation specifications required under 45 CFR 164310 in accordance with the general documentation and maintenance requirements found in 45 CFR 164306 and 164316 at least one court has stated that compliance obligations are limited to the plain words of regulatory text and that a requirement to implement does not mean that a requirement must be in place throughout the regulated entitys enterprise639
Additionally the standards for facility access controls workstation use and device and media controls all require a regulated entity to implement policies and procedures while the standard for workstation security requires regulated entities to implement physical safeguards The differences in regulatory text among these provisions could be interpreted to mean that a regulated entitys obligations differ depending on whether a provision requires it to implement only policies and procedures or whether the provision requires the implementation of something more This may confuse regulated entities and lead some to believe that less comprehensive protection is needed for ePHI subject only to policies and procedures
ppThe Department believes that the current Security Rule provides a clear path for regulated entities to protect the confidentiality integrity and availability of ePHI However as discussed above we also believe recent caselaw has created confusion about the steps regulated entities must take to adequately protect the confidentiality integrity and availability of ePHI as required by the statute Further the conditions highlighted by caselaw may also cause regulated entities to misinterpret the regulatory text that connects the current maintenance requirement at 45 CFR 164306e the documentation requirement at 45 CFR 164316 and the requirement to implement physical safeguards For example regulated entities may be confused about how 45 CFR 164316 requires a regulated entity to document the policies and procedures for specific physical safeguard in 45 CFR 164310 or across any other safeguard In this case the regulated entity also might not apply the implementation specifications to retain make available and review documentation of how it has operationalized the physical safeguard Failing to connect these provisions would lead to inadequate protection of ePHI andor an inability to demonstrate compliance with the Security RuleppOur experience enforcing the Security Rule provides examples of the types of breaches that can occur because of absent or insufficient physical safeguardsppGiven the increased portability of devices media workstations and information systems such components may often be located outside of a regulated entitys physical location For example OCR has investigated several incidents involving portable electronic media and mobile workstations that were removed from the regulated entitys physical environment and subsequently lost As a result the Department believes that we should more broadly construe the physical environment where ePHI is stored and accessed because it is essential that regulated entities have policies and procedures in place to address the portability of components of their information systems as well as the ability of workforce members to access such information systems offsite using portable workstationsppAdditionally the standard for device and media controls at 45 CFR 164310d1 applies only to devices and media rather than all technology assets that may be components of a regulated entitys relevant electronic information systems The Department is concerned that a regulated entity may have other types of technology assets that may either create receive maintain or transmit ePHI or otherwise affect its confidentiality integrity or availability and that can be removed from brought to or moved within its facilities The confidentiality integrity or availability of the regulated entitys ePHI could be negatively affected in the absence of written policies and procedures governing the movement of such technology assetspp
Finally we believe that it is important to address several issues in the standards and implementation specifications for the physical safeguards that are also addressed in other proposals addressing the Departments expectations regarding implementation specifications 642
memorializing policies and procedures in writing documenting the implementation of the aforementioned policies and procedures reviewing such policies and procedures on a regular cadence modifying such policies and procedures when reasonable and appropriate 643
and clarifying the scope of the electronic information systems and their components that regulated entities are expected to consider when establishing their policies and procedures644
ppThe Department proposes to retain the four standards that comprise the Security Rules physical safeguards required by 45 CFR 164306 and codified in 45 CFR 164310 However we propose several modifications to 45 CFR 164310 to address the issues identified abovepp
The Department proposes to expand the introductory language at 45 CFR
print page 960
164310 to clarify that the Security Rule requires that physical safeguards be applied to all ePHI in the possession of the regulated entity that is throughout the regulated entitys facilities The Department also proposes to expand this section to expressly require a regulated entity to implement physical safeguards in accordance with not only 45 CFR 164306 but also 45 CFR 164316 to connect the overarching documentation requirements
pp
Consistent with the proposals to revise the general requirements in 45 CFR 164306c and d the Department proposes to remove any distinction between addressable and required implementation specifications in this section such that all specifications would be required Also consistent with changes proposed elsewhere in this NPRM the Department proposes to modify all four physical safeguard standards to require that the requisite policies and procedures be in writing 645
and implemented throughout the enterprise646
Under this proposal a regulated entity that could not produce a written policy describing how it will implement a required physical safeguard and demonstrate that the safeguard is in effect and operational throughout the enterprise would not be in compliance with the standard Consistent with our proposals to require that regulated entities maintain their administrative safeguards the Department also proposes to require a regulated entity to maintain its security measures by reviewing and testing the required security measures at least once every 12 months and by modifying the same as reasonable and appropriate Additionally we propose to modify certain standards and implementation specifications to ensure that regulated entities understand their obligations to ensure the confidentiality integrity and availability of ePHI by implementing physical safeguards to protect their relevant electronic information systems andor the technology assets in their relevant electronic information systems
ppThe Department proposes to modify the standard for facility access controls at 45 CFR 164310a1 to clarify that the policies and procedures required by this standard must be in writing and address physical access to all of a regulated entitys relevant electronic information systems and the facility or facilities in which these systems are housed and to add a paragraph to clarify the organization of the regulatory text The Department also proposes to modify the implementation specifications associated with the standard for facility access controls Specifically we propose to modify the implementation specifications for contingency operations facility security plan and access control and validation procedures at 45 CFR 164310a2i through iii to clarify that we expect a regulated entity to not only establish and implement policies and procedures but also that we expect them to be in writingpp
The Departments proposal would also require that the procedures for contingency operations proposed at 45 CFR 164310a2i support the regulated entitys contingency plan instead of the current requirement specifying that the procedures support the restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency647
This proposal would align the implementation specification for contingency operations with the standard for contingency planning at proposed 45 CFR 164308a13i by specifically ensuring that the written policies and procedures support the required contingency plan It also would avoid duplicating the implementation specification for disaster recovery planning at proposed 45 CFR 164308a13iiD which would require a regulated entity to address the restoration of lost data and systems in the disaster recovery plan component of its contingency plan We propose to modify 45 CFR 164310a2ii to clarify that the written policies and procedures that constitute the facility security plan must apply to all of the regulated entitys facilities and equipment contained within those facilities The Department proposes to retitle the implementation specification for access control and validation procedures at 45 CFR 164310a2iii as Access management and validation procedures and to require regulated entities to establish and implement written procedures to both authorize and manage a persons rolebased access to facilities
ppIn the implementation specification for maintenance records the Department proposes at 45 CFR 164310a2iv to change the provision heading to Physical maintenance records and to add security cameras to the list of examples of physical security components about which a regulated entity is required to implement written policies and procedures to document repairs and modifications Both proposals are consistent with and recognize the evolution of the role that technology plays in managing and granting physical access to facilitiesppConsistent with our proposals to add maintenance requirements where we believe it is necessary for regulated entities to review test and modify their security measures on a particular cadence we also propose to add an implementation specification for maintenance at proposed 45 CFR 164310a2v The maintenance provision would require that for each facility a regulated entity review and test its written policies and procedures at least once every 12 months and to modify those policies and procedures as reasonable and appropriate based on that reviewpp
Further in the standards for workstation use and workstation security at 45 CFR 164310b redesignated as proposed 45 CFR 164310b1 and c respectively the Department proposes several changes that would recognize the increasingly mobile nature of ePHI and workstations that connect to the information systems of regulated entities The purpose of these proposals is to ensure that regulated entities properly consider physical safeguards for all workstations including those that are mobile and not only those that are located in regulated entities facilities The Department also proposes to modify both standards to clarify the organization of the regulatory text The Department proposes to modify the standard for workstation use to clarify that policies and procedures established by a regulated entity to govern the use of workstations be in writing and address all workstations that access ePHI or the regulated entitys relevant electronic information systems These proposed changes are consistent with the Departments longstanding expectations and other proposals in this NPRM described above In 45 CFR 164310b2iC the Department proposes to require a regulated entity to establish and implement written policies and procedures that among other things specify the physical attributes of workstation surroundings including the removal of workstations from a facility and the movement of workstations within and outside of a facility This proposal is consistent with
print page 961
the proposed revision to the definition of workstation discussed above Additionally we propose to add an implementation specification for maintenance at proposed 45 CFR 164310b2ii to require that a regulated entity review and test its written policies and procedures at least once every 12 months and to modify those policies and procedures as reasonable and appropriate based on that review
pp
Relatedly the Department proposes to modify the standard for workstation security at 45 CFR 164310c to require a regulated entity to implement physical safeguards for workstations that access ePHI or relevant electronic information systems to comply with its written policies and procedures for workstation use This proposal would also make clear that such physical safeguards must be modified in response to any modifications to the written policies and procedures for workstation use As part of their policies and procedures for workstation security the Department encourages regulated entities to consider among other things whether there are workstations located in public areas or other areas that are more vulnerable to theft unauthorized use or unauthorized viewing whether such devices should be relocated the physical security controls for workstations that are in use
eg
cable locks privacy screens secured rooms cameras and whether they are easy to use and whether there are additional physical security controls that could reasonably be put into place648
Additionally consistent with the Departments proposal to require that a regulated entity provide rolebased security awareness training on its Security Rule policies and procedures649
the Department expects that such training would address the physical safeguards it has implemented particularly those policies and procedures for mobile devices that are used to create receive maintain or transmit ePHI or that otherwise affect the confidentiality integrity or availability of ePHI
pp
The Department proposes to modify the standard at 45 CFR 164310d1 by changing the heading to Technology asset controls from Device and media controls and replacing hardware and electronic media in 45 CFR 164310d1 and 2 with technology assets We believe that this modification would more accurately capture the various categories of components of a regulated entitys relevant electronic information systems that may be received in removed from or moved within a facility and that also affect the confidentiality integrity or availability of ePHI Thus we believe that this modification would provide regulated entities with a clearer understanding of their compliance obligations with respect to the physical safeguards that should be implemented to protect ePHI when technology assets are received by removed from or moved within a facility While we are not proposing other significant changes to 45 CFR 164310d1 at this time we remind regulated entities to consider the appropriateness of the policies and procedures they have implemented with respect to the movement of technology assets that maintain ePHI into and out of their facilities and the movement of these items within their facilities The processes a regulated entity chooses to implement to govern the movement of technology assets may vary based on the type of technology asset650
For example once installed a server or desktop computer may not need to be moved for the entirety of its lifecycle within the regulated entity while portable electronic devices and media such as smartphones tablets and USB flash drives are designed to be mobile and may move frequently into out of and within a regulated entitys facilities651
Thus the regulated entitys policies and procedures must account for these differences652
Further we note that the proposed definition of workstation includes mobile devices Mobile devices that serve as workstations are subject to the requirements in this paragraph and those in paragraphs b and c
pp
The Department also proposes to modify the standard at 45 CFR 164310d1 to clarify the organization of regulatory text and to clarify its longstanding expectations that policies and procedures must be in writing and to replace contain with maintain consistent with terminology used throughout the HIPAA Rules The Department believes that having written policies for the disposal of ePHI and the technology assets on which it is stored and for the removal of ePHI from electronic media such that the ePHI cannot be recovered continues to be important to ensuring the physical safety of ePHI Improper disposal of technology assets puts the ePHI stored in or on such assets at risk for a potential breach and as discussed elsewhere data breaches can result in substantial costs to regulated entities and the individuals affected by the breach We also propose in the related implementation specifications at 45 CFR 164310d2i and ii to require that written policies and procedures for disposal of ePHI and sanitization of electronic media be tied to current standards for sanitizing electronic media before the media are made available for reuse653
For example photocopiers today are often connected to the same network as workstations and generally store the information including ePHI transmitted to them This capability is a significant change from photocopier capabilities that existed when the Security Rule was first issued in 2003 Under this proposal a regulated entity would be required to include in its written policies and procedures for disposing of ePHI and the technology assets on which it is maintained policies and procedures addressing ePHI maintained on photocopiers consistent with the current standards for disposing and removing ePHI from electronic media654
ppWe have previously explained in guidance that a regulated entity should consider all of the following as part of its risk analysispp
Our guidance describes these considerations in greater detail For example regulated entities should consider how to address the replacement of technology assets including devices and media656
Technology assets that need to be replaced should be decommissioned meaning that they are taken out of service before the final disposition of such assets657
Steps a regulated entity should consider as part of its decommissioning process include ensuring technology assets are securely erased and then either securely destroyed or recycled ensuring that the regulated entitys technology asset inventory is updated to accurately reflect the status of decommissioned technology assets or technology assets slated to be decommissioned and ensuring that privacy is protected through proper migration to another electronic information system or total destruction of the ePHI658
ppThe Department proposes to remove the implementation specifications for accountability and data backup and storage at 45 CFR 164310d2iii and iv We believe that the accountability provisions would be subsumed and replaced by the proposed standard for technology asset inventory at proposed 45 CFR 164308a1i Thus when the proposed new standard and implementation specifications are read together the written policies and procedures that govern the receipt and removal of technology assets that maintain ePHI into and out of a facility and the movement of these assets within the facility should include tracking relevant information in the technology asset inventory Similarly we are proposing to delete the specification for data backup and storage because it is redundant to the administrative safeguard on data backups at proposed 45 CFR 164308a13iiBpp
As referenced above in place of the implementation specifications we are proposing to delete the Department proposes a new implementation specification at proposed 45 CFR 164310d2iii that would require a regulated entity to review and test the written policies and procedures related to the implementation specifications for technology assets at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate Such environmental or operational changes may range from new and emerging threats to the confidentiality integrity or availability of ePHI
eg
a new virus to the adoption of new technology assets by the regulated entity
eg
a new operating system new types of workstations Given the constant evolution of IT and methods for restoring data that has been disposed of or was on electronic media that has been sanitized the Department believes that it is essential for a regulated entity to at least consider the reasonableness and appropriateness of its policies and procedures for disposal and electronic media sanitation not only annually but also in the face of any environmental or operational changes We expect that pursuant to our proposals to strengthen the standard for risk analysis a regulated entity would be able to identify such environmental and operational changes before they occur
ppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether every 12 months is an appropriate frequency for review of a regulated entitys written policies and procedures for physical safeguards If not please explainppb Whether the written policies and procedures for physical safeguards should be reviewed at different intervals based on the specific standard or implementation specification If so please explainppc Whether the Department should include additional examples in regulatory text at proposed 45 CFR 164310a2iv of physical components of a facility related to security for which there should be written policies and procedures to document repairs and modificationsppd Whether the standard at proposed 45 CFR 164310d1 and its associated implementation specifications at paragraph d2 should apply to technology assets that do not maintain ePHI but do access the regulated entitys relevant electronic information systemsppSection 164312 includes five standards for technical safeguards which are the requirements concerning the implementation of technology and technical policies and procedures to protect the confidentiality integrity and availability of ePHI and related information systems A regulated entity must comply with the standards for technical safeguards in accordance with 45 CFR 164306c the provision that describes the general rules for the security standardspp
Under 45 CFR 164312a1 a regulated entity is required to establish policies and procedures for electronic information systems to allow access only to those persons or software programs that have been granted access rights as specified in 45 CFR 164308a4 Regulated entities may comply with this standard by implementing a combination of access control methods and technical controls consistent with the implementation specifications for this standard The Security Rule does not identify a specific access control method or technology to implement Regardless of the technology or information system used access controls should be appropriate for the workforce members role andor function659
For example a workforce member responsible for monitoring and administering information systems with ePHI such as an administrator or a superuser660
should only have access to ePHI as appropriate for their role andor job function
pp
The implementation specifications that provide instructions for satisfying the access control standard are found at 45 CFR 164312a2 Two are required and two are addressable661
The implementation specifications address unique user identifiers662
emergency access procedures663
automatic logoff664
and encryption and decryption665
The implementation
print page 963
specification for unique user identification requires a regulated entity to assign unique identifiers to users to facilitate the identification of specific users of an information system666
By assigning a unique identifier to each user a regulated entity can track the specific activity of that user when they are logged into an information system and hold the user accountable for functions they perform in the information system when they access that system
pp
Under the implementation specification for emergency access procedures a regulated entity is required to establish procedures such as documented operational practices and instructions to workforce members for obtaining access to necessary ePHI during an emergency and to implement such procedures as needed667
In accordance with this implementation specification a regulated entity must identify the types of situations in which its normal procedures for accessing an information system or application that contains ePHI may not work and establish procedures for obtaining access in those situations668
These procedures must be established prior to an emergency to instruct workforce members on possible ways to gain access to needed ePHI where for example the electrical system has been severely damaged or rendered inoperative or where a software update fails and prevents the regulated entity from accessing ePHI in its EHR
pp
The implementation specification for automatic logoff associated with the standard for access control addresses the need for a regulated entity to when reasonable and appropriate implement electronic procedures that terminate an electronic session after a period of inactivity669
Automatic logoff is an effective way to prevent unauthorized users from accessing ePHI on a workstation when it is left unattended for a period of time670
While many applications have configuration settings that automatically log a user out of the system after a period of inactivity some systems have more limited capabilities and may activate a screen saver that is password protected671
pp
The implementation specification under the standard for access control addresses encryption and decryption and requires regulated entities when it is reasonable and appropriate to implement a mechanism to encrypt and decrypt ePHI672
Encrypting data including ePHI reduces the likelihood that anyone other than the party that has the key to the encryption algorithm would be able to decrypt
ie
translate the data and convert it into plain comprehensible text673
pp
The standard for audit controls requires a regulated entity to implement hardware software andor procedural mechanisms that record and examine activity in electronic information systems that contain or use ePHI Most electronic information systems provide some level of audit controls with a reporting method such as audit reports674
These controls are useful for recording and examining information system activity especially when determining whether a security violation has occurred675
The Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed676
Instead a regulated entity must consider its risk analysis and organizational factors such as current technical infrastructure and hardware and software security capabilities to determine reasonable and appropriate audit controls for information systems that contain or use ePHI677
The audit controls standard has no implementation specifications
pp
Section 164312c1 the standard for integrity requires a regulated entity to implement policies and procedures to protect ePHI from improper alteration or destruction The integrity of data can be compromised by both technical and nontechnical sources Workforce members or business associates may make accidental or intentional changes that improperly alter or destroy ePHI Data can also be altered or destroyed without human intervention such as by electronic media errors or failures678
The purpose of this standard is to establish and implement policies and procedures for protecting ePHI from being compromised regardless of the source Improperly altered or destroyed ePHI can result in clinical quality problems for a covered entity including patient safety issues679
pp
Section 164312c2 contains the addressable implementation specification for the integrity standard that requires a regulated entity when reasonable and appropriate to implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner To determine which electronic mechanisms should be implemented to ensure the integrity of ePHI a regulated entity must consider the various risks to the integrity of ePHI identified during the risk analysis Once a regulated entity has identified risks to the integrity of its data it must identify security measures that will reduce the risks680
ppThe standard for person or entity authentication at 45 CFR 164312d requires a regulated entity to establish policies and procedures for verifying that a person seeking access to ePHI is the one claimed This standard addresses technical controls for ensuring access is allowed only to those persons or software programs that have been granted access rights under the administrative safeguard for information access management at 45 CFR 164308a4 This standard has no implementation specificationspp
Under the standard for transmission security at 45 CFR 164312e1 a regulated entity is required to implement technical security measures to guard against unauthorized access to ePHI when transmitted electronically such as through the internet A regulated entity must identify the available and appropriate means to protect ePHI as it is transmitted select appropriate solutions and document its decisions681
pp
The two addressable implementation specifications for the transmission security standards are under 45 CFR 164312e2 The implementation specification for integrity controls requires a regulated entity when it is reasonable and appropriate to implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until the ePHI has been disposed682
The implementation specification for encryption requires a regulated entity when it is reasonable and appropriate to implement a mechanism to encrypt ePHI
ppWhile the intention of 45 CFR 164312 is for regulated entities to develop and put into place technical controls the Department is aware that regulated entities have not always achieved the degree of protection for ePHI that we intended Absent a definition of implement some regulated entities might interpret the term to mean something other than implementing technical controls to ensure the confidentiality integrity and availability of ePHI This misinterpretation may leave ePHI partially unprotected because regulated entities may not implement safeguards throughout their enterprise As discussed above with respect to both the administrative and physical safeguards the Department is also concerned that regulated entities are not making the connection between the maintenance requirement at 45 CFR 164306d and the requirement to implement technical safeguards and therefore are not reviewing or updating their policies and procedures for technical safeguards Additionally the Department believes that regulated entities may not be recognizing that their obligations under the Security Rule to protect ePHI are not limited to protecting electronic information systems that create receive maintain or transmit ePHI but necessarily include other electronic information systems that affect the confidentiality integrity or availability of ePHIpp
While the Security Rule relies on a flexible and scalable approach to compliance the health care industrys shift to a digital environment has substantially increased both the risk to ePHI and the prevalence of technological solutions for addressing those risks Additionally the cost of such solutions has in many cases decreased over time as is often the case with technology For example when the original Security Rule was published tools to encrypt ePHI had limited availability were more costly and were not userfriendly particularly for small health care providers683
By contrast in 2024 the technical ability to encrypt data may be seamless in many applications inexpensive and widely available in commercial software and hardware products684
Where an encryption solution is not integrated into an application software or hardware thirdparty solutions are often available685
Thus we do not believe that it is appropriate for such provisions to be addressable 686
ppBased on its own investigations and compliance reviews news reports and published studies the Department is aware that many regulated entities have failed to implement adequate technical controls or in some cases any technical controls For examplepp
Some investigations have found indications that regulated entities may implement technical controls that address some but not all users of and technology assets in a relevant electronic information system such as software hardware and persons involved in the development configuration and implementation of technical controls692
And other investigations have suggested that the potential failure of a regulated entity to have security measures in place to protect ePHI from unauthorized access when it is transmitted electronically has resulted in increased risk and breaches of ePHI693
Common network segmentation practices would have substantially reduced the risk to the security ePHI and could have prevented such breaches
pp
Beyond the health care sector threat actors have been able to gain access to networks by compromising user accounts and taking advantage of insufficient network segregation For example the 2014 Home Depot breach involved the compromise of a thirdparty vendors username and password to enter Home Depots network which allowed hackers to obtain elevated rights to navigate to selfcheckout pointofsale system694
The Department is concerned about the potential effects of such incidents in health care where they would jeopardize the confidentiality integrity and availability of ePHI
pp
Finally consistent with the concerns expressed above about the implications of recent caselaw and the uncertainty it might cause among regulated entities assessing whether they have adequately protected their ePHI the Department is concerned that the existing Security Rule may not provide sufficient instruction to regulated entities about
print page 965
how they must maintain specific security measures
ppThe Department retains the requirements for technical safeguards generally and proposes additions and modifications to the existing standards and implementation specificationsppThe Department proposes to expand the primary provision at 45 CFR 164312 to clarify that regulated entities as a general matter must implement and document the implementation of technical safeguards adopted for compliance with the Security Rule This proposal would clarify that the requirement to implement and document technical safeguards would apply to all technical safeguards including technical controls implemented by a regulated entity to protect the confidentiality integrity and availability of all ePHI it creates receives maintains or transmitsppAs noted above the current provision at 45 CFR 164312 does not reference the documentation requirements in 45 CFR 164316 Therefore for clarity we propose to explicitly require in 45 CFR 164312 that documentation of technical safeguards conforms to the requirements in 45 CFR 164316 This proposed change would clarify that a regulated entity must document the policies and procedures required to comply with this rule and how entities considered the flexibility factors in 45 CFR 164306b It would also clarify that a regulated entity must document each action activity and assessment required by the Security Rule The Department considers the documentation requirements and other provisions of 45 CFR 164316 to apply to all of the safeguards including the technical safeguards and this proposal is intended to remove any potential uncertainty among regulated entities Additionally we propose to add maintenance requirements separately to the implementation specifications for particular technical safeguards in 45 CFR 164312 as discussed below and consistent with our proposals to add similar requirements to particular administrative and physical safeguardsppAdditionally as discussed above the Department proposes to remove the distinction between required and addressable implementation specifications and make all implementation specifications required with specific limited exceptions Also as discussed above we propose to modify certain standards and implementation specifications to clarify that the technical safeguards apply to ensure the confidentiality integrity and availability of ePHI which requires a regulated entity to implement the technical safeguards in or on all relevant electronic information systems These proposals are discussed in greater detail belowpp
The Department proposes to clarify the standard for access control at 45 CFR 164312a1 by requiring a regulated entity to deploy technical controls in relevant electronic information systems to allow access only to those users and technology assets that have been granted access rights This proposed modification would ensure that a regulated entity deploys technical controls rather than solely ensuring that it implements technical policies and procedures consistent with our proposals to define deploy and implement 695
Thus the proposal would clarify that a regulated entity is not expected to merely establish a policy and procedure but must also put into place ensure the operation of and verify the continued operation of technical controls for access to its relevant electronic information systems such that the failure to have such technical control in operation throughout its enterprise would be a violation of the new proposed standard Additionally the Departments proposal would clarify that access controls would apply to persons with authorized access and to technology assets
pp
Access controls are one of the key mechanisms by which a regulated entity protects ePHI Such technical controls ensure that access to the regulated entitys electronic information systems is limited to only users and technology assets that have been granted access rights under the policies and procedures adopted in accordance with the standard for information access management under 45 CFR 164308696
The Security Rule does not identify a specific type of access control method or technology to deploy nor are we proposing to do so in this rule697
As discussed above access rights should be rolebased and the technical controls should assist the regulated entity in implementing such policies and procedures For example workforce members responsible for monitoring and administering a regulated entitys relevant electronic information systems such as someone responsible for cybersecurity or providing technical support to users must only have access to ePHI and to the regulated entitys relevant electronic information systems as appropriate for their role and job function
ppWe also propose at 45 CFR 164312a1 to add a paragraph heading to clarify the organization of the regulatory textppThe Department proposes to modify the existing implementation specifications under the standard for access control and to add five new implementation specifications Additionally we propose to redesignate the implementation specification for encryption and decryption as a standardppWe propose to modify the implementation specification for unique user identification at 45 CFR 164312a2i by renaming the implementation specification as Unique identification and adding a requirement to assign a unique identifier for tracking each technology asset These proposed modifications would clarify for regulated entities that the purpose of this requirement is to enable a regulated entity to identify and track unauthorized activity in its relevant electronic information systems Such unauthorized activity may include activity by unauthorized persons or technology assets It may also include activity by persons who are authorized to access the regulated entitys relevant information systems but who access ePHI that they do not need to access for their job or functionpp
The Department also proposes to expand the types of identifiers a regulated entity may assign to users and technology assets beyond names to include numbers andor other identifiers and to clarify that a unique identifier must be assigned to each user and technology asset in the regulated entitys relevant electronic information systems This proposed modification would better meet the goals of this implementation specification by requiring a regulated entity to be able to discern and track activities among all users and technology assets regardless of whether that user or technology asset is a person hardware software program or device The proposed implementation specification for unique identification aligns with the Departments essential CPG for Unique Credentials which calls for regulated entities to use unique credentials to
print page 966
help detect and track anomalous activities698
pp
Additionally we propose to add an implementation specification at proposed 45 CFR 164312a2ii for administrative and increased access privileges Access controls should enable an authorized user to access the minimum necessary information needed to perform their job functions699
Rights andor privileges should be granted to authorized users based on the policies and procedures required under the administrative safeguard for information access management700
For example a workforce member who has certain rolebased administrative access privileges should have separate user identities for nonadministrative access privileges and administrative access privileges Separating a single workforce members user identities based on access privilege substantially limits the risk that an intruder will be able to access ePHI through a workforce members user identity when they are using the administrative access privileges701
A regulated entity may be able to improve the control and review of the use of administrative access privileges such as through a privileged access management system to understand how privileged accounts are used within its environment and help detect and prevent the misuse of privileged accounts702
pp
The proposed implementation specification would require a regulated entity to separate the unique user identities required by the implementation specification for unique user identification based on the type of access privileges used by a specific unique user For example the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to establish user permissions for accessing and performing actions with electronic health information based on unique identifiers may contribute to a regulated entitys compliance with the proposed new implementation specification for administrative and increased access privileges should the proposal be finalized703
This proposed new implementation specification aligns with the Departments essential CPG for Separate User and Privileged Accounts by addressing the separation of privileged or administrator access rights from common user accounts704
pp
Additionally the Department proposes to redesignate the implementation specification for emergency access procedures at 45 CFR 164312a2ii as proposed 45 CFR 164312a2iii and to modify it to require a regulated entity to establish both written procedures and technical procedures for obtaining necessary ePHI during an emergency and to implement them as needed For example we note that the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to permit an identified set of users to access electronic health information during an emergency may contribute to a regulated entitys compliance with the proposed implementation specification for emergency access procedures should the proposal be finalized705
pp
Under the Departments proposal the implementation specification for automatic logoff at 45 CFR 164312a2iii would be redesignated as proposed 45 CFR 164312a2iv and modified to require a regulated entity to deploy technical controls that terminate an electronic session after a period of inactivity Deploying a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session706
Failure to deploy automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI it also impedes an organizations ability to properly investigate such unauthorized access because it would appear to originate from an authorized user707
pp
The Department proposes that the period of inactivity be both predetermined and reasonable and appropriate When determining the length of the period of inactivity a regulated entity should consider the access privileges of a given user or technology asset the systems being accessed the environment in which the system access occurs and other appropriate factors in determining a reasonable and appropriate time of inactivity before session termination For example in an emergency setting a user may not have time to manually log out of a system User identities with administrative and other highlevel access that present a greater risk to the confidentiality integrity and availability of ePHI should have appropriately shorter periods of inactivity because of the increased risk While many applications have configuration settings for automatic logoff708
a regulated entity must determine whether the default automatic logoff is reasonable and appropriate and make modifications if it is not For example the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to automatically stop a users access to health information after inactivity for a predetermined period and require a user to reenter their credentials to resume or regain access may contribute to a regulated entitys compliance with the proposed implementation specification for automatic logoff should the proposal be finalized709
pp
Additionally we propose to add an implementation specification for login attempts at proposed 45 CFR 164312a2v The proposal would require a regulated entity to deploy technical controls that disable or suspend the access of a user or technology asset to relevant electronic information systems after a certain number of unsuccessful authentication attempts Although incorrectly keying in a known password by the intended user may occur infrequently a repeated and persistent failure is a strong indication of an attempt at unauthorized access For example brute force attacks are attempts to gain unauthorized access by guessing the password many times in a row710
Technical controls that limit the number of incorrect login attempts by disabling or suspending the access of a user or technology asset to relevant electronic information systems are appropriate to address unsuccessful login attempts711
pp
The proposal would require a regulated entity to determine the number of unsuccessful authentication attempts that would trigger disabling or suspending access to relevant electronic information system The number should
print page 967
be reasonable and appropriate for the type of user or technology asset the electronic information system or technology asset to which access is sought and the type of information maintained on such information system or technology asset For example a regulated entity may determine that any authentication failure of an administrative privileged access account should disable the account because of the level of risk compared to an authentication failure of a nonadministrative privileged account The Department does not propose to define disable or suspend and relies upon the industry understanding that disabling a users access would require intervention to restore the capability to use the user identity while a suspension may prevent additional login attempts for a temporary limited period of time
pp
Consistent with NCVHS recommendation and existing guidance the Department also proposes to add an implementation specification for network segmentation at 45 CFR 164312a2vi that would require a regulated entity to deploy technical controls to segment its relevant electronic information systems in a reasonable and appropriate manner712
Under this proposal a regulated entity with multiple distinct electronic information systems would be required to separate relevant electronic information systems using reasonable and appropriate technical controls Network segmentation is a physical or virtual division of a network into multiple segments creating boundaries between the operational and IT networks to reduce risks such as threats caused by phishing attacks713
For example where a regulated entity operates both a pointofsale system and an EHR on the same network the EHR could be compromised through a successful attack by an intruder moving laterally
ie
within the same network from a previously compromised pointofsale system because the intruders movements were not impeded by network segmentation Accordingly we believe that it is appropriate to require regulated entities to deploy technical controls to segment the networks to which their relevant electronic information systems are connected714
What constitutes reasonable and appropriate network segmentation depends on the regulated entitys risk analysis and how it has implemented its networks and relevant electronic information systems This proposed new implementation specification aligns with the Departments enhanced CPG for Network Segmentation because where the CPG is implemented an intruders ability to freely move within a regulated entitys network and protect ePHI is minimized715
ppThe proposed implementation specification for data controls at proposed 45 CFR 164312a2vii would require a regulated entity to deploy technical controls to allow access to ePHI based on the regulated entitys policies and procedures for granting users and technology assets access relevant electronic information systems as specified in proposed 45 CFR 164308a10 This implementation specification would require a regulated entity to have in place technical controls that distinguish between users and technology assets that are permitted to access the regulated entitys relevant electronic information systems and those that are not permitted to do so and would require that the controls permit or disallow access accordinglypp
Properly deployed networkbased solutions can limit the ability of a hacker to gain access to an organizations network or impede the ability of a hacker already in the network from accessing other electronic information systemsespecially systems containing sensitive data716
Access controls could include rolebased access userbased access or any other access control mechanisms the organization deems appropriate717
Access controls need not be limited to computer systemsfirewalls network segmentation and network access control solutions are effective means of limiting access to relevant electronic information systems718
ppAdditionally we propose to add an implementation specification for maintenance at proposed 45 CFR 164312a2viii Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the procedures and technical controls required by the implementation specifications associated with the standard for access control at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Encryption can reduce the risks and costs of unauthorized access to ePHI719
For example if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen a breach of PHI will be presumed and reportable under the Breach Notification Rule720
The Breach Notification Rule applies to unsecured PHI which is PHI that is not rendered unusable unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under the HITECH Act721
The Departments guidance on rendering unsecured PHI unusable unreadable or indecipherable to persons who are not authorized to access such PHI states that ePHI at rest
ie
stored in an information system or electronic media is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800111 722
SP 800111 The ePHI encrypted in a manner consistent with SP 800111 is not considered unsecured PHI and therefore qualifies for what is commonly known as the Breach Notification safe harbor meaning that it is not subject to the requirements of the Breach Notification Rule723
Thus by encrypting ePHI in a manner consistent with the Secretarys guidance a regulated entity may not only fulfill its encryption obligation under the Security Rule but also make use of the
print page 968
Breach Notification Rules safeharbor provision724
pp
As the use of mobile computing devices
eg
laptops smartphones tablets has become more pervasive the risks to sensitive data stored on such devices also have increased725
And while in 2003 and even in 2013 encryption might have been out of reach for many regulated entities because of cost or a similar reason726
today encryption solutions are generally considered to be widely accessible The cost of such solutions has decreased significantly as has the difficulty in implementing such solutions In fact many applications have encryption solutions embedded in them727
Once enabled a devices encryption solution can protect stored sensitive data including ePHI from unauthorized access in the event the device is lost or stolen The same is true for most software today728
Thus while encryption of a particular regulated entitys ePHI might not have been reasonable and appropriate in 2003 or 2013 the Department believes encryption generally is reasonable and appropriate today729
pp
Because the prevalence of encryption solutions has increased as has their affordability and the role they play in protecting information including ePHI the Department believes it is appropriate to consider requiring encryption and elevating it from an implementation specification to a standard to increase its visibility and prominence Based on this and consistent with NCVHS recommendation the Department proposes to redesignate the implementation specification for encryption and decryption at 45 CFR 164312a2iv as a standard at proposed 45 CFR 164312b1730
The proposed standard would incorporate the requirements of two implementation specifications that address encryptionthe one addressed here and the one at 45 CFR 164312e2ii731
The Department proposes that the new standard would require a regulated entity to configure and implement technical controls to encrypt and decrypt all ePHI in a manner that is consistent with prevailing cryptographic standards This proposed new standard aligns with the Departments essential CPG for Strong Encryption by calling for regulated entities to deploy encryption to protect ePHI and with the recommendation of NCVHS732
We also note that the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to encrypt and decrypt electronic health information using an encryption algorithm that meets certain requirements may contribute to a regulated entitys compliance with the proposed standard for encryption and decryption should the proposal be finalized733
ppUnder the proposal a regulated entity would need to ensure that an encryption solution that it adopts meets prevailing cryptographic standards prior to using it The Department uses the phrase prevailing cryptographic standards to refer to widely accepted standards for encryption and decryption that are recommended by authoritative sources and that ensure the confidentiality integrity and availability of ePHI at the time the regulated entity performs its risk analysis and establishes or modifies its risk management plan The Department would expect a regulated entity to deploy updated encryption solutions as prevailing cryptographic standards evolve consistent with both of the proposed requirements discussed above 1 to review verify and update its risk analysis in response to changes in its environment that may affect ePHI and 2 to review and modify as reasonable and appropriate its risk management plan in response to changes in its risk analysis Thus a regulated entity using an encryption algorithm that is known to be insecure would not be in compliance with the proposed requirement to deploy an encryption algorithm that meets prevailing cryptographic standards We are not proposing to define prevailing cryptographic standards in regulatory text at this timepp
The Department proposes to add one implementation specification for the proposed standard for encryption and decryption Specifically proposed 45 CFR 164312b2 would require regulated entities to encrypt all ePHI at rest and in transit with limited exceptions734
Thus a regulated entity would be required to encrypt all ePHI it maintains as well as all ePHI it transmits unless an exception applies and the following conditions are met
pp
The first proposed exception at proposed 45 CFR 164312b3i would apply to a technology asset currently used by a regulated entity that does not support encryption according to prevailing cryptographic standards Because the requirements for encryption under the Security Rule today are addressable a regulated entity may be in compliance with the encryption requirement without actual encryption of ePHI if encryption is not reasonable and appropriate provided that the entity meets certain conditions Additionally technology assets in use today may rely on cryptographic standards that are no longer accepted industry practice The Department recognizes that it may take some time for a regulated entity to adopt compliant technology assets Thus we propose this exception for such technology assets that do not support encryption consistent with prevailing cryptographic standards in limited circumstances Specifically to meet this exception a regulated entity would be required to establish a written plan to migrate ePHI to technology assets that support encryption consistent with prevailing cryptographic standards and to implement such plan The regulated entity would be required to establish and implement the written plan within
print page 969
a reasonable and appropriate period of time For example it would not be reasonable or appropriate for a regulated entity to establish a plan to migrate ePHI on a single flash drive within 30 days and not complete migration of that ePHI for a period of a year because migrating ePHI from a flash drive to a more secure medium is a simple and quick process that the regulated entity already determined could be completed within 30 days Thus a year would be an unreasonably long period to leave ePHI insufficiently encrypted particularly after a need to migrate the ePHI has been established In such circumstances the regulated entity would not be complying with the requirements of this proposed exception
pp
The second proposed exception at proposed 45 CFR 164312b3ii would be available for ePHI transmitted in response to an individual request pursuant to 45 CFR 164524 to receive their ePHI in an unencrypted manner Unencrypted manners for an individual to receive their ePHI may include some types of text messaging instant messaging and other applications on a smartphone or another computing device that are capable of making an access request and receiving ePHI735
This exception for individual access requests under 45 CFR 164524 would not apply when the individual would receive their ePHI using technology controlled by the regulated entity such as a patient portal 736
or other technology for the transmission of ePHI
eg
API technology737
Such email or messaging technologies are considered to be among a covered entitys technology assets because they are components of a covered entitys relevant electronic information systems and the requirement to encrypt ePHI would apply
pp
Under the right of access an individual who is the subject of PHI has the right to inspect and request a copy of PHI about them in a designated record set subject to certain exceptions A regulated entity is required to provide such access in the form and format requested by the individual if it is readily producible in such form and format Thus if an individual requests that the regulated entity provide them access in a manner that does not support encryption a regulated entity is generally required to do so if it does not jeopardize the security of the regulated entitys information systems For the exception to apply a regulated entity would be required to have informed the individual of the risks associated with the transmission receipt and storage of unencrypted ePHI when the individual requests unencrypted access and to document that the individual has been informed of such risks738
pp
Consistent with the information blocking regulations the information provided by regulated entities that are also actors must focus on any current privacy andor security risks posed by the technology or the thirdparty developer of the technology be factually accurate unbiased objective and not unfair or deceptive and be provided in a nondiscriminatory manner739
For example a regulated entity that is an actor must provide information to individuals about the privacy and security risks of all mobile health applications in the same manner
pp
We are not proposing to require that the documentation be in any particular form or format Rather the required information could be on a standard form chart note or checkbox as examples The Department does not propose to apply this exception to ePHI transmitted in other forms or formats such as on a CD or other physical device used to maintain and transmit ePHI The proposal would not absolve a regulated entity from compliance with other applicable laws or regulations including the information blocking regulations740
pp
We recognize that emergencies or other occurrences may render it infeasible to encrypt ePHI Thus the third proposed exception at 45 CFR 164312b3iii would apply to certain circumstances in which encryption is infeasible Such circumstances would be limited to when there is emergency or other occurrence that adversely affects a regulated entitys relevant electronic information systems For the proposed exception to apply a regulated entity would be required to implement reasonable and appropriate compensating controls in accordance with and determined by its contingency plan741
The Department would expect this proposed exception to be applicable for a limited period of time and only when encryption is infeasible As noted above the proposed exception to encryption would narrowly apply only when a regulated entitys relevant electronic information system is adversely affected by the emergency or other occurrence The proposed exception would no longer be applicable at such time encryption becomes feasible regardless of whether the emergency or other occurrence continues
pp
The fourth proposed set of exceptions at proposed 45 CFR 164312b3iv would be for ePHI that is created received maintained or transmitted by a medical device
ie
a device within the meaning of section 201h of the Federal Food Drug and Cosmetic Act 21 USC 321h that is authorized by the FDA for marketing We propose three separate exceptions for devices that are authorized by the FDA for marketing pursuant to a submission received before March 29 2023 a submission received on or after March 29 2023 where the device is no longer supported by its manufacturer or a submission received on or after March 29 2023 where the device is supported by its manufacturer Where a device has been authorized by the FDA for marketing pursuant to a submission received before March 29 2023 we propose that the exception at proposed 45 CFR 164312b3ivA would be available only where the regulated entity deploys in a timely manner any updates or patches required or recommended by the manufacturer of the device We also propose a similar exception at proposed 45 CFR 164312b3ivB for devices authorized by the FDA for marketing pursuant to a submission received on or
print page 970
after March 29 2023 where the device is no longer supported by its manufacturer provided that the regulated entity has deployed any updates or patches required or recommended by the manufacturer
pp
We recognize that to comply with this proposal some regulated entities may incur costs for replacing legacy medical devices
ie
medical devices that cannot be reasonably protected against current cybersecurity threats742
We also recognize that legacy devices can pose significant risks to the confidentiality integrity and availability of ePHI743
By limiting these exceptions to devices that have been updated andor patched while they were supported by their manufacturer we believe that this proposal would balance the interest in encouraging regulated entities to dispense with legacy devices with the cost of replacing such devices Additionally the Department believes that regulated entities should already have plans to replace legacy devices that cannot be made cybersecure because of their existing Security Rule obligations We also recognize that at some point most if not all devices will likely become legacy devices and that there may be legitimate reasons not to immediately replace them when the manufacturer ceases to provide support In such cases it will continue to be important for regulated entities to plan for how to address their ongoing Security Rule obligations
pp
Finally we propose an exception proposed 45 CFR 164312b3ivC that would be available for a device authorized by the FDA for marketing pursuant to a submission received on or after March 29 2023 where the device is supported by its manufacturer We understand that the FDA considers security during the review of medical device marketing submissions including those for software that is approved as a medical device and works with device manufacturers to ensure that appropriate cybersecurity protections are built into such devices pursuant to FDAs authority under the Consolidated Appropriations Act 2023744
Thus we do not believe it would be necessary or appropriate for the Security Rule to require encryption for an FDAauthorized medical device that has been authorized by the FDA for marketing pursuant to a submission received on or after March 29 2023 where the device continues to be supported by its manufacturer
ppWhere a proposed exception applies to the proposed encryption requirement the Department also proposes to require that a regulated entity implement alternative measures and compensating controls Specifically we propose at proposed 45 CFR 164312b4i to require a regulated entity to document the existence of an applicable exception and implement reasonable and appropriate compensating controls Under the proposal we would require documentation to occur in realtime meaning when the criteria for the exception exist and at the time compensating controls are implemented For example a regulated entity disclosing ePHI to an individual by unencrypted email in accordance with the right of access would be required to document in accordance with the proposed 45 CFR 164312b4i that 1 before the disclosure the individual has requested to receive ePHI by unencrypted email or unencrypted messaging technology and 2 before the disclosure the regulated entity informed the individual of the risks associated with transmission of unencrypted ePHI The exception would not apply where such individual requests to receive access to their ePHI pursuant to 45 CFR 164524 via email or messaging technologies implemented by the covered entitypp
At proposed 45 CFR 164312b4i the Department proposes to require that where a proposed exception applies a regulated entity would also be required to implement an alternative measure or measures that are reasonable and appropriate compensating controls under proposed 45 CFR 164312b4ii Compensating controls would be implemented in the place of encryption to protect ePHI from unauthorized access745
The Department does not propose to require that compensating controls be limited to technical controls Rather a regulated entity should consider the nature of the exception operating environment and other appropriate circumstances to determine what controls are reasonable and appropriate and implement compensating controls effective for those circumstances For example a regulated entity may use physical access controls such as physically limiting access to a device in combination with other controls to compensate for the absence of encryption
ppProposed paragraph b4iiA would require that if the regulated entity has determined that an exception applies it must secure ePHI by implementing reasonable and appropriate compensating controls that are reviewed and approved by the regulated entitys designated Security Official Because exceptions are a departure from the Security Rule framework the Department proposes to ensure appropriate focus and review by the Security Official of the controls chosen to compensate for the absence of encryptionppWith respect to the exception at proposed 45 CFR 164312b3ivC the Department proposes at paragraph b4iiB to presume that a regulated entity had implemented reasonable and appropriate compensating controls where the regulated entity has deployed the security measures prescribed and as instructed by the FDAauthorized label for the device This would include any updates including patches recommended or required by the manufacturer of the device The proposed language recognizes that while the devices label may not specifically require deployment of an encryption solution it may provide for a specific compensating control and the manner in which that control is to be implemented While not required a regulated entity would be permitted to implement additional alternative security measures and compensating controls in accordance with best practices andor its risk analysispp
Finally at proposed paragraph b4iiC the Department proposes to require that the regulated entitys Security Official review and document the implementation and effectiveness of the compensating controls during any period in which such compensating controls are in use to continue securing ePHI and relevant electronic
print page 971
information systems While regulated entities should review deployed compensating controls on a routine basis the Department proposes to require a regulated entity to periodically review the implementation and effectiveness of compensating controls to ensure the continued protection of ePHI746
For example if a regulated entitys plan to migrate ePHI from hardware that does not support encryption changes such that the use of the unencrypted hardware continues for a longer period of time the regulated entity should review implemented compensating controls to ensure ongoing effectiveness and whether new compensating controls should be deployed We propose to require the designated Security Office conduct such review at least once every 12 months or in response to environmental or operational changes whichever is more frequent Additionally the Department proposes to require that the review be documented in writing and signed If the regulated entitys Security Official review determines that certain compensating controls are no longer effective the Department expects that the regulated entity would adopt new compensating controls that are effective to continue to meet the applicable exception For example a regulated entity would be expected to update any compensating controls for use of an FDAauthorized medical device when and as instructed by the manufacturer of the device
ppWe also propose to add an implementation specification for maintenance at proposed 45 CFR 164312b5 Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technical controls required by the standard for encryption at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate This proposal is consistent with others in this NPRM that would require regulated entities to maintain specified administrative physical and technical safeguardspp
The Department believes that the failure to configure technical controls appropriately and to establish and maintain secure baselines for relevant electronic information systems and technology assets in its relevant electronic information systems presents an opportunity for cyberattack and compromise of ePHI747
Accordingly we propose to add a standard for configuration management at proposed 45 CFR 164312c1 The proposed standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and technology assets in its relevant electronic information systems including workstations in a consistent manner Under this proposal a regulated entity also would be required to establish a baseline
ie
minimum level of security for each relevant electronic information system and technology asset in its relevant electronic information systems and to maintain such information systems and technology assets according to those secure baselines Consistent with our proposals regarding risk analysis and risk management planning the Department intends for a regulated entity to establish its security baseline and to maintain that baseline even when technology changes For example a regulated entity that uses software to access ePHI would be required to update the software with patches as reasonable and appropriate But where a developer ceases to support a software it would be reasonable and appropriate for the regulated entity to take steps to either replace it or to otherwise ensure that its level of security remains consistent with the regulated entitys established baseline Under this proposal if finalized the Department would expect a regulated entity to continually monitor its relevant electronic information systems and technology assets in its relevant electronic information systems to ensure that the secure baselines established by the regulated entity are maintained and take appropriate actions when a relevant electronic information system or technology asset in a relevant electronic information system fails to meet the established baselines A regulated entitys secure baselines would be determined based on its risk analysis and use of security settings that are consistent across its relevant electronic information systems and technology assets in its relevant electronic information systems For example the risk analysis may determine that a manufacturers default settings for a particular technology asset are insufficient Accordingly the regulated entity may establish the baseline for settings that should be applied to the particular asset and similar technologies across the regulated entitys enterprise This proposed standard aligns with the Departments enhanced CPG for Configuration Management which calls for regulated entities to define secure device and system settings It also aligns with the enhanced CPG for Detect and Respond to Relevant Threats and Tactics Techniques and Procedures by calling for regulated entities to include malware protection in their security baseline to detect threats and protect electronic information systems748
Additionally the proposed standard also aligns with the Departments essential CPG for Email Security which addresses the reduction of risks from emailbased threats749
pp
The Department proposes five implementation specifications for the proposed standard for configuration management750
Under the proposed implementation specification for antimalware protection at proposed 45 CFR 164312c2i a regulated entity would be required to deploy technology assets andor technical controls that protect all of the technology assets in its relevant electronic information systems against malicious software such as viruses and ransomware Antimalware software especially when used in combination with other technical controls such as intrusion detectionprevention solutions can also help prevent detect and contain cyberattacks751
This protection would be applied to all of a regulated entitys technology assets in its relevant electronic information systems When determining how to fulfill this proposed obligation regulated entities may consider deploying tools such as antimalware and endpoint detection and response EDR solutions Antimalware tools generally scan a regulated entitys electronic information systems to
print page 972
identify malicious software752
Such tools may also quarantine malicious software if identified As explained by the Office of Management and Budget EDR combines realtime continuous monitoring and collection of endpoint data with rulesbased automated response and analysis capabilities 753
pp
We propose a new implementation specification for software removal at proposed 45 CFR 164312c2ii to require a regulated entity to remove extraneous software from the regulated entitys relevant electronic information systems Software is extraneous if it is unnecessary for the regulated entitys operations It can be a target for attack and older applications may no longer be supported with patches for new vulnerabilities754
Removal of unnecessary software reduces an avenue of attack The Department is not proposing to specify what would constitute necessary and unnecessary software Rather we intend that the regulated entity would consider removal of unwanted or unused software for example default software added by a computer manufacturer or reseller where such software may open an avenue for unnecessary risk because the regulated entity does not intend to use it Accordingly the proposal would require a regulated entity to consider all software on its relevant electronic information systems and any potential avenue of risk and address the risk through software removal where such software is unnecessary for the regulated entitys operations
pp
The proposed implementation specification for configuration at proposed 45 CFR 164312c2iii would require a regulated entity to configure and secure operating systems and software in a manner consistent with the regulated entitys risk analysis Generally a regulated entitys risk analysis should guide its implementation of appropriate technical controls to reduce the risk to ePHI755
Requiring operating systems and software to be maintained in a secure manner would reduce exploitable vulnerabilities756
Often known vulnerabilities can be mitigated by applying vendor patches or upgrading to a newer version757
pp
Under the proposed implementation specification for network ports at proposed 45 CFR 164312c2iv a regulated entity would be required to disable network ports in accordance with the regulated entitys risk analysis758
Successful ransomware deployment often depends on the exploitation of technical vulnerabilities such as unsecured ports759
The proposal to require network ports to be disabled in accordance with the risk analysis would reduce exploitable vulnerabilities760
ppLastly the proposed implementation specification for maintenance at proposed 45 CFR 164312c2v would expressly require a regulated entity to review and test the effectiveness of the technical controls required by the other implementation specifications associated with the standard for configuration management at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Audit controls are crucial technical safeguards that are useful for recording and examining activity in electronic information systems especially when determining whether a security violation occurred761
A regulated entity must consider its risk analysis and organizational factors such as current technical infrastructure hardware and software security capabilities to determine reasonable and appropriate audit controls762
However based on OCRs enforcement experience we believe that regulated entities understanding of and compliance with this standard could be improved by providing more specificity
pp
Accordingly the Department proposes to redesignate the standard for audit controls at 45 CFR 164312b as proposed 45 CFR 164312d1 rename it as the standard for audit trail and system log controls and to add a paragraph heading to clarify the organization of the regulatory text We also propose to modify it to require a regulated entity to deploy either or both technology assets and technical controls that record and identify activity in the regulated entitys relevant electronic information systems The proposal would replace procedural mechanisms with technical controls to match the general focus on technical controls in 45 CFR 164312 and would recognize that a regulated entity may be able to meet the requirements of the standard by deploying either or both technology assets
eg
software or technical controls Under the proposal a regulated entity would be required to collect sufficient information to understand what a specific activity in its relevant electronic information systems is such that the regulated entity would be better able to address activity that presents a risk to the confidentiality integrity or availability of ePHI For example a regulated entity should understand that a given activity in a relevant electronic information system is an attempt to access a portable workstation without authorization The proposal also would modify the limitation on the regulated entitys obligation to record and identify activity in its relevant electronic information systems Thus the proposal would require a regulated entity to record and identify any activity that could present a risk to ePHI meaning activity in all of its relevant electronic information systems not only in its electronic information systems that create receive maintain or transmit ePHI In so doing the Department would also require a regulated entity to record and identify activity in its electronic information systems that may affect the confidentiality integrity or availability of ePHI This redesignated standard as proposed aligns more closely with the Departments enhanced CPG for Centralized Log Collection by addressing the deployment of technical controls to record and identify activity in all electronic information systems763
Additionally as an example we note that adoption of health IT certified through the ONC Health IT Certification Program may contribute to a regulated entitys compliance with the proposed standard for audit trail and system log controls where such health IT meets the criteria for auditing actions on health information and recording actions related to electronic health information and audit log status764
pp
The Department proposes four implementation specifications under this proposed standard that are intended to improve the effectiveness of audit controls deployed by a regulated entity The proposed implementation specification for monitoring and identifying activity at proposed 45 CFR 164312d2i would require a regulated entity to deploy technology assets andor technical controls that monitor in realtime
ie
contemporaneously all activity occurring in a regulated entitys relevant electronic information systems and identify indications of unauthorized persons and unauthorized activity as determined by the regulated entitys risk analysis As proposed the technology assets andor technical controls also would be required to alert workforce members of such indications in accordance with the regulated entitys policies and procedures for information system activity review at proposed 45 CFR 164308a7 Unauthorized activity may include actions by technology assets or persons that have not been authorized to access the regulated entitys ePHI or relevant electronic information systems It may also include actions by authorized users or technology assets that are inconsistent with the regulated entitys policies and procedures for information access management at proposed 45 CFR 164308a10 The Department proposes that monitoring be continual and conducted in realtime because asynchronous review would allow for the compromise of ePHI for the period of time between the unauthorized activity and its discovery OCRs enforcement experience has shown that some regulated entities are potentially failing to implement appropriate audit controls or to review information system activity in a timely manner which may have contributed to a reportable breach765
pp
A regulated entity would be required under the proposed implementation specification for recording activity at proposed 45 CFR 164312d2ii to deploy technology assets andor technical controls that record in realtime all activity in the regulated entitys relevant electronic information systems766
While technical assets andor technical controls deployed in accordance with proposed 45 CFR 164312d2i would monitor activity in its relevant electronic information systems recording such activity would enable a regulated entity to assess any activity to better understand the activitys effects The proposed implementation specification at proposed 45 CFR 164312d2iii would require a regulated entity to deploy technology assets andor technical controls to retain records of all activity in its relevant electronic information systems as determined by the regulated entitys policies and procedures for information system activity review at 45 CFR 164308a7iiA The proposed implementation specification for scope of activity at proposed 45 CFR 164312d2iv would clarify what would constitute activity to be monitored and recorded in the regulated entitys relevant electronic information systems as required by the proposed implementation specifications at proposed 45 CFR 164312d2i and ii Specifically the Department proposes that such activities would include but would not be limited to creating accessing receiving transmitting modifying copying or deleting ePHI and creating accessing receiving transmitting modifying copying or deleting relevant electronic information systems and the information
ie
not only ePHI therein
ppWe also propose to add an implementation specification for maintenance at proposed 45 CFR 164312d2iv Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technology assets andor technical controls required by the respective implementation specifications of this section at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Improper alteration or destruction of ePHI even unintentionally can result in clinical quality problems including patient safety issues for a covered entity767
Workforce members or business associates may make accidental or intentional changes that improperly alter or destroy ePHI768
Data can also be altered or destroyed without human intervention such as by electronic media errors or failures769
It is important to protect ePHI from being compromised regardless of the source770
pp
The current standard for integrity at 45 CFR 164312c1 requires implementation of policies and procedures rather than actual deployment of technical controls to ensure integrity of ePHI To improve the effectiveness of this standard the Department proposes to redesignate it as proposed 45 CFR 164312e and modify it for clarity Under the proposal a regulated entity would be required to deploy technical controls to protect ePHI from improper alteration or destruction when at rest and in transit and to review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate For example the adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to verify that the electronically exchanged health information contained within the health IT has not been altered using a hashing algorithm that meets certain requirements may contribute to a regulated entitys compliance with the proposed standard for integrity771
The Department proposes to remove the implementation specification at 45 CFR 164312c2 because technical controls to corroborate that ePHI has not been altered or destroyed in an unauthorized manner are commonly built into hardware and protocols today Thus it is unnecessary to require a regulated entity to specifically deploy such controls
pp
Authentication ensures that a person is in fact who they claim to be before being allowed access to ePHI by providing proof of identity772
The Department proposes to redesignate the standard for person or entity authentication at 45 CFR 164312d as 45 CFR 164312f1 to rename it Authentication to reflect its broad purpose and to add a paragraph heading to clarify the organization of the regulatory text Additionally consistent with our proposals to define
print page 974
implement and deploy we propose to replace the requirement for a regulated entity to implement procedures with a requirement to deploy technical controls Also consistent with our proposals to clarify that a regulated entitys obligations to ensure the confidentiality integrity and availability extend to all of its relevant electronic information systems we propose to clarify that the regulated entity is to deploy technical controls to verify that a person seeking access to the regulated entitys relevant electronic information systems is the one claimed The Department also proposes to modify the existing standard to clarify that a regulated entity would be required to deploy technical controls to verify that a technology asset seeking access to the regulated entitys relevant electronic information systems is the one claimed Thus the proposed standard for authentication would require a regulated entity to deploy technical controls to verify that a person or technology asset seeking access to ePHI andor the regulated entitys relevant electronic information systems is in fact the person or technology asset that the person or asset claims to be We also propose to remove the reference to an entity because entity is included within the definition of person
pp
The Department proposes four implementation specifications under this standard Consistent with NCVHS recommendation to eliminate the use of default passwords the proposed implementation specification for information access management policies at proposed 45 CFR 164312f2i would require a regulated entity to deploy technical controls in accordance with its information access management policies and procedures including technical controls that require users to adopt unique passwords773
Among other things this proposal would ensure that regulated entities change default passwords Such unique passwords would be required to be consistent with current recommendations of authoritative sources The Department does not propose to define authoritative sources and defers to best practices for setting and maintaining passwords of sufficient strength to ensure the confidentiality integrity and availability of ePHI Under this proposal a regulated entity would need to require its workforce members to change any default passwords to unique passwords that are consistent with current authoritative source recommendations for unique passwords as well as prevent the sharing of passwords among workforce members Default passwords typically factoryset passwords may be discovered in common product documentation and used by attackers to gain access to relevant electronic information systems774
Thus the Department believes that it is crucial for the security of ePHI that a regulated entity eliminate the use of default passwords
pp
In addition to proposing the elimination of default passwords the Department proposes a specific requirement for a regulated entity to deploy MFA in the implementation specification for MFA at proposed 45 CFR 164312f2ii We propose to expressly require MFA as recommended by NCVHS because it increases security by ensuring that a compromise of a single credential does not allow access to unauthorized users775
MFA is an effective way to reduce the risk of brute force attacks and to increase the cost of such attack making such an attack less appealing to intruders776
Further deployment of MFA aligns with the Departments essential CPGs for Email Security and Multifactor Authentication because use of MFA would be applicable to email access and protect assets connected to the internet777
Accordingly proposed 45 CFR 164312f2iiA would require a regulated entity to deploy MFA to all technology assets in its relevant electronic information systems to verify that the person seeking access to its relevant electronic information system is the user that the person claims to be A regulated entity should deploy MFA to all technology assets in its relevant electronic information systems in a manner consistent with its risk analysis MFA allows for the use of different categories of factors as described earlier A decision by a regulated entity to use specific factors during specific circumstances where MFA is deployed will be dependent upon the risks to ePHI identified by the regulated entity and the ability of technology to use such factors to authenticate specific users For example certain behavioral characteristics may not satisfy current standards for MFA however the Department anticipates that it may be reasonable and appropriate in the future for a regulated entity to adopt a solution where users provide such characteristics as one of the factors Additionally a regulated entity may identify varying levels of risk posed by its technology assets and elect to deploy MFA in different ways to address the risk posed by each asset For example consistent with its risk analysis a regulated entity may choose to deploy a single signon SSO authentication solution using MFA to allow users to access multiple local applications while also requiring users to authenticate using MFA to access certain cloudbased services
pp
This proposed implementation specification generally is consistent with ASTPONCs Health Data Technology and Interoperability Patient Engagement Information Sharing and Public Health Interoperability HTI2 NPRMs proposed revisions to the MFA criterion requiring certified health IT to support authentication through multiple elements of the users identity according to todays standards such as those recommended by NIST and enable user to configure enable and disable the MFA capabilities778
Adoption of health IT that is certified through the ONC Health IT Certification Program as meeting the proposed MFA criterion should the proposal be finalized may contribute to a regulated entitys compliance with the proposed implementation specification for MFA in this NPRM
pp
Under proposed 45 CFR 164312f2iiB a regulated entity would be required to deploy MFA for any action that would change a users privileges to the regulated entitys relevant electronic information systems in a manner that would alter the users ability to affect the confidentiality integrity or availability of ePHI These modified privileges may provide a user with a level of access inconsistent with a regulated entitys policies and procedures and increase the risk to ePHI by affording a user who does not need to have access to certain systems or information the opportunity to remove security measures deployed to protect ePHI Because a user may affect the confidentiality integrity or availability of ePHI by accessing a relevant electronic information system a regulated entity would be expected to
print page 975
deploy MFA for changed privileges in both types of systems
ppSimilar to the proposed standard for encryption the Department proposes three exceptions at proposed 45 CFR 164312f2iii to the proposed specific requirement to implement MFA The first proposed exception at proposed 45 CFR 164312f2iiiA would be for a technology asset that does not support MFA but is currently in use by a regulated entity Because the requirements for authentication under the existing Security Rule today do not expressly refer to MFA a regulated entity that is not using MFA to meet the requirement to authenticate user identities may argue that it is in compliance with the authentication standard without using MFA The Department recognizes that it may take some time for a regulated entity to adopt compliant software or hardware and thus we propose an exception where such software or hardware does not support MFA To meet this exception a regulated entity would be required to establish a written plan to migrate ePHI to technology assets that supports MFA and to actually migrate the ePHI to such technology assets in accordance with the written plan Accordingly a regulated entity would be required to establish the plan implement the plan and actually migrate ePHI to technology assets that supports MFA within a reasonable and appropriate period of time For example it would not be reasonable and appropriate for a regulated entity to establish a plan to migrate to a new practice management system that supports MFA and fail to take any steps to perform the migration for an entire year Applying the standard flexibly and at scale a reasonable and appropriate timeframe for a system with 5000 users may be different than one for a solo practitioner however both entities would be expected to progress to completionpp
We recognize that emergencies or other occurrences may render it infeasible for a regulated entity to use MFA so we propose a second exception for when MFA is infeasible during an emergency or other occurrence that adversely affects the regulated entitys relevant electronic information systems or the confidentiality integrity or availability of ePHI779
For the proposed exception to apply a regulated entity would be required to implement reasonable and appropriate compensating controls in accordance with its contingency plan 780
and emergency access procedures781
For example if an optical scanner used by a regulated entity as one of the required factors for MFA is rendered inoperable
eg
is temporarily broken or adversely affected by a cyberattack a compensating control may be to temporarily allow users to log in with their user name and a unique password rather than with a PIN and retinal scan The Department would make this proposed exception applicable only for the limited period of time in which MFA is infeasible for the regulated entity during the emergency or other occurrence regardless of whether the emergency or other occurrence continues
pp
At proposed 45 CFR 164312f2iiiC we propose three exceptions that would be for a technology asset in use that is a device within the meaning of section 201h of the Food Drug and Cosmetic Act that has been authorized for marketing by the FDA The first would be for a device authorized by the FDA for marketing pursuant to a submission received before March 29 2023 while the second would be for a device authorized by the FDA for marketing pursuant to a submission received on or after March 29 2023 that is no longer supported by its manufacturer In both cases the exception would only apply where the regulated entity has deployed any updates or patches required or recommended by the manufacturer of the device Similar to our proposal for exceptions to encryption at proposed 45 CFR 164312b3ivA and B we recognize that some regulated entities may incur costs of replacing legacy devices because of the limitations on the proposed exception to MFA where a device was submitted to the FDA for authorization before March 29 2023 or a device submitted for authorization on or after that date that is no longer supported by its manufacturer782
However as discussed above such devices can pose significant risks to the confidentiality integrity and availability of ePHI783
By limiting these exceptions to devices that have been updated andor patched while they were supported by their manufacturer we believe that this proposal would balance the interest in encouraging regulated entities to dispense with legacy devices with the cost of replacing such devices Additionally the Department believes that regulated entities should already have plans to replace legacy devices that cannot be made cybersecure because of their existing Security Rule obligations As discussed above we also recognize that at some point most if not all devices will likely become legacy devices and that there may be legitimate reasons not to immediately replace them when the manufacturer ceases to provide support In such cases it will continue to be important for regulated entities to plan for how to address their ongoing Security Rule obligations
pp
The third proposed exception to MFA at 45 CFR 164312f2iiiC
3
for devices authorized by the FDA for marketing would be available for those devices authorized for marketing by the FDA pursuant to a submission received on or after March 29 2023 where they are supported by their manufacturer We understand that the FDA considers security during the review of medical device marketing submissions and works with device manufacturers to ensure that appropriate cybersecurity protections are built into such devices pursuant to FDAs authority under the Consolidated Appropriations Act 2023784
Thus we do not believe it would be necessary or appropriate for the Security Rule to require MFA for an FDAauthorized medical device that has been authorized by FDA for marketing pursuant to a submission received on or after March 29 2023 where the device continues to be supported by its manufacturer However these devices may continue to be used by a regulated entity when they are no longer supported consistent with the proposed exception for legacy devices that were approved pursuant to a submission received on or after March 29 2023 as described above
pp
Where a proposed exception would apply to the proposed MFA requirement the Department proposes to require that a regulated entity implement alternative measures and compensating controls785
Specifically when a regulated entity seeks to comply with the Security Rule by meeting one of the proposed exceptions to the proposed MFA requirement the Department proposes to require a regulated entity to document both the existence of the criteria demonstrating that the proposed exception would apply and the rationale for why the proposed exception would apply
print page 976
Additionally the proposal would require a regulated entity to implement reasonable and appropriate compensating controls as described at proposed paragraph f2ivB
pp
The proposed requirements for reasonable and appropriate compensating controls are explained under proposed 45 CFR 164312f2ivB Compensating controls are implemented in the place of MFA to protect ePHI786
The Department does not propose to require that compensating controls be technical controls Rather a regulated entity should consider the nature of the exception operating environment and other appropriate circumstances to determine what controls are reasonable and appropriate and implement compensating controls effective for those circumstances For example if a software program does not support MFA deploying a firewall or increasing the sensitivity of an existing firewall protecting that software may in some circumstances constitute a reasonable and appropriate compensating control787
In some instances physical safeguards may serve as reasonable and appropriate compensating controls For example limiting access to certain components of a relevant electronic information system to workforce members who meet certain requirements may be a reasonable and appropriate compensating control under some circumstances In most cases it would be reasonable and appropriate for a regulated entity to implement multiple compensating controls to ensure that the affected electronic information system is secured
pp
The Department proposes at proposed 45 CFR 164312f2ivB
1 that to comply with an exception at paragraph f2iiiA or B or f2iiiC
1 or
2 the regulated entity would be required to secure the relevant electronic information system with reasonable and appropriate compensating controls that have been reviewed approved and signed by the regulated entitys Security Official Because exceptions are a departure from the designed Security Rule framework the Department intends to ensure appropriate review by the Security Official of controls selected by the regulated entity to compensate for the absence of MFA Merely because a regulated entitys Security Official has reviewed approved and signed off on compensating controls does not mean that those controls are effective The regulated entity would also be required to give due consideration to the circumstances surrounding the exception and implement compensating controls effective for those specific circumstances
pp
With respect to the exception at proposed 45 CFR 164312f2iiiC
3 the Department proposes at proposed 45 CFR 164312f2ivB
2 to presume that a regulated entity had implemented reasonable and appropriate compensating controls where the regulated entity has implemented the security measures prescribed and as instructed by the FDAauthorized label for the device The proposed language recognizes that while the devices label may not specifically require deployment of an MFA solution it may provide for a specific compensating control and the manner in which that control is to be implemented This would include any updates such as patches recommended or required by the manufacturer of the device While not required a regulated entity would be permitted to implement additional alternative security measures and compensating controls in accordance with best practices andor its risk analysis
pp
Additionally the Department proposes at 45 CFR 164312f2ivB
3
that during any period in which compensating controls are in use the regulated entitys Security Official would be required to review the effectiveness of the compensating controls at securing its relevant electronic information systems While regulated entities should review implemented compensating controls on a routine basis the Department intends for a regulated entity to periodically review the implementation and effectiveness of implemented compensating controls to ensure the continued protection of ePHI788
For example if a regulated entitys plan to migrate ePHI from hardware that does not support MFA changes such that the use of the nonMFA hardware continues for a longer period of time the regulated entity should review implemented compensating controls to ensure ongoing effectiveness and whether new compensating controls should be implemented We are proposing to require that the review be conducted at least once every 12 months or in response to an environmental or operational change whichever is more frequent and that the review be documented Additionally the Department proposes to require that the review be documented If the regulated entitys Security Official review determines that certain compensating controls are no longer effective the Department would expect the regulated entity to adopt other compensating controls that are effective to continue to meet the applicable proposed exception
ppAs an example of how proposed 45 CFR 164312f2iii would operate in concert with proposed 45 CFR 164312f2iv a regulated entity experiencing an emergency that adversely affects a relevant electronic information system and renders MFA infeasible would be required to document the followingpp
As part of its documentation a regulated entity would need to include the controls that have been deployed a record of the fact that the compensating controls are in use and a record indicating that the compensating controls have been reviewed and approved by the regulated entitys Security Official Proposed 45 CFR 164312f2ivB
3 would require the Security Official to review and document the effectiveness of the compensating controls at least once every 12 months or in response to an environmental or operational change whichever is more frequent A determination regarding the effectiveness of the technical controls would be based on their ability to secure the regulated entitys ePHI and its relevant electronic information systems
pp
Last we propose to add an implementation specification for maintenance at proposed 45 CFR 164312f2v Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technical controls required by this standard at least once every 12 months or in response to
print page 977
environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
Transmission security protects against the interception of ePHI in the communications networks used by regulated entities to transmit ePHI789
The Department proposes to redesignate the standard for transmission security as proposed 45 CFR 164312g and to modify the standard consistent with other proposals made elsewhere in this NPRM as described below Specifically we propose to clarify the existing standard by requiring a regulated entity to deploy technical controls to guard against unauthorized access to ePHI in transmission over an electronic communications network For example adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to establish a trusted connection using encrypted and integrity message protection or a trusted connection for transport and deploying such capability may contribute to a regulated entitys compliance with the proposed standard for transmission security790
These proposed changes are consistent with the Departments proposals to replace implement with deploy in the context of technical safeguards to differentiate between implementation of a written policy or procedure and deployment of technical controls
ppConsistent with our proposals to require that regulated entities maintain their technical controls we also propose to require a regulated entity to review and test the effectiveness of its technical controls for guarding against unauthorized access to ePHI that is being transmitted over an electronic communications network We propose that such review and testing occur at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify such technical controls as reasonable and appropriatepp
The Department also proposes to remove the implementation specification for integrity controls at 45 CFR 164312e2i because these requirements are incorporated in the standard for integrity at proposed 45 CFR 164312e discussed above A regulated entity would continue to be required to review the current methods used to transmit ePHI and then deploy appropriate solutions to protect ePHI from improper alteration or destruction791
pp
Hackers can penetrate a regulated entitys network and gain access to ePHI by exploiting publicly known vulnerabilities792
Exploitable vulnerabilities can exist in many parts of the technology infrastructure of a regulated entitys relevant electronic information systems
eg
server desktop and mobile device operating systems application database and web software router firewall and other device firmware793
A regulated entity can identify technical vulnerabilities in multiple complementary ways including
pp
Additionally CISA has compiled a database of free cybersecurity services and tools some provided directly by CISA and others provided by private and public sector organizations797
For example public and private critical infrastructure organizations may avail themselves of CISAs Cyber Hygiene Services798
These services are available at no cost to such organizations and can help regulated entities reduce their risk level identify vulnerabilities that could otherwise go unmanaged and increase the accuracy and effectiveness of their response activities among other benefits putting them in a better place to make riskinformed decisions CISAs Cyber Hygiene Services include both vulnerability scanning and web application scanning CISA also has compiled a specific suite of tools and services for highrisk communities799
pp
To address the potential for a bad actor to exploit publicly known vulnerabilities and consistent with NCVHS recommendation the Department proposes to add a new standard for vulnerability management at 45 CFR 164312h1800
The proposed standard would require a regulated entity to deploy technical controls to identify and address technical vulnerabilities in the regulated entitys relevant electronic information systems The deployment of technical controls should be consistent with the regulated entitys patch management policies and procedures at proposed 45 CFR 164308a4 This proposed standard aligns with the Departments enhanced CPGs for Cybersecurity Testing and Third Party Vulnerability Disclosure by calling for regulated entities to employ multiple processes to discover technical vulnerabilities including vulnerabilities in workstations and in technology assets provided by vendors and service providers801
For example a regulated entity should include a device owned by a person other than the regulated entity
eg
the medical device manufacturer in its vulnerability management activities where the device is deployed on the regulated entitys network The regulated entity should also include all workstations
eg
desktop computers mobile devices that are part of its relevant electronic information systems in its vulnerability management activities
pp
To implement this proposed standard we propose four implementation specifications Proposed 45 CFR 164312h2iA would require a regulated entity to conduct automated scans of the regulated entitys relevant electronic information systems including all of the components of such relevant electronic information systems
eg
workstations private networks to identify technical vulnerabilities Vulnerability scans detect vulnerabilities such as obsolete software
print page 978
and missing patches802
Once identified assessed and prioritized appropriate measures need to be implemented to mitigate these vulnerabilities
eg
apply patches harden systems retire equipment803
Under the proposal the scans would be required to be conducted in accordance with the regulated entitys risk analysis under proposed 45 CFR 164308a2 and no less frequently than once every six months
ppRelatedly proposed 45 CFR 164312h2iB would add an implementation specification for maintenance of the technology assets that conduct the required automated vulnerability scans Under this proposal a regulated entity would be expressly required to review and test the effectiveness of the technology assets that conducts the automated vulnerability scans that would be required by the proposed implementation specification at proposed 45 CFR 164312h2iA at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
Identification of a known vulnerability in a relevant electronic information system or a component thereof is a necessary precursor for a regulated entity to take action to mitigate the vulnerability A 2019 study on vulnerability and patch management found that 48 percent of respondents reported that their organizations had at least one breach in the preceding two years Of those 60 percent said that the breaches could have occurred because an available patch for a known vulnerability had not been applied804
pp
Accordingly the Department also proposes a new implementation specification for monitoring at proposed 45 CFR 164312h2ii to require that a regulated entity monitor authoritative sources for known vulnerabilities on an ongoing basis and take action to remediate identified vulnerabilities in accordance with the regulated entitys patch management program805
The Department expects such monitoring to be conducted on an ongoing basis and is not proposing to specify a minimum time interval for reviewing sources We are also not proposing to prescribe the specific sources of known vulnerabilities because such sources may change over time and the vulnerabilities for which regulated entities may be monitoring may vary greatly among regulated entities We propose to require that the sources used must be authoritative Examples of authoritative sources of known vulnerabilities would include NISTs National Vulnerability Database 806
and CISAs Known Exploited Vulnerabilities Catalog807
pp
The proposed implementation specification for penetration testing at 45 CFR 164312h2iii would require a regulated entity to conduct periodic testing of the regulated entitys relevant electronic information systems for vulnerabilities commonly referred to as penetration testing Penetration tests identify vulnerabilities in the security features of an application system or network by mimicking realworld attacks 808
and are an effective way to identify weaknesses that could be exploited by an attacker809
The proposal would require such testing to be conducted by qualified persons We propose to describe a qualified person as a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI We believe that within the cybersecurity industry it is understood that a person who is qualified to conduct such penetration testing is an individual who has a combination of one or more qualifying credentials skills or experiences to perform ethical hacking or offensive security of information systems The proposal would require a regulated entity to conduct such testing at least once every 12 months or in accordance with the regulated entitys risk analysis810
whichever is more frequent
pp
Lastly we are proposing a new implementation specification for patch and update installation at 45 CFR 164312h2iv to require a regulated entity to configure and implement technical controls to install software patches and critical updates in a timely manner in accordance with the regulated entitys patch management program811
The proposed standard for patch management an administrative safeguard discussed above would require a regulated entity to establish and implement written policies and procedures for applying patches and updating relevant electronic information system configurations while this proposal would require the regulated entity to implement technical controls to implement those written policies and procedures In other words proposed 45 CFR 164312h2iv addresses the technical controls to effectuate a regulated entitys patch management plan Applying patches for technology assets including workstations is an effective mechanism to mitigate known vulnerabilities and limit the risk of exploitation812
Although older applications or devices may no longer be supported with patches for new vulnerabilities regulated entities still must take appropriate action if a newly discovered vulnerability affects an older application or device If an obsolete unsupported system cannot be upgraded or replaced additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur
eg
increase access restrictions remove or restrict network access disable unnecessary features or services813
Deployment of such technical controls would help to ensure that a regulated entitys relevant electronic information systems are updated as quickly as possible after a vulnerability has been identified and a patch released
pp
The proposed standard for patch management discussed above would work in tandem with the proposed standard for vulnerability management to ensure that regulated entities substantially reduce the risk to ePHI from known vulnerabilities814
Together these proposals would clarify that a regulated entity is required to affirmatively seek out information about known vulnerabilities assess the risks to the confidentiality integrity and availability of ePHI and implement effective mechanisms through both policies and procedures and technical controls to reduce the risk as well the actual occurrence of breaches resulting from known vulnerabilities For example known vulnerabilities should be readily identified by a regulated entity through monitoring of
print page 979
authoritative sources for known vulnerabilities such as those referenced above and remediating any identified vulnerabilities When a vulnerability is discovered a regulated entity through its patch management program should have in place a policy and procedure for applying any available patches or implementing reasonable and appropriate compensating controls if a patch is not available Remediation may be as simple as applying a vendoroffered software patch or in the case of software no longer supported by a vendor designing and implementing reasonable and appropriate compensating controls to reduce the risk of the vulnerability The policies and procedures required by the proposed standard for patch management in proposed 45 CFR 164308a4i also would be implemented in part by the proposed implementation specifications associated with the proposed standard for vulnerability management Those proposed implementation specifications would require the deployment of technical controls to ensure the patch management program is carried out automated vulnerability scans and penetration testing all of which may identify when a patch or compensating control has not been put in place The Department envisions that the full implementation of all of the proposed standards and implementation specifications would effectively reduce the risk to ePHI
pp
The Security Rule requires regulated entities to regularly create copies of ePHI to ensure that it can be restored in the event of a loss or disruption815
However OCRs enforcement experience indicates that regulated entities could benefit from a more specific standard Consistent with the proposed standard for contingency planning at 45 CFR 164308a13iiB the Department proposes to add a standard for a new technical safeguard for data backup and recovery This new standard would require a regulated entity to deploy technical controls to create and maintain exact retrievable copies of ePHI The proposed changes would remove the existing implementation specification for this activity from the physical safeguards section and place it within technical safeguards The Department also proposes to modify the language of the existing requirement by removing the limitation that it applies before moving equipment so that it applies broadly and comprehensively Elevating data backup and recovery to a standard would also increase the prominence of this requirement and highlight the liability of regulated entities for creating the capacity to restore systems after a data breach
ppThe Department proposes four new implementation specifications for the data backup and recovery standard The first 45 CFR 164312i2i would require a regulated entity to create copies of ePHI in a manner that ensures that such copies are no more than 48 hours older than the ePHI maintained in the regulated entitys relevant electronic information systems and in accordance with the policies and procedures required by proposed 45 CFR 164308a13iiB The second 45 CFR 164312i2ii would require a regulated entity to deploy technical controls that in realtime monitor and alert workforce members about any failures and error conditions of the backups required by the first implementation specification The third 45 CFR 164312i2iii would require a regulated entity to deploy technical controls that record the success failure and any error conditions of backups required The fourth 45 CFR 164312i2iv would require a regulated entity to test the effectiveness of its backups and document the results at least monthly Specifically a regulated entity would be required to restore a representative sample of backed up ePHI after the ePHI is backed up as required by paragraph i2i and document the results of such test restorations at least monthly Such tests should include verifying regulated entitys ability to access ePHI from a remote locationpp
These activities are included in NIST guidance for Security Rule compliance816
which directs regulated entities to consider the following questions Is the frequency of backups appropriate for the environment Are backup logs reviewed and data restoration tests conducted to ensure the integrity of data backups Is at least one copy of the data backup stored offline to protect against corruption due to ransomware or other similar attacks The potential need for these requirements also has been indicated through the rising number of ransomware attacks and the high number of individuals affected in such incidents The Department believes these new implementation specifications if finalized would provide additional instruction for regulated entities about conducting data backups and enhance the ability of regulated entities to avoid costly work stoppages and interruptions in the delivery of health care when data becomes unavailable because of a disaster security incident or other emergency We believe enhanced measures for data backup would reduce the need to pay ransom to hackers to recover compromised data
ppThe Department also proposes to add a new standard for backup and recovery of relevant electronic information systems at proposed 45 CFR 164312j This proposed standard would require a regulated entity to deploy technical controls to create and maintain backups of relevant electronic information systems It would also require a regulated entity to review and test the effectiveness of such technical controls at least once every six months or in response to environmental or operational changes whichever is more frequent and modify them as reasonable and appropriate The Department would not require a regulated entity to test every relevant electronic information system rather the requirement to test the effectiveness of the controls would permit a regulated entity to review the relevant log files and to test a representative sample of the backup of its relevant electronic information systemspp
This proposed standard would reduce potential gaps in the data that needs to be backed up and recovered to ensure that regulated entities address compliance across relevant electronic information systems It is crucial to a regulated entitys recovery from an emergency or other occurrence including a security incident that adversely affects its relevant electronic information systems to create and maintain backups of such information systems that comprise the infrastructure that maintains and supports the confidentiality integrity and availability of ePHI The Department would expect that the extent of this activity would be affected by the size and complexity of the relevant electronic information systems used by a regulated entity It is also consistent with NIST guidance which directs regulated entities to consider whether backups or images of operating systems devices software and configuration files necessary to support the
print page 980
confidentiality integrity and availability of ePHI817
ppThe Department requests comments on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether there are additional technical safeguards that the Department should require regulated entities to implementppb Whether there are additional implementation specifications that should be adopted for any of the proposed or existing technical safeguardsppc Whether the Department should extend the standard for encryption and decryption and associated implementation specifications to require encryption of all relevant electronic information systemsppd Whether there should be exceptions to any of the proposed or existing technical safeguards or related implementation specifications in addition to those proposed for encryption and decryption and MFA For example are there any proposed or existing standards or implementation specifications with which small or rural regulated entities would have substantial difficulty complying If so please explain the type of regulated entities that would be adversely affected by the requirement the nature of the compliance difficulty and any alternative or compensating measures that such entities are implementing now or could implement in the event of such requirement to address the risk to ePHI posed by the specific standard or implementation specificationppe Whether the exceptions the Department has proposed to the standard for encryption or decryption are appropriate If not please explainppf Data about the frequency and number of requests regulated entities receive pursuant to the individual right of access at 45 CFR 164524 where an individual requests that the regulated entity transmit to the individual or a third party a copy of the individuals ePHI via unencrypted email or other unencrypted messaging technologies Please confirm that these are requests made pursuant to the individual right of access rather than other types of communications such as appointment reminders or requests made pursuant to a valid authorizationppg Whether the Department should provide any additional exceptions to standard for encryption or decryption If so please explainpph Whether there are additional criteria or parameters for encryption that regulated entities would find helpful If yes please explain and provide examplesppi Whether the Department should require review of compensating controls implemented to comply with an exception to the encryption and decryption standard more frequently than once every 12 months where there are no environmental or operational changespp
j With respect to the exception to the standard for encryption and decryption for certain requests made pursuant to the individual right of access whether there are forms and formats the Department should include or exclude from the exception
eg
portable document format PDF If so please explain
ppk Resources that regulated entities have identified to help inform individuals about the risks associated with the unencrypted transmission of ePHI and whether the Department should compile and publish a list of such resourcesppl Whether the Department should define in regulation or guidance what constitutes a prevailing cryptographic standard If so please explainppm Whether the Department should specify the deployment of a particular form or manner of encryption such as the use of particular algorithms protocols or compliance standards If so please explainppn Whether the Department should specify how much time regulated entities have to implement encryption for technology assets that do not support encryption If so please explainppo Whether the Department should provide more detailed requirements for network segmentation such as the types of technologies that should be segmented and how to determine whether certain technologies should be segmented If so please explainppp Whether the exceptions the Department has proposed to the implementation specification for MFA are appropriate If not please explainppq Whether the Department should provide additional exceptions to the implementation specification for MFA If so please explainppr Whether the Department should require a regulated entity to review its compensating controls adopted to comply with the exceptions to the implementation specification for MFA more frequently than once every 12 monthspps The costs and burdens for regulated entities to implement MFAppt Whether the Department should require regulated entities to deploy an endpoint detection and response EDR security information and event management SIEM or other specific solutionppu Whether once every six months is the appropriate frequency for the automated vulnerability scans required under the implementation specification for vulnerability management If not please explainppv Whether the Department should define in regulation or guidance what constitutes an authoritative source of known vulnerabilities If so please explainppw Whether once every 12 months is the appropriate frequency for the penetration testing required under the implementation specification for vulnerability management If not please explainppx For regulated entities that have conducted penetration tests the amount of time and costs of such testspp
The first standard in 45 CFR 164314 contains the requirements for business associate agreements and other arrangements The associated implementation specifications at 45 CFR 164314a2 require that a business associate agreement include provisions compelling a business associate to do all of the following 1 comply with the requirements of the Security Rule 818
2 ensure that any subcontractors that create receive maintain or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of the Security Rule by also entering into a business associate agreement 819
and 3 report to the covered entity any security incident of which it becomes aware including breaches of unsecured PHI as required by the Breach Notification Rule820
pp
Under 45 CFR 164314a2ii a covered entity that is a governmental entity is in compliance with the requirements of this section if it has in place an arrangement with a business associate that is also a governmental entity where the arrangement meets the
print page 981
analogous requirements of the Privacy Rule at 45 CFR 164504e3821
ppAdditionally 45 CFR 164314a2iii requires that a business associate and its subcontractor enter into a business associate agreement that meets the same requirements as those that apply to a business associate agreement between a covered entity and business associatepp
As described above a business associate agreement must include a provision that requires a business associate to report to the covered entity any known security incident The term security incident includes both attempted and successful unauthorized events in an information system822
The Security Rule does not prescribe the timing and frequency with which a business associate reports a security incident to the covered entity or subcontractor to a business associate823
Instead regulated entities may determine the appropriate timing and frequency as part of their business associate agreement consistent with the requirements of the Breach Notification Rule824
pp
Depending on the size of the regulated entity the number of security incidents it experiences may vary ranging from the occasional incident experienced by a small regulated entity to more than 1000 per hour for a large regulated entity825
Given that such incidents may have little to no effect if the regulated entitys electronic information systems are able to deter it it may not be necessary for a business associate to report the security incidents immediately to a covered entity or a subcontractor to a business associate
pp
Additionally as discussed above regulated entities are required to establish and implement as needed a contingency plan 826
that includes the policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI Such emergencies or other occurrences could include a fire vandalism system failure or a natural disaster827
The Department believes that in some instances a security incident would also be an emergency or other occurrence that could require a regulated entity to activate its contingency plan828
As the Department previously explained a contingency plan is the only way to protect the confidentiality integrity and availability of ePHI during unexpected events that may expose ePHI because the usual security measures may be disabled ignored or not observed829
pp
In recent years there has been an increase in the number and types of emergencies or other occurrences that cause damage to systems that contain ePHI and may require a regulated entity to activate its contingency plan For example we have experienced an increase in extreme weather events over the last 40 years as a result of the changing climate830
Additionally as discussed in greater detail above there has been a significant increase in the number of breaches of unsecured PHI reported to the Department over the last five years831
And increasingly ePHI is created received maintained and transmitted using cloudbased software that may be located in a remote location which means that covered entities more frequently rely on business associates to access ePHI832
Not only could the covered entitys ability to access ePHI or the relevant electronic information systems of the business associate that are affected by such an event but the incident could also have repercussions for the covered entitys ePHI or its relevant electronic information systems For example a business associates relevant electronic information systems may become infected with malicious software that spreads across devices connected to a network
eg
the NotPetya malware833
If the covered entity is also connected to the same network providing prompt notice to the covered entity of the security incident and activation of its contingency plan could enable the covered entity to prevent or mitigate damage to the covered entitys relevant electronic information systems
pp
When considered altogether these developments mean that a regulated entity is more likely to experience an emergency or other occurrence that damages systems that contain ePHI than it was in either 2003 834
or 2013835
Unfortunately based on the Departments experience neither the increased risk nor the Security Rules requirement that a business associate notify a covered entity or that a subcontractor notify a business associate of any security incident including breaches of unsecured PHI has been sufficient to encourage prompt notifications by a business associate to the covered entity or of a subcontractor to a business associate that its ability to
print page 982
access ePHI or the electronic information systems that create receive maintain or transmit ePHI may be affected This lack of prompt notification delays a covered entity or business associate from responding and protecting its ePHI and electronic information systems accordingly
pp
To address these risk trends and deficiencies in protections the Department proposes to add an implementation specification at proposed 45 CFR 164314a2iD that would require a business associate agreement to include a provision for a business associate to report to the covered entity activation of its contingency plan that would be required under 45 CFR 164308a13 without unreasonable delay but no later than 24 hours after activation836
This proposal if finalized would not alter the business associates breach reporting obligations under the Breach Notification Rule837
The Department believes that it is necessary to notify the covered entity in a timely manner of the contingency plan activation because of the downstream implications for such activation Receiving such prompt notice could enable the covered entity to take the necessary steps to protect its own relevant electronic information systems as well as to implement its own contingency plan if necessary and appropriate
eg
enable the covered entity to access a remote or offline backup of its ePHI if necessary to ensure that patient care is unaffectedor to reduce the effect on patient care as much as possible For example in 2020 a software company was the target of an attack that used software containing malware to infiltrate the electronic information systems of subsequent users of the software This allowed cybercriminals to gain access to several government systems and thousands of private systems worldwide838
Requiring a business associate to provide prompt notice to the covered entity when the business associate activates its contingency plan could enable regulated entities to maintain individuals confidence in their commitment to protecting the confidentiality integrity and availability of ePHI in the event of an emergency or other occurrence that adversely affects relevant electronic information systems839
Additionally the modified standard would align with the enhanced CPG for Third Party Incident Reporting because this proposal would require a business associate to both report to a covered entity or another business associate activation of its contingency plan within 24 hours of such activation and report known or suspected security incidents840
pp
As discussed above the Department proposes to require a regulated entity to activate its contingency plan to respond to an emergency or other occurrence that adversely affects relevant electronic information systems841
The Department believes that regulated entities activate their contingency plans infrequently because such plans are only activated when there is an emergency or other occurrence that rises to a level beyond a security incident that is thwarted or other event that does not adversely affect the confidentiality integrity or availability of ePHI Thus the need to make the proposed notification would also arise infrequently
pp
For example a business associate may not be required to notify a covered entity within a certain time after a relevant electronic information system receives a basic internet command such as a ping842
which happens frequently This is because a ping in and of itself generally does not adversely affect relevant electronic information systems when it is blocked by firewall policies and thus does not require activation of the regulated entitys contingency plan Instead the business associate would be required to provide such notice in instances where internet commands received by the business associate indicate potential malicious activity such as a denial of service attack leading to activation of its contingency plan because of an event that adversely affects the business associates relevant electronic information systems that create receive maintain or transmit ePHI or adversely affects the confidentiality integrity or availability of its ePHI However in both such instances a business associate would still be required to provide notice to the covered entity of the ping as a security incident in accordance with the business associate agreement843
ppThe proposal itself would only require that the business associate notify the covered entity of its activation of the contingency plan it does not include any specific requirements with respect to the form content or manner of the notice Instead we propose to permit the covered entity and business associate to negotiate such terms and include them in their business associate agreement if they so choosepp
We recognize that when such an emergency or other occurrence transpires the focus of the affected regulated entity must be on activating its contingency plan and restoring access to ePHI and the affected relevant electronic information systems Similarly when the contingency plan activation is in response to a successful security incident844
it may take some time to investigate and determine the cause of the security incident Thus this proposal would not require reporting on the cause of the contingency plan activation it would require reporting solely on the fact that it has activated the plan Accordingly we believe that 24 hours would provide a business associate with sufficient time to do all of the following determine that there is an emergency or other occurrence adversely affecting the business associates relevant electronic information systems determine that it needs to activate its contingency plan identify any covered entities that need to be notified and notify such covered entities
pp
This proposed requirement to provide notice without unreasonable delay but no later than 24 hours after a
print page 983
contingency plan is activated would also apply when a business associate that is a governmental entity enters into an arrangement with a covered entity that is also a governmental entity where such arrangement meets the requirements of the Privacy Rule at 45 CFR 164504e3 in accordance with 45 CFR 164314a2ii and when a business associate enters into a business associate agreement with a subcontractor in accordance with 45 CFR 164314a2iii to notify its business associate when it has activated its contingency plan
ppAdditionally the Department proposes conforming changes to the references of 45 CFR 164308b throughout 45 CFR 164314 consistent with proposals made to modify 45 CFR 164308b The Department does not intend these to be substantive changes but rather an alignment with the proposed structural modifications in 45 CFR 164308bppAs discussed above the Department proposes to remove the term required from the implementation specification at 45 CFR 164314a2 consistent with its proposal to eliminate the distinction between addressable and required implementation specifications We also propose a few miscellaneous nonsubstantive corrections to update citations in the standard at 45 CFR 164314a1i and a2iii We do not believe that these technical amendments would add or change any regulatory recordkeeping or reporting requirements nor would they change the Departments interpretation of any regulationpp
The second standard in 45 CFR 164314 requires that except when ePHI disclosed to a plan sponsor is summary health information 845
or enrollment or disenrollment information846
group health plan 847
documents must provide that the plan sponsor will reasonably and appropriately safeguard ePHI created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan Section 164314b2 requires that the plan documents of a group health plan must be amended to incorporate provisions to require the plan sponsor to
pp
Plan sponsors are not directly liable for compliance with the Security Rule because they are not regulated entities
ie
covered entities or business associates under HIPAA Therefore plan sponsors obligations to apply safeguards to ensure the confidentiality integrity and availability of ePHI are limited to the requirements set forth in the plan documents of its group health plan While 45 CFR 164314b generally requires that plan documents call for the implementation of Security Rulelike safeguards the current provision does not specifically require the group health plan to require the plan sponsor or any agent to whom it provides ePHI to comply with the requirements of the Security Rule Given the concerns we have regarding Security Rule compliance generally by regulated entities the Department is also concerned that group health plans have not sufficiently ensured that plan documents require that plan sponsors reasonably and appropriately safeguard ePHI created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan Additionally the Department is concerned that group health plans may not be monitoring plan sponsors to ensure that ePHI is disclosed to a plan sponsor only if the plan sponsor voluntarily agrees to use and disclose the information only as permitted or required by the regulations853
pp
Plan sponsors may perform certain functions that are integrally related to or similar to the administrative functions of group health plans and in carrying out these functions need access to ePHI held by the group health plan For example plan sponsors may perform plan administration functions on behalf of the group health plan which are specified in plan documents The increase in cybercrime and other emergencies adversely affecting electronic information systems is not limited to regulated entities or to the health care sector plan sponsors are experiencing similar increases in events that require the activation of contingency plans854
And plan sponsors may not be reasonably and appropriately protecting the confidentiality integrity and availability of ePHI absent an express requirement that plan documents obligate a plan sponsor to implement the security measures in the Security Rule Additionally regulated entities may not have the ability to determine whether alternate security measures will accomplish the same result because they do not have access to the information systems of plan sponsors nor would it be appropriate for them to have such access
ppAdditionally the Department believes that prompt notification by a plan sponsor to the group health plan that the ability of the plan sponsor or the group health plan to access ePHI or relevant electronic information systems may be affected by a security incident is important for the same reasons discussed above in 45 CFR 164314a This lack of prompt notification delays a group health plan from responding and protecting its ePHI and relevant electronic information systems accordinglypp
The Department proposes to modify the implementation specifications at 45 CFR 164314b2i through iii to address concerns that group health plans may not recognize that reasonable and appropriate safeguarding of ePHI requires the implementation of security measures that are the same as or at least equivalent to the security measures in the Security Rule First we propose to rename the implementation specifications as Safeguard implementation Separation and
print page 984
Agents respectively We also propose to modify all three implementation specifications to require that plan documents of the group health plan would obligate a plan sponsor or any agent to whom it provides ePHI to implement the administrative physical and technical safeguards of the Security Rule The Department recognizes that plan sponsors may need access to ePHI in certain situations such as when they perform functions that are integrally related to or similar to those performed by group health plans and we believe that such information must be protected by plan sponsors in the same manner in which it is protected by group health plans and other regulated entities855
pp
The security measures we are proposing in this NPRM are consistent with the CISA CrossSector CPGs856
and thus should be consistent with measures plan sponsors are implementing to protect their own electronic information systems regardless of the obligations imposed on them by plan documents For example the Department seeks to ensure that plan sponsors are implementing administrative safeguards such as performing a risk analysis857
to protect the confidentiality integrity and availability of all ePHI in its information systems documenting required policies and procedures and documenting implementation of such administrative safeguards including the required policies and procedures858
Thus requiring plan sponsors to implement the same security measures that regulated entities are implementing would maintain confidence in the commitment of plan sponsors to protecting the confidentiality integrity and availability of ePHI in light of the increasing cybersecurity threats as discussed above
ppAdditionally the Department proposes to rename the implementation specification at 45 CFR 164314b2iv as Security incident awarenesspp
Similar to the discussion above the Department proposes to add a new implementation specification for contingency plan activation at proposed 45 CFR 164314b2v that would require plan documents to include a provision requiring a plan sponsor to report to the group health plan without unreasonable delay but no later than 24 hours after activation of its contingency plan859
As discussed above the Department believes that a group health plan needs to be notified in a timely manner when a plan sponsor activates its contingency plan because of the potential implications on the ability of a group health plan to protect the confidentiality integrity and availability of ePHI in its relevant electronic information systems Accordingly we believe that 24 hours would provide a plan sponsor sufficient time to do all of the following determine that there is an emergency or other occurrence adversely affecting the plan sponsors relevant electronic information systems determine that it needs to activate its contingency plan activate its contingency plan identify any group health plans that need to be notified and notify such group health plans
ppSimilarly as discussed above we propose to permit the group health plan and plan sponsor to negotiate the form content or manner of the notice and include them in their plan documents if they so chooseppThe Department believes that requiring a plan sponsor to provide prompt notice to the group health plan when the plan sponsor activates its contingency plan would enable group health plans and plan sponsors to maintain individuals confidence in their commitment to protecting the confidentiality integrity and availability of ePHIppAdditionally consistent with our proposal to revise 45 CFR 164306 the Department proposes to remove the term required from the implementation specification at 45 CFR 164314b2 consistent with our overall proposal to eliminate the distinction between required and addressable implementation specifications However a regulated entity would still be required to comply with all standards and implementation specifications as applicable to its situation as proposed in 45 CFR 164306cppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa How group health plans currently ensure that plan sponsors implement reasonable and appropriate administrative physical and technical safeguards to protect the confidentiality integrity and availability of ePHIppb Whether it is appropriate for group health plans to require plan sponsors to implement the administrative physical and technical safeguards of the Security Rule If not please explain and provide alternatives for how the Department should ensure the confidentiality integrity and availability of ePHI when it is disclosed to plan sponsorsppc Whether business associates currently notify covered entities or subcontractors notify business associates upon activation of their contingency plans and if so the manner and timing of such noticeppd Whether plan sponsors currently notify group health plans upon activation of their contingency plans and if so the manner and timing of such noticeppe Whether it would be appropriate to require a business associate to notify a covered entity or a subcontractor to notify a business associate within 24 hours of activating its contingency plan If not please explain why and what would be an appropriate amount of time for such notificationppf Whether it would be appropriate to require a plan sponsor to notify a group health plan within 24 hours of activating its contingency plan If not please explain why and what would be an appropriate amount of time for such notificationppg The manner timing frequency and process used by business associates to report security incidents to a covered entity or subcontractors to business associatespph The manner timing frequency and process used by a plan sponsor to report security incidents to a group health planpp
Section 164316a requires a regulated entity to implement reasonable and appropriate policies and procedures that comply with the Security Rule taking into account the size complexity and capabilities of the regulated entity 860
the regulated entitys technical infrastructure hardware and software capabilities 861
the costs of security measures 862
and the probability and criticality of
print page 985
potential risks to ePHI863
Such policies and procedures must be consistent with the other requirements of the Security Rule A regulated entity is permitted to change its policies and procedures but it must document and implement such change in accordance with the Security Rule
ppThe standard and implementation specifications for documentation are in 45 CFR 164316b Paragraph b1 requires a regulated entity to maintain the policies and procedures it implements to comply with the Security Rule in written form Additionally where the Security Rule requires an action activity or assessment to be documented the regulated entity must maintain a written record of the action activity or assessment In both cases the written record may be electronic Paragraph b2 includes the current implementation specifications for the documentation standard Such documentation must be retained for the later of either 1 six years from its creation or 2 the date it was last effective Additionally it must be available to those responsible for implementing the documented policies and procedures Finally regulated entities must periodically review their documentation and update it as needed in response to environmental or operational changes affecting the security of ePHIppAlthough this section currently addresses policies and procedures and documentation it does not require or include standards to govern how regulated entities must implement maintain and document implementation of all security measures Implementing maintaining and documenting implementation of all security measures is important to ensure that regulated entities make wellreasoned decisions about implementing the requirements of this rule Just as the Department believes that it is necessary to consider expanding the definition of security measures to better reflect that security measures should be multilayered we also believe that it is necessary to consider providing a more complete instruction concerning how regulated entities must implement maintain and document their implementation of the required security measurespp
Additionally OCRs own experience in investigations and audits leads us to believe that many regulated entities may not be documenting their security measures or their implementation of those measures864
It is critical for a regulated entity to commit to writing the security measures required by the Security Rule to ensure consistent implementation and compliance with the Security Rule Verbal instructions may be forgotten or misconstrued and what the regulated entity believes to be common knowledge may not be or may be relayed incorrectly between workforce members
ppAdditionally based on OCRs enforcement experience the Department believes that regulated entities may not be periodically reviewing and updating their documentation when they modify their security measures in response to environmental or operational changes affecting the security of their ePHI Given the constant evolution of technology and the everchanging behavior of cybercriminals in response to technological evolution the Department believes that regular review of cybersecurityrelated security measures is essential for protecting the confidentiality integrity and availability of ePHI and relevant electronic information systemsppAs discussed above the Department has proposed to revise other provisions of the Security Rule to clarify the differences between administrative and technical safeguards and between policies and procedures on the one hand and technical controls on the other hand We have also proposed to revise other provisions of the Security Rule to clarify that a regulated entity is required to implement and maintain its administrative physical and technical safeguards including its policies and procedures These proposals clarify that such maintenance requires the review testing and modification of the regulated entitys security measures on a regular cadence meaning that the regulated entitys security measures can be modified at any time Given these proposals the Department believes that we must also propose to revise 45 CFR 164316 to delete the standard for policies and procedures and to modify the Security Rules documentation requirements Accordingly the Department proposes to rename this section as Documentation Requirements and to redesignate the documentation standard as paragraph a We also propose to require that a regulated entity document how it considered the factors in 45 CFR 164306b in the development of its written policies and proceduresppWe also propose to modify the documentation standard to clarify that all required written documentation may be in electronic form Additionally we propose to modify the standards two paragraphs Specifically the Department proposes at proposed 45 CFR 164316a1 to require that a regulated entity document the policies and procedures it has implemented to comply with the Security Rule and as part of that documentation explain how it considered the factors at 45 CFR 164306b in the development of its policies and procedures Relatedly we also propose to modify 45 CFR 164316a2 to require a regulated entity to document all of the actions activities and assessments required by the Security Rule The Department believes that both proposals would help to address two common problems observed in Security Rule investigations a failure by the regulated entity to document its policies and procedures and a failure to document actions activities and assessments taken to comply with the Security Rule Without such documentation it is challenging for a regulated entity to assess and ensure its own compliance Accordingly we believe that our proposals to require a regulated entity to document its implementation of the Security Rule requirements would aid both the regulated entity and the Departmentpp
Consistent with our proposal to redesignate the documentation standard as 45 CFR 164316a we propose to redesignate the implementation specifications for documentation time limits availability and updates as proposed at 45 CFR 164316b1 through 3 respectively Under proposed 45 CFR 164316b3 the Department proposes to require a regulated entity to update its documentation at least once every 12 months and within a reasonable and appropriate period of time after a security measure is modified865
As
print page 986
discussed above the Department recognizes that the health care environment has changed in a way that necessitates thorough and frequent review of and updates to documentation By proposing to specify how often documentation must be updated the Department would clarify that we expect regulated entities to review and update their documentation at regular intervals in addition to doing so in response any changes to a security measure Cybersecurity and data protection is an evolving process which makes formal updated and detailed documentation imperative for data protection By reviewing and updating its documentation including its written policies and procedures at least annually and in response to changes to its security measures a regulated entity should have a full understanding of its implemented security measures and be able to determine which measures should be updated to protect the confidentiality integrity and availability of ePHI
ppAs discussed above and consistent with the proposed changes to 45 CFR 164306 the Department is proposing to remove the term required from 45 CFR 164316b1 through 3ppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following consideration in particularppa Whether it would be appropriate to require regulated entities to review and update documentation for security measures at least once every 12 months If not please explainppb Whether it is clear that 45 CFR 164316 provides regulated entities with directions on when and how they are to document all security measures across all safeguard requirements If not please explainppc Whether it is feasible for regulated entities to document all of the actions activities and assessments required by the Security Rule as proposed at 45 CFR 164316a2 If not please explainpp
Section 164318 established the compliance dates for the initial implementation of the security standards for health plans health care clearinghouses and health care providers in 2005 and 2006866
Covered entities have been required to comply with the security standards for almost 20 years and the initial implementation of the security standards is no longer applicable Because of this the Department believes that these provisions are no longer necessary
ppThe Department proposes to remove the information in 45 CFR 164318 and replace the language with provisions for transitioning to the revised Security Rule should the proposals included in this NPRM be adoptedpp
The Department understands that regulated entities may be concerned with the anticipated administrative burden and cost of revising their business associate agreements or other written arrangements to comply with a revised Security Rule For example a regulated entity would need to update its business associate agreements to add a provision specifying that the business associate will report to the covered entity 867
that it activated its contingency plan no later than 24 hours after activation of such plan868
A regulated entity may have existing contracts that are not set to terminate or expire until after the compliance date for a final rule modifying the Security Rule and we understand that a sixmonth compliance period may not provide enough time to reopen and renegotiate all contracts in addition to ensuring that all regulated entities are compliant with the revised Security Rule Accordingly the Department proposes to relieve some of the burden on regulated entities by adding a specified period of transition for certain existing contracts
pp
The Departments authority to provide a transition period is expressed in 45 CFR 160104c which allows the Secretary to establish the compliance date for any modified standard or implementation specification considering the extent of the modification and the time needed to comply with the modification869
ppGiven these considerations to allow regulated entities enough time to update thousands of existing business associate agreements or other written arrangements the Department proposes to provide additional time to update the contracts required by 45 CFR 164314a1ppSpecifically the Department proposes to add new transition provisions under 45 CFR 164318 to allow regulated entities to continue to operate under certain existing business associate agreements or other written arrangements until the earlier of 1 the date such contract or other arrangement either is renewed on or after the compliance date of the final rule or 2 a year after the effective date of the final rule The additional transition period would be available to regulated entities if both of the following conditions are met 1 prior to the publication date of the final rule the covered entity or business associate had an existing business associate agreement or other written arrangement with a business associate or subcontractor respectively that complied with the Security Rule prior to the effective date of a final rule revising the Security Rule and 2 such contract or arrangement would not be renewed or modified between the effective date and the compliance date of the final rulepp
Under the proposed transition provisions a business associate would be permitted to create receive maintain or transmit ePHI pursuant to an existing business associate agreement or other written arrangement with another regulated entity that does not require the regulated entity to obtain satisfactory assurances that meet the requirements of the revised Security Rule for up to one year after the revised Security Rule becomes effective assuming that a final Security Rule is published and that the agreement is compliant with the Security Rule at the time the final rule is published and that it is not renewed or modified between the effective and compliance dates870
The transition provisions would also allow for the business associate to create receive maintain or transmit ePHI on behalf of another regulated entity where the existing business associate agreement does not require that the regulated entity verify that the
print page 987
business associate has deployed technical safeguards in accordance with the Security Rule under the same circumstances as those described above871
pp
During the transition period the Department proposes to allow a business associate to create receive maintain or transmit ePHI pursuant to a business associate agreement or other written arrangement with another regulated entity without including in the agreement that the business associate will 1 comply with the revised Security Rule 872
2 ensure that any subcontractors that create receive maintain or transmit ePHI on behalf of the business associate agree to comply with the revised Security Rule by entering into a business associate agreement or other arrangement that meets the requirements of the revised rule 873
and 3 report to the covered entity 874
activation of its contingency plan875
ppAdditionally the Department intends that in cases where a contract renews automatically without any change in terms or other action by the parties also known as evergreen contracts such contracts would be eligible for the extension if they automatically renew between the effective and compliance dates Thus regulated entities with an evergreen contract will be deemed to be in compliance with the Security Rules requirements for business associate agreements or other written arrangements and such deemed compliance would not terminate when these contracts automatically renew These transition provisions would apply to written contracts or other written arrangements as specified abovepp
These transition provisions would apply only to the requirement to amend contracts or other arrangements with business associates and they would not affect any other compliance obligations under the Security Rule For example beginning on the compliance date of the final rule assuming a final rule is published and that it is finalized as proposed a business associate would be required to implement and document its implementation of the administrative physical and technical safeguards required by a revised Security Rule except with respect to 45 CFR 164308b and 164314a even if the business associates contract with the covered entity 876
has not yet been amended
ppGiven the possibility of a similar burden on group health plans and plan sponsors to update plan documents by the compliance date the Department is considering but not proposing a similar transition provision for plan documents We are not proposing such provisions at this time because unlike business associates plan sponsors do not have independent obligations under the Security Rule Instead the obligations of plan sponsors are based entirely on the content of the plan documents Accordingly if the plan documents are not updated plan sponsors are not obligated to comply with the requirements of the Security Rule because they are not regulated entitiesppIn particular the Department is considering but not proposing at this time adding a new paragraph d introductory text under 45 CFR 164318 with the heading Standard Effect of prior plan documents for group health plans stating that notwithstanding any other provisions of the subpart a group health plan may allow a plan sponsor to create receive maintain or transmit electronic protected health information pursuant to a written plan document with such group health plan that does not comply with 164314b only in accordance with paragraph d1 The Department is also considering adding a new paragraph d1 under 45 CFR 164318 with the heading Implementation specification Plan documents for group health plans stating that the requirements of paragraph b apply to the plan document between a group health plan and a plan sponsor in the same manner as such requirements apply to written contracts or other arrangements between a covered entity and a business associateppSimilarly the Department is considering but not proposing at this time adding a new paragraph d2 under 45 CFR 164318 with the heading Group health plan responsibilities stating that nothing in the section shall alter the requirements of a group health plan or plan sponsor to comply with the applicable provisions of the part other than 164314bppThe Department requests comment on the foregoing proposals including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether the Departments proposal to provide regulated entities with additional time to revise business associate agreements or other written contracts is appropriate If not please explainppb Whether the Department should also provide group health plans and plan sponsors additional time to revise plan documents by adding a transition provision to grandfather certain existing plan documents for a specified period of timeppc Whether the Department should consider additional constraints or specificity for a new paragraph d to allow group health plans more time to comply with the Security Rule requirements for plan documentsppThe Department intends that if any provisions of this subpart including the provisions of this NPRM if finalized were held to be invalid or unenforceable facially or as applied to any person plaintiff or stayed pending further judicial or agency action such provision shall be severable from other provisions of this subpart and from other rules and regulations currently in effect and not affect the remainder of this subpart It is also our intent that unless such provision shall be held to be utterly invalid or unenforceable it shall be construed to give the provision maximum effect to the provision permitted by law including in the application of the provision to other persons not similarly situated or to other dissimilar circumstances from those where the provision may be held to be invalid or unenforceableppThe provisions of this subpart including the proposals of this NPRM are intended to operate independently of each other even if multiple provisions serve the same or similar general purposes or policy goals Where a provision is necessarily dependent on another the context generally makes that clear such as by crossreference to a particular standard requirement or implementation specification Where a provision that is dependent on one that is stayed or held invalid or unenforceable as described in the preceding paragraph is included in paragraph or section within 45 CFR part 160 or 164 we intend that other provisions of such paragraphs or sections that operate independently of said provision would remain in effectpp
The Department intends the individual standards in 45 CFR 164308 164310 164312 164314 and 164316 to apply separately to govern how a regulated entity must protect the security of all ePHI it creates receives
print page 988
maintains or transmits Accordingly if finalized this provision would provide that if any one or several standards in 45 CFR 164308 164310 164312 164314 and 164316 are deemed invalid by a court or nonapplicable to a particular person or circumstance all remaining standards shall be unaffected and shall remain in force and any remaining component of the adjudicated provision not invalid or found to be unenforceable or inapplicable shall be considered by the Department to be still in effect
ppFor example the standard for risk analysis proposed in 45 CFR 164308a2 would protect ePHI from risks and vulnerabilities to the confidentiality integrity and availability of ePHI while the modified standard for workforce security proposed in 45 CFR 164308a9 would protect ePHI from inappropriate access by a regulated entitys workforce An invalidated standard for workforce security would not render the entire rule unworkable because a regulated entity could still meet the requirement to conduct the risk analysis without regard to whether the entity meets the requirements included in the standard for workforce security Similarly were a court to invalidate the Departments proposal in 45 CFR 164310a1 requiring that implemented policies and procedures to limit physical access to relevant electronic information systems and the facility or facilities in which they are housed be in writing a regulated entity could still meet a requirement to implement the policies and procedures Similar considerations apply to the proposal for written policies and procedures in proposed 45 CFR 164316a and to proposals that are deemed inapplicable to certain persons or circumstancesppFurther the Department believes it is necessary to clarify how regulated entities would continue to apply implementation specifications in the event a court invalidates or deems inapplicable a governing standard over a specific implementation specification or if a court invalidates or deems inapplicable one or several implementation specifications without taking adverse action on the governing standard The Department does not interpret that this severability proposal if finalized would apply to implementation specifications in the same manner as it would apply to standards Because the implementation specifications are regulatory instructions on how a regulated entity is to comply with a particular standard if any standard is stricken all implementation specifications underneath are similarly stricken Conversely the Department does not intend for the overarching standard to be affected by a courts decision to invalidate or make a determination of nonapplicability to particular person or circumstance all implementation specifications under a particular standard The Security Rule would still retain its flexible and scalable approach and therefore a regulated entity could use any reasonable and appropriate security measure to implement the standard consistent with 45 CFR 164306b even if all implementation specifications under the standard are strickenpp
If a court invalidates or deems inapplicable less than all implementation specifications under a specific standard
ie
only one or several the ability of a regulated entity to execute the remaining implementation specifications depends on whether the remaining implementation specifications are dependent on one another or operate together to impose requirements on regulated entities For example several proposed implementation specifications under the standard for facility access controls at 45 CFR 164310a1 would require a regulated entity to both establish and implement written procedures pertaining to specific requirements such as contingency operations facility security planning and access control and validation and then subsequently review the written policies and procedures every 12 months Should a court invalidate or deem inapplicable the implementation specification to establish and implement written policies procedures the secondary specification requiring review of said procedures would also become invalid
ppThe Department believes that each definition is independent of all other definitionsppThis list of examples is not intended to be exhaustive The absence from this list of any particular provision should not be construed to mean that the Department considers that provision to be not severable from other parts of the ruleppTo ensure that our intent for severability of provisions is clear in the CFR the Department proposes to add a section on severability at 45 CFR 164320 Proposed 45 CFR 164320 would state our intent that if any provision of this subpart is held to be invalid or unenforceable it shall be construed to give maximum effect to the provision permitted by law unless the holding shall be one of utter invalidity or unenforceability in which case the provision shall be severable from this subpart and shall not affect the remainder thereof or the application of the provision to other persons not similarly situated or to other dissimilar circumstancesppThe Department requests comment on the foregoing proposal including any benefits drawbacks or unintended consequencesppTechnology is constantly evolving able to perform increasingly complex tasks including those with the potential to improve health care and communication between individuals and care providers These new and evolved technologies will continue to transform health care in a variety of ways including providing regulated entities with new tools for faster and more accurate diagnoses effective treatments and more efficient administrationpp
As a regulated entity considers the application of new technologies or the use of existing tools in innovative ways it also must consider whether these technologies create receive maintain or transmit ePHI and if so how to secure them The Security Rule was designed to be technologyneutral for this very reason and continues to provide the foundation for ensuring the confidentiality integrity and availability of all ePHI as technology changes877
As a result while the technology may be new or developing securing ePHI involved with the technology can be successfully executed through compliance with the Security Rule
pp
Before implementing new and emerging technologies a regulated entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity and availability of ePHI878
It must then implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level879
Such administrative physical and technical safeguards apply to all instances of ePHI maintained or transmitted by the regulated entity regardless of the technology used Below we discuss some examples of new technologies such as quantum computing AI and virtual and augmented reality VR and AR and
print page 989
how the Security Rule would apply in each case
pp
Several Federal agencies have considered the potential benefits and drawbacks of quantum information science880
that is the study of the impacts of quantum physics properties on information science Those properties can increase computational power and speed significantly over classical computers provide precision measurements enhance sensing capabilities and increase the accuracy of position navigation and timing services 881
According to NIST In recent years there has been a substantial amount of research on quantum computersmachines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers 882
pp
However the increase in computational capability threatens the security of asymmetric cryptography883
which is critical to encryption solutions a key protection for ePHI and other sensitive information today Scientists warn that when such quantum computers are built they will have the ability to break many of the systems for asymmetric cryptography that are in use today884
Thus experts anticipate that quantum computing will adversely affect the confidentiality and integrity of digital communications885
The goal of postquantum cryptography also called quantumresistant cryptography is to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks 886
A recent National Security Memorandum affirmed that alongside its potential benefits quantum computing also poses significant risks to the economic and national security of the United States including the potential to break much of the publickey cryptography used on digital systems across the United States and around the world 887
Accordingly the White House has directed Federal agencies to take specific steps to mitigate the threat of cryptanalytically relevant quantum computers through a timely and equitable transition of the Nations cryptographic systems to interoperable quantumresistant cryptography 888
pp
NCVHS examined these security issues and provided recommendations to the Department for applying the safeguards of the HIPAA Rules to potential quantum computing threats Specifically NCVHS declared that incorporation of recent Administration guidance for Federal agencies on vulnerable cryptographic systems is necessary to strengthen the Technical Safeguards within the Security Rule 889
This joint guidance developed by NIST CISA and NSA encourages the early planning for migration to postquantum cryptographic standards by developing a QuantumReadiness Road map 890
It also recommends that organizations prepare a cryptographic inventory discuss postquantum roadmaps with technology vendors consider their supply chains readiness for quantum computing and consider the responsibilities of their technology vendors with respect to preparing for quantum readiness891
ppThe Department encourages regulated entities to incorporate these activities as part of their ongoing risk management programs For example the steps presented in the joint guidancesurveying the environment for potential risks and vulnerabilities that endanger ePHI identifying workforce members with responsibility for addressing them inventorying quantumvulnerable systems including that inventory in its risk analysis and risk management and working with technology vendors to ensure their readinessare all activities that already are required by the administrative safeguards of the Security RuleppWe believe these obligations would be clarified by the proposals in this NPRM For example the Department proposes to require that a regulated entity not only conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality integrity and availability of the ePHI it creates receives maintains or transmits but would add an express requirement that the assessment be comprehensive and in writing We also propose to specify that the required assessment include among other things identification of all reasonably anticipated threats and potential vulnerabilities and predisposing conditions making a reasonable determination and documentation of the likelihood that each identified threat will exploit the identified vulnerabilities and performing a written assessment of the risk level for each identified threat and vulnerability Under the NPRM a regulated entity would be expected to as part of the risk analysis consider whether quantum computing poses a reasonably anticipated threat to the confidentiality integrity or availability of its ePHI and whether there is a vulnerability or predisposing condition that corresponds to that threat and to document those considerations make a reasonable determination and document the likelihood that the threat will exploit the identified vulnerabilities and assign a risk level to the identified threat and vulnerabilitypp
Section 238g of the John S McCain National Defense Authorization Act for Fiscal Year 2019 defined AI to include the following 892
pp
AI requires enormous amounts of data to develop but it also has enormous potential benefits The Department has previously stated that these technologies have the potential to drive innovation increase market competition and vastly improve care for patients and populations 893
According to experts AI is unlocking new possibilities by advancing medicine in entirely unimaginable ways and solving some of the grand global healthcare challenges 894
And FDA agrees AI technologies are transforming health care by producing diagnostic therapeutic and prognostic medical recommendations or decisions in some cases independently informed by the vast amount of data generated during the delivery of health care 895
In medical devices areas for AI application include
pp
For example clinicians are using AI to distill large volumes of EHR information about a complex patient into a summarized note that they can use to consider diagnoses and treatment AI also has been used for aid in the detection of diabetic retinopathy screening for breast and lung cancer and classification of skin conditions897
Others are using ambient AI scribes a technology that uses microphones to transcribe encounters with patients in realtime898
This tool creates clinical documentation that clinicians can later edit which can lead to improved interactions with patients and reduced time on documentation899
Newer AI tools may search medical records for relevant information regarding common conditions and other risk factors 900
or offer relevant questions for clinicians to pose to make an accurate diagnosis901
pp
Unfortunately AI can also be used to harm individuals both intentionally and unintentionally Bad actors are using generative AI to threaten the privacy and security of ePHI more effectively through phishing and other social engineering As explained by NCVHS AI tools can create mass scale cyberattacks that are highly effective and major threats to ePHI 902
Experts anticipate that AI will ultimately pioneer the malicious use of Offensive AIhighly sophisticated and malicious attack codethat will be able to mutate itself as it learns about its environment and to expertly compromise systems with minimal chance of detection 903
Such experts are concerned about the level of destruction that will lie in its wake and compare it to an arms race that can only escalate904
Indeed it seems likely that regulated entities will need to invest in AI to defend against malicious use of AI in the future905
pp
After assessing current and potential AI threats NCVHS recommended that the Department clarify how the HIPAA Rules apply to AI906
We agree with their assessment and recommendation Specifically ePHI including ePHI in AI training data prediction models and algorithm data that is maintained by a regulated entity for covered functions is protected by the HIPAA Rules and all applicable standards and specifications907
For example generative AI tools have produced in their output the names and personal information of persons included in the tools sources of training data908
Similar uses of generative AI by regulated entities including the training of AI models on patient data could result in impermissible uses and disclosures including exposure to bad actors that can exploit the information909
As part of its risk analysis and risk management activities a regulated entity must consider the risk associated with different uses and data910
Accordingly we expect that a regulated entity interested in using AI would include the use of such tools in its risk analyses and associated risk management activities The regulated entitys risk analysis must include consideration of among other things the type and amount of ePHI accessed by the AI tool to whom the data is disclosed and to whom the output is provided The NIST AI Risk Management Framework is a helpful resource for regulated entities to better
print page 991
understand measure and manage risks effects and harms of AI911
pp
The Security Rule requires a regulated entity to conduct repeated risk analyses that consider any changes to its environment or operations such as updates or changes in technology or clinical administration and to apply all reasonable updated protections to safeguard ePHI912
Accordingly as technology such as AI evolves the Department would expect a regulated entity to perform a risk analysis to consider the effects of such changes on the confidentiality integrity and availability of ePHI As NCVHS observed It is important to conduct risk analyses on AI throughout the life cycle of the system 913
We believe the proposals in this NPRM would clarify our expectations for when and how regulated entities need to consider prepare for and address such changes For example the Department proposes to expressly require that a regulated entity develop a written inventory of its technology assets Under this proposal the Department would expect that AI software used to create receive maintain or transmit ePHI or that interacts with ePHI including where ePHI is used to train the AI software would be listed as part of its technology asset inventory which feeds into the regulated entitys risk analysis Making AI safe and secure with respect to ePHI requires efforts in a variety of areasbiotechnology cybersecurity critical infrastructureto address risks914
The Federal Government seeks to ensure that the collection use and retention of ePHI is lawful and secure and that it mitigates privacy and confidentiality risks Across the administration Federal agencies are considering potential uses for AI as well as their benefits and risks consistent with EO 11410 and its principles to advance and govern the development and use of AI915
These principles include making AI safe and secure and protecting privacy and civil liberties For example the Department finalized regulations earlier this year that improve transparency by health IT developers of certified health IT including those that are business associates that supply a particular type of AIpredictive decision support interventions DSIs916
Specifically the regulations require such health IT developers to provide greater transparency about the design development training evaluation and use of such predictive DSIs917
This approach promotes responsible AI and makes it possible for covered entities to access a consistent baseline set of information about the algorithms they use to support their decision making and to assess such algorithms for fairness appropriateness validity effectiveness and safety918
ppAdditionally the Department proposes to require that regulated entities monitor authoritative sources for known vulnerabilities and to remediate such vulnerabilities in accordance with their patch management program We also propose to require that patches updates and upgrades that address critical and high risks be applied promptly Together these proposals would support the rapid response to vulnerabilities that will be necessary as AI becomes more prevalent Thus the Department believes that the adoption of the cybersecurity best practices proposed in this NPRM is an important first step to ensuring that AI tools are deployed by regulated entities in a manner that protects the confidentiality integrity and availability of ePHIpp
Research on VR and AR technologies is widespread and has produced numerous applications in the health care fields Such technologies are being used in medical education and patient care including ARassisted surgeries VRbased pain management therapies and immersive patient education tools919
Additionally innovators are working on ways to incorporate AI with VR and AR for improved diagnostics and treatment planning920
pp
However as with quantum computing and AI VR and AR technologies raise new privacy and security concerns VR and AR involve the use of diverse technologies and the collection of a wide array of sensitive information including comprehensive biometric data921
According to experts VR and AR present distinct security challenges encompassing typical vulnerabilities associated with electronic devices as well as potential risks of physical harm and leakage of highly sensitive data 922
VR like any connected computing device is susceptible to standard cybersecurity concerns and various types of cyberthreats necessitating proactive anticipation 923
pp
These cybersecurity risks such as hacking social engineering malicious software and ransomware can be mitigated through holistic risk analysis and risk management consistent with the Security Rule administrative standards in 45 CFR 164308 In addition patch management924
access control925
authentication926
and appropriate business associate agreements 927
are examples of some of the required safeguards that would apply to VR and AR systems
pp
We believe the proposals in this NPRM to clarify these safeguards would substantially improve the ability of regulated entities to address these cybersecurity risks For example the Department proposes to require that a regulated entity obtains from a business associate written verification that the business associate has deployed the technical safeguards required by the Security Rule including a written analysis of the business associates information systems from a person with
print page 992
appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of ePHI verifying compliance with the requirements of 45 CFR 164312 and a written certification that the analysis has been performed and is accurate Under this proposal a regulated entity would be required to obtain such verification from a business associatedeveloper of VRAR software ensuring that ePHI that is created received maintained or transmitted using the VRAR software is protected to the same extent as ePHI that is created received maintained or transmitted using other technology assets that are components of the regulated entitys relevant electronic information systems
pp
Many regulated entities are piloting innovative technologies Such entities generally have separate departments that research develop test and deploy such technologies928
Regulated entities might consider integrating workforce members with expertise in security and privacy into their technology development groups to ensure that privacy and security including the Security Rulerequired safeguards are embedded into the design of new and emerging technologies929
Doing so can help improve security while boosting quality efficiency and productivity 930
ppThe Department requests comment on the foregoing discussion of how the Security Rule protects ePHI used in new and developing technologies including any benefits drawbacks or unintended consequences We also request comment on the following considerations in particularppa Whether the Departments understanding of how the Security Rule applies to new technologies involving ePHI is not comprehensive and if so what issues should also be consideredppb Whether there are technologies that currently or in the future may harm the security and privacy of ePHI in ways that the Security Rule could not mitigate without modification and if so what modifications would be requiredppc Whether there are additional policy or technical tools that the Department may use to address the security of ePHI in new technologiespp
The Department of Health and Human Services HHS or Department has examined the effects of this proposed rule under Executive Order EO 12866 Regulatory Planning and Review931
EO 13563 Improving Regulation and Regulatory Review932
EO 14094 Modernizing Regulatory Review933
the Regulatory Flexibility Act 934
RFA the Unfunded Mandates Reform Act of 1995 935
UMRA and EO 13132 on Federalism936
EOs 12866 and 13563 direct the Department to assess all costs and benefits of available regulatory alternatives and when regulation is necessary to select regulatory approaches that maximize net benefits including potential economic environmental public health and safety and other advantages distributive effects and equity The proposed rule meets the criteria as significant under section 3f1 of EO 12866 as amended by EO 14094
ppThe RFA requires us to analyze regulatory options that would minimize any significant effect of a rule on small entities As discussed in greater detail below this analysis concludes and the Secretary certifies that the notice of proposed rulemaking NPRM if adopted would not result in a significant economic effect on a substantial number of small entitiespp
The UMRA section 202a generally requires us to prepare a written statement which includes an assessment of anticipated costs and benefits before proposing any rule that includes any Federal mandate that may result in the expenditure by State local and Tribal governments in the aggregate or by the private sector of 100000000 or more adjusted annually for inflation in any 1 year 937
The current threshold after adjustment for inflation is 183 million using the most current 2024 Implicit Price Deflator for the Gross Domestic Product UMRA does not address the total cost of a rule Rather it addresses certain categories of cost mainly Federal mandate costs resulting from imposing enforceable duties on State local or Tribal governments or the private sector or increasing the stringency of conditions in or decreasing the funding of State local or Tribal governments under entitlement programs
pp
This proposed rule if adopted would impose mandates that would result in the expenditure by State local and Tribal governments in the aggregate or by the private sector of more than 183 million in any one year The impact analysis in this proposed rule addresses such effects both qualitatively and quantitatively Each covered entity and business associate collectively regulated entity including government entities that meet the definition of covered entity
eg
State Medicaid agencies would be required to conduct a Security Rule compliance audit report to covered entities or business associates as applicable upon activation of their contingency plan deploy multifactor authentication MFA in and penetration testing of relevant electronic information systems complete network segmentation disable unused ports and remove extraneous software update cybersecurity policies and procedures revise business associate agreements and update workforce training Business associates would be required to conduct an analysis and provide verification of their compliance with technical safeguards and covered entities would be required to obtain verification from business associates and business associates from their subcontractors Additionally group health plans would need to revise plan documents to require plan sponsors to comply with administrative physical and technical safeguards according to the Security Rule standards Finally through contractual language health plan sponsors would need to enhance safeguards for electronic protected health information ePHI according to the Security Rule standards Costs for all regulated entities to change their policies and procedures alone would increase costs above the UMRA threshold in one year and costs of health plan sponsors would increase total costs further Although Medicaid makes Federal matching funds available for States for certain administrative costs these are limited to costs specific to operating the Medicaid program There are no Federal funds directed at Health Insurance Portability and Accountability Act of 1996 HIPAA compliance activities
pp
The Department believes that pursuant to Subtitle E of the Small Business Regulatory Enforcement
print page 993
Fairness Act of 1996938
the Office of Management and Budgets OMBs Office of Information and Regulatory Affairs would be likely to determine that when finalized this rule meets the criteria set forth in 5 USC 8042 because it is projected to have an annualized effect on the economy of more than 100000000
ppThe Justification for this Rulemaking and Summary of Proposed Rule Provisions section at the beginning of this preamble contain a summary of this rule and describe the reasons it is needed We present a detailed analysis belowpp
The Department identified ten categories of quantifiable costs arising from these proposals that would apply to all regulated entities 1 conducting a Security Rule compliance audit 2 obtaining written verification from their business associates or subcontractors that the business associates or subcontractors respectively have conducted the required verification of compliance with technical safeguards 3 notifying other regulated entities when workforce members access to ePHI is terminated 4 completing network segmentation 5 disabling ports and removing extraneous software 6 deploying MFA 7 deploying penetration testing 8 updating policies and procedures 9 updating workforce training programs and 10 revising business associate agreements Additionally group health plans would be required to update plan documents to require health plan sponsors compliance with the administrative physical and technical safeguards according to the Security Rule and notification of group health plans when health plan sponsors activate their contingency plan Business associates would have additional obligations to verify compliance with technical safeguards and provide it in writing to covered entities and subcontractors to business associates and to notify covered entities upon activation of their contingency plans Finally although plan sponsors are not directly subject to the HIPAA Rules by virtue of the plan document requirements the Department estimates that certain group health plan sponsors
eg
employers that provide group health benefits would likely incur some quantifiable costs to improve safeguards for their electronic information systems that affect the confidentiality integrity or availability of ePHI and to notify group health plans upon activation of plan sponsors contingency plan
ppThe Department estimates that the firstyear costs attributable to this proposed rule total approximately 9 billion These costs are associated with regulated entities and health plan sponsors engaging in the regulatory actions described above For years two through five estimated annual costs of approximately 6 billion are attributable to costs of recurring compliance activities Table 1 reports the present value and annualized estimates of the costs of this proposed rule covering a 5year time horizon Using a 2 percent discount rate the Department estimates that this proposed rule would result in annualized costs of 68 billion for regulated entities and health plan sponsors combinedppTable 1Accounting Table Costs of the Proposed Rule Billions
appAs a result of the proposed changes in this NPRM the enhanced security posture of regulated entities would likely reduce the number of breaches of ePHI and mitigate the effects of breaches that nonetheless occur The Department has partially quantified these effects and presents them in a breakeven analysis The breakeven analysis estimates that if the proposed changes in the NPRM reduce the number of individuals affected by breaches by 7 to 16 percent the revised Security Rule would pay for itself Alternatively the same cost savings may be achieved by lowering the cost per affected individuals ePHI by 7 percent 35 to 16 percent 82 respectivelyppThe changes to the Security Rule would likely result in important benefits and some costs that the Department is unable to fully quantify at this time As explained further below unquantified benefits include reductions in reputational financial and legal harm from breaches of individuals ePHI reductions in disruptions to health care delivery increased confidence among parties to health care business transactions and improved quality of health careppTable 2Potential NonQuantified BenefitsppThe Department also recognizes that there may be some costs that are not readily quantifiable notably actions that regulated entities may take to comply with existing requirements more fully as a result of proposed clarifications For example this would include completing a technology asset inventory which is a baseline expectation for the existing requirement of conducting a risk assessment documenting completion of existing requirements adding more specificity to the required contingency plan such as designating staff roles with specific responsibilities when a contingency occurs testing safeguards as part of reviewing and updating policies and procedures and technical controls and deploying encryption for ePHI in a more concerted manner including documenting provision of notification in response to individuals access requests for transmission of ePHI in an unencrypted manner and has been informed of the risks associated with the transmission receipt and storage of unencrypted ePHI These activities are specified in the NPRM but they would be more in the nature of clarifications to and increased specificity of existing requirements Because the degree of additional effort by regulated entities to meet these requirements would be dependent on multiple factors and likely to be highly variable the additional cost is difficult to quantifyppWe acknowledge that there may be a small burden associated with documenting that an individual was informed of the risks of unencrypted transmission of ePHI however we believe there are few requests that fall into this category Because we do not have a basis to make an estimate we have requested data on potential burdens associated with this proposed exception to the proposed standard for encryption in the preamble discussion of 45 CFR 164312pp
The cost of complying with the exceptions to encryption and MFA for medical devices authorized by the US Food Drug Administration for marketing may depend in part on the extent to which a regulated entity relies on legacy devices because the regulated entity may be required to adopt compensating controls New devices are likely to have encryption and MFA built into them not requiring compensating controls The Department is unable to estimate the range of costs to adopt compensating controls for legacy devices because there is no reliable data to accurately assess the extent to which legacy devices are used in the United States939
The Department requests comment on the number of legacy devices in use and the costs of applying compensating controls to such devices
ppThe Security Rule in conjunction with the Privacy and Breach Notification Rules protects the privacy and security of individuals PHI that is individually identifiable health information IIHI The Security Rules protections are limited to ePHI while the Privacy and Breach Notification Rules protect both electronic and nonelectronic PHI The Security Rule establishes standards to protect individuals ePHI and requires reasonable and appropriate administrative physical and technical safeguards The Security Rule specifies a series of administrative physical and technical security requirements that must be performed or implemented for regulated entities to safeguard ePHI Specifically entities regulated by the Security Rule must 1 ensure the confidentiality integrity and availability of all ePHI they create receive maintain or transmit 2 protect against reasonably anticipated threats to the security and integrity of the information 3 protect against reasonably anticipated impermissible uses or disclosures and 4 ensure compliance by their workforce A major goal of the Security Rule is protecting the security of individuals health information while allowing for the development of a health information system to improve the efficiency and effectiveness of the health care systemppThe Administrative Simplification provisions of HIPAA title II provide the Secretary of HHS with the authority to publish standards for the privacy and security of health information The Department first proposed standards for the security of ePHI on August 12 1998 and published a final rule on February 20 2003 The Department modified the Security Rule in 2013 Recently as the preamble to this NPRM discusses changes in the health care environment and insufficient compliance by regulated entities with the existing Security Rule require the modifications proposed herepp
For purposes of this Regulatory Impact Analysis RIA the proposed rule adopts the list of covered entities with an updated count and certain cost assumptions identified in the Departments Information Collection Request ICR associated with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy 2024 ICR940
The Department also relies on certain estimates and assumptions from the 1998 Proposed Rule 941
that remain relevant the 2003 Final Rule942
and the 2013 Omnibus Rule943
as referenced in the analysis that follows
ppThe Department quantitatively analyzes and monetizes the effect that this proposed rule would have on the actions of regulated entities to conduct a Security Rule compliance audit provide or obtain verification of business associates compliance with technical safeguards notify other regulated entities when workforce members access to ePHI is altered or terminated notify covered entities or business associates as applicable upon activation of a contingency plan complete network segmentation disable unused ports and remove extraneous software deploy MFA and penetration testing update health plan documents update policies and procedures update workforce training and revise business associate agreements The Department also quantitatively analyzes the effects on group health plan sponsors for ensuring that safeguards for their relevant electronic information systems meet Security Rule standards and notifying group health plans upon activation of the plan sponsors contingency plansppAdditionally the Department quantitatively analyzes the benefits of the proposed modifications to regulated entities due to an expected reduction in costs of remediation of breaches and risk of breaches by regulated entitiesppThe Department analyzes the remaining benefits and costs qualitatively because many of the proposed modifications are clarifications of existing requirements and predicting other concrete actions that such a diverse scope of regulated entities might take in response to this rule is inherently uncertainpp
The Department bases its assumptions for calculating estimated costs and benefits on several publicly available datasets including data from the US Census Bureau Census the US Department of Labors DOL Bureau of Labor Statistics the Small Business Administration SBA and the Departments Centers for Medicare
print page 995
Medicaid Services CMS and Agency for Healthcare Research and Quality AHRQ For the purposes of this analysis the Department assumes that employee benefits plus indirect costs equal approximately 100 percent of pretax wages and adjusts the hourly wage rates by multiplying by two for a fully loaded hourly wage rate The Department adopts this as the estimate of the hourly value of time for changes in time use for onthejob activities
pp
Implementing the proposals likely would require regulated entities to engage workforce members or consultants for certain activities The Department assumes that an information security analyst would perform most of the activities proposed in the NPRM consistent with the existing Security Rule requirements The Department expects that a computer and information systems manager would revise policies and procedures a training and development specialist would revise the necessary workforce training a lawyer would revise business associate agreements and a compensation and benefits manager would revise health plan documents for plan sponsors To the extent that these assumptions affect the Departments estimate of costs the Department solicits comment on its assumptions particularly assumptions in which the Department identifies the level of workforce member
eg
analyst manager licensed professional that would be engaged in activities and the amount of time that particular types of workforce members spend conducting activities related to this RIA as further described below Table 3 lists pay rates for occupations referenced in the cost estimates for the NPRM
ppTable 3Occupational Pay Rates 944pp
The Department
assumes that most regulated entities would be able to incorporate changes to their workforce training into existing cybersecurity awareness training programs and Security Rule training rather than conduct a separate training because the total time frame for compliance from date of publication of a final rule would be 240 days945
pp
The changes proposed in this NPRM would apply to covered entities
ie
health care providers that conduct covered electronic transactions health plans and health care clearinghouses and their business associates including subcontractors The Department estimates the number of covered entities to be 822600 business establishments see table 4 By calculating costs for establishments rather than firms946
some burdens may be overestimated because certain costs would be borne by a parent organization rather than each separate facility Similarly benefits and transfers would be overestimated because entity assumptions flow through to those quantifications However decisions about the level of an organization that is responsible for implementing certain requirements likely varies across the health care industry The Department requests data on the extent to which certain burdens are borne by each facility versus an umbrella organization
pp
According to Census data947
there are 954 Direct Health and Medical Insurance Carrier firms out of a total 5822 Insurance Carrier firms such that health and medical insurance firms make up approximately 164 percent of insurance firms 9545822948
Also according to Census data there are 2506 Third Party Administration of Insurance and Pension Funds firms and 8375 establishments This category also includes clearinghouses The Department assumes that 164 percent of these firms service health and medical insurance because that is equivalent to the share of insurance firms that are health and medical As a result the Department estimates that 411 firms categorized as Third Party Administrators are affected by the proposals in this NPRM 2506 164 Similarly the Department estimates that 1374 associated establishments would be affected by the proposals in this NPRM 8375 total establishments 164 Most of these are business associates Based on data from the Departments HIPAA audits and experience administering the HIPAA Rules we are aware of approximately 36 clearinghouses See table 4 below
pp
There were 56289 community pharmacies including 19261 pharmacy and drug store firms operating in the US in 2023949
Small pharmacies generally use pharmacy services administration organizations PSAOs to provide administrative services such as conducting negotiations Based on information from industry the Department estimates that the proposed rule would affect fewer than 10 PSAOs and we include this within the estimated 1 million business associates affected by the proposals in this NPRM950
The Department assumes that
print page 996
costs affecting pharmacies are incurred at each pharmacy and drug store establishment and each PSAO
ppTable 4Estimated Number Type and Size Threshold of Covered Entitiespp
The Department also estimated the percentage of rural and urban health care providers by matching health care provider data from CMS951
Health Resources Services Administration952
and the Statistics of US Businesses SUSB 953
with county population data from the US Census Bureau954
We determined whether a health care provider was rural or urban based on OMBs standards for delineating metropolitan and micropolitan statistical areas955
Consistent with OMBs standard we considered a county to be rural if it has fewer than 50000 inhabitants956
This includes micropolitan areas towns and cities between 10000 and 49999 and counties outside of metropolitan statistical areas and micropolitan areas Based on this analysis we estimate that 78 percent of health care providers operate in rural areas
pp
The Department adopts the estimate of approximately 1000000 business associates including subcontractors as stated in the 2024 ICR and the 2013 Modifications to the HIPAA Privacy Security Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health HITECH Act and the Genetic Information Nondiscrimination Act and Other Modifications to the HIPAA Rules final rule957
We considered whether to increase this figure in our updates but did not do so because many business associates serve multiple covered entities We lack sufficient data to estimate the number of such businesses more precisely but we believe that the number of business associates is highly dynamic and dependent on multiple market factors including expansion and consolidation among various lines of business changing laws and legal interpretations and emerging technologies We include subcontractors of business associates within our estimate because they are business associates of business associates
ppThe Department welcomes comments on the number or types of regulated entities that would be affected by the proposals in this proposed rule and the extent to which they may experience costs or other burdens not already accounted for in the cost estimates The Department also requests comment on the number of health plan documents that would need to be revised if any The Department additionally requests detailed comment on any situations other than those identified here in which covered entities or business associates would be affected by the proposals in this rulemakingpp
Within this NPRM the Department is for the first time including estimates of health plan sponsors potential costs of compliance with specific
print page 997
administrative physical and technical safeguards of the Security Rule The Department relied on data from AHRQ and the US Census to estimate the number of firms offering group health plans 19 million958
and multiplied that by the percentage that offer at least one selfinsured plan to calculate the number of plan sponsors that would be likely to receive ePHI and be subject to the requirements of 45 CFR 164314b 1943484 382 742411 We solicit comments on whether group health plans or thirdparty administrators address any Security Rule requirements for plan sponsors so the plan sponsors would not have an additional burden or would have a smaller burden than estimated below
pp
The number of individuals potentially affected by the proposed changes to the Security Rule includes most of the United States population approximately 337 million specifically those who have received any health care in the past seven years and whose ePHI is likely created received maintained or transmitted by a regulated entity Statistics about the number of individuals affected by breaches of PHI provide insight into known instances where safeguards were breached although the effects of the Security Rule extend farther than that to all ePHI Data from the 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022 959
revealed nearly 42 million individuals affected by breaches of PHI in that year Thirdparty sources reported approximately 133 million individuals affected by health care breaches in 2023960
According to UnitedHealth Group the 2024 breach of its clearinghouse subsidiary Change Healthcare may have affected approximately onethird of the US population or 112 million individuals961
The Department believes that the range of individuals potentially affected by the proposed regulatory changes would be from 42 million to 337 million
ppThe Department has reported HIPAAHITECH breach data annually since 2009 Table 5 shows the data as reported to Congress for the past five years We relied on this data combined with breach cost data from industry sources to analyze the potential savings of the NPRMppTable 5Breaches of PHIppBelow the Department provides the basis for its estimated quantifiable costs resulting from the proposed changes to specific provisions of the Security Rule Many of the estimates are based on assumptions formed through OCRs experience with compliance and enforcement and accounts from stakeholders For each cost the Department provides its main estimate as well as additional high and low estimates for some costs to account for any uncertainty in the compliance approach of regulated entitiesppAll estimates in this section are based on subject matter expertise The Department requests information or data points from commenters to further refine its estimates and assumptionspp
The Department estimates that all regulated entities would need to conduct a Security Rule Compliance Audit because this would be a new requirement under proposed 45 CFR 164308a14 Although some regulated entities have mistakenly conducted such an audit in lieu of a risk analysis the Department believes that costs for the compliance audit as a separate requirement should be attributed to the proposed changes in the NPRM Further because this would be an annual requirement the Department is including this as a recurring cost The Department estimates that regulated entities would need an average of 2 hours of labor by an information systems analyst to conduct the compliance audit based on the assumption that regulated entities have already documented Security Rule compliance activities as currently required This would result in total estimated costs of 437205288 1822600 regulated entities 2 hours 11994 The respective low and high estimates would be 025 and 25 hours of information systems analyst labor resulting in respective total estimated costs of 546506611 1822600 regulated entities 025 hours 11994 and 546506610 1822600 regulated entities 25 hours 11994
print page 998
ppFor proposed 45 CFR 164308b the Department estimates that business associates that handle ePHI would need to spend an average of 2 hours with a low estimate of 025 hours and high estimate of 25 hours analyzing how their cybersecurity measures comply with the proposed requirements for technical safeguards and producing a verification report for covered entities at the hourly wage rate of an information security analyst This estimate assumes that business associates have already documented existing safeguards policies and procedures so that the costs attributable to the new requirement are incremental and would total approximately 239880000 1 million business associates 2 hours 11994 with a low estimate of 29985000 1 million business associates 025 hours 11994 and high estimate of 299850000 1 million business associates 25 hours 11994ppUnder 45 CFR 164308b the Department further estimates that each covered entity would need to spend an average of 30 minutes with 15 minutes as a low estimate and 90 minutes as a high estimate requesting and obtaining compliance reports from its business associates about their deployment of technical safeguards required by the Security Rule at the hourly wage of an information security analyst This assumes that in most instances business associates would produce the required verification for covered entities without being prompted by a request because they would be required to do so by the Security Rule as proposed in the NPRM It further assumes that covered entities have readily available means of contacting business associates such as via email and that the contact could be a single email draft sent in a batch The average time burden per entity depends on verification frequency likely influenced by entities average number of business associates and how frequently entities change business associates The low estimate assumes that entities verify less frequently whereas the high estimate assumes entities verify more frequently At the wage rate of an information security analyst this would result in estimated total costs for covered entities of 49331322 822600 covered entities 05 hours 11994 with a low estimate of 24665661 822600 covered entities 025 hours 11994 and high estimate of 147993966 822600 covered entities 15 hours 11994ppThe proposed requirement to obtain verification of compliance with technical safeguards also would apply to business associates with respect to their subcontractors However we believe that a much smaller number of business associates rely on subcontractors compared to the number of covered entities that rely on business associates to conduct activities on their behalf Thus we estimate that on average business associates would need 5 minutes annually to obtain verification from their subcontractors that the subcontractors have complied with technical safeguards as required by the Security Rule The estimate includes only the time needed for business associates to send a mass email to subcontractors because we have already addressed the burden on business associates of producing the verification in the previous section and that estimate includes burdens on subcontractors The high estimate for this activity would be an average of 15 minutes per business associate and a low estimate would be for business associates to 2 minutes on this activity At the wage rate of an information security analyst this would add estimated total costs for business associates of 9995000 1000000 business associates 0083 hours 11994 with a high estimate of 29985000 1000000 business associates 25 hours 11994pp
The Department estimates that regulated entities are likely to incur additional costs to implement a process to notify other regulated entities when a workforce members access to ePHI is terminated or changed under proposed 45 CFR 164308a9ii This estimate assumes that notifications will take an average of 1 hour annually per regulated entity This results in new estimated costs totaling 84021860 1822600 regulated entities 1 hour 4610962
ppThe Department estimates that on average regulated entities would have an information security analyst spend 15 hours deploying MFA as specifically required under proposed 45 CFR 164312f2ii This would be a onetime firstyear burden that includes an average of 30 minutes for a regulated entity to select an MFA solution that allows them to meet the requirements of the proposal without creating workflow disruptions or delays This estimate would vary depending on how prevalent MFA is in the industry when and if the requirements of the NPRM are finalized As a widely accepted information security practice the Department believes that many large entities have already deployed MFA and the costs range from zero to only a few dollars per user The low estimate would be 01 hours on average assuming that many entities already have some form of MFA and the high estimate would be 175 hours assuming that few entities have MFA At the loaded wage rate of an information security analyst the total estimated cost would be 327903966 1822600 regulated entities 15 hours 11994 with a low estimated total of 218602644 1822600 regulated entities 1 hour 11994 and a high estimated total of 382554627 1822600 regulated entities 175 hours 11994 The Department applies this cost in the first year only because minimal additional labor is needed to maintain this safeguard once it has been deployedpp
The Department believes that most large regulated entities and many mediumsized regulated entities have segmented their information networks to some degree however additional actions may be needed to more fully protect ePHI as required under proposed 45 CFR 164312a2vi Further small entities may not have been aware of the importance of segmenting networks or taken steps to segment their networks The Department estimates that each regulated entity would spend an average of 45 hours to set up network segmentation in the first year of compliance with a final rule with a low estimate of 4 hours and a high estimate of 5 hours at the hourly wage of an information security analyst The Department further assumes that in the following years the burden to maintain the segmented network would be minimal and incorporated into the maintenance requirements The total first year estimated cost of the network segmentation requirement would be 983711898 1822600 regulated entities 45 hours 11994 with a low estimated total of 874410576 1822600 regulated entities 4 hours
print page 999
11994 and a high estimate of 1093013220 1822600 regulated entities 5 hours 11994
pp
The Department believes that large regulated entities have already disabled unused network ports and removed extraneous software as part of existing configuration requirements However the Department believes that small and mediumsized regulated entities are less likely to have performed these actions and thus would incur a new burden to implement these aspects of configuration management proposed at 45 CFR 164312c2ii and iv The Department estimates that 629796 establishments are owned by small and mediumsized covered entities963
which is approximately 7656 percent of all covered entities 629796822600 The Department applies that percentage to the estimated number of business associates 07656 1000000 to arrive at the estimated number of regulated entities with quantifiably increased burdens from these proposed requirements to disable unused ports and remove extraneous software We estimate that for these 1395396 regulated entities 629796 covered entities 765600 business associates an average annual burden of 30 minutes would be needed at the wage rate of an information security analyst to make needed changes to configuration management specifically disabling unused ports and removing extraneous software This would result in estimated total cost increases of 83681898 13953960 regulated entities 05 hours 11994 with a low estimate of 41840949 1395396 regulated entities 025 hours 11994 based on an estimated annual burden of 15 minutes per affected entity and a high estimate of 109301322 1822600 regulated entities 050 hours 11994 based on an estimated annual burden of 30 minutes for all regulated entities
ppThe Department estimates that each regulated entity would spend an average of 3 hours conducting penetration testing with a low estimate of 2 hours and a high estimate of 10 hours at the hourly wage of an information security analyst The Department expects that there might be a high degree of variability between entities depending on their size and technological sophistication Large entities have more endpoints to test and thus have greater exposure The Department also believes there is room for significant variability in the effort that regulated entities may apply to this activity At the wage rate of an information security analyst this would result in estimated total annual costs for regulated entities of 655807932 1822600 regulated entities 3 hours 11994 with a low estimated total of 437205288 1822600 regulated entities 2 hours 11994 and high estimated total of 2186026440 1822600 regulated entities 10 hours 11994ppThe Department estimates that business associates would need to notify other regulated entities in the event that they activate their contingency plan once business associate agreements are revised according to proposed 45 CFR 164314a2iD The Department believes this is unlikely to occur more frequently than once per year and that the time to do so would be minimal because the proposed requirement does not specify the means or scope of such notification The Department estimates that business associates would need an average of 30 minutes with 15 minutes as a low estimate and 45 minutes as a high estimate to report to other regulated entities as applicable when their contingency plan is activated at the wage rate of an information security analyst for a total annual cost of 59970000 1000000 business associates 05 hours 11994 with a low estimated total of 29985000 1000000 business associates 025 hours 11994 and high estimated total of 89955000 1000000 business associates 075 hours 11994ppThe Department estimates that health care insurers and thirdparty administrators would need to revise health plan documents to reflect that health plan sponsors that receive ePHI that is not limited to summary health information or disenrollment information are protecting ePHI with the administrative physical and technical safeguards detailed in the Security Rule as proposed These 6162 entities collectively would be responsible for updating approximately 742411 health plan documents at the wage rate of a compensation and benefits manager The Departments estimate assumes that on average each plan document requires 30 minutes to update for a total estimated cost of 53876766 1742411 05 hours 14514 The Department has attributed these costs solely to health plans and not health plan sponsors because the health plan is the regulated entityppThe Department anticipates that regulated entities would need to develop new or modified policies and procedures for the proposed new requirements to obtain or provide verification of business associates compliance with the Security Rules requirements for technical safeguards conducting a Security Rule compliance audit and reporting the activation of a contingency plan as well as other proposed changes depending on the regulated entities existing policies and procedures The Department estimates that the costs associated with developing such policies and procedures would be the labor of a computer and information systems manager for an average of 35 hours with 25 hours as a low estimate and 6 hours as a high estimate depending on the number of entities with written policies and procedures and their degree of specificity This would result in total annual costs of 1108432416 1822600 regulated entities 35 hours 17376 with a low estimated total of 791737440 1822600 regulated entities 25 hours 17376 and high estimated total of 1900169856 1822600 regulated entities 6 hours 17376 The existing rule requires updates to policies and procedures in response to environmental or operational changes affecting the security of the ePHI and as a result the Department is estimating additional costs for new policies related to this proposed rule as an incremental increasepp
The Department anticipates that regulated entities would be able to incorporate new content into existing Security Rule training programs and that the costs associated with doing so would be attributed to the labor of a training specialist for an estimated 2 hours for total annual costs of 252247840 1822600 regulated entities 2 hours 6920 The low estimate for this activity is 126123920 1822600 regulated entities 1 hour 6920 and the high estimate is 378371760 1822600 regulated entities 3 hours 6920 Many of the changes in the NPRM require the
print page 1000
adoption of standard cybersecurity practices as applied specifically to address the confidentiality integrity and availability of ePHI so we expect that an information security analyst would be familiar with this content These estimated costs would address any required revisions to training for workforce members within the first year of compliance with a final rule Any further recurring component is likely to be implemented into regularly scheduled employee training and thus would not be directly attributable to the proposals in this NPRM
pp
The NPRM proposes to provide a transition period in proposed 45 CFR 164318 for regulated entities to revise business associate agreements to comply with the proposed changes to the requirements of the Security Rule The proposed transition period would allow regulated entities to revise existing agreements by the earlier of the contract renewal date that falls after the compliance date of a final rule or within one year of the rules effective date For a large share of existing agreements this would allow regulated entities to complete the revisions on a rolling basis according to the dates they are renewed The Department estimates that 1822600 964
business associate agreements would need to be revised if this NPRM is adopted and that on average the portion of this activity that results from the rules modifications would take an hour of a lawyers time for each regulated entity This would result in annual costs of 309258768 1822600 regulated entities 1 hour 16968 The Department recognizes that this estimate may not fully account for all revised business associate agreements However the Department believes that in some instances one hour of time is more than would be needed We also believe it is likely that for some regulated entities a professional other than a lawyer would be responsible for the revised agreements at a lower hourly wage For some large business associates the Department believes that a single agreement is used for most of its customers The Departments estimates assume that most agreements would be revised within the first year and accounts for all of them within that time period This would be considered a onetime cost in other words it is not carried over into future years As with all the estimates in this NPRM the Department invites comments about the assumptions underlying the proposed cost projections
pp
Proposed 45 CFR 164314b2 would mandate that group health plan documents require their health plan sponsors who receive ePHI that is not limited to summary health information or enrollment or disenrollment information to deploy the administrative physical and technical safeguards for ePHI required by the Security Rule and notify their group health plans upon activation of the plan sponsors contingency plan Currently plan documents must require such health plan sponsors to have safeguards in place but not necessarily the safeguards specified in the Security Rule965
The Department estimates that an additional 5242 hours of labor would be needed for each affected health plan sponsor to bring its security safeguards for ePHI into compliance with the Security Rule standards and to notify group health plans when its contingency plan is activated over and above the actions attributable to safeguards already in place for ePHI and for sponsors electronic information systems generally The Security Rule compliance activities attributed to group health plan sponsors are shown in table 7 below
ppMost compliance activities would be performed by a workforce member at the hourly wage rate of an information security analyst 11994 while documentation of maintenance would be performed at the rate of a management analyst 11108 and notification of termination or change of workforce members access to ePHI would be performed by an office administrative assistant 4610 This would result in estimated total first year costs for health plan sponsors of 4658781219 as shown in detail in table 7ppThe Department summarizes in tables 6 and 7 the estimated costs that regulated entities approximately 4655 million and plan sponsors approximately 4659 million respectively would experience in the first year of implementing the proposed regulatory changes The Department anticipates that these costs would be for the following activities conducting a Security Rule compliance audit obtaining verification of business associates and subcontractors compliance with technical safeguards providing verification of business associates compliance with technical safeguards providing notification of termination or change of workforce members access to ePHI deploying MFA and penetration testing segmenting networks disabling unused ports removing extraneous software notifying covered entities or business associates as applicable upon activation of a contingency plan and updating health plan documents policies and procedures workforce training and business associate agreements These costs would also include health plan sponsors deploying safeguards for their relevant electronic information systems to meet Security Rule standards and notifying group health plans upon activation of a plan sponsors contingency planppTable 6First Year Cost Estimates for Regulated Entities Proposed Compliance Obligations
appThe Department presents the estimated cost of health plan sponsors compliance with the proposed new requirements in table 7 belowppTable 7First Year Cost Estimates of Health Plan Sponsors Proposed Compliance Obligations
appTogether regulated entities and affected health plan sponsors estimated first year costs of compliance with the proposals in the NPRM would be approximately 9314 million or 9 billionppThe covered entities that are operated by the Department would be affected by the changes in a similar manner to other covered entities and such costs have been factored into the estimates above The Department has not identified other costs to the Department related to the changes in the NPRM A reduction in the number of large breaches affecting 500 or more individuals per incident would benefit the Department by enabling it to focus its resources on a smaller number of breach investigations and potentially resolve such investigations more quicklypp
A key goal of strengthening the cybersecurity posture of regulated entities is to reduce the number and severity of security incidents including breaches of ePHI The Department believes that compliance with the proposed changes which align with industry guidelines and best practices would benefit regulated entities by reducing the cost of breaches Although the costs of implementing the proposed cybersecurity measures would be significant the costs of responding to breaches of ePHI are much higher According to industry data the average cost of a health care breach in 2023 rose to 1093 million the highest among all industries studied966
and the per record cost of a breach involving personally identifiable information across all industries was 183967
These costs include detection and investigation activities notification activities postbreach response activities and activities attempting to minimize the loss of business Thus the benefits of the proposed rule would be to reduce the harms of health care breaches described in the preamble The Department believes that implementing the changes in the NPRM would reduce both the incidence of breaches in health care and the costs of mitigating breaches when they occur
pp
The Department also analyzed the potential cost savings of proposals that
print page 1002
correspond to major factors affecting the costs of large breaches as identified in published reports968
The Department estimates that at a minimum performing the following actions would quantifiably reduce costs 1 encryption 2 penetration testing 3 requiring MFA and notification of termination of access to ePHI 4 increasing employee training and 5 reducing noncompliance with regulations These factors would account for an estimated 236 percent decrease in large breach costs969
For health care breaches this corresponds to an estimated cost savings of 26 million per large breach in high incidence years and 21 million per large breach in low incidence years
pp
A fundamental benefit of the proposed rule would be to decrease the effects of breaches on individuals who are the subjects of ePHI namely patients and health plan members Breaches of ePHI may cause harm to individuals in many ways including loss of reputation and personal dignity and financial and medical fraud which may result in false debts impaired credit and even health threats from misuse of health insurance credentials by another individual Healthcare data which includes medical histories and personal identification can last a lifetime The information collected can be used for ransom to commit tax frauds to provide supporting disability documentation to send fake bills to insurance providers to obtain healthcare prescription drugs medical treatment and to obtain government benefits like Medicare and Medicaid 970
Hackers can use stolen personal medical and financial data to take out a bank loan in the victims name and change direct deposit information in payroll systems allowing them to steal wages as well971
In addition medical identity fraud can impact the victims credit score and health insurance premiums and may result in unexpected legal fees972
Medical identity fraud also enables thieves to obtain medical treatment using the victims stolen ePHI This can lead to the thiefs medical conditions being incorporated into the victims medical records and impacting the victims ability to receive appropriate medical treatment based on accurate records in the future or any care at all depending on whether the thief has exhausted the victims insurance benefits973
Overall recovering compromised ePHI and addressing the consequences of breached information can be a long and arduous process that can cost victims large amounts of time energy and money974
pp
Breaches of ePHI maintained by health care systems can also pose a threat to the medical wellbeing of affected individuals Cyberattacks on health care organizations can include the deployment of malware that compromises the function of both internal and external medical devices Such software can alter the dosages of sensitive medicines or shut down devices while they are in use thus affecting patient care975
Some of the medical devices that are vulnerable to malicious software attacks include insulin pumps and cardiac implant devices976
The consequences of a cyberattack on such a medical device can be fatal
pp
Cyberattacks on relevant electronic information systems also hinder the efficiency of hospitals and limit the quality of care provided to patients Breaches of relevant electronic information systems negatively affect the routine functions of health care organizations They can affect the availability of ePHI and relevant electronic information systems and redirect critical resources from patient care to addressing the cybersecurity attack A 2020 cyberattack on a large covered entity disrupted communication and clinician access to medical records including to individualized chemotherapy plan templates and tools for communicating during treatment preparation and delivery977
In the first week following the attack the hospitals ability to provide critical outpatient care was reduced by 40 percent and infusion visit volume decreased by 52 percent Many patients had to be transferred to other sites to minimize delays in receiving critical medications The effects of this data breach are not unique to this provider There is evidence that cyberattacks on health care organizations decrease the number of patients they are able to treat in a given day and staff utilization978
Decreases in efficiency and number of treated patients also cause health care facilities to lose revenue because of their inability to provide care during a cybersecurity event
pp
Similar to the effects of breaches of ePHI on individuals health care organizations and facilities also experience reputational and financial impacts because of cybersecurity attacks Hospitals can lose the communitys trust and be subject to lawsuits from individuals whose data was compromised979
Organizations that experience cybersecurity attacks can experience reputational harm and other monetary costs such as those associated with providing breach notifications paying fines to regulators and damages to individuals and providing credit monitoring and identity theftrelated services980
The harm to an organizations reputation is difficult to quantify but it can also affect the quality of care administered to individuals981
Privacy and security of ePHI are paramount to individuals feeling safe and at ease sharing their IIHI with clinicians Security breaches can negatively impact a patients confidence in a health care organization if they believe their information and privacy may be compromised This can cause them to delay seeking treatment or
print page 1003
withhold information from health care practitioners ultimately compromising the decisionmaking capacity of their health care provider to administer the best quality of care982
Decreasing the number and scope of health care breaches would reduce the harms of such breaches and would be a significant benefit of the proposals in the NPRM
ppKey inputs to the estimation of costs of this proposed rule include the numbers of regulated entities and health plan sponsors The Department has not previously quantified the costs of Security Rule compliance for health plan sponsors because the existing requirements are for plan documents to require such sponsors to implement administrative physical and technical safeguards but not necessarily to comply with the specific requirements of the Security Rule Therefore the proposed requirement to comply with the proposed changes to the Security Rule along with the number of affected plan sponsors approximately 740000 results in a significant increase in overall cost estimates compared to the existing rule The benefits of improved security for ePHI accrue to individuals regulated entities and health plan sponsors and are significant The Department has discussed the benefits aboveppThe Department seeks to reduce the risk and mitigate the effects of breaches of ePHI and related information systems through the proposals included in this NPRM Because the frequency and magnitude of cybersecurity events are inherently difficult to predict we chose to conduct a breakeven analysis in lieu of a cost savings analysis The Department solicits comments with any information and data on the incidence and negative consequences of cybersecurity breachespp
The
Department examined two different data points the annual number of individuals affected by health care breaches and the annual number of large breaches Additionally the Department considered a high and a low baseline based on the number of breaches and affected individuals per year The Department calculated the high baseline as the average of the three highest values in the 6 years of available data 2018 to 2023 shown in table 8 and the low baseline as the average of the three lowest values
ppTable 8Data on Breaches of
e
PHIpp
The high baseline used 669 breaches and a total of 71 million individuals affected and the low baseline used 440 breaches and 29 million individuals affected984
The high baseline represents years with higher incidence of breaches whereas the low baseline represents years with lower incidence
pp
For each data point the Department calculated the number of breaches or affected individuals by which the affected universe would have to decrease for the proposed rule to fully offset the annualized costs of regulated entities985
Table 9 and the discussion that follows analyses the costs and cost savings based on the number of individuals affected by breaches in a year and the cost per individuals ePHI or medical record
ppTable 9BreakEven Thresholds by Number of Affected IndividualsppThe analysis in table 9 suggests that this NPRM would break even cost savings would match monetized costs incurred if the number of affected individuals is reduced by approximately 45 million In years with a high incidence of breaches this would be a reduction of approximately 7 percent and in lowincidence years this would be a decrease of 164 percent Thus if the proposed changes in the NPRM reduce the number of affected individuals by 7 to 16 percent the rule would pay for itself Alternatively the same cost savings may be achieved by lowering the cost per affected individuals ePHI by 7 percent 35 and 16 percent 82 respectivelyppTable 10 analyzes the potential cost savings for regulated entities based on the annual number of large breaches of ePHI and the cost per breach as shown belowppTable 10BreakEven Thresholds by Number of Large BreachesppIn table 10 the Department assumes that the average cost per breach in industry reports 111 million calculated as the average of the three highest values in table 9 adjusted for inflation refers to large breaches of ePHI The analysis in table 10 suggests that the NPRM would break even if the annual number of large breaches is reduced by approximately 202 In highincidence years this would be a reduction of approximately 30 percent and in lowincidence years this would be a decrease of 59 percent Alternatively the same cost savings may be achieved by lowering the cost per breach by 30 percent 34 million and 9 percent 66 million respectivelyppThe Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered but did not propose while developing this proposed rule We also request comment on whether the Department should reconsider any of the alternatives considered and if so whyppWe considered not proposing revisions to the Security Rule However the Department believes that not revising the Security Rule would result in continued increases in both the number and size of breaches Such increases would result in an exponential increase in costs as shown in table 8 above If the modifications to the Security Rule result in even modest improvements to the security of ePHI the reduction in the number andor size of breaches would reduce the overall costs associated with breaches including the costs of mitigating harm resulting from such breachespp
The Department considered proposing a separate standard for regulated entities to secure email transmissions In the Departments Cybersecurity Performance Goals986
the Department identifies email security as an essential goal for reducing risk from common emailbased threats such as email spoofing phishing and fraud Therein the Department points to basic email protection controls identified in the Health Industry Cybersecurity Practices such as spamvirus checking and realtime deny lists as well as strategies that may be deployed across small medium and large organizations including MFA for email access email encryption workforce education and advance tooling
eg
URL click protection via analytics attachment sandboxing987
pp
The Department is aware of the threat that email poses to the information systems of regulated entities and to the confidentiality integrity and availability of ePHI988
However the Department believes that it is important that the Security Rule remain technologyneutral and that the security measures we propose in this NPRM apply to a regulated entitys information systems broadly including email programs For example in this NPRM the Department proposes to require regulated entities to encrypt all ePHI at rest and in transit and proposes a transmission security standard in which regulated entities would be required to deploy technical controls to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network989
Therefore the Department believes it is unnecessary to promulgate a separate standard for email security Because the other technical controls such as encryption and MFA are already incorporated into the requirements that would protect relevant electronic information systems the Department believes that adopting a separate secure email standard would duplicate costs without creating a net benefit
pp
Additionally the Department considered whether to heighten the existing expectation 990
for regulated entities to inform individuals before transmitting ePHI to the individual via unencrypted email in response to a request for access under 45 CFR 164524 by this means We considered whether to require such notification for different types of requests such as different categories of PHI
eg
billing lab results etc determining whether the individual had already received such notice or providing notification upon each disclosure Instead the Department has proposed to clarify that notification must be provided for each request made by the individual under the individual right of access at 45 CFR 164524 for their ePHI to be transmitted via unsecure email We believe that requiring a regulated entity to determine whether the individual had already received such notification would be more burdensome than incorporating the notification into the access request process and instead have proposed We estimate that this could increase burdens for providing access via unsecure means by approximately one minute per request of this type We lack data to estimate the number of requests for access via unsecure means
pp
Consistent with the requirement that the Secretary adopt security standards that take into account the needs and capabilities of small health care providers and rural health care providers991
the Department considered excepting small and rural health care providers from the requirement to perform penetration testing at proposed 45 CFR 164308h2iii to lower anticipated costs of the rule for such providers The Department estimates that approximately 90 percent of providers are small based on revenue Thus the estimated cost reduction from this exemption as compared to the proposed requirement for all regulated entities would be approximately 266389139 822600 9 3 hours 11994 wage of an information security analyst annually While the Department is aware of the cost implications of this requirement for small and rural health care providers we also believe that penetration testing is a critical component of managing vulnerability to cyberthreats across the health care sector Additionally we believe that setting different requirements for cybersecurity for small and rural health care providers would lead such health care providers to believe that they can limit their investment in cybersecurity Given that a significant amount of health care is provided by small and rural health care providers limiting their investment in cybersecurity would create a sizable gap in security protections Such a gap has the potential to increase such providers attractiveness to cybercriminals
ppThe Department also considered proposing to permit small and rural health care providers to adopt alternate compensating controls in lieu of the specified implementation specifications to meet certain standards After careful consideration the Department concluded that it potentially could be just as costly to identify and adopt compensating controls that are reasonable and appropriate for small and rural health care practices Small and rural health care providers would likely need to either hire personnel or contract with cybersecurity experts to identify potential compensating controls that would meet the relevant standard and provide implementation support Accordingly the Department declines to put forward such proposals at this timepp
The Department considered the requirements of the Federal Information Security Modernization Act FISMA 992
and whether compliance with FISMA by Federal agencies that are also regulated entities would be comparable to meeting the proposals in this NPRM FISMA requires each Federal agency to develop document and implement an agencywide program to provide information security for the information and information systems that support the operations and assets of the agency including those provided or managed by another agency contractor or other source993
After careful consideration the Department does not believe that a regulated entitys compliance with FISMA would necessarily ensure compliance with all applicable proposed requirements in this NPRM because FISMAs requirements and the Security Rules requirements are designed to serve different purposes FISMA primarily focuses on securing Federal information systems while the Security Rule applies specifically to ePHI This NPRM contains specific proposed requirements not found in FISMA which are tailored to ensure the confidentiality integrity and availability of ePHI Therefore although the Department believes that FISMA requirements are consistent with those in the Security Rule and the proposals in this NPRM we decline to propose that compliance with FISMA requirements would be a comparable alternative to compliance with the proposals in this NPRM Instead we believe that FISMA requirements complement the Security Rule and the proposed requirements and will facilitate the ability of regulated entities that are also subject to FISMA to fulfill their compliance with the HIPAA Rules
pp
The Department considered proposing additional modifications to the definition of information system The Security Rule currently defines the term information system as an interconnected set of information resources under the same direct management control that shares common functionality and includes hardware software information data applications communications and people994
This definition is based on the definition of general support system or system in the appendix to the 1996 version of OMB Circular A130 Security of Federal Automated Information Systems995
We considered proposing to remove the phrase under the same direct management control as a potential way to clarify the application of the definition to cloudbased computing Cloud computing applications play an important role in health care today For example many health care providers have implemented cloudbased electronic health records EHRs and practice management systems These applications are used to create receive maintain and transmit ePHI and as such should be included as components of a covered entitys relevant electronic information system a term which is based upon the term information system After careful consideration we have decided to retain the phrase under the same direct
print page 1006
management control and instead clarify in the preamble how the definition of information system applies in cloud computing environments The Department also requests comment on the definition of information system and the extent of control a regulated entity has with respect to applications in cloud computing environments
pp
We also considered proposing to adopt the definition of information system in the Paperwork Reduction Act of 1995 PRA and the current operative version of OMB Circular A130996
The PRA and OMB Circular A130 define information system as a discrete set of information resources organized for the collection processing maintenance use sharing dissemination or disposition of information The Department declined to adopt this definition because the existing definition in the Security Rule based on the definition of system in the 1996 version of OMB Circular A130 more accurately reflects the typical components of an information system and the full extent of resources that are addressed by the Security Rule Additionally the definition of information system in the PRA and current operative version of OMB Circular A130 contains some terms that are defined by the HIPAA Rules and some that are not As a result adopting this definition would require the Department to propose definitions to such additional terms and to ensure that the manner in which the terms with existing definitions are used is consistent with those existing definitions and we are concerned that such change could cause significant confusion for regulated entities
ppWe do not believe that either of the alternative definitions considered would have generated a quantifiable change in costs because the alternatives would be clarifications to existing requirements and would not have changed the scope of the Security Rules applicabilitypp
The Department considered proposing an exception to the MFA authentication requirement that would permit regulated entities in the future to adopt other technologies in lieu of MFA that might offer a more secure method of authenticating user identity997
Based on discussions with cybersecurity experts the Department believes that MFA is likely to remain the most secure method for authenticating user identity in future years It may take different forms but it will still at its core meet the definition of MFA proposed in this NPRM for the foreseeable future998
ppWhile the Department acknowledges that technology will continue to evolve we are unable to predict when and whether future technology will address identity verification and exceed the level of protection offered by MFA This uncertainty renders us unable to articulate requirements specific enough to justify a purposeful exception Because of the uncertainty surrounding new technologies we are also unable to estimate costs of adopting this alternative Our current view is that proposing and codifying such an exception would be premature but we will revisit the proposed specific requirement for MFA if adopted and reconsider the need for an exception should a more secure technology emergeppThe Department considered requiring regulated entities to comply with all of the proposals in this NPRM by the compliance date rather than proposing transition provisions for existing business associate agreements or other contractual arrangements Had the Department taken that approach we would have proposed that regulated entities update all existing business associate agreements by the proposed compliance date to comply with all applicable proposed requirements in this NPRM While the Department believes that many of the proposals in this NPRM are consistent with the Security Rule as it currently exists we are also concerned that too many regulated entities are not currently compliant with the Security Rule Given the demonstrable increase in breaches we believe that it is more important for regulated entities to first improve their cybersecurity posture by coming into compliance with all applicable proposed requirements in this NPRM if adopted Upon doing so the Department anticipates that regulated entities will be better positioned to evaluate their contractual needs and to modify existing business associate agreements For this reason the Department has proposed the transition provisions in proposed 45 CFR 164318 Not allowing for a transition period could have an opportunity cost whereby regulated entities spend their limited time revising business associate agreements instead of enhancing their cybersecurity posture The Department believes that this could result in duplicative costs because some regulated entities may identify the need for additional changes to business associate agreements after they have fully evaluated their changed cybersecurity needs The Department estimates that small regulated entities may be more likely to experience that outcome without a transition period and thus the alternative of no transition period would cause a potential onetime increase in costs of 278332891 1822600 regulated entities 9 1 hour 16968 lawyer hourly wageppRelatedly the Department considered proposing similar transition provisions for group health plans and plan sponsors that would provide these entities with additional time to update plan documents to align with new proposed requirements in this NPRM if adopted However the Department believes that affected plans and plan sponsors would be able to complete any necessary updates by the proposed compliance date The Department believes that updating plan documents is not as complex a task as evaluating potential new contractual needs to meet business associate obligations Additionally plan sponsors do not have Security Rule obligations independent of plan documents and thus would not be obligated to implement the requirements proposed in this NPRM absent updates to the plan documents The result of a transition period for updating plan documents would be merely to delay compliance with the changed Security Rule requirements and therefore delay improvements to their cybersecurity posture not to reduce costs Accordingly we are not proposing such transition provisions in this NPRMpp
The Department has examined the economic implications of this proposed rule as required by the RFA If a rule has a significant economic impact on a substantial number of small entities the RFA requires agencies to analyze regulatory options that would reduce the economic effect of the rule on small entities As discussed in greater detail below this analysis concludes and the Secretary proposes to certify that the proposed rule if finalized would not
print page 1007
result in a significant economic effect on a substantial number of small entities
pp
For purposes of the RFA small entities include small businesses nonprofit organizations and small governmental jurisdictions The Act defines small entities as 1 a proprietary firm meeting the size standards of the SBA 2 a nonprofit organization that is not dominant in its field and 3 a small government jurisdiction of less than 50000 population The Department has determined that roughly 90 percent or more of all health care providers meet the SBA size standard for a small business as shown in table 4 or are a nonprofit organization Therefore the Department estimates that there would be 740348 small entities affected by the proposals in this proposed rule999
The SBA size standard for health care providers ranges between a maximum of 9 million and 47 million in annual receipts depending upon the type of entity as shown in table 4 above1000
pp
With respect to health insurers the SBA size standard is a maximum of 47 million in annual receipts and for pharmacy benefits and clearinghouses it is 455 million1001
While some insurers are classified as nonprofit it is possible they are dominant in their market For example a number of Blue CrossBlue Shield insurers are organized as nonprofit entities and yet they dominate the health insurance market in the States where they are licensed1002
pp
With respect to business associates they provide a wide range of services for covered entities including computer infrastructure clearinghouse activities leased office equipment and professional services such as legal accounting business planning and marketing The SBA size thresholds for these industries ranges from 155 million for lawyers to 47 million for clearinghouses1003
pp
For the reasons stated below the Department does not expect that the cost of compliance would be significant for small entities Nor does the Department expect that the cost of compliance would fall disproportionately on small entities Although many of the regulated entities affected by the proposals in this proposed rule are small entities they would not bear a disproportionate cost burden compared to the other entities subject to the rule The projected total costs are discussed in detail in the RIA The Department does not view this as a substantial burden because the result of the changes would be annualized costs per regulated entity of approximately 1235 23 billion 1004
1822600 regulated entities The perentity costs represent the costs per establishment As a result smaller entities costs are lower because they have fewer establishments Larger regulated entities
ie
firms that have multiple facilities
ie
establishments would experience higher costs than the average cost per establishment because each firm would need to apply the proposals to all of their establishments In the context of the RFA HHS generally considers an economic impact exceeding 3 percent of annual revenue to be significant and 5 percent or more of the affected small entities within an identified industry to represent a substantial number
pp
More than 5 percent of the small covered entities listed under the NAICS codes in table 4 are oneestablishment firms with fewer than five employees1005
so the analysis must determine how the effects of the quantified costs on oneestablishment firms compare to their revenues As explained above the cost for a oneestablishment firm is 1235 so only small firms whose revenues are below 41167 1235003 would experience an effect exceeding 3 percent
ppAmong the NAICS codes for health care providers the small firms with the lowest revenues are oneestablishment HMO Health Maintenance Organization Medical Centers NAICS 621491 with fewer than five employees which had an estimated average yearly revenue in 2021 of 108000 Residential Intellectual and Developmental Disability Facilities NAICS 623210 had the second lowest revenues for oneestablishment firms with fewer than five employees with 180000 Offices of Mental Health Practitioners NAICS 621330 have the third lowest revenues for oneestablishment firms with fewer than five employees with 189000 Thus the Department believes that almost all regulated entities have annual revenues that exceed these amountsppThe Department acknowledges that there may be very small firmsnamely firms without employeeswhose revenues are below 41167 We believe that such firms would comply with the regulation by purchasing services from software and webhosting companies whose costs may increase as a result of the proposed changes Such software and webhosting companies would be business associates and thus costs to them are already accounted for We believe that to the extent that these business associates decide to recover their minor cost increases by raising the prices of the services sold to nonemployer firms these incremental costs passed through to their smallfirm customers would be negligible because they will be spread among many nonemployer firmspp
The Department has separately analyzed the effects of the NPRM on health plan sponsors and does not view the projected costs as a significant burden because the proposed changes would result in annualized costs per plan sponsor of approximately 6133 4552995816742411 health plan sponsors The quantified impact of 6133 per health plan sponsor would only apply to those sponsors whose annual revenue is 204433 or less1006
The Department believes there are few if any group health plan sponsors with annual revenues below this amount because the average revenue of a US business with 14 employees is 387000 1007
and employers with 01 employees are unlikely to sponsor a group health plan
pp
Accordingly the Department believes that this proposed rule if adopted would be unlikely to affect a substantial
print page 1008
number of small entities that meet the RFA threshold Thus this analysis concludes and the Secretary proposes to certify that the NPRM would not result in a significant economic effect on a substantial number of small entities
pp
HIPAA requires the Department to consider the needs and capabilities of small and rural health care providers1008
As we explained in our 2003 analysis of the effect of the Security Rule on small and rural health care providers the scalability provisions preclude the need to precisely define those categories1009
We have long considered the effect of our rules on small businesses in the Small Entity Analysis discussed above However because of the breadth of changes proposed in this NPRM the Department has considered more closely how it would affect rural health care providers There are approximately 2000 rural hospitals1010
comprising nearly 30 percent of all hospitals 205774651011
and the Department estimates approximately 7 to 8 percent of all health care providers operate in rural areas counties or micropolitan areas with fewer than 50000 inhabitants See Regulated Entities Affected in Section VA2 Baseline Conditions above
pp
Because rural health care providers are more likely to be small businesses they would be affected in a manner similar to small entities as demonstrated in the Small Entity Analysis above Likewise to the extent that Tribal health care providers are in rural areas which many are1012
our analysis of the effects on rural health care providers generally also applies However Tribal health providers have the benefit of access to centralized supportive services for health IT and EHR adoption which other rural providers may lack1013
A primary barrier to both adoption of health information technology health IT and deployment of cybersecurity safeguards in rural communities is limited access to highspeed internet Rural health care providers such as hospitals have adopted EHRs at a lower rate than nonrural hospitals1014
and thus may also have fewer electronic information systems that are subject to the Security Rule requirements which could ease some burdens of compliance However as EHR adoption has increased in rural hospitals1015
so too have the risks of cybersecurity attacks1016
Rural health care providers are more likely to have limited resources to update legacy information technology IT systems implement new or changed regulatory requirements and respond to large breaches Additionally the health IT workforce is more limited in rural areas which may affect the ability of rural health care providers to access inperson technical assistance Because most rural hospitals are located more than 35 miles from another hospital responding to cyberattacks may be more challenging1017
We request comment on the burdens these proposals would impose on rural health care providers including rural hospitals
pp
Rural health care providers and other regulated entities can avail themselves of grants and incentives to improve broadband access and adoption of health IT1018
For cybersecurity in particular the White House in partnership with private companies announced the availability of direct assistance to rural health care providers on cybersecurity in the form of grants discounts and technical advice1019
Additionally CISA has compiled a list of free services and tools available to regulated entities from private and public sector entities CISA also has published in partnership with the Joint Cyber Defense Collaborative a list of cybersecurity resources especially focused on highrisk communities1020
And the Advanced Research Projects Agency for Health announced plans to invest 50 million to develop an autonomous solution for addressing cyberthreats to assist hospitals in defending their information systems1021
pp
Cybersecurity is as essential for small and rural health care providers and their business associates as it is for large and urban regulated entities The seamless flow of data and increased connectivity means that threats to one health care provider do not affect only that one health care provider regardless of size or location The effects on patient care may be greater in rural environments where fewer alternatives exist if care is delayed or denied as a result of a cyberattack or malfunction1022
As discussed in the preamble the factors described at 45 CFR 164306b2 provide the flexibility for small and rural providers in particular to adopt security measures that are reasonable and appropriate for their circumstances
pp
As required by EO 13132 on Federalism1023
the Department has examined the provisions in the proposed regulation for their effects on the relationship between the Federal Government and the States EO 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule and subsequent final rule that imposes substantial direct requirement costs on State and local governments preempts State law or otherwise has federalism implications In the Departments view the proposed rule would not have any federalism implications
pp
The federalism implications of the Security Rule were also assessed as required by EO 13132 and published as part of the preambles to the final rules on February 20 2003 1024
and January
print page 1009
25 20131025
Regarding preemption HIPAA dictates the relationship between State law and HIPAA regulatory requirements1026
The Health Information Technology for Economic and Clinical Health Act of 2009 HITECH Act provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements1027
As explained by the House report that accompanied the American Recovery and Reinvestment Act of 2009 the HITECH Act would not only apply HIPAAs preemption provisions to the HITECH Act requirements but it would also preserve the HIPAA privacy and security standards to the extent that they are consistent with the HITECH Act1028
pp
A requirement standard or implementation specification adopted in accordance with HIPAA and the HIPAA Rules supersedes any contrary provision of State law subject to certain exceptions1029
Specifically State law would be preempted under the Security Rule only when 1 a regulated entity finds it impossible to comply with both State and Federal requirements or 2 the provision of State law stands as an obstacle to accomplishing and executing the purposes and objectives of the Administrative Simplification provisions or the HITECH Act1030
Although a few States
eg
California and New York have promulgated or are in the process of promulgating regulations pertaining to cybersecurity in health care that may be more stringent than the Security Rule the Department believes that a regulated entity could comply with both sets of requirements by adhering to the more stringent standard Thus in such cases the State law would not be an obstacle to the accomplishment and execution of HIPAA or the HITECH Act
ppThe proposed modifications to the Security Rule would further the Congressional intent to improve the Medicare and Medicaid programs by the development of health information systems that are private and secure The Departments proposals promote the safety efficiency and effectiveness of the health care system by refining the security standards established by Congress and implemented in the 2003 and 2013 Final Rules The statute contemplated that the security measures adopted by all regulated entities including State and local governments would evolve over time in accordance with the security risks they face and the NPRM proposals are in the nature of enhancing these existing requirements Thus the Department does not believe that the rule would impose substantial direct compliance costs on State and local governments that are not required by statuteppThe Department anticipates that the most significant direct costs on State and local governments would be for conducting a Security Rule compliance audit notifying covered entities or business associates as applicable upon activation of a contingency plan notifying covered entities of changes or termination of workforce members access to ePHI deploying MFA removing extraneous software and penetration testing providing or obtaining verification of business associates compliance with technical safeguards updating health plan documents updating policies and procedures and updating workforce training However the costs involved can be attributed to the statutory requirements of the Administrative Simplification provisions of HIPAA and would be similar in kind to those borne by nongovernmentoperated regulated entities which the proposed RIA above addresses in detailppIn considering the principles in and requirements of EO 13132 the Department believes that these proposed modifications to the Security Rule would not significantly affect the rights roles and responsibilities of the States and requests comment on this analysispp
Section 654 of the Treasury and General Government Appropriations Act of 1999 1031
requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family wellbeing If the determination is affirmative then the Department or agency must prepare an impact assessment to address criteria specified in the law This proposed rule is expected to strengthen family wellbeing because it would ensure a baseline of security measures for individuals PHI and medical information and decisions based on that information are at the heart of family decision making If finalized the provisions in this proposed rule may be carried out only by the Federal Government because it would modify Federal law on cybersecurity in health care ensuring that American families have confidence that the privacy of their PHI is secured by consistent safeguards regardless of the State where they are located when health care is provided Such health care privacy and is vital for individuals who seek or access health care
pp
Under the PRA1032
agencies are required to submit to OMB for review and approval any reporting or recordkeeping requirements inherent in a proposed or final rule and are required to publish such proposed requirements for public comment To fairly evaluate whether an information collection should be approved by the OMB section 3506c2A of the PRA requires that the Department solicit comment on the following issues
pp1 Whether the information collection is necessary and useful to carry out the proper functions of the agencypp2 The accuracy of the agencys estimate of the information collection burdenpp3 The quality utility and clarity of the information to be collectedpp4 Recommendations to minimize the information collection burden on the affected public including automated collection techniquesppThe PRA requires consideration of the time effort and financial resources necessary to meet the information collection requirements referenced in this section The Department solicits public comments on its assumptions and burden estimates in this NPRM as summarized belowpp
In this RIA the Department proposes to revise certain information collection requirements associated with this NPRM and as such would revise the information collection last prepared in 2024 and approved under OMB control 094500031033
The proposed revisions to the information collection describe all new and adjusted information
print page 1010
collection requirements for regulated entities pursuant to the implementing regulation for HIPAA at 45 CFR parts 160 and 164 the HIPAA Privacy Security Breach Notification and Enforcement Rules HIPAA Rules
ppThe estimated annual labor burden presented by the regulatory modifications is 77067552 burden hours at a firstyear cost of 9314106174 These figures respectively represent the sum of 37781637 new burden hours at a cost of 4655324954 for compliance by regulated entities and 39285915 new burden hours at a cost of 4658781219 for compliance by health plan sponsorspp
The overall total burden for respondents to comply with the information collection requirements of all of the HIPAA Privacy Security and Breach Notification Rules including new burdens presented by proposed program changes is estimated to be 925144023 burden hours at a cost of 109085104674 plus 163499411 in capital costs for a total estimated annual burden of 109248604085 after the effective date of the final rule This estimate is based on a total of 1202562864 responses for a total of 2565011 respondents The total burden for the HIPAA Rules including the changes proposed in this NPRM would result in a decrease of 28838213 burden hours and a cost increase of 1911898144 in comparison to the baseline in the ICR associated with the 2024 Privacy Rule to Support Reproductive Health Care Privacy1034
This is the result of multiples changes such as decreasing burden hours for some existing requirements increasing the estimated number of covered entities adding new Security Rule requirements and expanding the pool of respondents for the Security Rule by adding requirements for health plan sponsors
ppDetails describing the burden analysis for the proposals associated with this RIA are presented below and explained further in the ICR associated with the NPRMppBelow is a summary of the significant program changes and adjustments proposed since the approved 2024 ICR because the ICR addresses regulatory burdens associated with the full suite of HIPAA Rules the changes and adjustments include updated data and estimates for some provisions of the HIPAA Rules that are not affected by this proposed rule These program changes and adjustments form the bases for the burden estimates presented in the ICR associated with this NPRMpp1 Updating the number of covered entitiespp2 Updating hourly wage ratespp3 Adjusting downward the number of estimated requests for an exception to Federal preemption of State law to the prior baseline of 1 request per yearpp4 Adjusting downward the estimated hourly burden for regulated entities to report security incidents not breaches from 20 hours per monthly report to 10 hours per monthly reportpp5 Updating the number of research disclosuresppIn addition to the adjustments above the Department proposes to add new annual estimated burdens as a result of program changes as followspp1 A burden of 2 hours for each regulated entity to conduct a Security Rule compliance auditpp2 A burden of 2 hours for each business associate including each subcontractor to provide verification of compliance with technical safeguardspp3 A burden of 5 hours for each covered entity to obtain verification of business associates compliance with technical safeguardspp4 A burden of 083 hours for each business associate to obtain verification of subcontractors compliance with technical safeguardspp5 A burden of 1 hour for each regulated entity to provide notification to other regulated entities of workforce members termination of access to ePHIpp6 A burden of 15 hours for each regulated entity to deploy MFApp7 A burden of 45 hours for each regulated entity to perform network segmentationpp8 A burden of 5 hours for approximately 7656 percent of regulated entities to disable unused ports and remove extraneous softwarepp9 A burden of 3 hours for each regulated entity to conduct penetration testingpp10 A burden of 5 hours for each regulated entity to notify covered entities or business associates as applicable upon activation of a contingency planpp11 A burden of 5 hours for each insurer and thirdparty administrator to update health plan documentspp12 A burden of 2 hours for each regulated entity to update the content of its cybersecurity awareness and Security Rule training programpp13 A burden of 35 hours for each regulated entity to update its policies and procedurespp14 A burden of 1 hour for each regulated entity to update business associate agreementspp15 A burden of 5292 hours for each health plan sponsor to modify safeguards for its relevant electronic information systems to meet Security Rule standardsppFor the reasons stated in the preamble the Department of Health and Human Services proposes to amend 45 CFR subtitle A subchapter C parts 160 and 164 as set forth belowpp1 The authority citation for part 160 continues to read as follows pp
Authority
42 USC 1302a 42 USC 1320d1320d9 sec 264 Pub L 104191 110 Stat 20332034 42 USC 1320d2 note 5 USC 552 secs 1340013424 Pub L 1115 123 Stat 258279 and sec 1104 of Pub L 111148 124 Stat 146154
pp2 Amend 160103 by revising the definition of Electronic media to read as follows pp
Electronic media
means
pp
1 Electronic storage material on which data may be recorded maintained or processed This includes but is not limited to hard drives
print page 1011
removable media magnetic tape optical disk and any other form of digital memory or storage
pp2 Transmission media used to exchange information already in electronic storage material Transmission media includes but is not limited to the internet extranet or intranet leased lines dialup lines private and public networks and the physical movement of removabletransportable electronic storage materialpp1 The authority citation for part 164 continues to read as follows pp
Authority
42 USC 1302a 42 USC 1320d1320d9 sec 264 Pub L 104191 110 Stat 20332034 42 USC 1320d2note and secs 1340013424 Pub L 1115 123 Stat 258279
pp2 Revise and republish subpart C to read as follows ppAppendix A to Subpart C of Part 164Security Standards Matrixpp
Authority
42 USC 1320d2 and 1320d4 42 USC 17931
ppA covered entity or business associate must comply with the applicable standards implementation specifications and requirements of this subpart with respect to electronic protected health information of a covered entityppAs used in this subpart the following terms have the following meaningspp
Access
means the ability or the means necessary to read write modify delete transmit or communicate datainformation or otherwise use any component of an information system This definition applies to access as used in this subpart not as used in subpart D or E of this part
pp
Administrative safeguards
are administrative actions and related policies and procedures to manage the selection development implementation and maintenance including updating and modifying of security measures to protect electronic protected health information and to manage the conduct of the covered entitys or business associates workforce in relation to the protection of that information
pp
Authentication
means the corroboration that a person or technology asset is the one they are claiming to be
pp
Availability
means the property that data or information is accessible and useable upon demand by an authorized person or technology asset
pp
Confidentiality
means the property that data or information is not made available or disclosed to unauthorized persons technology assets or processes
pp
Deploy
means to configure technology for use and implement such technology
pp
Electronic information system
means interconnected set of electronic information resources under the same direct management control that shares common functionality An electronic information system generally includes technology assets such as hardware software electronic media information and data
pp
Encryption
means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
pp
Facility
means the physical premises and the interior and exterior of a buildings
pp
Implement
means to put into effect and be in use operational and function as expected throughout the covered entity or business associate
pp
Information system
means an interconnected set of information resources under the same direct management control that shares common functionality An information system generally includes hardware software information data communications and people
pp
Integrity
means the property that data or information have not been altered or destroyed in an unauthorized manner
pp
Malicious software
means software or firmware intended to perform an unauthorized action or activity that will have adverse impact on an electronic information system andor the confidentiality integrity or availability of electronic protected health information Examples include but are not limited to viruses worms Trojan horses spyware and some forms of adware
pp
Multifactor authentication
means authentication of the users identity through verification of at least two of the following three categories
pp1 Information known by the user including but not limited to a password or personal identification number PINpp2 Item possessed by the user including but not limited to a token or a smart identification cardpp3 Personal characteristic of the user including but not limited to fingerprint facial recognition gait typing cadence or other biometric or behavioral characteristicspp
Password
means confidential authentication information composed of a string of characters such as letters numbers spaces and other symbols
pp
Physical safeguards
are physical measures and related policies and procedures to protect a covered entitys or business associates relevant electronic information systems and related facilities and equipment from natural and environmental hazards and unauthorized intrusion
pp
Relevant electronic information system
means an electronic information system that creates receives maintains or transmits electronic protected health information or that otherwise affects the confidentiality integrity or availability of electronic protected health information
pp
Risk
means the extent to which the confidentiality integrity or availability of electronic protected health information is threatened by a potential circumstance or event
pp
Security
or
security measures
encompass all of the administrative physical and technical safeguards in or applied to an information system
pp
Security incident
means any of the following
pp1 The attempted or successful unauthorized access use disclosure modification or destruction of information in an information systempp2 The attempted or successful unauthorized interference with system operations in an information systempp
Technical controls
means the technical mechanisms contained in the hardware software or firmware components of an electronic information system that are primarily implemented and executed by the electronic information system to protect the information system and data therein
pp
Technical safeguards
means the technology technical controls and related policies and procedures governing the use of the technology that protects and controls access to electronic protected health information
pp
Technology asset
means the components of an electronic information system including but not
print page 1012
limited to hardware software electronic media information and data
pp
Threat
means any circumstance or event with the potential to adversely affect the confidentiality integrity or availability of electronic protected health information
pp
User
means a person with authorized access
pp
Vulnerability
means a flaw or weakness in an information system information system security procedures design implementation or technical controls that could be intentionally exploited or accidentally triggered by a threat
pp
Workstation
means an electronic computing device and electronic media stored in its immediate environment Workstation includes but is not limited to the following types of devices a server desktop computer laptop computer virtual device and mobile device such as a smart phone or tablet
pp
a
General requirements
Each covered entity and business associate must do the following with respect to all electronic protected health information it creates receives maintains or transmits
pp1 Ensure the confidentiality integrity and availability of the electronic protected health informationpp2 Protect against any reasonably anticipated threats or hazards to the confidentiality integrity or availability of the electronic protected health informationpp3 Protect against any reasonably anticipated uses or disclosures of the electronic protected health information that are not permitted or required under subpart E of this partpp4 Ensure compliance by its workforce with this subpart and all administrative physical and technical safeguards implemented in accordance with this subpartpp
b
Flexibility of approach
1 Covered entities and business associates may use any reasonable and appropriate security measures that allow the covered entity or business associate to implement the standards and implementation specifications as specified in this subpart
pp2 In deciding which security measures to use a covered entity or business associate must take into account all of the following factorsppi The size complexity and capabilities of the covered entity or business associateppii The covered entitys or the business associates technical infrastructure hardware and software security capabilitiesppiii The costs of security measuresppiv The probability and criticality of potential risks to electronic protected health informationppv The effectiveness of the security measure in supporting the resiliency of the covered entity or business associatepp
c
Standards and implementation specifications
A covered entity or business associate must comply with the applicable standards including their implementation specifications as provided in this subpart
ppa A covered entity or business associate must in accordance with 164306 and 164316 implement all of the following administrative safeguards to protect the confidentiality integrity and availability of all electronic protected health information that it creates receives maintains or transmitspp
1
Standard Technology asset inventory
i
General
Conduct and maintain an accurate and thorough written inventory and a network map of the covered entitys or business associates electronic information systems and all technology assets that may affect the confidentiality integrity or availability of electronic protected health information
pp
ii
Implementation specifications
A
Inventory
Develop a written inventory of the covered entitys or business associates technology assets that contains the identification version person accountable and location of each technology asset
pp
B
Network map
Develop a network map that illustrates the movement of electronic protected health information throughout the covered entitys or business associates electronic information systems including but not limited to how electronic protected health information enters and exits such information systems and is accessed from outside of such information systems
pp
C
Maintenance
Review and update the written inventory of technology assets required by paragraph a1iiA of this section and the network map required by paragraph a1iiB of this section in the following circumstances
pp
1 On an ongoing basis but at least once every 12 months
pp
2 When there is a change in the covered entitys or business associates environment or operations that may affect electronic protected health information including but not limited to the adoption of new technology assets the upgrading updating or patching of technology assets newly recognized threats to the confidentiality integrity or availability of electronic protected health information a sale transfer merger or consolidation of all or part of the covered entity or business associate with another person a security incident that affects the confidentiality integrity and availability of electronic protected health information and relevant changes in Federal State Tribal or territorial law
pp
2
Standard Risk analysis
i
General
Conduct an accurate and comprehensive written assessment of the potential risks and vulnerabilities to the confidentiality integrity and availability of all electronic protected health information created received maintained or transmitted by the covered entity or business associate
pp
ii
Implementation specifications
A
Assessment
The written assessment must include at a minimum all of the following
pp
1 A review of the technology asset inventory required by paragraph a1iiA of this section and the network map required by paragraph a1iiB of this section to identify where electronic protected health information may be created received maintained or transmitted within the covered entitys or business associates electronic information systems
pp
2 Identification of all reasonably anticipated threats to the confidentiality integrity and availability of electronic protected health information that the covered entity or business associate creates receives maintains or transmits
pp
3 Identification of potential vulnerabilities and predisposing conditions to the covered entitys or business associates relevant electronic information systems
pp
4 An assessment and documentation of the security measures the covered entity or business associate uses to ensure the confidentiality integrity and availability of the electronic protected health information created received maintained or transmitted by the covered entity or business associate
pp
5 A reasonable determination of the likelihood that each threat identified in accordance with paragraph a2iiA
2 of this section will exploit the vulnerabilities identified in accordance with paragraph a2iiA
3 of this section
pp
6 A reasonable determination of the potential impact of each threat identified in accordance with paragraph a2iiA
2 of this section successfully exploiting the vulnerabilities identified in accordance with paragraph a2iiA
3 of this section
print page 1013
pp
7 An assessment of risk level for each threat identified in accordance with paragraph a2iiA
2 of this section and vulnerability identified in accordance with paragraph a2iiA
3 of this section based on the determinations made in accordance with paragraphs a2iiA
5 and
6 of this section
pp
8 An assessment of the risks to electronic protected health information posed by entering into or continuing a business associate contract or other written arrangement with any prospective or current business associate respectively based on the written verification obtained from the prospective or current business associate in accordance with paragraph b1 of this section
pp
B
Maintenance
Review verify and update the written assessment on an ongoing basis but at least once every 12 months and in accordance with paragraph a1iiC
2 of this section in response to a change in the covered entitys or business associates environment or operations that may affect electronic protected health information
pp
3
Standard Evaluation
i
General
Perform a written technical and nontechnical evaluation to determine whether a change in the covered entitys or business associates environment or operations may affect the confidentiality integrity or availability of electronic protected health information
pp
ii
Implementation specifications
A
Performance
Perform a written technical and nontechnical evaluation within a reasonable period of time before making a change in the covered entitys or business associates environment or operations as described in paragraph a1iiC
2 of this section
pp
B
Response
Respond to the written technical and nontechnical evaluation in accordance with the covered entitys or business associates risk management plan required by paragraph a5iiA of this section
pp
4
Standard Patch management
i
General
Implement written policies and procedures for applying patches and updating the configurations of the covered entitys or business associates relevant electronic information systems
pp
ii
Implementation specifications
A
Policies and procedures
Establish written policies and procedures for identifying prioritizing acquiring installing evaluating and verifying the timely installation of patches updates and upgrades throughout the covered entitys or business associates relevant electronic information systems
pp
B
Maintenance
Review and test written policies and procedures required by paragraph a4iiA of this section at least once every 12 months and modify such policies and procedures as reasonable and appropriate
pp
C
Application
Patch update and upgrade the configurations of relevant electronic information systems in accordance with the written policies and procedures required by paragraph a4iiA of this section and based on the results of the covered entitys or business associates risk analysis required by paragraph a2 of this section the vulnerability scans required by 164312h2i the monitoring of authoritative sources required by 164312h2ii and penetration tests required by 164312h2iii within a reasonable and appropriate period of time as follows except to the extent that an exception at paragraph a4iiD of this section applies
pp
1 Within 15 calendar days of identifying the need to patch update or upgrade the configuration of a relevant electronic information system to address a critical risk in accordance with this paragraph a4iiC where a patch update or upgrade is available or where a patch update or upgrade is not available within 15 calendar days of a patch update or upgrade becoming available
pp
2 Within 30 calendar days of identifying the need to patch update or upgrade the configuration of a relevant electronic information system to address a high risk in accordance with this paragraph a4iiC where a patch update or upgrade is available or where a patch update or upgrade is not available within 30 calendar days of a patch update or upgrade becoming available
pp
3 As determined by and documented in the covered entitys or business associates policies and procedures under paragraph a4iiA of this section for all other patches updates and upgrades to the configuration of a relevant electronic information system
pp
D
Exceptions
This paragraph a4iiD applies only to the extent that a covered entity or business associate documents that an exception in this paragraph a4iiD applies and that all other applicable conditions are met
pp
1 A patch update or upgrade to the configuration of a relevant electronic information system is not available to address a risk identified in the risk analysis under paragraph a2 of this section
pp
2 The only available patch update or upgrade would adversely affect the confidentiality integrity or availability of electronic protected health information
pp
E
Alternative measures
Where an exception at paragraph a4iiD of this section applies a covered entity or business associate must document in realtime the existence of an applicable exception and implement reasonable and appropriate compensating controls in accordance with paragraph a4iiF of this section
pp
F
Compensating controls
To the extent that a covered entity or business associate determines that an exception at paragraph a4iiD of this section applies a covered entity or business associate must implement reasonable and appropriate security measures to address the identified risk in a timely manner as required by paragraph a5iiD of this section until a patch update or upgrade that does not adversely affect the confidentiality integrity or availability of electronic protected health information becomes available
pp
5
Standard Risk management
i
General
Implement security measures sufficient to reduce risks and vulnerabilities to all electronic protected health information to a reasonable and appropriate level
pp
ii
Implementation specifications
A
Planning
Establish and implement a written risk management plan for reducing risks to all electronic protected health information including but not limited to those risks identified by the risk analysis under paragraph a2iiA of this section to a reasonable and appropriate level
pp
B
Maintenance
Review the written risk management plan required by paragraph a5iiA of this section at least once every 12 months and as reasonable and appropriate in response to changes in the risk analysis made in accordance with paragraph a2iiB of this section and modify as reasonable and appropriate
pp
C
Priorities
The written risk management plan must prioritize the risks identified in the risk analysis required by paragraph a2iiA of this section based on the risk levels determined by such risk analysis
pp
D
Implementation
Implement security measures in a timely manner to address the risks identified in the covered entitys or business associates risk analysis in accordance with the priorities established under paragraph a5iiC of this section
pp
6
Standard Sanction policy
i
General
Apply appropriate sanctions against workforce members who fail to comply with the security policies and
print page 1014
procedures of the covered entity or business associate
pp
ii
Implementation specifications
A
Policies and procedures
Establish written policies and procedures for sanctioning workforce members who fail to comply with the security policies and procedures of the covered entity or business associate
pp
B
Modifications
Review written sanctions policies and procedures at least once every 12 months and modify as reasonable and appropriate
pp
C
Application
Apply and document appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate in accordance with the written policies and procedures for sanctioning workforce members required by paragraph a6iiA of this section
pp
7
Standard Information system activity review
i
General
Implement written policies and procedures for regularly reviewing records of activity in the covered entitys or business associates relevant electronic information systems
pp
ii
Implementation specifications
A
Policies and procedures
Establish written policies and procedures for retaining and reviewing records of activity in the covered entitys or business associates relevant electronic information systems by persons and technology assets including the frequency for reviewing such records
pp
B
Scope
Records of activity in the covered entitys or business associates relevant electronic information systems by persons andor technology assets include but are not limited to audit trails event logs firewall logs system logs data backup logs access reports antimalware logs and security incident tracking reports
pp
C
Record review
Review records of activity in a covered entitys or business associates relevant electronic information systems by persons and technology assets as often as reasonable and appropriate for the type of report or log and document such review
pp
D
Record retention
Retain records of activity in the covered entitys or business associates relevant electronic information systems by persons and technology assets for a period of time that is reasonable and appropriate for the type of report or log
pp
E
Response
Where a suspected or known security incident is identified during the review required by paragraph a7iiC of this section respond in accordance with the covered entitys or business associates security incident response plan required by paragraph a12iiA
1 of this section
pp
F
Maintenance
Review and test the written policies and procedures required by paragraph a7iiA of this section at least once every 12 months and modify as reasonable and appropriate
pp
8
Standard Assigned security responsibility
In writing identify the security official who is responsible for the development and implementation of the policies and procedures written or otherwise and deployment of technical controls required by this subpart for the covered entity or business associate
pp
9
Standard Workforce security
i
General
Implement written policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and relevant electronic information systems and to prevent those workforce members who are not authorized to have access from obtaining access to electronic protected health information and relevant electronic information systems
pp
ii
Implementation specifications
A
Authorization andor supervision
Establish and implement written procedures for the authorization andor supervision of workforce members who access electronic protected health information or relevant electronic information systems or who work in facilities where electronic protected health information or relevant electronic information systems might be accessed
pp
B
Workforce clearance procedure
Establish and implement written procedures to determine that the access of a workforce member to electronic protected health information or relevant electronic information systems is appropriate in accordance with paragraph a10iiB of this section
pp
C
Modification and termination procedures
1 Establish and implement written procedures in accordance with paragraph a9iiC
2 of this section to terminate a workforce members access to electronic protected health information and relevant electronic information systems and to facilities where electronic protected health information or relevant electronic information systems might be accessed
pp
2 A workforce members access must be terminated as soon as possible but no later than one hour after the employment of or other arrangement with a workforce member ends
pp
D
Notification
1 Establish and implement written procedures in accordance with paragraph a9iiD
2 of this section to notify another covered entity or business associate of a change in or termination of access where the workforce member is or was authorized to access such electronic protected health information or relevant electronic information systems by the covered entity or business associate making the notification
pp
2 Notification must occur as soon as possible but no later than 24 hours after a change in or termination of a workforce members authorization to access electronic protected health information or relevant electronic information systems maintained by such other covered entity or business associate
pp
E
Maintenance
Review and test written policies and procedures required under paragraph a9iiA through D of this section at least once every 12 months and modify as reasonable and appropriate
pp
10
Standard Information access management
i
General
Establish and implement written policies and procedures for authorizing access to electronic protected health information and relevant electronic information systems that are consistent with the applicable requirements of subpart E of this part
pp
ii
Implementation specifications
A
Isolating health care clearinghouse functions
If a health care clearinghouse is part of a larger organization the clearinghouse must establish and implement written policies and procedures that protect the electronic protected health information and relevant electronic information systems of the clearinghouse from unauthorized access by the larger organization
pp
B
Access authorization
Establish and implement written policies and procedures for granting and revising access to electronic protected health information and relevant electronic information systems as necessary and appropriate for each prospective user and technology asset to carry out their assigned functions
pp
C
Authentication management
Establish and implement written policies and procedures for verifying the identities of users and technology assets prior to accessing the covered entitys or business associates relevant electronic information systems including written policies and procedures for implementing multifactor authentication technical controls required by 164312f2ii through v
pp
D
Access determination and modification
Establish and implement written policies and procedures that based upon the covered entitys or the business associates access authorization policies determine document review and modify the access of each user and technology asset to specific components
print page 1015
of the covered entitys or business associates relevant electronic information systems
pp
E
Network segmentation
Establish and implement written policies and procedures that ensure that a covered entitys or business associates relevant electronic information systems are segmented to limit access to electronic protected health information to authorized workstations
pp
F
Maintenance
Review and test the written policies and procedures required by this paragraph a10ii at least once every 12 months and modify as reasonable and appropriate
pp
11
Standard Security awareness training
i
General
Implement security awareness training for all workforce members on protection of electronic protected health information and information systems as necessary and appropriate for the members of the workforce to carry out their assigned functions
pp
ii
Implementation specifications
A
Training
A covered entity or business associate must develop and implement security awareness training for all workforce members that addresses all of the following
pp
1 The written policies and procedures with respect to electronic protected health information required by this subpart as necessary and appropriate for the workforce members to carry out their assigned functions
pp
2 Guarding against detecting and reporting suspected or known security incidents including but not limited to malicious software and social engineering
pp
3 The written policies and procedures for accessing the covered entitys or business associates relevant electronic information systems including but not limited to safeguarding passwords setting unique passwords of sufficient strength to ensure the confidentiality integrity and availability of electronic protected health information and limitations on sharing passwords
pp
B
Timing
A covered entity or business associate must provide security awareness training as follows
pp
1 As required by paragraph a11iiA of this section to each member of its workforce by no later than the compliance date and at least once every 12 months thereafter
pp
2 As required by paragraph a11iiA of this section to each new member of its workforce within a reasonable period of time but no later than 30 days after the person first has access to the covered entitys or business associates relevant electronic information systems
pp
3 On a material change to the policies or procedures required by this subpart to each member of its workforce whose functions are affected by such change within a reasonable period of time but no later than 30 days after the material change occurs
pp
C
Ongoing education
A covered entity or business associate must provide its workforce members ongoing reminders of their security responsibilities and notifications of relevant threats including but not limited to new and emerging malicious software and social engineering
pp
D
Documentation
A covered entity or business associate must document that the training required by paragraph a11iiA of this section and ongoing reminders required by paragraph a11iiC of this section have been provided
pp
12
Standard Security incident procedures
i
General
Implement written policies and procedures to respond to security incidents
pp
ii
Implementation specifications
A
Planning and testing
1 Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the covered entity or business associate will respond to suspected or known security incidents in accordance with paragraph a12iiB of this section
pp
2 Implement written procedures for testing and revising security incident response plans required by paragraph a12iiA
1 of this section
pp
3 Review and test security incident response plans and procedures required by paragraph a12iiA
1 of this section at least once every 12 months document the results of such tests and modify security incident response plans and procedures as reasonable and appropriate
pp
B
Response
1 Identify and respond to suspected or known security incidents
pp
2 Mitigate to the extent practicable harmful effects of security incidents that are suspected or known to the covered entity or business associate
pp
3 Identify and remediate to the extent practicable the root causes of security incidents that are suspected or known to the covered entity or business associate
pp
4 Eradicate the security incidents that are suspected or known to the covered entity or business associate
pp
5 For suspected and known security incidents develop and maintain documentation of investigations analyses mitigation and remediation
pp
13
Standard Contingency plan
i
General
Establish and implement as needed a written contingency plan consisting of written policies and procedures for responding to an emergency or other occurrenceincluding but not limited to fire vandalism system failure natural disaster or security incidentthat adversely affects relevant electronic information systems
pp
ii
Implementation specifications
A
Criticality analysis
Perform and document an assessment of the relative criticality of the covered entitys or business associates relevant electronic information systems and technology assets in its relevant electronic information systems
pp
B
Data backups
Establish and implement written procedures to create and maintain exact retrievable copies of electronic protected health information including verification that the electronic protected health information has been copied accurately
pp
C
Information systems backups
Establish and implement written procedures to create and maintain backups of the covered entitys or business associates relevant electronic information systems including verification of success of backups
pp
D
Disaster recovery plan
1 Establish and implement as needed written procedures to restore loss of the covered entitys or business associates critical relevant electronic information systems and data within 72 hours of the loss
pp
2 Establish and implement as needed written procedures to restore loss of the covered entitys or business associates other relevant electronic information systems and data in accordance with the criticality analysis required by paragraph a13iiA of this section
pp
E
Emergency mode operation plan
Establish and implement as needed written procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode
pp
F
Testing and revision procedures
1 Establish written procedures for testing and revising contingency plans as required by this paragraph a13 in accordance with paragraph a13iiF
2 of this section
pp
2 Review and test contingency plans required by this paragraph a13 at least once every 12 months document the results of such tests and modify such contingency plans as reasonable and appropriate in accordance with the results of those tests
print page 1016
pp
14
Standard Compliance audit
Perform and document an audit at least once every 12 months of the covered entitys or business associates compliance with each standard and implementation specification in this subpart
pp
b1
Standard Business associate contracts and other arrangements
iA A covered entity may permit a business associate to create receive maintain or transmit electronic protected health information on the covered entitys behalf only if the covered entity obtains satisfactory assurances in accordance with 164314a that the business associate will comply with this subpart and verifies that the business associate has deployed technical safeguards in accordance with the requirements of 164312
ppB A covered entity is not required to obtain such satisfactory assurances or verification from a business associate that is a subcontractorppii A business associate may permit a business associate that is a subcontractor to create receive maintain or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances in accordance with 164314a that the subcontractor will comply with the requirements of this subpart and verifies that the business associate that is a subcontractor has deployed technical safeguards in accordance with the requirements of 164312pp
2
Implementation specifications
i
Written contract or other arrangement
Document the satisfactory assurances required by paragraph b1i or ii of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164314a
pp
ii
Written verification
Obtain written verification from the business associate at least once every 12 months that the business associate has deployed the technical safeguards as required by 164312 through both of the following
ppA A written analysis of the business associates relevant electronic information systems by a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of electronic protected health information to verify compliance with each standard and implementation specification in 164312ppB A written certification that the analysis has been performed and is accurate by a person who has the authority to act on behalf of the business associatepp
3
Standard Delegation to business associate
i A covered entity or business associate may permit a business associate to serve as their designated security official
ppii A covered entity or business associate that delegates actions activities or assessments required by this subpart to a business associate remains liable for compliance with all applicable provisions of this subpartppEach covered entity and business associate must in accordance with 164306 and 164316 implement all of the following physical safeguards to protect the confidentiality integrity and availability of all electronic protected health information that it creates receives maintains or transmitspp
a
Standard Facility access controls
1
General
Establish and implement written policies and procedures to limit physical access to all of its relevant electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed
pp
2
Implementation specifications
i
Contingency operations
Establish and implement as needed written procedures that allow facility access in support of the covered entitys or business associates contingency plan required by 164308a13
pp
ii
Facility security plan
Establish and implement written policies and procedures to safeguard all facilities and the equipment therein from unauthorized physical access tampering and theft
pp
iii
Access management and validation procedures
Establish and implement written procedures to authorize and manage a persons access to facilities based on their role or function including visitor management
pp
iv
Physical maintenance records
Establish and implement written policies and procedures to document repairs and modifications to the physical components of a facility that are related to security including but not limited to hardware walls doors locks and security cameras
pp
v
Maintenance
For each facility review and test the written policies and procedures required by this paragraph a2 at least once every 12 months and modify such policies and procedures as reasonable and appropriate
pp
b
Standard Workstation use
1
General
Establish and implement written policies and procedures that govern the use of workstations that access electronic protected health information or the covered entitys or business associates relevant electronic information systems
pp
2
Implementation specifications
i
Policies and procedures
The written policies and procedures must specify all of the following with respect to a workstation that accesses electronic protected health information or the covered entitys or business associates relevant electronic information systems
ppA The functions for which a workstation may be usedppB The manner in which a workstation may be used to perform those functionsppC The physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information including the removal of such workstations from a facility and the movement of such workstations within and outside of a facilitypp
ii
Maintenance
Review and test written policies and procedures at least once every 12 months and modify as reasonable and appropriate
pp
c
Standard Workstation security
Implement and modify physical safeguards for all workstations that access electronic protected health information or relevant electronic information systems to address the written policies and procedures for workstation use required by paragraph b of this section and restrict access to authorized users
pp
d
Standard Technology asset controls
1
General
Establish and implement written policies and procedures that govern the receipt and removal of technology assets that maintain electronic protected health information into and out of a facility and the movement of these assets within the facility
pp
2
Implementation specifications
i
Disposal
Establish and implement written policies and procedures for disposal of electronic protected health information and the technology assets on which it is maintained based on current standards for disposing of such technology assets
pp
ii
Media sanitization
Establish and implement written procedures for removal of electronic protected health information from electronic media such that the electronic protected health information cannot be recovered based on current standards for sanitizing electronic media before the media are made available for reuse
pp
iii
Maintenance
Review and test the written policies and procedures required by paragraphs d2i and ii
print page 1017
of this section at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
ppEach covered entity or business associate must in accordance with 164306 and 164316 implement all of the following technical safeguards including technical controls to protect the confidentiality integrity and availability of all electronic protected health information that it creates receives maintains or transmitspp
a
Standard Access control
1
General
Deploy technical controls in relevant electronic information systems to allow access only to users and technology assets that have been granted access rights
pp
2
Implementation specifications
i
Unique identification
Assign a unique name number andor other identifier for tracking each user and technology asset in the covered entity or business associates relevant electronic information systems
pp
ii
Administrative and increased access privileges
Separate user identities from identities used for administrative and other increased access privileges
pp
iii
Emergency access procedure
Establish and implement as needed written and technical procedures for obtaining necessary electronic protected health information during an emergency
pp
iv
Automatic logoff
Deploy technical controls that terminate an electronic session after a predetermined time of inactivity that is reasonable and appropriate
pp
v
Login attempts
Deploy technical controls that disable or suspend the access of a user or technology asset to relevant electronic information systems after a reasonable and appropriate predetermined number of unsuccessful authentication attempts
pp
vi
Network segmentation
Deploy technical controls to ensure that the covered entitys or business associates relevant electronic information systems are segmented in a reasonable and appropriate manner
pp
vii
Data controls
Deploy technical controls to allow access to electronic protected health information only to those users and technology assets that have been granted access rights to the covered entitys or business associates relevant electronic information systems as specified in 164308a10
pp
viii
Maintenance
Review and test the effectiveness of the procedures and technical controls required by this paragraph a2 at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
b
Standard Encryption and decryption
1
General
Deploy technical controls to encrypt and decrypt electronic protected health information using encryption that meets prevailing cryptographic standards
pp
2
Implementation specification
Encrypt all electronic protected health information at rest and in transit except to the extent that an exception at paragraph b3 of this section applies
pp
3
Exceptions
This paragraph b3 applies only to the electronic protected health information directly affected by one or more of the following exceptions and only to the extent that the covered entity or business associate documents that an exception applies and that all other applicable conditions are met
ppi The technology asset in use does not support encryption of the electronic protected health information consistent with prevailing cryptographic standards and the covered entity or business associate establishes and implements a written plan to migrate electronic protected health information to a technology asset that supports encryption consistent with prevailing cryptographic standards within a reasonable and appropriate period of timeppii An individual requests pursuant to 164524 to receive their electronic protected health information in an unencrypted manner and has been informed of the risks associated with the transmission receipt and storage of unencrypted electronic protected health information This exception does not apply where such individual will receive their electronic protected health information pursuant to 164524 and the technology used by the individual to receive the electronic protected health information is controlled by the covered entity or its business associateppiii During an emergency or other occurrence that adversely affects the covered entitys or business associates relevant electronic information systems in which encryption is infeasible and the covered entity or business associate implements reasonable and appropriate compensating controls in accordance with and determined by the covered entitys or business associates contingency plan under 164308a13ppiv The technology asset in use is a device under section 201h of the Food Drug and Cosmetic Act 21 USC 321h that has been authorized for marketing by the Food and Drug Administration as followsppA Pursuant to a submission received before March 29 2023 provided that the covered entity or business associate deploys in a timely manner any updates or patches required or recommended by the manufacturer of the deviceppB Pursuant to a submission received on or after March 29 2023 where the device is no longer supported by its manufacturer provided that the covered entity or business associate has deployed any updates or patches required or recommended by the manufacturer of the deviceppC Pursuant to a submission received on or after March 29 2023 where the device is supported by its manufacturerpp
4
Alternative measures
i
Alternative measures
Where an exception at paragraph b3 of this section applies a covered entity or business associate must document in realtime the existence of an applicable exception and implement reasonable and appropriate compensating controls in accordance with paragraph b4ii of this section
pp
ii
Compensating controls
A To the extent that a covered entity or business associate determines that an exception at paragraph b3i ii or iii or b3ivA or B of this section applies the covered entity or business associate must secure such electronic protected health information by implementing reasonable and appropriate compensating controls reviewed and approved by the covered entitys or business associates designated Security Official
ppB To the extent that a covered entity or business associate determines that an exception at paragraph b3ivC of this section applies the covered entity or business associate shall be presumed to have implemented reasonable and appropriate compensating controls where the covered entity or business associate has deployed the security measures prescribed and as instructed by the authorized label for the device including any updates or patches recommended or required by the manufacturer of the devicepp
C To the extent that a covered entity or business associate is implementing compensating controls under this paragraph b4ii the implementation and effectiveness of compensating controls must be reviewed documented and signed by the designated Security Official at least once every 12 months or in response to environmental or operational changes whichever is more frequent to continue securing electronic protected health information and relevant electronic information systems
print page 1018
pp
5
Maintenance
Review and test the effectiveness of the technical controls required by this paragraph b at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
c
Standard Configuration management
1
General
Establish and deploy technical controls for securing the covered entitys or business associates relevant electronic information systems and technology assets in its relevant electronic information systems including workstations in a consistent manner and maintain such electronic information systems and technology assets according to the covered entitys or business associates established secure baselines
pp
2
Implementation specifications
i
Antimalware protection
Deploy technology assets andor technical controls that protect all of the covered entitys or business associates technology assets in its relevant electronic information systems against malicious software including but not limited to viruses and ransomware
pp
ii
Software removal
Remove extraneous software from the covered entitys or business associates relevant electronic information systems
pp
iii
Configuration
Configure and secure operating systems and software consistent with the covered entitys or business associates risk analysis under 164308a2
pp
iv
Network ports
Disable network ports in accordance with the covered entitys or business associates risk analysis under 164308a2
pp
v
Maintenance
Review and test the effectiveness of the technical controls required by this paragraph c at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
d
Standard Audit trail and system log controls
1
General
Deploy technology assets andor technical controls that record and identify activity in the covered entitys or business associates relevant electronic information systems
pp
2
Implementation specifications
i
Monitor and identify
The covered entity or business associate must deploy technology assets andor technical controls that monitor in realtime all activity in its relevant electronic information systems identify indications of unauthorized persons or unauthorized activity as determined by the covered entitys or business associates risk analysis under 164308a2 and alert workforce members of such indications in accordance with the policies and procedures required by 164308a7
pp
ii
Record
The covered entity or business associate must deploy technology assets andor technical controls that record in realtime all activity in its relevant electronic information systems
pp
iii
Retain
The covered entity or business associate must deploy technology assets andor technical controls to retain records of all activity in its relevant electronic information systems as determined by the covered entitys or business associates policies and procedures for information system activity review at 164308a7iiA
pp
iv
Scope
Activity includes creating accessing receiving transmitting modifying copying or deleting any of the following
ppA Electronic protected health informationppB Relevant electronic information systems and the information thereinpp
v
Maintenance
Review and test the effectiveness of the technology assets andor technical controls required by this paragraph d at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
e
Standard Integrity
Deploy technical controls to protect electronic protected health information from improper alteration or destruction both at rest and in transit and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
f
Standard Authentication
1
General
Deploy technical controls to verify that a person or technology asset seeking access to electronic protected health information andor the covered entitys or business associates relevant electronic information systems is the one claimed
pp
2
Implementation specifications
i
Information access management policies
Deploy technical controls in accordance with the covered entitys or business associates information access management policies and procedures under 164308a10 including technical controls that require users to adopt unique passwords that are consistent with the current recommendations of authoritative sources
pp
ii
Multifactor authentication
A Deploy multifactor authentication to all technology assets in the covered entitys or business associates relevant electronic information systems to verify that a person seeking access to the relevant electronic information systems is the user that the person claims to be
ppB Deploy multifactor authentication for any action that would change a users privileges to the covered entitys or business associates relevant electronic information systems in a manner that would alter the users ability to affect the confidentiality integrity or availability of electronic protected health informationpp
iii
Exceptions
Deployment of multifactor authentication is not required in any of the following circumstances
ppA The technology asset in use does not support multifactor authentication and the covered entity or business associate establishes and implements a written plan to migrate electronic protected health information to a technology asset that supports multifactor authentication within a reasonable and appropriate period of timeppB During an emergency or other occurrence that adversely affects the covered entitys or business associates relevant electronic information systems or the confidentiality integrity or availability of electronic protected health information in which multifactor authentication is infeasible and the covered entity or business associate implements reasonable and appropriate compensating controls in accordance with its emergency access procedures under paragraph a2iii of this section and the covered entitys or business associates contingency plan under 164308a13ppC The technology asset in use is a device under section 201h of the Food Drug and Cosmetic Act 21 USC 321h that has been authorized for marketing by the Food and Drug Administration as followspp
1 Pursuant to a submission received before March 29 2023 provided that the covered entity or business associate has deployed any updates or patches required or recommended by the manufacturer of the device
pp
2 Pursuant to a submission received on or after March 29 2023 where the device is no longer supported by its manufacturer provided that the covered entity or business associate has deployed any updates or patches required or recommended by the manufacturer of the device
pp
3 Pursuant to a submission received on or after March 29 2023 where the device is supported by its manufacturer
pp
iv
Alternative measures
A
Alternative measures
Where an exception at paragraph f2iii of this
print page 1019
section applies a covered entity or business associate must document in realtime the existence of an applicable exception and implement reasonable and appropriate compensating controls as required by paragraph f2ivB of this section
pp
B
Compensating controls
1 To the extent that a covered entity or business associate determines that an exception at paragraph f2iiiA or B or f2iiiC
1 or
2 of this section applies the covered entity or business associate must secure its relevant electronic information systems by implementing reasonable and appropriate compensating controls reviewed approved and signed by the covered entitys or business associates designated Security Official
pp
2 To the extent that a covered entity or business associate determines that an exception at paragraph f2iiiC
3 of this section applies the covered entity or business associate shall be presumed to have implemented reasonable and appropriate compensating controls where the covered entity or business associate has deployed the security measures prescribed and as instructed by the authorized label for the device including any updates or patches recommended or required by the manufacturer of the device
pp
3 To the extent that a covered entity or business associate is implementing compensating controls under this paragraph f2ivB the effectiveness of compensating controls must be reviewed and documented by the designated Security Official at least once every 12 months or in response to environmental or operational changes whichever is more frequent to continue securing electronic protected health information and its relevant electronic information systems
pp
v
Maintenance
Review and test the effectiveness of the technical controls required by this paragraph f at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
g
Standard Transmission security
Deploy technical controls to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
h
Standard Vulnerability management
1
General
Deploy technical controls in accordance with the covered entitys or business associates patch management policies and procedures required by 164308a4iiA to identify and address technical vulnerabilities in the covered entitys or business associates relevant electronic information systems
pp
2
Implementation specifications
i
Vulnerability scanning
A Conduct automated vulnerability scans to identify technical vulnerabilities in the covered entitys or business associates relevant electronic information systems in accordance with the covered entitys or business associates risk analysis required by 164308a2 or at least once every six months whichever is more frequent
ppB Review and test the effectiveness of the technology assets that conducts the automated vulnerability scans required by paragraph h2iA of this section at least once every 12 months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriatepp
ii
Monitoring
Monitor authoritative sources for known vulnerabilities on an ongoing basis and remediate such vulnerabilities in accordance with the covered entitys or business associates patch management program under 164308a4
pp
iii
Penetration testing
Perform penetration testing of the covered entitys or business associates relevant electronic information systems by a qualified person
ppA A qualified person is a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality integrity and availability of electronic protected health informationppB Penetration testing must be performed at least once every 12 months or in accordance with the covered entitys or business associates risk analysis required by 164308a2 whichever is more frequentpp
iv
Patch and update installation
Deploy technical controls in accordance with the covered entitys or business associates patch management program under 164308a4 to ensure timely installation of software patches and critical updates as reasonable and appropriate
pp
i
Standard Data backup and recovery
1
General
Deploy technical controls to create and maintain exact retrievable copies of electronic protected health information
pp
2
Implementation specifications
i
Data backup
Create backups of electronic protected health information in accordance with the policies and procedures required by 164308a13iiB and with such frequency to ensure retrievable copies of electronic protected health information are no more than 48 hours older than the electronic protected health information maintained in the covered entity or business associates relevant electronic information systems
pp
ii
Monitor and identify
Deploy technical controls that in realtime monitor and alert workforce members about any failures and error conditions of the backups required by paragraph i2i of this section
pp
iii
Record
Deploy technical controls that record the success failure and any error conditions of backups required by paragraph i2i of this section
pp
iv
Testing
Restore a representative sample of electronic protected health information backed up as required by paragraph i2i of this section and document the results of such test restorations at least monthly
pp
j
Standard Information systems backup and recovery
Deploy technical controls to create and maintain backups of relevant electronic information systems and review and test the effectiveness of such technical controls at least once every six months or in response to environmental or operational changes whichever is more frequent and modify as reasonable and appropriate
pp
a1
Standard Business associate contracts or other arrangements
The contract or other arrangement required by 164308b2 must meet the requirements of paragraph a2i ii or iii of this section as applicable
pp
2
Implementation specifications
i
Business associate contracts
The contract must provide that the business associate will do all of the following
ppA Comply with the applicable requirements of this subpartppB In accordance with 164308b1ii ensure that any subcontractors that create receive maintain or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this sectionppC Report to the covered entity any security incident of which it becomes aware including breaches of unsecured electronic protected health information as required by 164410pp
D Report to the covered entity activation of its contingency plan under 164308a13 without unreasonable
print page 1020
delay and in no case later than 24 hours after activation of the contingency plan
pp
ii
Other arrangements
The covered entity is in compliance with paragraph a1 of this section if it has another arrangement in place that meets the requirements of 164504e3
pp
iii
Business associate contracts with subcontractors
The requirements of paragraphs a2i and ii of this section apply to the contract or other arrangement between a business associate and a subcontractor required by 164308b1ii in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate
pp
b1
Standard Requirements for group health plans
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164504f1ii or iii or as authorized under 164508 a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan
pp
2
Implementation specifications
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to do all of the following
pp
i
Safeguard implementation
Implement the administrative physical and technical safeguards that covered entities and business associates are required to implement under 164308a 164310 and 164312
pp
ii
Separation
Ensure that the adequate separation required by 164504f2iii is supported by the administrative physical and technical safeguards implemented in accordance with paragraph b2i of this section
pp
iii
Agents
Ensure that any agent to whom it provides this information agrees to implement the administrative physical and technical safeguards in accordance with paragraph b2i of this section
pp
iv
Security incident awareness
Report to the group health plan any security incident of which it becomes aware
pp
v
Contingency plan activation
Report to the group health plan activation of its contingency plan adopted in accordance with 164308a13 as required by paragraph b2i of this section without unreasonable delay and in no case later than 24 hours after activation of the contingency plan
pp
a
Standard Documentation
A covered entity or business associate must do all of the following in written form which may be electronic taking into consideration the factors in 164306b
pp1 Document the policies and procedures required to comply with this subpart and how the covered entity or business associate considered the factors at 164306b in the development of such policies and procedurespp2 Document each action activity or assessment required by this subpartpp
b
Implementation specifications
1
Time limit
Retain the documentation required by paragraph a of this section for 6 years from the date of its creation or the date when it last was in effect whichever is later
pp
2
Availability
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains
pp
3
Updates
Review and update documentation at least once every 12 months and within a reasonable and appropriate period of time after a security measure is modified
pp
a
Standard Effect of prior contracts or other arrangements with business associates
Notwithstanding any other provisions of this subpart a covered entity or business associate with respect to a subcontractor may allow a business associate to create receive maintain or transmit electronic protected health information pursuant to a written contract or other arrangement with such business associate that does not comply with 164308b and 164314a only in accordance with paragraph b of this section
pp
b
Implementation specification Deemed compliance
1
Qualification
Notwithstanding other sections of this subpart a covered entity or business associate with respect to a subcontractor is deemed to be in compliance with the documentation and contract requirements of 164308b and 164314a with respect to a particular business associate relationship for the time period set forth in paragraph b2 of this section if both of the following apply
pp
i Prior to DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
such covered entity or business associate with respect to a subcontractor has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of 164308b and 164314a that were in effect on such date
pp
ii The contract or other arrangement is not renewed or modified from DATE 60 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
until DATE 240 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
pp
2
Limited deemed compliance period
A prior contract or other arrangement that meets the qualification requirements at paragraph b1 of this section shall be deemed compliant until the earlier of the following dates
pp
i The date such contract or other arrangement is renewed on or after DATE 240 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
pp
ii DATE 1 YEAR AND 60 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE IN THE
Federal Register
pp
c
Covered entity and business associate responsibilities
Nothing in this section shall alter the requirements of a covered entity or business associate to comply with applicable provisions of this part other than 164308b and 164314a
ppIf any provision of this subpart is held to be invalid or unenforceable by its terms or as applied to any person or circumstance or stayed pending further agency action it shall be construed so as to give it maximum effect permitted by law unless such holding shall be one of utter invalidity or unenforceability in which event such provision shall be severable from this subpart and shall not affect the remainder thereof or the application of such provision to other persons not similarly situated or to other dissimilar circumstancesppDated December 20 2024ppXavier BecerrappSecretary Department of Health and Human Servicespp1
Subtitle F of title II of HIPAA Pub L 104191 110 Stat 1936 Aug 21 1996 added a new part C to title XI of the Social Security Act of 1935 SSA Public Law 74271 49 Stat 620 Aug 14 1935
see
sections 11711179 of the SSA codified at 42 USC 1320d1320d8 as well as promulgating section 264 of HIPAA codified at 42 USC 1320d2 note which authorizes the Secretary to promulgate regulations with respect to the privacy of individually identifiable health information The Privacy Rule has subsequently been amended pursuant to the Genetic Information Nondiscrimination Act of 2008 title I section 105 Public Law 110233 122 Stat 881 May 21 2008 codified at 42 USC 2000ff and the Health Information Technology for Economic and Clinical Health HITECH Act of 2009 Public Law 1115 123 Stat 226 Feb 17 2009 codified at 42 USC 139w402
pp2
45 CFR part 160 subparts A and C of 45 CFR part 164 For a history of the Security Rule
see
section IIB Regulatory History
pp3
See also
the HIPAA Privacy Rule 45 CFR part 160 and subparts A and E of 45 CFR part 164 HIPAA Breach Notification Rule 45 CFR part 164 subpart D and the HIPAA Enforcement Rule 45 CFR part 160 subparts C through E
pp4
45 CFR 160103 definition of Protected health information
pp5
45 CFR 160103 definition of Individually identifiable health information
pp6
At times throughout this NPRM the Department uses the terms health information or individuals health information to refer generically to health information pertaining to an individual or individuals In contrast the Departments use of the term IIHI refers to a category of health information defined in HIPAA and PHI is used to refer specifically to a category of IIHI that is defined by and subject to the requirements of the HIPAA Rules The HIPAA Rules exclude from the definition of PHI IIHI in employment records held by a covered entity in its role as employer IIHI in education records and certain treatment records covered by the Family Educational Rights and Privacy Act codified at 20 USC 1232g and IIHI regarding a person who has been deceased for more than 50 years 45 CFR 160103 definition of Protected health information
pp7
45 CFR 160103 definition of Electronic protected health information
pp8
See68 FR 8334 Feb 20 2003 and 78 FR 5566 Jan 25 2013
pp9
In this NPRM we and our denote the Department
pp10
See
Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information Office for Civil Rights US Department of Health and Human Services
httpsocrportalhhsgovocrbreachbreachreportjsfpp11
Presidential Memorandum on National Security Memorandum on Critical Infrastructure Security and Resilience National Security MemorandumNSM22 The White House Apr 30 2024
httpswwwwhitehousegovbriefingroompresidentialactions20240430nationalsecuritymemorandumoncriticalinfrastructuresecurityandresilience
Critical infrastructure comprises the physical and virtual assets and systems so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security national economic security or national public health or safety
pp12
Id
charging an SRMA with serving as the primary Federal liaison to their designated critical infrastructure and conducting sectorspecific risk management and resilience activities
pp13
Idpp14
See eg
New York State Register 46 NY Reg 710 Division of Administrative Rules New York State Department of State Oct 2 2024
httpsdosnygovsystemfilesdocuments202410100224pdf
Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits Risk Assessments and Automated Decisionmaking California Privacy Protection Agency Feb 10 2023
httpscppacagovregulationspdfinvitationforcommentspr022023pdf see also
Cal Civ Code Section 1798185
pp15
The NIST Cybersecurity Framework CSF 20 National Institute of Standards and Technology US Department of Commerce Feb 26 2024
httpsdoiorg106028NISTCSWP29pp16
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients US Department of Health and Human Services and the Healthcare Public Health Sector Coordinating Council 2023
https405dhhsgovDocumentsHICPMain508pdfpp17
Start with Security A Guide for Business Federal Trade Commission Aug 2023
httpswwwftcgovsystemfilesftcgovpdf920astartwithsecurityenaug2023508final0pdfpp18
Cybersecurity Performance Goals US Department of Health and Human Services Jan 2024
httpshphcyberhhsgovperformancegoalshtmlpp19
Sec 1174b1 of the SSA 45 CFR 160104
pp20
See
sec 261 of Public Law 104191 110 Stat 1936 codified at 42 USC 1320d note
pp21
See
A Guide to the Rulemaking Process Office of the Federal Register 2011 p 8
httpswwwfederalregistergovuploads201101therulemakingprocesspdfpp22
See78 FR 5566 5569 Jan 25 2013
pp23
See42 USC 1320d4b2
pp24
45 CFR 164306d3i and d3iiA
pp25
45 CFR 164306d3iiB
pp26
See45 CFR 160104c1 which requires the Secretary to provide at least a 180day period for regulated entities to comply with modifications to standards and implementation specifications in the HIPAA Rules
pp27
45 CFR 164314a1
pp28
Public Law 104191 110 Stat 1936 Aug 21 1996 codified at 42 USC 201 note
pp29
See
HR Rep No 104496 at 6667 1996
pp30
Public Law 104191 110 Stat 1936 Aug 21 1996
pp31
Sec 262a of Public Law 104191 110 Stat 2021 Aug 21 1996 codified at 42 USC 1320d
pp32
Sec 261 of Public Law 104191 110 Stat 2021 Aug 21 1996 as amended by sec 1104a of Public Law 111148 124 Stat 146 Mar 23 2010 codified at 42 USC 1320d note
pp33
On a resolution waiving points of order against the Conference Report to HR 3103 members debated an erosion of privacy balanced against the administrative simplification provisions Thus from HIPAAs inception privacy has been a central concern to be addressed as legislative changes eased disclosures of PHI
See
142 Cong Rec H9777 and H9780
pp34
142 Cong Rec S951516 daily ed Aug 2 1996 statement of Sen Simon
pp35
See
HR Rep No 104496 Part 1 at 99100 Mar 25 1996
pp36
See
sec 262a of Public Law 104191 110 Stat 2021 adding section 1172 to the SSA codified at 42 USC 1320d1
see also
section 13404 of the American Recovery and Reinvestment Act ARRA of 2009 Public Law 1115 123 Stat 115 Feb 17 2009 codified at 42 USC 17934 applying privacy provisions and penalties to business associates of covered entities The Department codified the term covered entity and defined it using these three categories of persons 45 CFR 164103
pp37
42 USC 1320d2d2
pp38
42 USC 1320d2d2A
pp39
42 USC 1320d2d2B
pp40
42 USC 1320d2d2C
pp41
Sec 262a of Public Law 104191 110 Stat 2024 adding sec 1173a codified at 42 USC 1320d2a1
pp42
Sec 262a of Public Law 104191 110 Stat 2025 adding sec 1173d codified at 42 USC 1320d2d
pp43
Sec 262a of Public Law 104191 110 Stat 2026 adding sec 1174a codified at 42 USC 1320d3a
pp44
Sec 262a of Public Law 104191 110 Stat 2025 adding sec 1173d1 codified at 42 USC 1320d2d1
pp45
Idpp46
Sec 262a of Public Law 104191 110 Stat 2026 adding sec 1174b1 codified at 42 USC 1320d3
pp47
Sec 1102 of the SSA codified at 42 USC 1302
pp48
Sec 262a of Public Law 104191 110 Stat 2023 adding sec 1172 codified at 42 USC 1320d1
pp49
Idpp50
Title XIII of Division A and title IV of Division B of ARRA of 2009 Public Law 1115 123 Stat 115 Feb 17 2009 codified at 42 USC 201 note
pp51
Id see also
Subtitle B of title XIII of the HITECH Act codified at 42 USC 1791117912 42 USC 300jj3138
pp52
See
HR Rep No 1117 at 74 2009 accompanying HR 629 111th Cong
pp53
HR 629 Energy and Commerce Recovery and Reinvestment Act of 2009 introduced in the House on Jan 22 2009 contained nearly identical provisions to subtitle D of the HITECH Act
pp54
C Stephen Redhead The Health Information Technology for Economic and Clinical Health HITECH Act Congressional Research Service p 8 2009
httpscrsreportscongressgovproductpdfRR401619 id
at 9 Health IT which generally refers to the use of computer applications in medical practice is widely viewed as a necessary and vital component of health care reform
pp55
Subtitle D of title XIII of the HITECH Act codified at 42 USC 17921 42 USC 1793117941 and 42 USC 1795117953
pp56
See
S Rept 1113 111th Cong accompanying S 336 111th Cong at 59 2009
pp57
Sec 13401 of Public Law 1115 123 Stat 260 codified at 42 USC 17931
pp58
Sec 13401a of Public Law 1115 123 Stat 260 codified at 42 USC 17931
pp59
Sec 13401c of Public Law 1115 123 Stat 260 codified at 42 USC 17931
pp60
Sec 13421b of the HITECH Act codified at 42 USC 17951
pp61
Sec 3009a1A of the PHSA as added by sec 13101 of the HITECH Act codified at 42 USC 300jj19a1
pp62
SeePublic Law 116321 134 Stat 5072 adding sec 13412 Jan 5 2021 codified at 42 USC 17941
see also42 USC 17931
et seqpp63
SeePublic Law 116321 134 Stat 5072 adding sec 13412 Jan 5 2021 codified at 42 USC 17941
see also
sec 13401 of Public Law 1115 123 Stat 260 codified at 42 USC 17931 The HITECH Act adopts the same definition of business associate as the HIPAA Rules 45 CFR 160103 definition of Business associate
pp64
The Security Rule is codified at 45 CFR part 160 and subparts A and C of 45 CFR part 164
pp65
See45 CFR 164306a1
pp66
See45 CFR 164306a2
pp67
See45 CFR 164306a3
pp68
See45 CFR 164306a4
pp69
See
sec 262a of Public Law 104191 110 Stat 2025 Aug 21 1996 adding sec 1173d codified at 42 USC 1320d2d
pp70
63 FR 43242 Aug 12 1998
pp71
Id
at 43244
pp72
Id
at 43244 43249 4326061
pp73
Id
at 43249
pp74
See68 FR 8334 8335 Feb 20 2003
pp75
Id see also63 FR 43242 43249 Aug 12 1998
pp76
63 FR 43242 43250 Aug 12 1998
pp77
Idpp78
Id
at 4324950
pp79
Id
at 43250
pp80
45 CFR parts 160 and subparts A and C of 45 CFR part 164 68 FR 8334 Feb 20 2003
pp81
68 FR 8334 8335 837172 Feb 20 2003
pp82
Idpp83
Idpp84
Id
at 8335
pp85
Idpp86
Id
at 8336
pp87
Id
at 8343
pp88
Id
at 8346
pp89
Idpp90
Idpp91
Idpp92
Idpp93
Id
at 8336
pp94
Statement of Organization Functions and Delegations of Authority Centers for Medicare Medicaid Services 68 FR 60694 Oct 23 2003
pp95
Office for Civil Rights Delegation of Authority US Department of Health and Human Services 74 FR 38630 Aug 4 2009
see also
Statement of Organization Functions and Delegations of Authority Centers for Medicare Medicaid Services 74 FR 38663 Aug 4 2009
pp96
75 FR 40868 July 14 2010
pp97
Id
at 40871
pp98
Idpp99
78 FR 5565 Jan 25 2013 In addition to finalizing requirements of the HITECH Act that were proposed in the NPRM the Department adopted modifications to the Enforcement Rule not previously adopted in an earlier interim final rule 74 FR 56123 Oct 30 2009 and to the Breach Notification Rule not previously adopted in an interim final rule 74 FR 42739 Aug 24 2009 The Department also finalized previously proposed Privacy Rule modifications as required by the Genetic Information Nondiscrimination Act of 2008 74 FR 51698 Oct 7 2009
pp100
78 FR 5565 5589 Jan 25 2013
pp101
Sec 13401 of Public Law 1115 123 Stat 260 Feb 17 2009 codified at 42 USC 17931
pp102
78 FR 5565 5590 Jan 25 2013
see also45 CFR 164314a
pp103
78 FR 5565 5589 Jan 25 2013
pp104
68 FR 8334 8341 Feb 20 2003
pp105
78 FR 5565 5589 Jan 25 2013
pp106
Id
at 5590
pp107
Id
citing 45 CFR 164308b
pp108
As technology has evolved and cybercriminals have become more sophisticated protective measures including technology have been developed to prevent and mitigate such risks For example certain health IT may be certified through the ONC Health IT Certification Program as meeting certain criteria that address the security of information created received maintained or transmitted by that health IT
See45 CFR 170550h
pp109
45 CFR 164306b
pp110
45 CFR 164310a1
pp111
45 CFR 164310a2
pp112
National Trends in Hospital and Physician Adoption of Electronic Health Records The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services
httpswwwhealthitgovdataquickstatsnationaltrendshospitalandphysicianadoptionelectronichealthrecordspp113
See
20202025 Federal Health IT Strategic Plan The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 6 Oct 2020
httpswwwhealthitgovsitesdefaultfilespage202010Federal20Health20IT20Strategic20Plan20202025pdfpp114
Among other things the Cures Act provided ONC in collaboration with NIST and other relevant agencies within the Department with the authority to convene publicprivate and publicpublic partnerships to build consensus and develop or support a trusted exchange framework including a common agreement among health information networks nationally The purpose of this work is to ensure full networktonetwork exchange of health information Sec 4003b of Public Law 114255 130 Stat 1165 Dec 13 2016 codified at 42 USC 300jj11c The Cures Act also provides penalties for any developer of certified health IT health information exchange or network and appropriate disincentives for any health care provider determined by the Inspector General to have committed information blocking Sec 4004b2 of Public Law 114255 130 Stat 1165 Dec 13 2016 codified at 42 USC 300jj52
pp115
See
Frequently Asked Question Health Information Exchange The Benefits The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services
httpswwwhealthitgovfaqwhyhealthinformationexchangeimportantpp116
See
Genevieve P Kanter et al Beyond Security PatchesFundamental Incentive Problems in Health Care Cybersecurity JAMA Health Forum Volume 2 Issue 10 p e212969 Oct 8 2021
httpsjamanetworkcomjournalsjamahealthforumfullarticle2784981
Chon Abraham et al Muddling through cybersecurity Insights from the US healthcare industry Business Horizons Volume 62 Issue 4 p 539548 p 539 JulyAug 2019
httpswwwsciencedirectcomsciencearticleabspiiS0007681319300436
Eric Perakslis Responding to the Escalating Cybersecurity Threat to Health Care The New England Journal of Medicine Volume 387 Issue 9 Sept 1 2022
httpswwwnejmorgdoiabs101056NEJMp2205144
Anthony James Cartwright The elephant in the room cybersecurity in healthcare Journal of Clinical Monitoring and Computing Volume 37 Issue 5 p 11231132 Apr 24 2023
httpslinkspringercomarticle101007s10877023010135pp117
Report on Improving Cybersecurity In The Health Care Industry Health Care Industry Cybersecurity Task Force p 1 June 2017
httpswwwphegovpreparednessplanningcybertfdocumentsreport2017pdfpp118
The NIST Cybersecurity Framework CSF 20
supra
note 15
pp119
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16
pp120
Cybersecurity Performance Goals
supra
note 18
pp121
See
20162017 HIPAA Audits Industry Report Office for Civil Rights US Department of Health and Human Services Dec 2020
httpswwwhhsgovsitesdefaultfileshipaaauditsindustryreportpdfpp122
See
sec 262 of Public Law 104191 110 Stat 2023 Aug 21 1996 codified at 42 USC 1320d1f added sec 1172f of the SSA
see also
About NCVHS National Committee on Vital and Health Statistics
wwwncvhshhsgovpp123
See
Letter from NCVHS Chair Jacki Monson to HHS Secretary Xavier Becerra May 10 2022
httpsncvhshhsgovwpcontentuploads202205NCVHSRecommendationstoStrengthenCybersecurityinHC05102022508pdf see also
Letter from NCVHS Chair Jacki Monson to HHS Secretary Xavier Becerra Nov 29 2023
httpsncvhshhsgovwpcontentuploads202401LettertotheSecretaryRecommendationstoStrengthentheHIPAASecurityRule508pdfpp124
42 USC 1320d1f
pp125
Subtitle F of title II of HIPAA Public Law 104191 110 Stat 1936 Aug 21 1996
pp126
Sec 261 of Public Law 104191 110 Stat 2021 Aug 21 1996 as amended by sec 1104a of Public Law 111148 124 Stat 146 Mar 23 2010 codified at 42 USC 1320d note
pp127
See
statement of Sen Simon
supra
note 34
see also
155 Cong Rec H1562 statement of Rep Markey stating that ARRA includes provisions for health IT with builtin privacy and security Implementation of the Health Information Technology for Economic and Clinical Health HITECH Act Hearing Before the House Committee on Energy and Commerce Subcommittee on Health 111th Cong 1112 2010 statement of Rep Schakowsky explaining that the HITECH Act strengthened Federal privacy and security laws to protect personal identifying information from misuse to ensure that individuals would be willing to use electronic records
pp128
Statement of Sen Simon
supra
note 34
pp129
See
section 1173d2 of HIPAA codified at 42 USC 1320d2d2 and section 13401 of ARRA codified at 42 USC 17931a and 45 CFR 164306
pp130
See
Hadi Ghayoomi et al Assessing resilience of hospitals to cyberattack Digital Health p 2 2021
httpsdoiorg10117720552076211059366
Beyond Security PatchesFundamental Incentive Problems in Health Care Cybersecurity
supra
note 116 Jessica Brewer et al An Insight into the Current Security Posture of Healthcare IT A National Security Concern The Institute for Critical Infrastructure Technology p 3 2019
httpswwwicitechorgpostaninsightintothecurrentsecuritypostureofhealthcareitanationalsecurityconcernpp131
Cost of a Data Breach Report 2023 IBM p 13 2023 explaining that the average cost of a health care data breach was 713 million in 2020
httpswwwibmcomreportsdatabreachpp132
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 1415
pp133
Idpp134
An Insight into the Current Security Posture of Healthcare IT A National Security Concern
supra
note 130 p 3
pp135
See eg Caleb J Kumar New Dangers in the New World Cyber Attacks in the Healthcare Industry Intersect Volume 10 No 3 p 3 2017pp136
An Insight into the Current Security Posture of Healthcare IT A National Security Concern
supra
note 130 p 3
pp137
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 2
pp138
Id
at 18
pp139
CISA INSIGHTS Provide Medical Care Is In Critical Condition Analysis and Stakeholder Decision Support to Minimize Further Harm Cybersecurity Infrastructure Security Agency US Department of Homeland Security p 1215 Sept 2021
httpswwwcisagovsitesdefaultfilespublicationsCISAInsightProvideMedicalCareSep2021pdfpp140
Idpp141
See
Assessing resilience of hospitals to cyberattack
supra
note 130 Claire C McGlave et al Hacked to Pieces The Effects of Ransomware Attacks on Hospitals and Patients SSRN Oct 4 2023
httpspapersssrncomsol3paperscfmabstractid4579292pp142
Hacked to Pieces The Effects of Ransomware Attacks on Hospitals and Patients
supra
note 141 p 14
pp143
The 2024 Study on Cyber Insecurity In Healthcare The Cost and Impact on Patient Safety and Care Ponemon Institute p 3 2024 The report sponsored by Proofpoint Inc included survey responses from 648 IT and IT security practitioners at USbased health care organizations
pp144
Id
at p 5
pp145
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 p 1 citing several media reports that attributed patient deaths to cybersecurity attacks
pp146
Id
citing Joseph Marks Ransomware attack might have caused another death The Washington Post Oct 1 2021
httpswwwwashingtonpostcompolitics20211001ransomwareattackmighthavecausedanotherdeath
pp147
Assessing resilience of hospitals to cyberattack
supra
note 130 p 2
pp148
Kerri Reeves Cyberattacks Not a Matter of If but When Radiology Matters MarApr 2024
httpswwwproquestcomscholarlyjournalscyberattacksnotmatterifwhendocview2957757956se2accountid12786pp149
Idpp150
Mitchell Tarka et al The crippling effects of a cyberattack at an academic level 1 trauma center An orthopedic perspective Injury p 10951101 2023
httpspubmedncbinlmnihgov36801172pp151
Idpp152
Assessing resilience of hospitals to cyberattack
supra
note 130 p 13
pp153
See
Paige Minemyer AMA 80 of docs have lost revenue amid disruptions from Change Healthcare cyberattack Fierce Healthcare Apr 10 2024
httpswwwfiercehealthcarecompracticesama80docshavelostrevenueamiddisruptionschangehealthcarecyberattack
AHA survey Change Healthcare cyberattack having significant disruptions on patient care hospitals finances Mar 15 2024
httpswwwahaorgnewsnews20240315ahasurveychangehealthcarecyberattackhavingsignificantdisruptionspatientcarehospitalsfinances see also
Sean Lyngaas Were hemorrhaging money US health clinics try to stay open after unprecedented cyberattack CNN Mar 9 2024
httpswwwcnncom20240309techmedicalsupplychaincybersecurityindexhtmlpp154
Christian Dameff et al Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US JAMA Network Open May 8 2023
httpsjamanetworkcomjournalsjamanetworkopenfullarticle2804585pp155
Idpp156
On July 29 2024 the Department announced that the Office of the National Coordinator for Health Information Technology was being renamed the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology In this NPRM we continue to use ONC for publications cited that predate the renaming of that office 89 FR 60903 July 29 2024
pp157
See eg45 CFR 170315d6 7 12 and 13 For more information on the ONC Health IT Certification Program visit
httpswwwhealthitgovtopiccertificationehrscertificationhealthitpp158
The ONC Health IT Certification Program specifies at 45 CFR 170550h the privacy and security certification framework for Health IT Modules Section 170550h identifies a mandatory minimum set of the certification criteria that ONCAuthorized Certification Bodies ONC ACBs must ensure are also included as part of specific Health IT Modules that are presented for certification
See
Certification Companion Guide Privacy and Security The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services May 7 2024
httpswwwhealthitgovsitesdefaultfiles2015EdCCGPrivacyandSecuritypdfpp159
See45 CFR 171102 definition of Electronic health information
pp160
See eg
Medicare Promoting Interoperability Program 42 CFR 49524 eligible hospitals and critical access hospitals must use certified electronic health record technology CEHRT with limited exceptions to comply with the programs meaningful use requirements Meritbased Incentive Payment System MIPS Promoting Interoperability performance category 42 CFR 4141375 requiring MIPS eligible clinicians to use CEHRT as defined in 42 CFR 4141305 to comply with reporting requirements for the Promoting Interoperability performance category
pp161
See eg
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16
pp162
See eg
The NIST Cybersecurity Framework CSF 20
supra
note 15
pp163
See eg
Cybersecurity Performance Goals
supra
note 18
pp164
See eg
CrossSector Cybersecurity Performance Goals Cybersecurity Infrastructure Security Agency US Department of Homeland Security Mar 2023
httpswwwcisagovsitesdefaultfiles202303CISACPGREPORTv101FINALpdfpp165
See generally45 CFR 164308a The NIST Cybersecurity Framework CSF 20
supra
note 15 Cybersecurity Performance Goals
supra
note 18
pp166
Derrick Tin et al Cyberthreats A primer for health care professionals The American Journal of Emergency Medicine p 182183 Apr 2023
httpsdoiorg101016jajem202304001pp167
SeePublic Law 104191 110 Stat 2021 Aug 21 1996 codified at 42 USC 1320d note Sec 4101 of ARRA Public Law 1115 123 Stat 467 Feb 17 2009 amending sec 1848 of the SSA codified at 42 USC 1395w4
pp168
JaWanna Henry et al ONC Data Brief Adoption of Electronic Health Record Systems among US NonFederal Acute Care Hospitals 20082015 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 May 2016
httpswwwhealthitgovsitesdefaultfilesbriefs2015hospitaladoptiondbv17pdf
A Basic EHR collects information on patient demographics problem lists medication lists and discharge summaries It also includes computerized provider order entry for medications and enables clinicians to view certain reports
Id
at Appendix
pp169
ONC Data Brief Adoption of Electronic Health Record Systems among US NonFederal Acute Care Hospitals 20082015
supra
note 168 p 1 When used here certified EHR Technology means EHR technology that meets the technological capability functionality and security requirements adopted by the Department as certification criteria at 45 CFR part 170
see also
Certified EHR Technology The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services Sept 6 2013
httpswwwcmsgovmedicareregulationsguidancepromotinginteroperabilityprogramscertifiedehrtechnology
In order to efficiently capture and share patient data health care providers need certified electronic health record EHR technology CEHRT that stores data in a structured format Structured data allows health care providers to easily retrieve and transfer patient information and use the EHR in ways that can aid patient care
pp170
See
sec 4003b and 4004b2 of Public Law 114255 130 Stat 1165 Dec 13 2016 codified at 42 USC 300jj11c and 42 USC 300jj52
pp171
Dustin Charles et al ONC Data Brief Interoperability among US Nonfederal Acute Care Hospitals 2014 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 Aug 2015
httpswwwhealthitgovsitesdefaultfilesbriefsoncdatabrief25interoperabilityv16final081115pdfpp172
Meghan Hufstader Gabriel et al ONC Data Brief Interoperable Exchange of Patient Health Information Among US Hospitals 2023 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 May 2024
httpswwwhealthitgovsitesdefaultfiles202405InteroperableExchangeofPatientHealthInformationAmongUSHospitals2023pdfpp173
Wesley Barker et al ONC Data Brief Hospital Capabilities to Enable Patient Electronic Access to Health Information 2021 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 2 and 5 Oct 2022 estimates based on nonFederal acute care hospitals and applications configured to meet the application programming interface API specifications in the hospitals EHR
httpswwwhealthitgovsitesdefaultfiles202212hospitalcapabilitiestoenablepatientaccessONCDB2021Updatedpdfpp174
Catherine Strawley et al ONC Data Brief Hospital Use of APIs to Enable Data Sharing Between EHRs and Apps The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 2 Sept 2023 estimates based on nonFederal acute care hospitals using standardsbased APIs to enable patient access
httpswwwhealthitgovsitesdefaultfiles202309DB68Hospital20Use20of20APIs20to20Enable20Data20Sharing508pdfpp175
See
Determination That A Public Health Emergency Exists Nationwide as the Result of the 2019 Novel Coronavirus Administration for Strategic Preparedness Response US Department of Health and Human Services Jan 31 2020
httpsasprhhsgovlegalPHEPages2019nCoVaspx
Renewal of Determination that a Public Health Emergency Exists As a Result of the Continued Consequences of the Coronavirus Disease 2019 COVID19 Pandemic Administration for Strategic Preparedness Response US Department of Health and Human Services Feb 9 2023
httpsasprhhsgovlegalPHEPagesCOVID199Feb2023aspx
Notification of Enforcement Discretion for Telehealth Remote
Communications During the COVID19 Nationwide Public Health Emergency Office for Civil Rights US Department of Health and Human Services Jan 20 2021
httpswwwhhsgovhipaaforprofessionalsspecialtopicsemergencypreparednessnotificationenforcementdiscretiontelehealthindexhtmlpp176
Yuriy Pylypchuk et al ONC Data Brief Use of Telemedicine among OfficeBased Physicians 2021 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 1 Mar 2023
httpswwwhealthitgovsitesdefaultfiles202304DB65TelemedicinePhysicians508pdfpp177
Nduma N Basil Health Records Database and Inherent Security Concerns A Review of the Literature Cureus p 3 Oct 11 2022 The increase in networked medical equipment and devices implies that if there is a security breach in the form of hacking then traffic on the network can slow down and interfere with the delivery of healthcare services
httpswwwncbinlmnihgovpmcarticlesPMC9647912pp178
Idpp179
Guidance Document Information for Healthcare Organizations about FDAs Guidance for Industry Cybersecurity for Networked Medical Devices Containing OffTheShelf OTS Software US Food Drug Administration US Department of Health and Human Services Feb 2005
httpswwwfdagovregulatoryinformationsearchfdaguidancedocumentsinformationhealthcareorganizationsaboutfdasguidanceindustrycybersecuritynetworkedmedicalpp180
Elizabeth Gourd Increase in healthcare cyberattacks affecting patients with cancer The Lancet p 1215 Sept 2021
httpsdoiorg101016S1470204521004514pp181
See
Mayo Clinic
httpswwwmayoclinicorgpp182
An ethical hacker is a cybersecurity researcher who uses penetration testing techniques to test an organizations cybersecurity and information technology IT security
See
Ed Tittel How to Become a White Hat Hacker Business News Daily June 17 2024
httpswwwbusinessnewsdailycom10713whitehathackercareerhtmlpp183
See
Foued Badrouchi et al Cybersecurity Vulnerabilities in Biomedical Devices A Hierarchical Layered Framework Internet of Things Use Cases for the Healthcare Industry p 15758 2020
see also
Monte Reel et al Its Way Too Easy to Hack the Hospital Bloomberg Businessweek Nov 2015
httpswwwbloombergcomfeatures2015hospitalhackpp184
See
Cybersecurity Vulnerabilities in Biomedical Devices A Hierarchical Layered Framework
supra
note 183 p 15758
pp185
See also
Its Way Too Easy to Hack the Hospital
supra
note 183 Nicole M Thomasian et al Cybersecurity in the internet of Medical Things Health Policy and Technology Sept 2021
httpsdoiorg101016jhlpt2021100549pp186
Cybersecurity in the internet of Medical Things
supra
note 185
pp187
Idpp188
Idpp189
Idpp190
Report to Congressional Committees Medical Device Cybersecurity Agencies Need to Update Agreement to Ensure Effective Coordination US Government Accountability Office p 1 Dec 2023
httpswwwgaogovassetsd24106683pdfpp191
Medical Device Interoperability US Food Drug Administration US Department of Health and Human Services
httpswwwfdagovmedicaldevicesdigitalhealthcenterexcellencemedicaldeviceinteroperabilitypp192
Guidance for Industry and Food Drug Administration Staff Cybersecurity in Medical Devices Quality System Considerations and Content of Premarket Submissions US Food Drug Administration US Department of Health and Human Services Sept 27 2023
httpswwwfdagovmedia119933downloadpp193
45 CFR 160103 definition of Health care provider
pp194
Where an application developer meets the HIPAA Rules definition of health care provider and engages in standard electronic transactions such as billing an insurance company for its services it is a covered entity for the purposes of the HIPAA Rules including the Security Rule Where an application developer is not regulated under the HIPAA Rules other Federal laws may apply to the application developer or the application such as the FTC Act
See eg
FTC Act codified at 15 USC 4158
pp195
See eg
Kea Turner et al Sharing patientgenerated data with healthcare providers findings from a 2019 national survey Journal of the American Medical Informatics Association p 371376 Nov 12 2020
httpsdoiorg101093jamiaocaa272
Accenture Federal Services Conceptualizing a Data Infrastructure for the Capture Use and Sharing of PatientGenerated Health Data in Care Delivery and Research through 2024 The Office of the National Coordinator for Health Information Technology US Department of Health and Human Services p 5 Jan 2018
httpswwwhealthitgovsitesdefaultfilesoncpghdfinalwhitepaperpdf see also
Jolaade Kalinowski et al Smart device ownership and use of social media wearable trackers and health apps among Black women with hypertension in the United States JMIR Cardio preprint
httpspreprintsjmirorgpreprint59243pp196
See
Conceptualizing a Data Infrastructure for the Capture Use and Sharing of PatientGenerated Health Data in Care Delivery and Research through 2024
supra
note 195 p 1 Asos Mahmood et al mHealth Apps Use and Their Associations With Healthcare DecisionMaking and Health Communication Among Informal Caregivers Evidence From the National Cancer Institutes Health Information National Trends Survey American Journal of Health Promotion p 4052 Jan 2024
httpsjournalssagepubcomhhsnihidmoclcorgdoi10117708901171231202861pp197
See88 FR 75191 Nov 1 2023 Ritu Agarwal et al Augmenting physicians with artificial intelligence to transform healthcare Challenges and opportunities Journal of Economics Management Strategy p 360374 Mar 2024
httpsonlinelibrarywileycomhhsnihidmoclcorgdoi101111jems12555
Becca Beets et al Surveying Public Perceptions of Artificial Intelligence in Health Care in the United States Systematic Review Journal of Medical internet Research 2023
httpsdoiorg10219640337pp198
Michael E Matheny et al Artificial Intelligence in Health Care A Report from the National Academy of Medicine Journal of the American Medical Association p 50910 2020
httpsjamanetworkcomhhsnihidmoclcorgjournalsjamafullarticle2757958pp199
2023 HIMSS Healthcare Cybersecurity Survey Healthcare Information and Management Systems Society p 19 Mar 1 2024
httpswwwhimssorgsiteshdefilesmediafile202403012023himsscybersecuritysurveyxpdfpp200
Id
at 16 Generative AI is a type of software that uses statistical models that generalize the patterns and structures of existing data to either reorganize existing data or create new content Risk In Focus Generative AI And The 2024 Election Cycle Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovsitesdefaultfiles202405ConsolidatedRiskinFocusGenAIElectionsV2508cpdfpp201
2023 HIMSS Healthcare Cybersecurity Survey
supra
note 199 p 22
pp202
See
Lizzie Roehrs CSL Professor explores DNA as data storage University of Illinois UrbanaChampaign The Grainger College of Engineering Coordinated Science Laboratory Aug 25 2020
httpscslillinoisedunewsandmediacslprofessorexploresdnadatastorage
Cheng Kai Lim et al A biological camera that captures and stores images directly into DNA nature communications July 3 2023
httpswwwnaturecomarticless4146702338876w
Devasier Bennet et al Current and emerging opportunities in biological mediumbased computing and digital data storage Nano Select p 883 May 2022
httpsdoiorghhsnihidmoclcorg101002nano202100275pp203
88 FR 75191 Nov 1 2023
pp204
Id
at 75214
pp205
See
HHS Artificial Intelligence AI Strategy AI Council AI Community of Practice US Department of Health and Human Services June 6 2024
httpswwwhhsgovprogramstopicsitesaistrategyindexhtml
About the HHS Office of the Chief Artificial Intelligence Officer OCAIO US Department of Health and Human Services June 6 2024
httpswwwhhsgovprogramstopicsitesaiocaioindexhtml see also
Advancing Governance Innovation and Risk Management for Agency Use of Artificial Intelligence M2410 Office of Management and Budget Executive Office of the President Mar 28 2024
httpswwwwhitehousegovwpcontentuploads202403M2410AdvancingGovernanceInnovationandRiskManagementforAgencyUseofArtificialIntelligencepdfpp206
See eg89 FR 37522 37642 May 6 2024 and 89 FR 1192 1244 Jan 9 2024
pp207
John Riggi The importance of cybersecurity in protecting patient safety American Hospital Association Center for Health Innovation
httpswwwahaorgcentercybersecurityandriskadvisoryservicesimportancecybersecurityprotectingpatientsafety In 2016 PHI was valued at 50 times the worth of financial information on the black market Diane Doebele Koch Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information PHI in the Cyber Age Journal of Health Care Finance p 22 Spring 2016 citing Beth Kutscher Healthcare underspends on Cybersecurity as attacks accelerate Modern Healthcare Mar 3 2016
httpswwwmodernhealthcarecomarticle20160303NEWS160309922healthcareunderspendsoncybersecurityasattacksaccelerate New Dangers in the New World Cyber Attacks in the Healthcare Industry
supra
note 135 p 3 stolen medical data sells for 1020 times more than credit card data
pp208
Gilbert MunozCornejo et al Analyzing the urbanrural divide the role of location time and breach characteristics in US hospital security incidents 20122021 Discover Health Systems June 17 2024
httpslinkspringercomarticle101007s44250024001056textSpecifically2C20our20study20shows20thattrend20of20breaches20over20timepp209
Lynne Coventry et al Cybersecurity in healthcare A narrative review of trends threats and ways forward Maturitas p 46 July 2018
httpswwwmaturitasorgarticleS0378512218301658abstractpp210
Idpp211
See
Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
supra
note 10
pp212
Idpp213
Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2022 Office for Civil Rights US Department of Health and Human Services p 89 2022
httpswwwhhsgovsitesdefaultfilesbreachreporttocongress2022pdfpp214
Change Healthcare is a health care clearinghouse and a subsidiary of UnitedHealth Group
httpswwwchangehealthcarecom
On the morning of Feb 21 2024 Optum another subsidiary of UnitedHealth Group reported that it was experiencing enterprisewide connectivity issues By that afternoon the announcement changed to a network interruption related to a cyber security issue and explained that once Change Healthcare became aware of the outside threat in the interest of protecting our partners and patients we took immediate action to disconnect our systems to prevent further impact
See
Optum Solution Status Optum Inc UnitedHealth Group
httpssolutionstatusoptumcomincidentshqpjz25fn3n7
last accessed on July 16 2024 On Mar 13 2024 the Department announced that it would be initiating an investigation into the incident
See
Letter from OCR Director Melanie Fontes Rainer to Colleagues Mar 13 2024
httpswwwhhsgovsitesdefaultfilescyberattackchangehealthcarepdf
Andrew Witty UnitedHealth Group Chief Executive Officer in his testimony to Congress estimated that the breach of Change Healthcare may involve the PHI of onethird of Americans Hacking Americas Health Care Assessing the Change Healthcare Cyber Attack and Whats Next Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce Hearing Before the Committee on Finance May 1 2024
httpswwwfinancesenategovhearingshackingamericashealthcareassessingthechangehealthcarecyberattackandwhatsnext
Change Healthcare filed its breach report with the Department on July 19 2024 Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
supra
note 10 Change Healthcares breach report currently identifies 100 million individuals as the approximate number of individuals affected
httpsocrportalhhsgovocrbreachbreachreportjsf
However Change Healthcare is still determining the number of individuals affected The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach Change Healthcare Cybersecurity Incident Frequently Asked Questions Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalsspecialtopicschangehealthcarecybersecurityincidentfrequentlyaskedquestionsindexhtmlpp215
internet Crime Report internet Crime Complaint Center Federal Bureau of Investigation p 13 2023
httpswwwic3govMediaPDFAnnualReport2023IC3Reportpdfpp216
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 16
pp217
Chon Abraham et al Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 539548 540
pp218
Ransomware Attacks Surge in 2023 Attacks on Healthcare Sector Nearly Double The Cyber Threat Intelligence Integration Center Office of the Director of National Intelligence Feb 28 2024
httpswwwdnigovfilesCTIICdocumentsproductsRansomwareAttacksSurgein2023pdfpp219
Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 14
pp220
Idpp221
Presidential Memorandum on National Security Memorandum on Critical Infrastructure Security and Resilience
supra
note 11
pp222
2024 Data Breach Investigations Report Healthcare Snapshot Verizon Business p 12 May 1 2024 The report describes misdelivery as sending information to the wrong recipient whether by electronic or physical means
httpswwwverizoncombusinessresourcesreportsdbir2024industriesintrohealthcaredatabreachespp223
Press release HHS Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for 475 Million Office for Civil Rights US Department of Health and Human Services Feb 6 2024
httpswwwhhsgovaboutnews20240206hhsofficecivilrightssettlesmaliciousinsidercybersecurityinvestigationhtmlpp224
Press release Snooping in Medical Records by Hospital Security Guards Leads to 240000 HIPAA Settlement Office for Civil Rights US Department of Health and Human Services June 15 2023
httpswwwhhsgovaboutnews20230615snoopingmedicalrecordsbyhospitalsecurityguardsleads240000hipaasettlementhtmlpp225
Remediation and Guidance Hub Falcon Content Update for Windows Hosts CrowdStrike
httpswwwcrowdstrikecomfalconcontentupdateremediationandguidancehubpp226
See
Data Integrity Detecting and Responding to Ransomware and Other Destructive Events NIST Special Publication 180026A National Institute of Standards and Technology US Department of Commerce p 1 Dec 2020
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP180026pdfpp227
Likely eCrime Actor Uses Filenames Capitalizing on July 19 2024 Falcon Sensor Content Issues in Operation Targeting LATAMBased CrowdStrike Customers CrowdStrike Blog July 20 2024
httpswwwcrowdstrikecombloglikelyecrimeactorcapitalizingonfalconsensorissuespp228
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 p 2 explaining that NCVHS conducted an inquiry into whether compliance with the Security Rule had improved since the Department released the results of its 20162017 audit of selected provisions of the Security Rule and found that not much had changed Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 540 There is enough evidence to suggest that US healthcare organizations lack a deliberate organized and comprehensive cyberresilience strategy
pp229
See
Susan Kiser et al Ransomware Healthcare Industry at Risk Journal of Business and Accounting p 6566 Fall 2021 Meghan Hufstader Gabriel Data Breach Locations Types and Associated Characteristics Among US Hospitals American Journal of Managed Care p 78 Feb 2018 Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information PHI in the Cyber Age
supra
note 207 p 2023
pp230
Chris Hayhurst On Guard Staying Vigilant Against Medical Device Vulnerabilities Biomedical Instrumentation Technology Volume 54 Issue 3 p 169 MayJune 2020 Report on Improving Cybersecurity In The Health Care Industry
supra
note 117 p 2
pp231
2021 HIMSS Healthcare Cybersecurity Survey Healthcare Information and Management Systems Society p 18 Jan 28 2022
httpswwwhimssorgsiteshdefilesmediafile202201282021himsscybersecuritysurveypdfpp232
Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 543
pp233
Id
at 542
pp234
See68 FR 8334 8352 Feb 20 2003 In the preamble to the 2003 Security Rule the Department explained that it had determined that an inventory requirement was unnecessary because it is redundant of other requirements We assumed that covered entities and later all regulated entities would have performed this activity by virtue of having implemented the security measures required under the security management process standard
pp235
Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 542543
pp236
Eric C Reese Healthcares cybersecurity stakes reach alarming levels Health Facilities Management Magazine Volume 76 Issue 8 p 22 Nov 2022
pp237
68 FR 8334 8343 Feb 20 2003
pp238
45 CFR 164308a1iiA
pp239
45 CFR 164308a1iiB 20162017 HIPAA Audits Industry Report
supra
note 121 p 4
pp240
20162017 HIPAA Audits Industry Report
supra
note 121 p 4
pp241
Id
at 11
pp242
Id
at 27
pp243
Id
at 30
pp244
Id
at 27 and 30
pp245
See
OCR News Releases Bulletins Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovocrnewsroomindexhtmlpp246
See
Resolution Agreement Doctors Management Services Inc Office for Civil Rights US Department of Health and Human Services Oct 31 2023
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsdmsracapindexhtml
Press Release HHS Office for Civil Rights Settles Ransomware CyberAttack Investigation Office for Civil Rights US Department of Health and Human Services Oct 31 2023
httpswwwhhsgovaboutnews20231031hhsofficecivilrightssettlesransomwarecyberattackinvestigationhtml see also
Breach Portal Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
supra
note 10
pp247
HHS Office for Civil Rights Settles Ransomware CyberAttack Investigation
supra
note 246
pp248
See
Resolution Agreement Montefiore Medical Center Office for Civil Rights US Department of Health and Human Services Nov 17 2023
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsmontieforeindexhtml
HHS Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for 475 Million
supra
note 223
pp249
Muddling through cybersecurity Insights from the US healthcare industry
supra
note 116 p 541 Start with Security A Guide for Business
supra
note 17
pp250
See45 CFR 164312a1 and e1 PRDS1 and 2 Framework for Improving Critical Infrastructure Cybersecurity Cybersecurity Framework CSF Version 11 National Institute of Standards and Technology US Department of Commerce Apr 16 2018
httpsnvlpubsnistgovnistpubsCSWPNISTCSWP04162018pdf
PRDS01 and 02 The NIST Cybersecurity Framework CSF 20
supra
note 15
pp251
2021 HIMSS Healthcare Cybersecurity Survey
supra
note 231 p 23
pp252
See
Hacking Americas Health Care Assessing the Change Healthcare Cyber Attack and Whats Next
supra
note 214 According to CEO Andrew Witty intruders used compromised credentials to remotely access an application used to enable remote access to desktops which did not have MFA The Departments investigation into the Change Healthcare breach is ongoing and no conclusion has been reached with respect to its cause or whether Change Healthcare was in violation of the Security Rule
pp253
45 CFR 164308a4iiB and 164312a1 The NIST Cybersecurity Framework CSF 20
supra
note 15 Framework for Improving Critical Infrastructure Cybersecurity
supra
note 250
pp254
RSMA The NIST Cybersecurity Framework CSF 20
supra
note 15
pp255
PRIP9 Framework for Improving Critical Infrastructure Cybersecurity
supra
note 250
pp256
45 CFR 164304 definition of Security incident The definition of security incident includes both attempted and successful incidents A successful incident is one in which a threat actor is able to without authorization access use disclose modify or destroy information or interfere with system operations in an information system
pp257
See eg
Montefiore Medical Center
supra
note 248
pp258
University of Texas MD Anderson Cancer Center
v
US Department of Health and Human Services
985 F3d 472 478 5th Cir 2021
pp259
Idpp260
Idpp261
Sec 1173d2B of Pub L 104191 110 Stat 2026 Aug 21 1996 codified at 42 USC 1320d2
pp262
68 FR 8334 8336 Feb 20 2003
pp263
42 USC 17931a 78 FR 5566 Jan 25 2013
pp264
78 FR 5566 Jan 25 2013
pp265
Id
at 5591
pp266
See68 FR 8334 8341 Feb 20 2003
pp267
Id
at 8344
pp268
See
20162017 HIPAA Audits Industry Report
supra
note 121 p 4 Most covered entities failed to meet the requirements for other selected provisions in the audit such as adequately safeguarding protected health information PHI OCR also found that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management Enforcement Highlights Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementdataenforcementhighlightsindexhtmlpp269
See eg
Montefiore Medical Center
supra
note 248 Doctors Management Services Inc
supra
note 246
pp270
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 p 2 detailing the inquiry undertaken by NCVHS into the scope and breadth of security risks and how to best address those challenges
pp271
Idpp272
See42 USC 1320d1f
pp273
See
Letter from NCVHS Chair Jacki Monson 2022
supra note 123
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123
pp274
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 4 citing a survey performed by a College of Healthcare Information Management Executives CHIME as explained at Jill McKeon 32 of Healthcare Organizations Have a Comprehensive Security Program Health IT Security Nov 22 2021
httpshealthitsecuritycomnews32ofhealthcareorganizationshaveacomprehensivesecurityprogram
pp275
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 4
see also
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 1
pp276
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 510
see also
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2
pp277
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 14
pp278
Id
at Appendix p 45
pp279
Id
at Appendix p 46
pp280
Id
at Appendix p 67
pp281
Id
at Appendix p 78
pp282
Id
at 910
pp283
The Department has issued among other things a video presentation on trends in real world cyberattacks a cybersecurity checklist and infographic guidance on ransomware a crosswalk with the NIST CSF and an ongoing series of newsletters on various topics pertaining to cybersecurity
See
Cyber Security Guidance Material Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecurityindexhtmlpp284
See87 FR 19833 Apr 6 2022
pp285
See
proposed 45 CFR 164306b2v
pp286
68 FR 8334 8336 Feb 20 2003
pp287
Id
at 8346
pp288
Id
At that time the Security Rule applied directly only to covered entities As discussed above Congress later extended the application of the Security Rule directly to business associates
pp289
68 FR 8334 8343 Feb 20 2003
pp290
Idpp291
78 FR 5566 5589 Jan 25 2013
pp292
42 USC 1320d2d1Av
pp293
See
Why Health Care is Harder to Access in Rural America US Government Accountability Office May 16 2023 When local hospitals close in rural areas residents have to travel more than 20 miles further to receive common health care and 40 miles further to receive less common health care such as substance use disorder treatment Such rural areas generally have fewer health care providers overall
httpswwwgaogovblogwhyhealthcareharderaccessruralamericapp294
See
A National Staffing Emergency in Rural Health Care American Hospital Association Dec 19 2023
httpswwwahaorgadvancinghealthpodcast20231220nationalstaffingemergencyruralhealthcarepp295
See
Debi Primeau How Small Organizations Handle HIPAA Compliance Journal of the American Health Information Management Association Volume 88 Issue 4 p 1821 19 Apr 2017 Kat Jercich Rural hospitals are more vulnerable to cyberattacksheres how they can protect themselves Healthcare IT News Sept 8 2021
see also
Tami Lichtenberg Recovering from a Cybersecurity Attack and Protecting the Future in Small Rural Health Organizations Oct 4 2023
httpswwwruralhealthinfoorgruralmonitorcybersecurityattackspp296
See
How Small Organizations Handle HIPAA Compliance
supra
note 295 p 19 Rural hospitals are more vulnerable to cyberattacksheres how they can protect themselves
supra
note 295
pp297
Too Small to Be Attacked by Cybercriminals Not So Fast SameDay Surgery Volume 43 Issue 7 July 2019
httpswwwreliasmediacomarticles144561toosmalltobeattackedbycybercriminalsnotsofastpp298
Percent of Hospitals By Type that Possess Certified Health IT Health IT QuickStat 52 Sept 2018
httpswwwhealthitgovdataquickstatspercenthospitalstypepossesscertifiedhealthit
Officebased Physician Electronic Health Record Adoption Health IT QuickStat 50
httpswwwhealthitgovdataquickstatsofficebasedphysicianelectronichealthrecordadoptionpp299
How Small Organizations Handle HIPAA Compliance
supra
note 295 p 19
pp300
See idpp301
Id see also
Recovering from a Cybersecurity Attack and Protecting the Future in Small Rural Health Organizations
supra
note 295
pp302
Too Small to Be Attacked by Cybercriminals Not So Fast
supra
note 297
pp303
Recovering from a Cybersecurity Attack and Protecting the Future in Small Rural Health Organizations
supra
note 295
pp304
Idpp305
Idpp306
See eg
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity The White House June 10 2024
httpswwwwhitehousegovbriefingroomstatementsreleases20240610factsheetbidenharrisadministrationbolstersprotectionsforamericansaccesstohealthcarethroughstrengtheningcybersecurity
How Do Ransomware Attacks Impact Rural Hospitals National Institute for Health Care Management Foundation p 1 2024
httpsnihcmorgassetsarticlesFINALNIHCMRIHannahNeprash20240801132728ushqpdfpp307
How Do Ransomware Attacks Impact Rural Hospitals
supra
note 306 p 2
pp308
Idpp309
Idpp310
Kevin Collier An Illinois hospital is the first health care facility to link its closing to a ransomware attack NBC News June 12 2023
httpswwwnbcnewscomtechsecurityillinoishospitallinksclosureransomwareattackrcna85983pp311
Idpp312
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity
supra
note 306
pp313
See eg
Free Cybersecurity Services and Tools Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovresourcestoolsresourcesfreecybersecurityservicesandtools
Cyber Hygiene Services Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovcyberhygieneservices
Cybersecurity Resources for HighRisk Communities Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovaudienceshighriskcommunitiescybersecurityresourceshighriskcommunitiespp314
See eg45 CFR 164306
pp315
See
sec 261 of Pub L 104191 110 Stat 2021 Aug 21 1996 as amended by sec 1104a of Pub L 111148 124 Stat 146 Mar 23 2010 codified at 42 USC 1320d note
pp316
Idpp317
42 USC 1320d1c1 and 2
pp318
42 USC 1320d1c2B
pp319
See42 USC 1320d7 definition of Standard
pp320
See42 USC 1320d2a1
pp321
65 FR 50312 50320 Aug 17 2000
see also42 USC 1320d2b c and d sec 264c of HIPAA
pp322
65 FR 50312 50320 Aug 17 2000
pp323
45 CFR 160103 definition of Standard
pp324
63 FR 43242 43249 Aug 12 1998 68 FR 8334 8341 Feb 20 2003
pp325
78 FR 5566 558991 569395 Jan 25 2013
pp326
63 FR 43249 Aug 12 1998 68 FR 8341 Feb 20 2003
pp327
42 USC 1320d2d1A
pp328
ANSINISTITL Standard National Institute of Standards and Technology US Department of Commerce Feb 3 2023
httpswwwnistgovprogramsprojectsansinistitlstandardpp329
See
section 13412a of the HITECH Act as amended by section 1 of Public Law 116321 134 Stat 5072 Jan 5 2021 codified at 42 USC 17941a1
pp330
Idpp331
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 Letter from NCVHS Chair Jacki Monson 2023
supra
note 123
pp332
42 USC 1320d1f
pp333
42 USC 1320d1c3Aii
pp334
45 CFR 160103 definition of Electronic media
pp335
78 FR 5566 Jan 25 2013
pp336
Id
at 5576
pp337
Idpp338
Idpp339
A standard telephone line often described as a traditional landline uses circuitswitched voice communication service technologies through the Public Switched Telephone Network The information transmitted through such traditional telephones is not electronic
pp340
VoIP technologies convert audio into a digital signal that is then transmitted over the internet
See
Voice Over internet Protocol VoIP Federal Communications Commission
httpswwwfccgovgeneralvoiceoverinternetprotocolvoippp341
A 2022 report by the Federal Communications Commission stated that the number of fixed retail switchedaccess lines declined over the past three years at a compound annual rate of 123 while interconnected VoIP subscriptions increased at a compound annual growth rate of 07
See
2022 COMMUNICATIONS MARKETPLACE REPORT Federal Communications Commission p 122 Dec 30 2022
httpsdocsfccgovpublicattachmentsFCC22103A1pdfpp342
See
NIST Privacy Framework A Tool for Improving Privacy Through Enterprise Risk Management Version 10 National Institute of Standards and Technology US Department of Commerce p 29 Jan 16 2020 see definition of data processing
httpsnvlpubsnistgovnistpubsCSWPNISTCSWP01162020pdfpp343
See
Maithilee Joshi et al Delegated Authorization Framework for EHR Services Using AttributeBased Encryption IEEE Transactions on Services Computing Volume 14 No 6 p 1 2021 discussing that health care providers are increasingly using Cloudbased EHR services to manage ePHI which increases the possibility of attacks on ePHI
httpsebiquityumbcedugetapublication1126pdf see also
Security Standards Technical Safeguards HIPAA Security Series Office for Civil Rights US Department of Health and Human Services May 2005 revised Mar 2007 The goal of encryption is to protect ePHI from being accessed and viewed by unauthorized users
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityruletechsafeguardspdflanguageespp344
The Department previously acknowledged that information transmitted by a telephone voice response system in response to a telephone request and some voice technology digitally produced from an information system and transmitted by telephone are both covered by this definition See 68 FR 8334 8342 Feb 20 2003 75 FR 40868 40874 July 14 2010 and 78 FR 5566 5575 Jan 25 2013
pp345
78 FR 5566 55755576 Jan 25 2013
pp346
45 CFR 164304 definition of Access
pp347
45 CFR 164304 definition of User
pp348
45 CFR 164304 definition of Security incident
pp349
45 CFR 164308a3i proposed 45 CFR 164308a9i
pp350
45 CFR 164304 definition of Administrative safeguards
pp351
45 CFR 164304 definitions of Administrative safeguards Physical safeguards and Technical safeguards
pp352
See also
Special Publication 80082r3 Guide to Operational Technology Security National Institute of Standards and Technology section 621 p 97 Identity Management and Access Control PRAC discussing the need of organizations to apply authentication controls for users devices and processes within the technology environment September 2023
pp353
While the Department also regulates adoption and meaningful use of certified EHR technology such as the actions of the enduser with respect to having and meaningfully using certified health IT to meet certain requirements such as those requirements for the Promoting Interoperability performance category of the Meritbased Incentive Payment System MIPS sections 1848q2Biv and 1848o2 of the SSA the definitions proposed in this NPRM would apply only to regulated entities compliance with the Security Rule
pp354
University of Texas MD Anderson Cancer Center supra
note 258 p 478
pp355
Idpp356
See
proposed 45 CFR 164308b1i and ii and b2ii
pp357
See
proposed 45 CFR 164312a1
pp358
See
proposed 45 CFR 164312a2iv
pp359
See45 CFR 164310a1
pp360
See45 CFR 164312a1
pp361
45 CFR 164304 definition of Physical safeguards
pp362
See
NIST definition of malware Glossary Computer Security Resource Center National Institute for Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermmalwarepp363
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16
pp364
Id
at 15
pp365
Idpp366
Cybersecurity Performance Goals
supra
note 18
pp367
Idpp368
See
HIPAA and Cybersecurity Authentication Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services June 2023
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterjune2023indexhtmlpp369
Id
citing Implementing PhishingResistant MFA Cybersecurity Infrastructure Security Agency US Department of Homeland Security Oct 2022
httpswwwcisagovsitesdefaultfilespublicationsfactsheetimplementingphishingresistantmfa508cpdf NIST also has issued draft defined characteristics for phishingresistant authenticators
See
David Temoshok et al Digital Identity Guidelines NIST Special Publication 800634 2pd Second Public Draft National Institute of Standards and Technology US Department of Commerce p 36 Aug 21 2024
httpscsrcnistgovpubssp8006342pdpp370
See
proposed 45 CFR 164312f2ii
pp371
See
HIPAA and Cybersecurity Authentication
supra
note 368 citing David Temoshok et al Digital Identity Guidelines NIST Special Publication 800634 Initial Public Draft National Institute of Standards and Technology US Department of Commerce p 17 Dec 2022
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP800634ipdpdf
pp372
NIST defines token as a portable usercontrolled physical device
eg
smart card or memory stick used to store cryptographic information and possibly also perform cryptographic functions
See
NIST definition of token Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce citing Elaine Barker et al Recommendation for Key Management Part 2Best Practices for Key Management Organizations NIST Special Publication 80057 Part 2 Revision 1 National Institute of Standards and Technology US Department of Commerce May 2019
httpscsrcnistgovglossarytermtokentextNIST20SP208002D632D320under20Tokenpossibly20also20perform20cryptographic20functionspp373
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 7
pp374
See
Digital Identity Guidelines Authentication and Lifecycle Management NIST Special Publication 80063B National Institute of Standard and Technology section 533 Use of Biometrics Oct 16 2023
httpspagesnistgov800633sp80063bhtmlsec5
We recognize that some of the example characteristics may not satisfy todays standards however the Department anticipates that they may in the future and proposes that they be included as examples such that regulated entities will be permitted to use them when the relevant standards are updated to allow for such use
pp375
45 CFR 164304 definition of Password
pp376
See45 CFR 164304 definition of Facility
pp377
45 CFR 164306
pp378
See eg
Steve Alder 89 Million Banner Health Data Breach Settlement Gets Final Approval The HIPAA Journal Apr 27 2020
httpswwwhipaajournalcom89millionbannerhealthdatabreachsettlementgetsfinalapproval
describing a settlement to cover claims stemming from an attack on a health systems payment processing system used in the food and beverage outlets of its hospitals
pp379
63 FR 8334 8340 Feb 20 2003
pp380
45 CFR 164308a1iA
pp381
45 CFR 164308a1iB Section 164306a requires regulated entities to comply with four general requirements to protect ePHI
pp382
See
NIST definition of risk Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce citing William Newhouse et al Multifactor Authentication for ECommerce NIST Special Publication 180017 National Institute of Standards and Technology US Department of Commerce July 2019
httpscsrcnistgovglossarytermriskpp383
45 CFR 164304b2iv
pp384
45 CFR 164308a1iiA proposed 45 CFR 164308a2i
pp385
45 CFR 164304 definition of Security or Security measures
pp386
45 CFR 164304 definition of Security or Security measures
pp387
See
NIST definition of firewall Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermfirewallpp388
See generally University of Texas MD Anderson Cancer Center supra
note 258 p 478
pp389
For example in the 2003 Final Rule we explained that in developing technical safeguards the Department proposed technical security services requirements and specific technical security mechanisms with implementation specifications without carving out or limiting these items to policies and procedures about the requirements
See68 FR 8334 8354 Feb 20 2003
pp390
45 CFR 164304 definition of Technical safeguards
pp391
Proposed 45 CFR164308a2iiA
2
pp392
See
NIST definition of threat Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermthreatpp393
See45 CFR 160502 of the 2003 interim final rule 68 FR 18895 18898 Apr 17 2003
pp394
45 CFR 160103 definition of Person
pp395
45 CFR 164304 definition of User
pp396
See
Defending Against Common CyberAttacks Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human
Services Mar 2022
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterfirstquarter2022indexhtmlpp397
Idpp398
Id
The National Vulnerability Database is the US government repository of standardsbased vulnerability management data
See
National Vulnerability Database National Institute of Standards and Technology US Department of Commerce
httpsnvdnistgovpp399
Known Exploited Vulnerabilities Catalog Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovknownexploitedvulnerabilitiescatalogpp400
See
NIST definition of vulnerability Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermvulnerabilitypp401
Proposed 45 CFR 164308a2iiA
7
pp402
Proposed 45 CFR 164308a4i
pp403
Proposed 45 CFR 164312h1
pp404
45 CFR 164304 definition of Workstation
pp405
See eg45 CFR 164310b and c
pp406
See42 USC 1320d2d
pp407
See42 USC 1320d2d2A
pp408
See 42 USC 1320d2d2Bi
pp409
See42 USC 1320d2d2Bii
pp410
See42 USC 1320d2d2C
pp411
The factors are 1 the technical capabilities of records systems used to maintain health information 2 the costs of security measures 3 the need for training 4 the value of audit trails in computerized record systems and 5 the needs and capabilities of small and rural health care providers
See42 USC 1320d2d1Aiv
pp412
See University of Texas MD Anderson Cancer Center supra
note 258 p 478
pp413
68 FR 8334 8343 Feb 20 2023
pp414
See
What is the difference between addressable and required implementation specifications in the Security Rule Office for Civil Rights US Department of Health and Human Services HIPAA FAQ 2020 Dec 28 2022
httpswwwhhsgovhipaaforprofessionalsfaq2020whatisthedifferencebetweenaddressableandrequiredimplementationspecificationsindexhtmlpp415
See45 CFR 164306d3 What is the difference between addressable and required implementation specifications in the Security Rule
supra
note 414
pp416
The Department has consistently attempted to dispel the notion that addressable implementation specifications are optional
See eg
Security 101 for Covered Entities HIPAA Security Series Centers for Medicare Medicaid Services p 6 Nov 2004 revised Mar 2007
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityrulesecurity101pdflanguagees Controlling Access to ePHI For Whose Eyes Only Cybersecurity Newsletter
Office for Civil Rights US Department of Health and Human Services July 14 2021
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewslettersummer2021indexhtml and HIPAA Security Rule Facility Access ControlsWhat are they and how do you implement them Cybersecurity Newsletter
Office for Civil Rights US Department of Health and Human Services
Aug 2024 httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletteraugust2024indexhtmlpp417
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 2
pp418
Id
at Appendix p 4
pp419
Idpp420
Id
at 5
pp421
See68 FR 8334 8336 Feb 20 2003
pp422
68 FR 8334 8341 Feb 20 2003
see also
Jennifer Cawthra et al Data Integrity Identifying and Protecting Assets Against Ransomware and Other Destructive Events NIST Special Publication 180025A National Institute of Standards and Technology US Department of Commerce p 1 Dec 2020 The CIA triad represents the three pillars of information security confidentiality integrity and availability
httpswwwnccoenistgovpublication180025VolAindexhtmlpp423
42 USC 1320d2d2A and C
pp424
Section 164530c includes the Privacy Rule standard and implementation specification for safeguarding PHI It requires covered entities to have in place appropriate administrative physical and technical safeguards to protect the privacy of PHI Additionally it requires covered entities to reasonably safeguard PHI from intentional or unintentional uses or disclosures that violate the Privacy Rule and to limit incidental uses or disclosures made pursuant to a permissible or required use or disclosure of PHI
pp425
42 USC 1320d2d
pp426
Joint Task Force Managing Information Security Risk Organization Mission and Information System View NIST Special Publication 80039 Appendix B National Institute of Standards and Technology US Department of Commerce p B5 Mar 2011
httpsnvlpubsnistgovnistpubsLegacySPnistspecialpublication80039pdfpp427
Ron Ross et al Developing CyberResilient Systems A Systems Security Engineering Approach NIST Special Publication 800160 Volume 2 Revision 1 National Institute of Standards and Technology US Department of Commerce p 1 Dec 2021
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP800160v2r1pdfpp428
Proposed 45 CFR 164308a12i
pp429
Proposed 45 CFR 164308a13i
pp430
Proposed 45 CFR 164308a4i
pp431
Proposed 45 CFR 164312h1
pp432
See
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 510
pp433
See68 FR 8334 8344 Feb 20 2003
pp434
See45 CFR 164502b and 164514d
pp435
45 CFR 164308a5iiA
pp436
45 CFR 164308a5iiB
pp437
45 CFR 164308a5iiC
pp438
45 CFR 164308a5iiD
pp439
45 CFR 164308a7iiA
pp440
45 CFR 164308a7iiB
pp441
45 CFR 164308b3
pp442
See
proposed revisions to 45 CFR 164316 for a more fulsome discussion of documentation requirements
pp443
See
proposed revisions to 45 CFR 164306c and d for a more fulsome discussion of the distinction between required and addressable implementation specifications
pp444
See
The NIST Cybersecurity Framework CSF 20
supra
note 15
pp445
See78 FR 5566 55725573 Jan 25 2013 explaining reasons for adopting proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of business associate that a business associate includes a subcontractor that creates receives maintains or transmits protected health information on behalf of the business associate
pp446
See eg
OCR information about the Change Healthcare cybersecurity incident Change Healthcare Cybersecurity Incident Frequently Asked Questions US Department of Health and Human Services July 30 2024
httpswwwhhsgovhipaaforprofessionalsspecialtopicschangehealthcarecybersecurityincidentfrequentlyaskedquestionsindexhtmlpp447
See
Guidance on HIPAA Cloud Computing Office for Civil Rights US Department of Health and Human Services A covered entity or business associate that engages a cloud service provider CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity or business associate can appropriately conduct its own risk analysis and establish risk management policies as well as enter into appropriate business associate agreements
httpswwwhhsgovhipaaforprofessionalsspecialtopicshealthinformationtechnologycloudcomputingindexhtmlpp448
Cybersecurity Performance Goals
supra
note 18
pp449
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 5
pp450
See68 FR 8333 8352 Feb 20 2003
pp451
See
Making a List and Checking it Twice HIPAA and IT Asset Inventories Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Aug 25 2020
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewslettersummer2020indexhtmlpp452
Idpp453
See
The NIST Cybersecurity Framework CSF 20
supra
note 15 p 3
pp454
Proposed 45 CFR 164308a1iiA
pp455
Idpp456
See eg
New York State Register
supra
note 14
pp457
Making a List and Checking it Twice HIPAA and IT Asset Inventories
supra
note 451
pp458
Idpp459
NIST defines the Internet of Things as the network of devices that contain the hardware software firmware and actuators which allow the devices to connect interact and freely exchange data and information NIST definition of Internet of Things Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossaryterminternetofthingspp460
See
Guidance on Risk Analysis Office for Civil Rights US Department of Health and Human Services July 22 2019
httpswwwhhsgovhipaaforprofessionalssecurityguidanceguidanceriskanalysisindexhtmllanguageespp461
Id see also
Jeffrey A Marron Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide NIST Special Publication 80066 Revision 2 National Institute of Standards and Technology US Department of Commerce p2884 Feb 2024
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP80066r2pdfpp462
See
Guidance on Risk Analysis
supra
note 460
pp463
See idpp464
See
Security Risk Assessment Tool Office for Civil Rights and Office of the National Coordinator for Health Information Technology US Department of Health and Human Services updated Sept 5 2023
httpswwwhealthitgovtopicprivacysecurityandhipaasecurityriskassessmenttoolpp465
See
HIPAA Security Rule National Institute of Standards and Technology US Department of Commerce Jan 3 2011 updated July 21 2022
httpswwwnistgovprogramsprojectssecurityhealthinformationtechnologyhipaasecurityrulepp466
See
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework Office for Civil Rights US Department of Health and Human Services June 2020
httpswwwhhsgovguidancesitesdefaultfileshhsguidancedocumentsnistcsftohipaasecurityrulecrosswalk02222016finalpdfpp467
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp468
See idpp469
This component of the assessment would be accomplished under the NPRM if adopted through compliance with the proposed standard for technology asset inventory at proposed 45 CFR 164308a1i Under the current Security Rule we consider the technology asset inventory to be a component of the standard for risk analysis
pp470
Risk Analyses vs Gap AnalysesWhat is the difference Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Apr 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewsletterapril2018pdfpp471
Joint Task Force Guide for Conducting Risk Assessments NIST Special Publication 80030 Revision 1 National Institute of Standards and
Technology US Department of Commerce Sept 2012
httpsnvlpubsnistgovnistpubsLegacySPnistspecialpublication80030r1pdfpp472
Id
at Appendix I
see also
Reducing the Significant Risk of Known Exploited Vulnerabilities Cybersecurity Infrastructure Security Agency US Department of Homeland Security Nov 3 2021
httpswwwcisagovsitesdefaultfilespublicationsReducingtheSignificantRiskofKnownExploitedVulnerabilities211103pdfpp473
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 1622
pp474
20162017 HIPAA Audits Industry Report
supra
note 121
pp475
Idpp476
Press Release HHS Office for Civil Rights Settles HIPAA Security Rule Failures for 950000 US Department of Health and Human Services July 1 2024
httpsprodwwwhhsgovcloudhhsgovaboutnews20240701hhsofficecivilrightssettleshipaasecurityrulefailures950000htmlpp477
See
Montefiore Medical Center
supra
note 248
pp478
See
Doctors Management Services Inc
supra
note 246
pp479
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 46
pp480
Proposed 45 CFR 164308a2iiA
pp481
Proposed 45 CFR 164308a2iiA
1
pp482
Proposed 45 CFR 164308a2iiA
2
pp483
Proposed 45 CFR 164308a2iiA
3
pp484
Proposed 45 CFR 164308a2iiA
4
pp485
Proposed 45 CFR 164308a2iiA
5
pp486
Proposed 45 CFR 164308a2iiA
6
pp487
Proposed 45 CFR 164308a2iiA
7
pp488
Proposed 45 CFR 164308a2iiA
8
pp489
See
NCVHS recommendation to test at multiple points in the life cycle of a system including at every significant change throughout the life of the system Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 6
pp490
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 Security Rule Guidance Material Office for Civil Rights US Department of Health and Human Services Feb 16 2024
httpswwwhhsgovhipaaforprofessionalssecurityguidanceindexhtmllanguageespp491
See
Defending Against Common CyberAttacks
supra
note 396
pp492
It may not be reasonable and appropriate for a regulated entity to patch software or update a system configuration where the risk of introducing a change is greater than the status quo risk or where the regulated entity does not own or manage a networked device For example instances where it might not be reasonable and appropriate to patch or update an information system include 1 where a system needs to run continuously for mission critical support and is not patched or updated during its lifetime and 2 where the regulated entitys testing of such patch or update indicates potential adverse impacts or where industry is reporting adverse impacts of such patch or update This does not negate the regulated entitys need to address the vulnerability with a compensating control For example where a hospital discovers a vulnerability on a device that is connected to its network but owned and managed by a business associate the hospital may not have access to install a patch but it should employ a compensating control such as disabling or limiting that devices access to the hospitals network
pp493
See
Guidance on Software Vulnerabilities and Patching Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services June 2018
httpswwwhhsgovsitesdefaultfilesjune2018newslettersoftwarepatchespdfpp494
See
Securing Your Legacy System Security Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Oct 2021
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterfall2021indexhtmlpp495
See
Guidance on Software Vulnerabilities and Patching
supra
note 493
pp496
See
Murugiah Souppaya et al Guide to Enterprise Patch Management Planning Preventive Maintenance for Technology NIST Special Publication 80040 Revision 4 National Institute of Standards and Technology US Department of Commerce Apr 2022
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP80040r4pdfpp497
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 1 Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 89
pp498
An explanation of risk rating is provided above in the discussion of the proposed standard for risk analysis and associated implementation specifications
pp499
Cybersecurity Performance Goals
supra
note 18
pp500
See
proposed 45 CFR 164308a2
pp501
Cybersecurity Performance Goals
supra
note 18
pp502
See
6 Basics of Risk Analysis and Risk Management HIPAA Security Series Volume 2 Paper 6 Centers for Medicare Medicaid Services June 2005 revised Mar 2007
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityruleriskassessmentpdflanguageespp503
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp504
See id
at 18
pp505
See id
at 25
pp506
Idpp507
See
proposed 45 CFR 164306d and 164316b1
pp508
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 27
pp509
See id
at 31
pp510
See idpp511
The 2024 Study on Cyber Insecurity in Health Care The Cost and Impact on Patient Safety and Care
supra
note 143 p 7
pp512
See
How Sanction Policies Can Support HIPAA Compliance Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Oct 2023
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletteroctober2023indexhtmlftn10pp513
68 FR 8334 8347 Feb 20 2003
pp514
65 FR 82462 82747 Dec 28 2000
pp515
68 FR 8334 8347 Feb 20 2003
pp516
65 FR 82462 82562 Dec 28 2000
pp517
See
Security Standards Administrative Safeguards HIPAA Security Series Volume 2 Paper 2 Centers for Medicare Medicaid Services May 2005 revised Mar 2007
httpswwwhhsgovsitesdefaultfilesocrprivacyhipaaadministrativesecurityruleadminsafeguardspdf see also
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 33
pp518
Records of sanction activity should be retained for at least six years
See45 CFR 164316 and 164530e2
pp519
See65 FR 82462 82562 Dec 28 2000
pp520
Idpp521
Idpp522
See
Security Standards Administrative Safeguards
supra
note 517
pp523
See45 CFR 164308a1iiC 164530e1
see also65 FR 82462 82747 Dec 28 2000 All members of a covered entitys workforce are subject to sanctions for violations
pp524
Workstations may also be referred to as endpoints
See
Memorandum on Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response Office of Management and Budget Executive Office of the President p 1 Oct 8 2021
httpswwwwhitehousegovwpcontentuploads202110M2201pdfpp525
See
Security Standards Administrative Safeguards
supra
note 517 p 56
pp526
See id
at 6
pp527
Idpp528
See
Managing Malicious Insider Threats Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Aug 2019
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewslettersummer2019indexhtmlpp529
Idpp530
Idpp531
Idpp532
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 33
pp533
See id
at 34
pp534
See idpp535
See
Security Standards Administrative Safeguards
supra
note 517 p 7
see also
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 3034
pp536
See
Press Release HHS Office for Civil Rights Settles HIPAA Security Rule Failures for 950000 US Department of Health and Human Services July 1 2024
httpsprodwwwhhsgovcloudhhsgovaboutnews20240701hhsofficecivilrightssettleshipaasecurityrulefailures950000htmlpp537
See
Montefiore Medical Center
supra
note 248
pp538
See45 CFR 164308a1iiD
pp539
See
Doctors Management Services Inc
supra
note 246
pp540
Idpp541
See
proposed 45 CFR 164308a12iiB
pp542
See
Security Standards Administrative Safeguards
supra
note 517 p 7
pp543
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp544
See
Press Release City Health Department failed to terminate former employees access to protected health information US Department of Health and Human Services Oct 30 2020
httpspublic3pagefreezercomcontentHHSgov31122020T0851httpswwwhhsgovaboutnews20201030cityhealthdepartmentfailedterminateformeremployeesaccessprotectedhealthinformationhtmlpp545
See
Security Standards Administrative Safeguards
supra
note 517 p 811
pp546
See
Summary of the HIPAA Security Rule US Department of Health and Human Services Oct 19 2022
httpswwwhhsgovhipaaforprofessionalssecuritylawsregulationsindexhtmlpp547
See45 CFR 164502b and 164514d
pp548
See
Security Standards Administrative Safeguards
supra
note 517 p 9
pp549
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp550
See id
at 36
pp551
See
proposed 45 CFR 164308a9i
pp552
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 36
pp553
See idpp554
See
Security Standards Administrative Safeguards
supra
note 517 p 10
pp555
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 37
pp556
See
Insider Threats and Termination Procedures Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Nov 2017
httpswwwhhsgovsitesdefaultfilesnovembercybersecuritynewsletter11292017pdfpp557
See
Managing Malicious Insider Threats
supra
note 528
pp558
Idpp559
See45 CFR 164308a4iiC
pp560
See
Security Standards Administrative Safeguards
supra
note 517 p 1011
pp561
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp562
See
proposed 45 CFR 164308a9iiA
pp563
See
proposed 45 CFR 164308a9iiB
pp564
See
proposed 45 CFR 164308a9iiE
pp565
Cybersecurity Performance Goals
supra
note 18
pp566
See
Security Standards Administrative Safeguards
supra
note 517 p11
pp567
See eg
Resolution Agreement Banner Health Office for Civil Rights US Department of Health and Human Services Dec 20 2022
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsbannerhealthracapindexhtml
Montefiore Medical Center
supra
note 248
pp568
See45 CFR 164502b and 164514d
pp569
See
Press Release OCR Imposes a 215 Million Civil Money Penalty against Jackson Health System for HIPAA Violation US Department of Health and Human Services Oct 19 2019
httpspublic3pagefreezercombrowseHHSgov31122020T0851httpswwwhhsgovaboutnews20191023ocrimposesa215millioncivilmoneypenaltyagainstjhsforhipaaviolationshtml see also
Notice of Proposed Determination Jackson Health System Office for Civil Rights US Department of Health and Human Services July 22 2019
httpspublic3pagefreezercombrowseHHSgov31122020T0851httpswwwhhsgovsitesdefaultfilesjacksonhealthsystemnoticeoffinaldetermination508pdf
Notice of Final Determination Jackson Health System Office for Civil Rights US Department of Health and Human Services Oct 15 2019
httpspublic3pagefreezercombrowseHHSgov31122020T0851httpswwwhhsgovsitesdefaultfilesjacksonhealthsystemnoticeoffinaldetermination508pdfpp570
See
Press Release HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking US Department of Health and Human Services Feb 2 2023
httpswwwhhsgovaboutnews20230202hhsofficeforcivilrightssettleshipaainvestigationwitharizonahospitalsystemhtmlpp571
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp572
45 CFR 160103 definition of Health care clearinghouse
pp573
45 CFR 164500b
see also
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 38
pp574
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 38
pp575
45 CFR 164308a4iiC
pp576
45 CFR 164308a4iiB
pp577
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp578
See45 CFR 164308a3 proposed 45 CFR 164308a9i
pp579
See
proposed 45 CFR 164312f2ii through iv
pp580
See
Train Your Workforce so They Dont Get Caught by a Phish Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services July 2017
httpswwwhhsgovsitesdefaultfilesjuly2017ocrcybernewsletterpdfpp581
See
Training Materials Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalstrainingindexhtmlpp582
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp583
See
Resolution Agreement West Georgia Ambulance Inc Office for Civil Rights US Department of Health and Human Services Dec 23 2019
httpswwwhhsgovsitesdefaultfileswestgeorgiaracappdfpp584
Cybersecurity Performance Goals
supra
note 18
pp585
Idpp586
Proposed 45 CFR 164308a11iiA
1
pp587
Proposed 45 CFR 164308a11iiA
2
pp588
Proposed 45 CFR 164308a11iiA
3 Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 1 Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 67
pp589
45 CFR 164308a5iiA
pp590
Proposed 45 CFR 164308a11iiB
1
pp591
Proposed 45 CFR 164308a11iiB
2
pp592
Proposed 45 CFR 164308a11iiB
3
pp593
See
HIPAA Security Rule Security Incident Procedures Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Oct 2022
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletteroctober2022indexhtmlpp594
Idpp595
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp596
See
Paul Cichonski et al Computer Security Incident Handling Guide Recommendations of the National Institute of Standards and Technology NIST Special Publication 80061 Revision 2 National Institute of Standards and Technology US Department of Commerce Aug 2012
httpswwwnistgovprivacyframeworknistsp80061pp597
The NIST Cybersecurity Framework CSF 20 removed emphasis on Actions regarding a detected cybersecurity incident are taken in original
supra
note 15 p 9
pp598
Idpp599
Proposed 45 CFR 164308a12iiA
1
pp600
See eg
Joint Task Force Security and Privacy Controls for Information Systems and
Organizations NIST Special Publication 80053 Revision 5 National Institute of Standards and Technology US Department of Commerce p 157 Sept 2020
httpsnvlpubsnistgovnistpubsSpecialPublicationsNISTSP80053r5pdfpp601
Cybersecurity Performance Goals
supra
note 18
see also
proposed 45 CFR 164314a2iC
pp602
Cybersecurity Performance Goals
supra
note 18
pp603
Idpp604
See
Computer Security Incident Handling Guide Recommendations of the National Institute of Standards and Technology
supra
note 597
pp605
See eg
New York State Register
supra
note 14 Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits Risk Assessments and Automated Decisionmaking
supra
note 14
see also
Cal Civ Code Section 1798185
pp606
See
Plan A B Contingency Plan Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Mar 2018
httpswwwhhsgovsitesdefaultfilesmarch2018ocrcybernewslettercontingencyplanningpdfpp607
See
Kate Conger et al What Is Crowdstrike New York Times July 19 2024
httpswwwnytimescom20240719businesswhatiscrowdstrikehtmlsearchResultPosition2 see also
Remediation and Guidance Hub Falcon Content Update for Windows Hosts July 31 2024
httpswwwcrowdstrikecomfalconcontentupdateremediationandguidancehubpp608
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
see also
Security Standards Administrative Safeguards
supra
note 517 p 1922
pp609
See
Press Release HHS Office for Civil Rights Settles HIPAA Security Rule Failures for 950000 US Department of Health and Human Services July 1 2024
httpsprodwwwhhsgovcloudhhsgovaboutnews20240701hhsofficecivilrightssettleshipaasecurityrulefailures950000htmlpp610
See
Security Standards Administrative Safeguards
supra
note 517 p 22
pp611
See
proposed 45 CFR 164308a13iiA
pp612
See
Cybersecurity Program Audit Guide GAO23104705 US Government Accountability Office p 1 Sept 28 2023
httpswwwgaogovproductsgao23104705 see also
Security and Privacy Controls for Information Systems and Organizations
supra
note 600
pp613
See
The IIAs Three Lines Model An update of the Three Lines of Defense The Institute of Internal Auditors p 4 Sept 9 2020
httpswwwtheiiaorgglobalassetsdocumentsresourcestheiiasthreelinesmodelanupdateofthethreelinesofdefensejuly2020threelinesmodelupdatedenglishpdfpp614
We believe that health plans that are subject to HIPAA and to the Employee Retirement Income Security Act of 1974 could comply with the proposed compliance audit requirement and follow the Employee Benefits Security Administrations Cybersecurity Program Best Practices which specifies that all such plans have a reliable annual third party audit of security controls Cybersecurity Program Best Practices Employee Benefits Security Administration US Department of Labor p 1 2 Apr 2021
httpswwwdolgov
sitesdolgovfilesebsapdffilesbestpracticespdf
Cybersecurity Guidance Update Employee Benefits Security Administration US Department of Labor Sept 6 2024
httpswwwdolgovagenciesebsakeytopicsretirementbenefitscybersecuritycomplianceassistancerelease202401pp615
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461
pp616
Id
at 54
pp617
Idpp618
See45 CFR 164306a1
pp619
See45 CFR 164308b
pp620
See
proposed 45 CFR 164308b1i and ii
pp621
Idpp622
See
proposed 45 CFR 164308b2ii
pp623
Idpp624
Proposed 45 CFR 164308b2iiA
pp625
Idpp626
Proposed 45 CFR 164308b2iiB
pp627
Cybersecurity Performance Goals
supra
note 18
see also
proposed 45 CFR 164308b2i
pp628
Cybersecurity Performance Goals
supra
note 18
pp629
Proposed 45 CFR 164308b3i
pp630
Proposed 45 CFR 164308b3ii
pp631
Considerations for Securing Electronic Media and Devices Office for Civil Rights US Department of Health and Human Services p 1 Aug 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewsletteraugust2018deviceandmediacontrolspdfpp632
See eg
Sonali Sachdeva et al Unraveling the role of cloud computing in health care system and biomedical sciences Heliyon Apr 2 2024 These days numerous commercial merchants are intermingling with hospitals as well as healthcare providers to establish healthcarebased cloud computing networks
httpswwwncbinlmnihgovhhsnihidmoclcorgpmcarticlesPMC11004887 see also id
Microsoft Google and Amazon have instantly realized that the majority of hospitals will not continue working with servers that are privately owned as well as controlled Increase in healthcare cyberattacks affecting patients with cancer
supra
note 180 In 2021 an attack against oncology services targeted data stored in cloudbased systems and affected patients in several States
pp633
See45 CFR 164304 definition of Physical safeguards
pp634
45 CFR 164310a2i
pp635
45 CFR 164310b
pp636
45 CFR 164310c
pp637
Considerations for Securing Electronic Media and Devices
supra
note 631 p 2
pp638
Idpp639
See University of Texas MD Anderson Cancer Center supra
note 258 p 479
pp640
Resolution Agreement Advocate Health Care Network Medical Group Office for Civil Rights US Department of Health and Human Services July 8 2016
pp641
Resolution Agreement University of Rochester Medical Center Office for Civil Rights US Department of Health and Human Services Oct 30 2019 describing a violation of the standard for device and media controls
pp642
See
discussion of 45 CFR 164306
pp643
See University of Texas MD Anderson Cancer Center supra
note 258
pp644
See45 CFR 164304 proposed definitions of Relevant electronic information systems and Technology assets
pp645
See
discussion of proposals to revise 45 CFR 164316
pp646
See45 CFR 164304 proposed definition of Implement
pp647
See
proposed 45 CFR 164308a13
pp648
See
Workstation Security Dont Forget About Physical Security Office for Civil Rights US Department of Health and Human Services p 2 May 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewslettermay2018workstationsecuritypdfpp649
See
proposed 45 CFR 164308a11iiA
1
pp650
Considerations for Securing Electronic Media and Devices
supra
note 631 p 1
pp651
Idpp652
See id
for a list of questions that regulated entities should consider when developing their policies and procedures regarding device and media controls
pp653
See
Richard Kissel et al Guidelines for Media Sanitization NIST Special Publication 80088 Revision 1 National Institute of Standards and Technology US Department of Commerce Dec 2014
httpscsrcnistgovpublicationsdetailsp80088rev1final see also
Proper Disposal of Electronic Devices Cybersecurity Infrastructure Security Agency US Department of Homeland Security Feb 1 2021
httpswwwcisagovnewseventsnewsproperdisposalelectronicdevicespp654
See
Guidelines for Media Sanitization
supra
note 653
see also
Proper Disposal of Electronic Devices
supra
note 653
pp655
Guidance on Disposing of Electronic Devices and Media Office for Civil Rights US Department of Health and Human Services p 1 July 2018
httpswwwhhsgovsitesdefaultfilescybersecuritynewsletterjuly2018Disposalpdfpp656
Id
at 2
pp657
Idpp658
Idpp659
Security Standards Technical Safeguards
supra
note 343 p 4
pp660
A superuser is a user that is authorized and therefore trusted to perform securityrelevant functions that ordinary users are not authorized to perform NIST definition of superuser Glossary Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce
httpscsrcnistgovglossarytermsuperuserpp661
See45 CFR 164306d for an explanation of required and addressable implementation specifications
pp662
45 CFR 164312a2i
pp663
45 CFR 164312a2ii
pp664
45 CFR 164312a2iii
pp665
45 CFR 164312a2iv
pp666
45 CFR 164312a2i
pp667
45 CFR 164312a2ii
pp668
Security Standards Technical Safeguards
supra
note 343 p 5
pp669
45 CFR 164312a2iii
pp670
Security Standards Technical Safeguards
supra
note 343 p 6
pp671
Idpp672
45 CFR 164312a2iv
pp673
Security Standards Technical Safeguards
supra
note 343 p 7
pp674
Understanding the Importance of Audit Controls Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services p 1 Jan 2017
httpswwwhhsgovsitesdefaultfilesjanuary2017cybernewsletterpdflanguageespp675
Idpp676
Id
at 2
pp677
Idpp678
Security Standards Technical Safeguards
supra
note 343 p 7
pp679
Idpp680
Id
at 9
pp681
Id
at 10
pp682
45 CFR 164312e2i
pp683
68 FR 8334 8357 Feb 20 2003
pp684
For example the ONC Health IT Certification Program requires that certified health IT certified to the enduser device encryption certification criterion at 45 CFR 170315d7 must encrypt electronic health information stored on enduser devices after use of the technology on those devices stops or prevent electronic health information from being locally stored on enduser devices after use of the technology on those devices stops
See also
Security Standards Technical Safeguards
supra
note 343 p 7
pp685
How to Protect the Data that is Stored on Your Devices Cybersecurity Infrastructure Security Agency US Department of Homeland Security access July 26 2024
httpswwwcisagovresourcestoolstraininghowprotectdatastoredyourdevices see also
Karen Scarfone et al Information Technology Laboratory ITL Bulletin August 2020 Security Considerations for Exchanging Files Over the internet National Institute of Standards and Technology US Department of Commerce Aug 2020
httpscsrcnistgovfilespubsshareditlbitlbul202008pdfpp686
45 CFR 164306d
pp687
Banner Health
supra
note 567
pp688
Resolution Agreement Lifespan Office for Civil Rights US Department of Health and Human Services June 26 2020
httpswwwhhsgovsitesdefaultfileslifespanracapsignedpdfpp689
Resolution Agreement Yakima Valley Memorial Hospital Office for Civil Rights US Department of Health and Human Services May 15 2023
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementsyakimaracapindexhtmlpp690
Idpp691
See
Montefiore Medical Center
supra
note 248
pp692
See eg
HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking
supra
note 570
pp693
Idpp694
The Home Depot Reports Findings in Payment Data Breach Investigation Home Depot Nov 6 2014
httpsirhomedepotcomnewsreleases201411062014014517315pp695
See45 CFR 164304 proposed definitions of Deploy and Implement
pp696
Security Standards Technical Safeguards
supra
note 343 p 3
pp697
Id
at 4
pp698
Cybersecurity Performance Goals
supra
note 18
pp699
Id
at 34
pp700
See45 CFR 164308a4 and proposed 45 CFR 164308a10
pp701
See
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp702
Defending Against Common CyberAttacks
supra
note 396
pp703
See45 CFR 170315d1
pp704
Cybersecurity Performance Goals
supra
note 18
pp705
See45 CFR 170315d6
pp706
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp707
Idpp708
For example Windows 10 operating system allows users to customize security options to automatically logout a user after a specified period of inactivity
pp709
See45 CFR 170315d5
pp710
Brute Force Attacks Conducted by Cyber Actors Cybersecurity Infrastructure Security Agency US Department of Homeland Security May 6 2020
httpswwwcisagovnewseventsalerts20180327bruteforceattacksconductedcyberactorspp711
Security and Privacy Controls for Information Systems and Organizations
supra
note 600 p 39
pp712
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 3 recommending that the Department require network segmentation as part of a layered security approach segregating network components based on user characteristics such as corporate network compared to business associate network Layering Network Security Through Segmentation Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovsitesdefaultfilespublicationslayeringnetworksecuritysegmentationinfographic5080pdf
Health Industry Cybersecurity Practices Managing Threats and Protecting Patients
supra
note 16 pp 23 and 31 PRIR01 The NIST Cybersecurity Framework CSF 20
supra
note 15
pp713
Layering Network Security Through Segmentation
supra
note 712
pp714
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 3
pp715
Cybersecurity Performance Goals
supra
note 18
pp716
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp717
Idpp718
Idpp719
Idpp720
See45 CFR 402 The presumption applies unless it can be rebutted in accordance with the breach risk assessment described in 45 CFR 1644022
pp721
45 CFR 164402
pp722
Karen Scarfone et al Guide to Storage Encryption Technologies for End User Devices Recommendations of the National Institute of Standards and Technology NIST Special Publication 800111 National Institute of Standards and Technology US Department of Commerce Nov 2007
httpsnvlpubsnistgovnistpubsLegacySPnistspecialpublication800111pdfpp723
74 FR 19600 1900919010 Apr 27 2009
pp724
45 CFR 164402
pp725
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp726
See68 FR 8334 8357 Feb 20 2003
pp727
Controlling Access to ePHI For Whose Eyes Only
supra
note 416
pp728
Idpp729
See
discussion of 45 CFR 164312
infrapp730
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2
pp731
The Department is also proposing to delete the implementation specification for encryption at 45 CFR 164312e2ii because we are proposing to address the substantive requirements of that implementation specification in proposed 45 CFR 164312b2
pp732
Cybersecurity Performance Goals
supra
note 18 Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2
pp733
See45 CFR 170315d7 and 170210a
pp734
For example adoption of health IT that is certified through the ONC Health IT Certification Program as having the technical capability to encrypt or prevent the local storage of electronic health information stored on enduser devices after use of the technology on those devices stops may contribute to a regulated entitys compliance with the proposed implementation specification for encryption and decryption
See45 CFR 170315d7 Additionally the proposed implementation specification generally is consistent with the Health Data Technology and Interoperability Patient Engagement Information Sharing and Public Health Interoperability HTI2 NPRM proposal to modify 45 CFR 170315d7 should it be finalized to include requirements that authentication credentials be protected using industrystandard encryption and decryption
See89 FR 6353637 63778 Aug 5 2024
pp735
Messaging in the context of telehealth is discussed in Department guidance on telehealth
See
Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for AudioOnly Telehealth Office for Civil Rights US Department of Health and Human Services June 13 2022
httpswwwhhsgovhipaaforprofessionalsprivacyguidancehipaaaudiotelehealthindexhtmlpp736
For example health IT certified through the ONC Health IT Certification Program as meeting the view download and transmit to 3rd party certification criterion must be able to create and transmit continuity of care document summaries to patients through email via an encrypted method of electronic transmission
See45 CFR 170315e1
pp737
The ONC Health IT Certification Program sets forth at 45 CFR 170550h the privacy and security certification framework for Health IT Modules Section 170550h identifies a mandatory minimum set of the certification criteria that ONC ACBs must ensure are also included as part of specific Health IT Modules that are presented for certification For example to meet the standardized API for patient and population services certification criterion the ONC Health IT Certification Program requires that a Health IT Module presented for testing and certification must demonstrate the ability to establish a secure and trusted connection with an application requesting data for patients
See45 CFR 170315g10
see also45 CFR 170215
pp738
See
Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth Office for Civil Rights US Department of Health and Human Services Oct 17 2023
httpswwwhhsgovhipaaforprofessionalsprivacyguidanceresourcehealthcareproviderseducatingpatientsindexhtmlpp739
See45 CFR part 171 85 FR 25642 25815 May 1 2020
pp740
See eg45 CFR part 171
pp741
45 CFR 164308a13
pp742
See
Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks MITRE Corporation Nov 2023
httpswwwmitreorgsitesdefaultfiles202311PR233695ManagingLegacyMedicalDevice20CybersecurityRiskspdf
Principles and Practices for the Cybersecurity of Legacy Medical Devices International Medical Device Regulators Forum p 8 Apr 11 2023
httpswwwimdrforgsitesdefaultfiles202304IMDRF20Principles20and20Practices20 of20Cybersecurity20for2020Legacy20 Medical20Devices20Final2028N70291pdfpp743
Cybersecurity US Food Drug Administration US Department of Health and Human Services
httpswwwfdagovmedicaldevicesdigitalhealthcenterexcellencecybersecuritypp744
See
sec 3305 of Public Law 117328 126 Stat 5832 Dec 29 2022 codified at 21 USC 360n2
see also
Cybersecurity in Medical Devices Frequently Asked Questions FAQs US Food Drug Administration US Department of Health and Human Services
httpswwwfdagovmedicaldevicesdigitalhealthcenterexcellencecybersecuritymedicaldevicesfrequentlyaskedquestionsfaqspp745
Celia Paulsen et al Glossary of Key Information Security Terms NIST Interagency and Internal Reports 7298 Revision 3 National Institute of Standards and Technology US Department of Commerce July 3 2019
httpsnvlpubsnistgovnistpubsir2019NISTIR7298r3pdfpp746
The Department does not propose to require that the periodic review include a review of whether the conditions of the exception continue to apply because when the conditions qualifying for an exception change such that an exception no longer applies a regulated entity would be expected to resume compliance with the standard for encryption and decryption and the associated implementation specifications without exception
pp747
Defending Against Common CyberAttacks
supra
note 396
see also
HIPAA and Cybersecurity Authentication
supra
note 368
pp748
Cybersecurity Performance Goals
supra
note 18
pp749
Idpp750
See
proposed 45 CFR 164312c2
pp751
What Happened to My Data Update on Preventing Mitigating and Responding to Ransomware Cybersecurity Newsletter Office for Civil Rights US Department of Health and Human Services Dec 2019
httpswwwhhsgovhipaaforprofessionalssecurityguidancecybersecuritynewsletterfall2019indexhtmlpp752
See
Understanding AntiVirus Software Cybersecurity Infrastructure Security Agency US Dept of Homeland Security June 30 2009 rev Sept 27 2019
httpswwwcisagovnewseventsnewsunderstandingantivirussoftwarepp753
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response M2201 Office of Management and Budget Executive Office of the President p 1 Oct 8 2021
httpswwwwhitehousegovwpcontentuploads202110M2201pdfpp754
Defending Against Common CyberAttacks
supra
note 396
pp755
Idpp756
Idpp757
Idpp758
See
proposed 45 CFR 164308a2
pp759
What Happened to My Data Update on Preventing Mitigating and Responding to Ransomware
supra
note 751
pp760
Defending Against Common CyberAttacks
supra
note 396
pp761
Security Standards Technical Safeguards
supra
note 343 p 7
pp762
Idpp763
Cybersecurity Performance Goals
supra
note 18
pp764
The criterion for auditing actions on health information requires adoption of health IT that has
the technical capability to record actions related to electronic health information restrict the ability for auditing to be disabled to a limited set of users if the technology permits detect whether an audit log has been altered and not allow actions recorded related to electronic health information to be changed overwritten or deleted by technology
See45 CFR 170315d10
see45 CFR 170315d2
see also45 CFR 170210e
pp765
See eg
Montefiore Medical Center
supra
note 248
pp766
See
proposed 45 CFR 164308a2
pp767
Security Standards Technical Safeguards
supra
note 343 p 8
pp768
Idpp769
Idpp770
Idpp771
45 CFR 170315d8
pp772
Security Standards Technical Safeguards
supra
note 343 p 9
pp773
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 6
pp774
Risks of Default Passwords on the internet Cybersecurity Infrastructure Security Agency US Department of Homeland Security Oct 7 2016
httpswwwcisagovnewseventsalerts20130624risksdefaultpasswordsinternetpp775
MultiFactor Authentication Cybersecurity Infrastructure Security Agency US Department of Homeland Security Jan 5 2022
httpswwwcisagovsitesdefaultfilespublicationsMFAFactSheetJan22508pdf
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 pp 78
pp776
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 pp 78
pp777
Cybersecurity Performance Goals
supra
note 18
pp778
See89 FR 63498 63574 63506 63528 Aug 5 2024 proposed 45 CFR 170315d13ii of ASTPONCs HTI2 NPRM
pp779
See
proposed 45 CFR 164312f2iiiB
pp780
See
proposed 45 CFR 164308a13
pp781
See
proposed 45 CFR 164312a2iii
pp782
See
Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks
supra
note 742 Principles and Practices for the Cybersecurity of Legacy Medical Devices
supra
note 742 p 8
pp783
Cybersecurity
supra
note 743
pp784
See
sec 3305 of Public Law 117328 126 Stat 5832 Dec 29 2022 codified at 21 USC 360n2
see also
Cybersecurity in Medical Devices Frequently Asked Questions FAQs
supra
note 744
pp785
Proposed 45 CFR 164312f2ivA
pp786
Glossary of Key Information Security Terms
supra
note 745
pp787
Securing Your Legacy System Security
supra
note 494
pp788
The Department does not propose that the periodic review include a review that the conditions of the exception continue to apply because a regulated entity would be expected to resume compliance with the implementation specification of multifactor authentication when such exception no longer applies
pp789
Glossary of Key Information Security Terms
supra
note 745
pp790
See45 CFR 170315d9
pp791
Security Standards Technical Safeguards
supra
note 343 p 1011
pp792
Defending Against Common CyberAttacks
supra
note 396
pp793
Idpp794
See
Cybersecurity Alerts Advisories Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovnewseventscybersecurityadvisoriespp795
See
Bulletins Cybersecurity Infrastructure Security Agency US Department of Homeland Security
httpswwwcisagovnewseventsbulletinspp796
See
Health Sector Cybersecurity Coordination Center HC3 Office of the Chief Information Officer US Department of Health and Human Services
httpswwwhhsgovaboutagenciesasaociohc3indexhtmlpp797
Free Cybersecurity Services and Tools
supra
note 313
pp798
Cyber Hygiene Services
supra
note 313
pp799
Cybersecurity Resources for HighRisk Communities
supra
note 313
pp800
Letter from NCVHS Chair Jacki Monson 2022
supra
note 123 p 89
pp801
Cybersecurity Performance Goals
supra
note 18
pp802
Defending Against Common CyberAttacks
supra
note 396
pp803
Idpp804
This study is not specific to health care Costs and Consequences of Gaps in Vulnerability Response ServiceNow and Ponemon Institute p 3 2019
httpswwwservicenowcomcontentdamservicenowassetspublicenusdoctyperesourcecenteranalystreportponemonstateofvulnerabilityresponsepdfpp805
See
proposed 45 CFR 164308a4
pp806
National Vulnerability Database
supra
note 398
pp807
Known Exploited Vulnerabilities Catalog
supra
note 399
pp808
Glossary of Key Information Security Terms
supra
note 745
pp809
Defending Against Common CyberAttacks
supra
note 396
pp810
See
proposed 45 CFR 164308a2
pp811
See
proposed 45 CFR 164308a5
pp812
Defending Against Common CyberAttacks
supra
note 396
pp813
See
Securing Your Legacy System Security
supra
note 494
pp814
See
proposed 45 CFR 164308a5 and 164312h1
pp815
See
Plan A B Contingency Plan
supra
note 606
pp816
See
Implementing the Health Insurance Portability and Accountability Act HIPAA Security Rule A Cybersecurity Resource Guide
supra
note 461 p 49
pp817
Idpp818
45 CFR 164314a2iA
pp819
45 CFR 164314a2iB
pp820
45 CFR 164314a2iC
pp821
Section 164504e provides that when a covered entity and its business associate are both governmental entities they do not have to negotiate a business associate agreement and may provide adequate assurances for its uses and disclosures of PHI if they enter into a memorandum of understanding or adopt a regulation that has the force and effect of law that incorporates the requirements of a business associate agreement 65 FR 82462 82597 82677 Dec 28 2000
see also68 FR 8334 8360 Feb 20 2003 164314a provisions are drawn from and intended to support the analogous privacy protections provided for by 45 CFR 164504e and discussed in the 2000 Privacy Rule 78 FR 5566 5590 Jan 25 2013 removed the specific requirements under 45 CFR 164314 for a memorandum of understanding when both a covered entity and business associate are government entities and referred to the parallel requirements of the Privacy Rule at 45 CFR 164504e3
pp822
45 CFR 164304 definition of Security incident
pp823
See45 CFR 164314a
pp824
Where a business associate experiences a security incident that meets the definition of a breach at 45 CFR 164402 the business associate must comply with the requirements of the Breach Notification Rule
See45 CFR part 160 and subparts A and D of 45 CFR part 164 Specifically the Breach Notification Rule requires a business associate to report a breach of unsecured PHI to a covered entity without unreasonable delay and in no case later than 60 days from the discovery of the breach
See45 CFR 164410b
pp825
Testimony of Andrew Witty
supra
note 214 According to CEO Andrew Witty intruders attempt to gain access to UnitedHealth Groups electronic information systems every 70 seconds or more than 450000 times per year
pp826
45 CFR 164308a7i
pp827
Idpp828
See45 CFR 164308a7i proposed 45 CFR 164308a13i
pp829
68 FR 8334 8351 Feb 20 2003
pp830
Since 1980 the United States has experienced 265 weather and climate disasters in which the overall damages reached or exceeded US1 billion Kristie L Ebi et al Extreme Weather and Climate Change Population Health and Health System Implications Annual Review of Public Health Jan 2021
httpspubmedncbinlmnihgov33406378 see also
Climate Change Indicators US and Global Temperature US Environmental Protection Agency June 27 2024 2023 was the warmest year on record and 20142023 was the warmest decade on record since thermometerbased observations began
httpswwwepagovclimateindicatorsclimatechangeindicatorsusandglobaltemperaturepp831
Annual Report to Congress on HIPAA Privacy Security and Breach Notification Rule Compliance For Calendar Year 2022 Office for Civil Rights US Department of Health and Human Services p 8 2022 From 2018 to 2022 the number of breaches affecting fewer than 500 individuals increased 1 percent and breaches affecting 500 or more individuals rose 107 percent
httpswwwhhsgovsitesdefaultfilescompliancereporttocongress2022pdfpp832
Unraveling the role of cloud computing in health care system and biomedical sciences
supra
note 632 These days numerous commercial merchants are intermingling with hospitals as well as healthcare providers to establish healthcarebased cloud computing networks
see also id
Microsoft Google and Amazon have instantly realized that the majority of hospitals will not continue working with servers that are privately owned as well as controlled Increase in healthcare cyberattacks affecting patients with cancer
supra
note 180 In 2021 an attack against oncology services targeted data stored in cloudbased systems and affected patients in several States
pp833
Nicole Perlroth et al Cyberattack Hits Ukraine Then Spreads Internationally The New York Times June 27 2017 discussing a worldwide ransomware attack in 2017
httpswwwnytimescom20170627technologyransomwarehackershtmlpp834
See68 FR 8334 Feb 20 2003
pp835
See78 FR 5566 Jan 25 2013
pp836
A subcontractor of a business associate also would be required to make such report to the business associate
See45 CFR 164314a2iii applying the requirements in paragraphs a2i and ii to business associate agreements between business associates and subcontractors in the same manner as they apply to business associate agreements between covered entities and business associates
pp837
See45 CFR 164410
pp838
Saheed Oladimeji et al SolarWinds hack explained Everything you need to know TechTarget Nov 3 2023 SolarWinds is a software company and one of its products that was part of a supply chain attack is an IT performance monitoring system that had privileged access to IT systems
httpswwwtechtargetcomwhatisfeatureSolarWindshackexplainedEverythingyouneedtoknowpp839
As discussed in greater detail above the Department is proposing to renumber the standard for the contingency plan as 45 CFR 164308a13 and to require a written contingency plan for responding to an emergency or other occurrence that adversely affects relevant electronic information systems as opposed to the current standard which applies when the emergency or other occurrence damages information systems that contain ePHI
pp840
Proposed 45 CFR 164314a2iC and D Cybersecurity Performance Goals
supra
note 18
pp841
Proposed 45 CFR 164308a13i
pp842
The ping command is a network diagnostic and firewalls often block incoming pings to prevent attackers from learning more about the organizations network Karen Scarfone et al Guidelines on Firewalls and Firewall Policy NIST Special Publication 80041 Revision 1 National Institute of Standards and Technology US Department of Commerce p 31 Sept 2009
httpsdoiorg106028NISTSP80041r1pp843
45 CFR 164314a2iC
pp844
While we are proposing in this NPRM in 45 CFR 164308a13i to specifically include a security incident as an example of an emergency or occurrence that may damage a relevant electronic information system for which a contingency plan would be required we believe that this is a clarification rather than a change
pp845
See45 CFR 164504f1ii
pp846
See45 CFR 164504f1iii
pp847
45 CFR 160103 definition of Group health plan
pp848
45 CFR 164314b2i
pp849
45 CFR 164504f2iii requires the plan documents to describe an employee or class of employee who receives PHI for payment health care operations or other matters related to the group health plan restrict access to PHI and use of PHI by such employees to the plan administration functions that the plan sponsor performs for the group health plan and provide an effective mechanism for resolving any issues of noncompliance by such persons
pp850
45 CFR 164314b2ii
pp851
45 CFR 164314b2iii
pp852
45 CFR 164314b2iv
pp853
65 FR 82462 82508 Dec 28 2000
pp854
See
2024 Data Breach Investigations Report Verizon Business 2024
httpswwwverizoncombusinessresourcesreportsdbirpp855
65 FR 82462 82508 Dec 28 2000
see also68 FR 8334 8360 Feb 20 2003 164314b provisions are drawn from and intended to support the analogous privacy protections provided for by 45 CFR 164504f and discussed in the 2000 Privacy Rule
pp856
CrossSector Cybersecurity Performance Goals
supra
note 164
pp857
Proposed 45 CFR 164308a2i
pp858
Proposed 45 CFR 164308 164310 164312 and 164316
pp859
The plan sponsor would implement a contingency plan because it is one of the requirements of the administrative safeguards of the Security Rule and would be implemented based on the proposed requirements in 45 CFR 164314b2i
pp860
45 CFR 164306b2i
pp861
45 CFR 164306b2ii
pp862
45 CFR 164306b2iii
pp863
45 CFR 164306b2iv
pp864
See
Resolution Agreement Peachstate Health Management Inc Office for Civil Rights US Department of Health and Human Services Apr 28 2021
httpswwwhhsgovhipaaforprofessionalscomplianceenforcementagreementspeachstateindexhtml
West Georgia Ambulance Inc
supra
note 583
see also
20162017 HIPAA Audits Industry Report
supra
note 121 p 27 the Department found that only 31 percent of regulated entities audited had safeguarded ePHI through risk analysis activities including developing and implementing policies and procedures
pp865
In 2003 the Department declined a commenters suggestion to change the term periodically to at least annually At that time we said that documentation must be updated as needed to reflect security measures currently in effect and that the requirement allowed individual entities to establish review and update cycles as deemed necessary because it would vary dependent
upon a given entitys size configuration environment operational changes and the security measures implemented 68 FR 8334 8361 Feb 20 2003
pp866
HIPAA set forth the compliance dates for the initial standards 42 USC 1320d4
see also68 FR 8334 8351 Feb 20 2003
pp867
Similarly a business associate subcontractor would need to report to the business associate
See
Business Associate Contracts Office for Civil Rights US Department of Health and Human Services June 16 2017 A business associate also is a subcontractor that creates receives maintains or transmits PHI on behalf of another business associate
httpswwwhhsgovhipaaforprofessionalscoveredentitiessamplebusinessassociateagreementprovisionsindexhtmlpp868
Proposed 45 CFR 164314a2iD
pp869
The Department has previously included transition provisions to ensure that important functions of the health care system were not impeded
See eg65 FR 82462 Dec 28 2000 67 FR 53182 Aug 14 2002 78 FR 5566 Jan 25 2013
pp870
See
proposed 45 CFR 164308b1i
pp871
See idpp872
45 CFR 164314a2iA
pp873
45 CFR 164314a2iB
pp874
Or to the business associate from a business associate subcontractor
pp875
Proposed 45 CFR 164314a2iD
pp876
Or business associates contract with the subcontractor
pp877
45 CFR 164306a
pp878
45 CFR 164508a1iiA
pp879
45 CFR 164308a1iiB
pp880
See
PostQuantum Cryptography Quantum Background US Department of Homeland Security last accessed July 23 2024
httpswwwdhsgovquantum see also
QuantumReadiness Migration to PostQuantum Cryptography Cybersecurity Infrastructure Security Agency National Security Agency and National Institute of Standards and Technology p 1 Aug 21 2023
httpsmediadefensegov2023Aug212003284212110CSIQUANTUMREADINESSPDFpp881
PostQuantum Cryptography Quantum Background
supra
note 880
pp882
See
PostQuantum Cryptography PQC Computer Security Resource Center National Institute of Standards and Technology US Department of Commerce July 19 2024
httpswwwnistgovpqcryptopp883
See
PostQuantum Cryptography Quantum Background
supra
note 880
pp884
See
PostQuantum Cryptography PQC
supra
note 882
pp885
Idpp886
See id
removed emphasis from postquantum cryptography in original
pp887
National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems National Security MemorandumNSM10 The White House May 4 2022
httpswwwwhitehousegovbriefingroomstatementsreleases20220504nationalsecuritymemorandumonpromotingunitedstatesleadershipinquantumcomputingwhilemitigatingriskstovulnerablecryptographicsystemspp888
Idpp889
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 2 providing NCVHS recommendations to strengthen the HIPAA Security Rule
pp890
See
QuantumReadiness Migration to PostQuantum Cryptography Cybersecurity Infrastructure Security Agency National Security Agency and National Institute of Standards and Technology p 1 Aug 21 2023
httpsmediadefensegov2023Aug212003284212110CSIQUANTUMREADINESSPDFpp891
Idpp892
Sec 238g of Public Law 115232 132 Stat 169798 Aug 13 2018 10 USC 2358 note definition of AI
pp893
Kathryn Marchesini et al Getting the Best out of Algorithms in Health Care HealthITbuzz Assistant Secretary for Technology Policy US Department of Health and Human Services June 15 2022
httpswwwhealthitgovbuzzblogelectronichealthandmedicalrecordsgettingthebestoutofalgorithmsinhealthcarepp894
See
Nazish Khalid et al Privacypreserving artificial intelligence in healthcare Techniques and applications Computers in Biology and Medicine Volume 158 p 1 May 2023
httpswwwsciencedirectcomsciencearticlepiiS001048252300313XrefpdfdownloadfrRR2rr8a7dac430d6d07d5pp895
See
Artificial Intelligence Program Research on AIMachine Learning MLBased Medical Devices US Food Drug Administration US Department of Health and Human Services June 10 2024
httpswwwfdagovmedicaldevicesmedicaldeviceregulatoryscienceresearchprogramsconductedoselartificialintelligenceprogramresearchaimlbasedmedicaldevicespp896
Idpp897
See
Michael D Howell et al Three Epochs of Artificial Intelligence in Health Care Journal of the American Medical Association Volume 331 Number 3 Jan 16 2024
httpsjamanetworkcomjournalsjamafullarticle2813874pp898
See
Aaron A Tierney et al Ambient Artificial Intelligence Scribes to Alleviate the Burden of Clinical Documentation New England Journal of Medicine Catalyst Feb 21 2024
httpscatalystnejmorgdoifull101056CAT230404pp899
Idpp900
Julia AdlerMilstein et al NextGeneration Artificial Intelligence for Diagnosis From Predicting Diagnostic Labels to Wayfinding Journal of the American Medical Association Dec 9 2021
httpsjamanetworkcomhhsnihidmoclcorgjournalsjamafullarticle2787207pp901
Idpp902
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 8 providing NCVHS recommendations to strengthen the HIPAA Security Rule s
ee also
William Dixon et al 3 ways AI will change the nature of cyber attacks World Economic Forum June 19 2019
httpswwwweforumorgagenda201906aiispoweringanewgenerationofcyberattackitsalsoourbestdefencepp903
3 ways AI will change the nature of cyber attacks
supra
note 902
pp904
Idpp905
Idpp906
Idpp907
Where a regulated entity is maintaining ePHI for research purposes as described by 45 CFR 164512i the regulated entity is not performing a covered function
pp908
See
Jordan Pearson ChatGPT Can Reveal Personal Information From Real People Google Researchers Show Vice Nov 29 2023
httpswwwvicecomenarticlechatgptcanrevealpersonalinformationfromrealpeoplegoogleresearchersshow see also
Bridget McArthur AI chatbot blamed for psychosocial workplace training gaffe at Bunbury prison ABC Southwest Aug 20 2024
httpswwwabcnetaunews20240821aichatbotpsychosocialtrainingbunburyregionalprison104230980pp909
See
Nick Easen Why generative AI presents a fundamental security risk Raconteur Sept 9 2024
httpswwwraconteurnettechnologywhygenerativeaipresentsafundamentalsecuritythreatpp910
See45 CFR 164308a1iiA and B proposed 45 CFR 164308a2i and a5i
pp911
Artificial Intelligence Risk Management Framework AI RMF 10 NIST AI 1001 National Institute of Standards and Technology US Department of Commerce Jan 2023
httpsnvlpubsnistgovnistpubsaiNISTAI1001pdf see also
Joint Guidance on Deploying AI System Securely Cybersecurity Infrastructure Security Agency US Department of Homeland Security Apr 15 2024
httpswwwcisagovnewseventsalerts20240415jointguidancedeployingaisystemssecurelypp912
45 CFR 164508
pp913
See
Letter from NCVHS Chair Jacki Monson 2023
supra
note 123 Appendix p 8
pp914
88 FR 75191 Nov 1 2023
pp915
Idpp916
89 FR 1192 Jan 9 2024
pp917
Idpp918
Health Data Technology and Interoperability Certification Program Updates Algorithm Transparency and Information Sharing HTI1 final rule The Office of the National Coordinator for Health IT US Department of Health and Human Services Mar 7 2024
httpswwwhealthitgovtopiclawsregulationandpolicyhealthdatatechnologyandinteroperabilitycertificationprogramtextONC27s20HTI2D120final20ruleimplementation20specifications2C20and20certification20criteriapp919
See
Tarun Kumar Vashishth et al Virtual Reality VR and Augmented Reality AR Transforming Medical Applications Oct 2023
httpswwwresearchgatenetpublication374814301VirtualRealityVRandAugmentedRealityARTransformingMedicalApplicationspp920
Idpp921
See
Evangelia Manika et al AR and VR devices in the healthcare business legal and ethical challenges International Bar Association July 6 2023
httpswwwibanetorgARVRdevicesinthehealthcarebusiness see also
Sajin Somarajan Minimizing ARVR Security And Privacy Risks Infosys Digital Experience accessed July 23 2024
httpsblogsinfosyscomdigitalexperiencemobilityminimizingarvrsecurityandprivacyriskshtmlpp922
See
AR and VR devices in the healthcare business legal and ethical challenges
supra
note 921
see also
Minimizing ARVR Security And Privacy Risks
supra
note 921
pp923
See
AR and VR devices in the healthcare business legal and ethical challenges
supra
note 921
see also
Minimizing ARVR Security And Privacy Risks
supra
note 921
pp924
See
proposed 45 CFR 164308a4i
pp925
45 CFR 164312a1
pp926
45 CFR 164312d
see
proposed 45 CFR 164308a10iiC and 164312f1
pp927
45 CFR 164308b and 164314a
pp928
See
Raj Mehta et al The future of cyber in the future of health The evolving role of cybersecurity in health care Deloitte 2020
httpswww2deloittecomusenpagesadvisoryarticlesfutureofcybersecurityhealthcarehtmlpp929
Idpp930
Id
regarding DevSecOps
pp931
58 FR 51735 Oct 4 1993
pp932
76 FR 3821 Jan 21 2011
pp933
88 FR 21879 Apr 11 2023
pp934
Public Law 96354 94 Stat 1164 Sept 19 1980 codified at 5 USC 601612
pp935
Public Law 1044 109 Stat 48 Mar 22 1995 codified at 2 USC 1501
pp936
64 FR 43255 Aug 4 1999
pp937
Sec 202 of Public Law 1044 109 Stat 64 Mar 22 1995 codified at 2 USC 1532a
pp938
Also referred to as the Congressional Review Act 5 USC 801
et seqpp939
Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks
supra
note 742 p 6
pp940
View ICR Office of Information and Regulatory Affairs Office of Management and Budget July 9 2024
httpswwwreginfogovpublicdoPRAViewICRrefnbr2024010945002pp941
63 FR 43242 Aug 12 1998
pp942
68 FR 8334 Feb 20 2003
pp943
78 FR 5566 Jan 25 2013
pp944
See
Occupational employment and wagesMay 2023 US Department of Labor Bureau of Labor Statistics Table 1 National employment and wage data from the Occupational Employment and Wage Statistics survey by occupation Apr 3 2024
httpswwwblsgovnewsreleasepdfocwagepdfpp945
This includes 60 days from publication of a final rule to the effective date and an additional 180 days until the compliance date
pp946
A firm may be an umbrella organization that encompasses multiple establishments
pp947
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry United States Census Bureau US States 6digit NAICS Dec 2023
httpswwwcensusgovdatatables2021econsusb2021susbannualhtmlpp948
This percentage was rounded
pp949
See
2023 NCPA Digest sponsored by Cardinal Health National Community Pharmacists Association Table 5 p 9 2023
httpswwwcardinalhealthcomcontentdamcorpwebdocumentsReportcardinalhealth2023ncpadigestpdf see also
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947
pp950
See
Scott Pace The Role and Value of Pharmacy Services Administrative Organizations PSAOs Impact Management Group p 3 July 20 2022
httpscontentnaicorgsitesdefaultfilescallmaterialsThe20Role20and20Value20of20Pharmacy20Services20Administrative20July202022pdf see also
The Role of Pharmacy Services Administrative Organizations for Independent Retail and Small Chain Pharmacies Avalere Health p 4 Sept 30 2021
httpsdocumentsncslorgwwwncsl
FoundationsponsorviewsTheRoleofPSAOsIndependentPharmaciespdf
pp951
See
Provider of Services FileInternet Quality Improvement and Evaluation SystemHome Health Agency Ambulatory Surgical Center and Hospice Providers Centers for Medicare Medicaid Services 2024
httpsdatacmsgovprovidercharacteristicshospitalsandotherfacilitiesproviderofservicesfileinternetqualityimprovementandevaluationsystemhomehealthagencyambulatorysurgicalcenterandhospiceproviders
Provider of Services FileHospital NonHospital Facilities Centers for Medicare Medicaid Services 2024
httpsdatacmsgovprovidercharacteristicshospitalsandotherfacilitiesproviderofservicesfilehospitalnonhospitalfacilitiespp952
See
Area Health Resources Files Health Resources Services Administration US Department of Health and Human Services 20222023 County Level Data
httpsdatahrsagovdatadownloaddataAHRFAHRFpp953
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947
pp954
See
Delineation Files US Census Bureau US Department of Commerce 2023
httpswwwcensusgovgeographiesreferencefilestimeseriesdemometromicrodelineationfileshtmlpp955
See generally86 FR 37770 July 16 2021
pp956
See86 FR 37770 37778 July 16 2021
pp957
78 FR 5565 Jan 25 2013
pp958
See
Medical Expenditure Panel SurveyInsurance Component Tables IA1 and IA2 Agency for Healthcare Research and Quality 2023
httpsmepsahrqgovdatastatssummtablesinsrnationalseries12023ic23iagpdfgl116xft35gaMTE0MDI5NzI0LjE3MDk2NjQ0NDMga45NDTD15CJMTczMTEwMzQ4OS4yLjEuMTczMTEwMzUzNS4xNC4wLjA
showing the number of establishments and percent offering health plans and County Business Patterns 2021 United States Census Bureau April 27 2023
httpswwwcensusgovdatadatasets2021econcbp2021cbphtml
providing the ratio of firms to establishments We assume one health plan sponsor per firm that offers a selfinsured group health plan
pp959
See
Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022
supra
note 213 p 9 2023
pp960
See
Steve Alder December 2023 Healthcare Data Breach Report The HIPAA Journal Jan 18 2024
httpswwwhipaajournalcomdecember2023healthcaredatabreachreportpp961
See
What We Learned Change Healthcare Cyber Attack US House of Representatives Committee on Energy Commerce May 3 2024
httpsenergycommercehousegovpostswhatwelearnedchangehealthcarecyberattackpp962
See
table 3 wage rate for Office and Administrative Support Occupations
pp963
As defined by having 500 or fewer employees
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947
pp964
This is the estimated total number of covered entities and business associates
pp965
See45 CFR 164314b requiring that a group health plan ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created received maintained or transmitted to or by the plan sponsor on behalf of the group health plan
pp966
See
Cost of a Data Breach Report 2023
supra
note 131 p 13
pp967
Id
at 18
pp968
The impact factor costs and cost savings are based on estimates for all breaches from the annual IBM Security and Ponemon Institute Costs of a Data Breach Reports for years 20182023
See id
at p 28
pp969
The Department calculated the percentage decrease as a share of the sum of factor costs from the average breach cost 218915 180358 187703 221593 2328674450000 0236
pp970
See
New Dangers in the New World Cyber Attacks in the Healthcare Industry
supra
note 135 p 3
pp971
See
Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information PHI in the Cyber Age
supra
note 207
see also
Adam Wright et al The Big Phish Cyberattacks Against US Healthcare Systems Journal of General Internal Medicine Volume 31 p 11151118 May 13 2016
httpswwwncbinlmnihgovpmcarticlesPMC5023604pp972
See
Thomas Clifford Provider Liability and Medical Identity Theft Can I Get Your Insurance Number Northwestern Journal of Law Social Policy Volume 12 p 45 2016
httpsscholarlycommonslawnorthwesternedunjlspvol12iss12pp973
Idpp974
Idpp975
See
Assessing resilience of hospitals to cyberattack
supra
note 130
see also
Ashley Carman MEDJACK tactic allows cyber criminals to enter healthcare networks undetected SC Media June 4 2015 Medjack means a medical device hijack that attackers use to exploit outdated and unpatched medical devices
httpswwwscmagazinecomnewsmedjacktacticallowscybercriminalstoenterhealthcarenetworksundetectedpp976
See
New Dangers in the New World Cyber Attacks in the Healthcare Industry
supra
note 135
pp977
See
Steven Ades et al Cancer Care in the Wake of a Cyberattack How to Prepare and What to Expect JCO Oncology Practice Volume 18 p 2324 Aug 2 2021
httpspubmedncbinlmnihgov34339260pp978
See
Assessing resilience of hospitals to cyberattack
supra
note 130
pp979
See
Mohammed Alkinoon et al Measuring Health Care Data Breaches Information Security Applications Volume 13009 p 265277 Aug 11 2021
httpsdlacmorgdoi101007978303089432022pp980
See
The Big Phish Cyberattacks Against US Healthcare Systems
supra
note 971 p 11151118
pp981
See
Health Records Database and Inherent Security Concerns A Review of the Literature
supra
note 177
pp982
Id see also
Victoria Kisekka et al The Effectiveness of Health Care Information Technologies Evaluation of Trust Security Beliefs and Privacy as Determinants of Health Care Outcomes Journal of Medical Internet Research Volume 20 Apr 11 2018
httpspubmedncbinlmnihgov29643052pp983
For this analysis a record is the ePHI of one individual
pp984
See
Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022
supra
note 213 p 9 2023 December 2023 Healthcare Data Breach Report
supra
note 960
pp985
The breakeven calculations presented here only include regulated entities because breach data is not available for health plan sponsors Including sponsors and assuming they have the same rate of breaches would result in a similar breakeven point in terms of percent decrease from baseline
pp986
Cybersecurity Performance Goals
supra
note 18
pp987
Idpp988
According to the 2021 Verizon Data Breach Investigations Report phishing was present in 36 of breaches up from 25 last year and 23 of malware was delivered through email
See
Technical Volume 2 Cybersecurity Practices for Medium and Large Healthcare Organizations Cybersecurity Practice 1 Email Protection Systems HHS Healthcare Public Health Sector Coordinating Council p 13 2023
https405dhhsgovDocumentstechvol2508pdf
citing a 2021 Verizon Data Breach Investigations Report
pp989
See
proposed 45 CFR 164312b2 and g
pp990
See
Individuals Right under HIPAA to Access their Health Information 45 CFR 164524 What is the liability of a covered entity in responding to an individuals access request to send the individuals PHI to a third party Office for Civil Rights US Department of Health and Human Services
httpswwwhhsgovhipaaforprofessionalsprivacyguidanceaccessindexhtmlpp991
42 USC 1320d2d1Av
pp992
Public Law 113283 Dec 18 2014 codified at 44 USC 3551
et seq
pp993
Idpp994
45 CFR 164304 definition of Information system
pp995
Managing Information as a Strategic Resource Circular No A130 Management of Federal Information Resources Appendix III Security of Federal Automated Information Resources Office of Management and Budget Executive Office of the President Feb 8 1996
httpsgeorgewbushwhitehousearchivesgovombcircularsa130a130htmlpp996
Public Law 10413 109 Stat 166 May 22 1995 codified at 44 USC 35028 definition of information system
see also
Managing Information as a Strategic Resource Circular No A130 Office of Management and Budget Executive Office of the President p 31 Jul 28 2016 definition of information system
httpswwwwhitehousegovwpcontentuploadslegacydrupalfilesombcircularsA130a130revisedpdfpp997
Proposed 45 CFR 164312f2ii
pp998
45 CFR 164304 proposed definition of Multifactor authentication
pp999
740348 822609 covered entities 90
pp1000
See
Table of Small Business Size Standards US Small Business Administration Mar 17 2023
httpswwwsbagovsitessbagovfiles202306Table20of20Size20StandardsEffective20March20172C2020232028229pdfpp1001
Idpp1002
Market Share and Enrollment of Largest Three InsurersLarge Group Market Kaiser Family Foundation 2019
httpswwwkfforgotherstateindicatormarketshareandenrollmentoflargestthreeinsurerslargegroupmarketcurrentTimeframe0sortModel7B22colId2222Location2222sort2222asc227Dpp1003
See
Table of Small Business Size Standards
supra
note 1000
pp1004
This figure is rounded and represents annualized costs discounted at a 2 percent rate The actual figure is 2251258305
pp1005
SUSB 2017 reports average revenue per firm by employment size The size categories begin with less than 5 employees followed by 5 to 10 employees and so on with the largest categories representing firms with 2500 to 4999 employees and 5000 or more employees 2017 Statistics of US Businesses Annual Data Tables by Establishment Industry May 2021
httpswwwcensusgovdatatables2017econsusb2017susbannualhtml
We inflated these revenues to 2021 dollars using the GDP deflator to estimate average revenues in each employment class in 2021 because that is the latest year for which data is reported
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947 We then concluded that more than 5 percent of the firms whose revenues fall below the SBA thresholds see table 4 belong to the fewer than 5 employees category and operate a single establishment
pp1006
6133 is 3 percent of 204433
pp1007
Average Small Business Revenue What To Know Fora Financial Jan 11 2023
httpswwwforafinancialcomblogsmallbusinessaveragesmallbusinessrevenuepp1008
42 USC 1320d2d
pp1009
See68 FR 8334 8341 Feb 20 2003
pp1010
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity
supra
note 306
See also
table 4 above SBA size threshold for hospitals
pp1011
See
2021 Statistics of US Businesses SUSB Annual Data Tables by Establishment Industry
supra
note 947 count of hospitals
pp1012
The Indian Health Service funds a network of over 600 hospitals clinics and health stations on or near Indian reservations in service areas that are rural isolated and underserved Justification of Estimates for Appropriations Committees Fiscal Year 2025 Indian Health Service US Department of Health and Human Services p CJ39 Mar 5 2024
pp1013
See id
at p CJ6375
pp1014
See
Telehealth and Health Information Technology in Rural Healthcare Rural Health Information Hub
httpswwwruralhealthinfoorgtopicstelehealthhealthitchallengesforruralcommunitiespp1015
See
Percent of Hospitals By Type that Possess Certified Health IT
supra
note 298
pp1016
Kat Jercich Rural hospitals are more vulnerable to cyberattacksheres how they can protect themselves
supra
note 295
pp1017
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity s
upra
note 306
pp1018
Hannah Neprash et al What happens to rural hospitals during a ransomware attack Evidence from Medicare data The Journal of Rural Health Mar 17 2024
httpspubmedncbinlmnihgov38494590
For information about grants and incentives available for improving broadband access and adoption of health IT
see eg
Funding Programs BroadbandUSA National Telecommunications and Information Administration US Department of Commerce
httpsbroadbandusantiadocgovfundingprograms
Rural Health Care Program Federal Communications Commission
httpswwwfccgovgeneralruralhealthcareprogrampp1019
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity s
upra
note 306
pp1020
See eg
Free Cybersecurity Services and Tools
supra
note 313 Cybersecurity Resources for HighRisk Communities
supra
note 313
pp1021
See
Fact Sheet BidenHarris Administration Bolsters Protections for Americans Access to Healthcare Through Strengthening Cybersecurity s
upra
note 306
see also
UPGRADE Universal Patching and Remediation for Autonomous Defense Advanced Research Projects Agency for Health May 20 2024
httpsarpahgovresearchandfundingprogramsupgradepp1022
What happens to rural hospitals during a ransomware attack Evidence from Medicare data s
upra
note 1018
pp1023
64 FR 43255 Aug 4 1999
pp1024
68 FR 8334 8373 Feb 20 2003
pp1025
78 FR 5566 5686 Jan 25 2013
pp1026
42 USC 1320d7
pp1027
Sec 13421a of the HITECH Act
see also45 CFR part 160 subpart B
pp1028
See
MAKING SUPPLEMENTAL APPROPRIATIONS FOR JOB PRESERVATION AND CREATION INFRASTRUCTURE INVESTMENT ENERGY EFFICIENCY AND SCIENCE ASSISTANCE TO THE UNEMPLOYED AND STATE AND LOCAL FISCAL STABILIZATION FOR THE FISCAL YEAR ENDING SEPTEMBER 30 2009 AND FOR OTHER PURPOSES Conf Report to Accompany HR 1 p 502 Feb 12 2009
pp1029
42 USC 1320d7a 45 CFR 160203
pp1030
See45 CFR 160202 definition of Contrary Preemption also applies if the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives and purposes of sec 264 of HIPAA Sec 264 of HIPAA contains the provisions pertaining to the privacy of individually identifiable health information
pp1031
Public Law 105277 112 Stat 2681528 Oct 21 1998 codified at 5 USC 601 note
pp1032
Public Law 10413 109 Stat 163 May 22 1995 codified at 44 USC 101 note
pp1033
View ICR
supra
note 940
pp1034
IdppFR Doc 202430983 Filed 122724 415 pmppBILLING CODE 415301Pp
