Proposed Rule 2024-30983

HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
January 6, 2025

Issuing agencies

Health and Human Services Department

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 3 (Monday, January 6, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 3 (Monday, January 6, 2025)]
[Proposed Rules]
[Pages 898-1022]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-30983]


[[Page 897]]

Vol. 90, No. 3, Monday, January 6, 2025

Part III

Department of Health and Human Services

-----------------------------------------------------------------------

45 CFR Parts 160 and 164

HIPAA Security Rule To Strengthen the Cybersecurity of Electronic 
Protected Health Information; Proposed Rule

[[Page 898]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA22


HIPAA Security Rule To Strengthen the Cybersecurity of Electronic 
Protected Health Information

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, 
Department of Health and Human Services.

ACTION: Notice of proposed rulemaking; notice of Tribal consultation.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or 
``Department'') is issuing this notice of proposed rulemaking (NPRM) to 
solicit comment on its proposal to modify the Security Standards for 
the Protection of Electronic Protected Health Information (``Security 
Rule'') under the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA) and the Health Information Technology for Economic and 
Clinical Health Act of 2009 (HITECH Act). The proposed modifications 
would revise existing standards to better protect the confidentiality, 
integrity, and availability of electronic protected health information 
(ePHI). The proposals in this NPRM would increase the cybersecurity for 
ePHI by revising the Security Rule to address: changes in the 
environment in which health care is provided; significant increases in 
breaches and cyberattacks; common deficiencies the Office for Civil 
Rights has observed in investigations into Security Rule compliance by 
covered entities and their business associates (collectively, 
``regulated entities''); other cybersecurity guidelines, best 
practices, methodologies, procedures, and processes; and court 
decisions that affect enforcement of the Security Rule.

DATES: 
    Comments: Submit comments on or before March 7, 2025.
    Meeting: Pursuant to Executive Order 13175, Consultation and 
Coordination with Indian Tribal Governments, the Department of Health 
and Human Services' Tribal Consultation Policy, and the Department's 
Plan for Implementing Executive Order 13175, the Office for Civil 
Rights solicits input from Tribal officials as the Department develops 
the modifications to the HIPAA Security Rule at 45 CFR part 160 and 
subparts A and C of 45 CFR part 164. The Tribal consultation meeting 
will be held on February 6, 2025, from 2 p.m. to 3:30 p.m. eastern time.

ADDRESSES: You may submit comments, identified by RIN Number 0945-AA22, 
by any of the following methods. Please do not submit duplicate 
comments.
    <bullet> Federal eRulemaking Portal: You may submit electronic 
comments at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by searching for the Docket ID 
number HHS-OCR-0945-AA22. Follow the instructions at <a href="https://www.regulations.gov">https://www.regulations.gov</a> for submitting electronic comments. Attachments 
should be in Microsoft Word or Portable Document Format (PDF).
    <bullet> Regular, Express, or Overnight Mail: You may mail written 
comments to the following address only: U.S. Department of Health and 
Human Services, Office for Civil Rights, Attention: HIPAA Security Rule 
NPRM, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue 
SW, Washington, DC 20201. Please allow sufficient time for mailed 
comments to be timely received in the event of delivery or security 
delays.
    Please note that comments submitted by fax or email and those 
submitted after the comment period will not be accepted.
    Inspection of Public Comments: All comments received by the 
accepted methods and due date specified above may be posted without 
change to content to <a href="https://www.regulations.gov">https://www.regulations.gov</a>, which may include 
personal information provided about the commenter, and such posting may 
occur after the closing of the comment period. However, the Department 
may redact certain non-substantive content from comments or attachments 
to comments before posting, including: threats, hate speech, profanity, 
sensitive health information, graphic images, promotional materials, 
copyrighted materials, or individually identifiable information about a 
third-party individual other than the commenter. In addition, comments 
or material designated as confidential or not to be disclosed to the 
public will not be accepted. Comments may be redacted or rejected as 
described above without notice to the commenter, and the Department 
will not consider in rulemaking any redacted or rejected content that 
would not be made available to the public as part of the administrative 
record.
    Docket: For complete access to background documents, the plain-
language summary of the proposed rule of not more than 100 words in 
length required by the Providing Accountability Through Transparency 
Act of 2023, or posted comments, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a> and 
search for Docket ID number HHS-OCR-0945-AA22.
    Tribal consultation meeting: To participate in the Tribal 
consultation meeting, you must register in advance at <a href="https://hhsgov.zoomgov.com/meeting/register/vJItdOyhrjgoHxJWMDxozrxT98yXyCO3lks">https://hhsgov.zoomgov.com/meeting/register/vJItdOyhrjgoHxJWMDxozrxT98yXyCO3lks</a>.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-3110 
or (800) 537-7697 (TDD), or by email at <a href="mailto:OCRPrivacy@hhs.gov">OCRPrivacy@hhs.gov</a>.

SUPPLEMENTARY INFORMATION: The discussion below includes an Executive 
Summary, a description of relevant statutory and regulatory authority 
and history, the justification for this proposed regulation, a section-
by-section description of the proposed modifications, and a regulatory 
impact analysis and other required regulatory analyses. The Department 
solicits public comment on all aspects of the proposed rule. The 
Department requests that persons commenting on the provisions of the 
proposed rule label their discussion of any particular provision or 
topic with a citation to the section of the proposed rule being 
addressed and identify the particular request for comment being 
addressed, if applicable.

Table of Contents

I. Executive Summary
    A. Overview
    B. Applicability
    C. Table of Abbreviations/Commonly Used Acronyms in This 
Document
II. Statutory Authority and Regulatory History
    A. Statutory Authority and History
    1. Health Insurance Portability and Accountability Act of 1996 
(HIPAA)
    2. Health Information Technology for Economic and Clinical 
Health (HITECH) Act
    B. Regulatory History
    1. 1998 Security Rule Notice of Proposed Rulemaking
    2. 2003 Final Rule
    3. 2009 Delegation of Authority
    4. 2013 Omnibus Rulemaking
III. Justification for This Proposed Rulemaking
    A. Strong Security Standards Are Essential to Protecting the 
Confidentiality, Integrity, and Availability of ePHI and Ensuring 
Quality and Efficiency in the Health Care System
    B. The Health Care Environment Has Changed Since the Security 
Rule Was Last Revised and Will Continue To Evolve
    C. Regulated Entities' Compliance With the Requirements of the 
Security Rule Is Inconsistent
    D. It Is Reasonable and Appropriate To Strengthen the Security 
Rule To Address the Changes in the Health Care Environment and 
Clarify the Compliance Obligations of Regulated Entities
    1. Congress and the Department Anticipated That Security 
Standards

[[Page 899]]

Safeguards Would Evolve To Address Changes in the Health Care 
Environment
    2. NCVHS Believes That the Security Standards Evolve To Address 
Changes in the Health Care Environment
    3. A Strengthened Security Rule Would Continue To Be Flexible 
and Scalable While Providing Regulated Entities With Greater Clarity
    4. Small and Rural Health Care Providers Must Implement Strong 
Security Measures To Provide Efficient and Effective Health Care
    5. A Strengthened Security Rule Is Critical to an Efficient and 
Effective Health Care System
    E. The Secretary Must Develop Standards for the Security of ePHI 
Because None Have Been Developed by an ANSI-Accredited Standard 
Setting Organization
IV. Section-by-Section Description of the Proposed Amendments to the 
Security Rule
    A. Section 160.103--Definitions
    1. Current Provision
    2. Issues To Address
    3. Proposals
    4. Request for Comment
    B. Section 164.304--Definitions
    1. Clarifying the Definition of ``Access''
    2. Clarifying the Definition of ``Administrative Safeguards''
    3. Clarifying the Definition of ``Authentication''
    4. Clarifying the Definition of ``Availability''
    5. Clarifying the Definition of ``Confidentiality''
    6. Adding Definitions of ``Deploy'' and ``Implement''
    7. Adding a Definition of ``Electronic Information System''
    8. Modifying the Definition of ``Information System''
    9. Modifying the Definition of ``Malicious software''
    10. Adding a Definition of ``Multi-factor Authentication'' (MFA)
    11. Clarifying the Definition of ``Password''
    12. Clarifying the Definition of ``Physical Safeguards''
    13. Adding a Definition of ``Relevant Electronic Information 
System''
    14. Adding a Definition of ``Risk''
    15. Clarifying the Definitions of ``Security or Security 
Measures'' and ``Security Incident''
    16. Adding Definitions of ``Technical Controls''
    17. Modifying the Definition of ``Technical Safeguards''
    18. Adding a Definition of ``Technology Asset''
    19. Adding a Definition of ``Threat''
    20. Clarifying the Definition of ``User''
    21. Adding a Definition of ``Vulnerability''
    22. Clarifying the Definition of ``Workstation''
    23. Request for Comment
    C. Section 164.306--Security Standards: General Rules
    1. Current Provisions
    2. Issues To Address
    3. Proposals
    4. Request for Comment
    D. Section 164.308--Administrative Safeguards
    1. Current Provisions
    2. Issues To Address
    3. Proposals
    4. Request for Comment
    E. Section 164.310--Physical Safeguards
    1. Current Provisions
    2. Issues To Address
    3. Proposals
    4. Request for Comment
    F. Section 164.312--Technical Safeguards
    1. Current Provisions
    2. Issues To Address
    3. Proposals
    4. Request for Comment
    G. Section 164.314--Organizational Requirements
    1. Section 164.314(a)(1)--Standard: Business Associate Contracts 
or Other Arrangements
    2. Section 164.314(b)(1)--Standard: Requirements for Group 
Health Plans
    3. Request for Comment
    H. Section 164.316--Documentation Requirements
    1. Current Provisions
    2. Issues To Address
    3. Proposals
    4. Request for Comment
    I. Section 164.318--Transition Provisions
    1. Current Provisions and Issues To Address
    2. Proposal
    3. Request for Comment
    J. Section 164.320--Severability
    K. New and Emerging Technologies Request for Information
    1. Quantum Computing
    2. Artificial Intelligence (AI)
    3. Virtual and Augmented Reality (VR and AR)
    4. Request for Comment
V. Regulatory Impact Analysis
    A. Executive Order 12866 and Related Executive Orders on 
Regulatory Review
    1. Summary of Costs and Benefits
    2. Baseline Conditions
    3. Costs of the Proposed Rule
    4. Benefits of the Proposed Rule
    5. Comparison of Benefits and Costs
    B. Regulatory Alternatives to the Proposed Rule
    C. Regulatory Flexibility Act--Small Entity Analysis
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours

I. Executive Summary

A. Overview

    In this notice of proposed rulemaking (NPRM), the Department of 
Health and Human Services (HHS or ``Department'') proposes 
modifications to the Security Standards for the Protection of 
Electronic Protected Health Information (``Security Rule''), issued 
pursuant to section 262(a) of the Administrative Simplification 
provisions of title II, subtitle F, of the Health Insurance Portability 
and Accountability Act of 1996 (HIPAA).\1\ The Security Rule \2\ is one 
of several rules, collectively known as the HIPAA Rules,\3\ that 
protect the privacy and security of individuals' protected health 
information \4\ (PHI), which is individually identifiable health 
information \5\ (IIHI) transmitted by or maintained in electronic media 
or any other form or medium, with certain exceptions.\6\ The Security 
Rule applies only to electronic PHI (ePHI), which is IIHI that is 
transmitted by or maintained in electronic media.\7\
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social 
Security Act of 1935 (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 
14, 1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C. 
1320d-1320d-8)), as well as promulgating section 264 of HIPAA 
(codified at 42 U.S.C. 1320d-2 note), which authorizes the Secretary 
to promulgate regulations with respect to the privacy of 
individually identifiable health information. The Privacy Rule has 
subsequently been amended pursuant to the Genetic Information 
Nondiscrimination Act of 2008, title I, section 105, Public Law 110-
233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), 
and the Health Information Technology for Economic and Clinical 
Health (HITECH) Act of 2009, Public Law 111-5, 123 Stat. 226 (Feb. 
17, 2009) (codified at 42 U.S.C. 139w-4(0)(2)).
    \2\ 45 CFR part 160 subparts A and C of 45 CFR part 164. For a 
history of the Security Rule, see section II.B, ``Regulatory 
History.''
    \3\ See also the HIPAA Privacy Rule, 45 CFR part 160 and 
subparts A and E of 45 CFR part 164; HIPAA Breach Notification Rule, 
45 CFR part 164, subpart D; and the HIPAA Enforcement Rule, 45 CFR 
part 160, subparts C through E.
    \4\ 45 CFR 160.103 (definition of ``Protected health 
information'').
    \5\ 45 CFR 160.103 (definition of ``Individually identifiable 
health information'').
    \6\ At times throughout this NPRM, the Department uses the terms 
``health information'' or ``individuals' health information'' to 
refer generically to health information pertaining to an individual 
or individuals. In contrast, the Department's use of the term 
``IIHI'' refers to a category of health information defined in 
HIPAA, and ``PHI'' is used to refer specifically to a category of 
IIHI that is defined by and subject to the requirements of the HIPAA 
Rules. The HIPAA Rules exclude from the definition of PHI: IIHI in 
employment records held by a covered entity in its role as employer; 
IIHI in education records and certain treatment records covered by 
the Family Educational Rights and Privacy Act (codified at 20 U.S.C. 
1232g); and IIHI regarding a person who has been deceased for more 
than 50 years. 45 CFR 160.103 (definition of ``Protected health 
information'').
    \7\ 45 CFR 160.103 (definition of ``Electronic protected health 
information'').
---------------------------------------------------------------------------

    The Security Rule was initially published in 2003 and most recently 
revised in 2013.\8\ Since its publication, there have been significant 
changes to the environment in which health care is provided and how the 
health care industry operates. Today, cybersecurity is a concern that 
touches nearly every facet of modern health care, certainly more than 
it did in 2003 or even 2013.

[[Page 900]]

Almost every stage of modern health care relies on stable and secure 
computer and network technologies, including, but not limited to, the 
following: appointment scheduling, prescription orders, telehealth 
visits, medical devices, patient records, medical and pharmacy claims 
submissions and billing, insurance coverage verifications, payroll, 
facilities access and management, internal and external communications, 
and clinician resources. These tools and technologies are an integral 
part of the modern health care system, but they also present 
opportunities for bad actors to cause harm through hacking, ransomware, 
and other means. Covered entities and business associates 
(collectively, ``regulated entities'') may also experience malfunctions 
and inadvertent errors that threaten the confidentiality, integrity, or 
availability of ePHI. Thus, cyberattacks, malfunctions, and inadvertent 
errors can negatively affect the provision of health care, as well as 
the efficiency and effectiveness of the health care system.
---------------------------------------------------------------------------

    \8\ See 68 FR 8334 (Feb. 20, 2003) and 78 FR 5566 (Jan. 25, 
2013).
---------------------------------------------------------------------------

    As discussed in greater detail below, in recent years, there has 
been an alarming growth in the number of breaches affecting 500 or more 
individuals reported to the Department, the overall number of 
individuals affected by such breaches, and the rampant escalation of 
cyberattacks using hacking and ransomware. The Department is concerned 
by the increasing numbers of breaches and other cybersecurity incidents 
experienced by regulated entities. We \9\ are also increasingly 
concerned by the upward trend in the numbers of individuals affected by 
such incidents and the magnitude of the potential harms from such 
incidents.\10\
---------------------------------------------------------------------------

    \9\ In this NPRM, ``we'' and ``our'' denote the Department.
    \10\ See ``Breach Portal: Notice to the Secretary of HHS Breach 
of Unsecured Protected Health Information,'' Office for Civil 
Rights, U.S. Department of Health and Human Services, <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf">https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf</a>.
---------------------------------------------------------------------------

    In recognition of those potential harms and the health care 
sector's importance to the economy and security of the U.S., the 
President has designated ``Healthcare and Public Health'' as a critical 
infrastructure sector \11\ and the Department as the Sector Risk 
Management Agency (SRMA).\12\ In addition, to address concerns about 
the increasing level of cybercrime, the President has charged Federal 
agencies with ``establishing and implementing minimum requirements for 
risk management'' and robustly enforcing those requirements and Federal 
laws to help manage that risk.\13\ We believe that a comprehensive and 
updated Security Rule is critical to accomplishing these directives and 
to the Department's effectiveness as the SRMA for the Healthcare and 
Public Health sector.
---------------------------------------------------------------------------

    \11\ Presidential Memorandum on National Security Memorandum on 
Critical Infrastructure Security and Resilience, National Security 
Memorandum/NSM-22, The White House (Apr. 30, 2024), <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/">https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/</a> (``Critical infrastructure comprises the physical 
and virtual assets and systems so vital to the Nation that their 
incapacity or destruction would have a debilitating impact on 
national security, national economic security, or national public 
health or safety.'').
    \12\ Id. (charging an SRMA with serving as the primary Federal 
liaison to their designated critical infrastructure and 
``conduct[ing] sector-specific risk management and resilience 
activities'').
    \13\ Id.
---------------------------------------------------------------------------

    In further recognition of these concerns, States have promulgated 
or are in the process of promulgating regulations that would require 
the adoption of certain standards or measures for the protection of 
sensitive information, such as PHI.\14\ While these proposed 
regulations may contain helpful guidance for regulated entities, none 
specifically focus on ensuring the security of ePHI and the information 
systems that create, receive, maintain, or transmit ePHI. Additionally, 
a patchwork of State-specific laws may create difficulties for 
regulated entities that are located or operate in multiple States. 
Several entities, including Federal agencies, have published and 
maintained guidelines, best practices, methodologies, procedures, and 
processes for protecting the security of sensitive information, 
including PHI. Some examples of these resources include the National 
Institute of Standards and Technology's (NIST's) ``Cybersecurity 
Framework,'' \15\ the HHS 405(d) Program's ``Health Industry 
Cybersecurity Practices: Managing Threats and Protecting Patients,'' 
\16\ the Federal Trade Commission's (FTC's) ``Start with Security: A 
Guide for Business,'' \17\ and the Department's ``Cybersecurity 
Performance Goals'' (CPGs).\18\ We believe that the proliferation of 
such documents in recent years has been helpful, and we have considered 
them in the development of this NPRM. However, in light of the 
increasing number and sophistication of cybersecurity incidents, we do 
not believe that these documents are sufficiently instructive for 
regulated entities to help improve their compliance with the Security 
Rule.
---------------------------------------------------------------------------

    \14\ See, e.g., ``New York State Register,'' 46 N.Y. Reg. 7-10, 
Division of Administrative Rules, New York State Department of State 
(Oct. 2, 2024), <a href="https://dos.ny.gov/system/files/documents/2024/10/100224.pdf">https://dos.ny.gov/system/files/documents/2024/10/100224.pdf</a>; ``Invitation for Preliminary Comments on Proposed 
Rulemaking: Cybersecurity Audits, Risk Assessments, and Automated 
Decisionmaking,'' California Privacy Protection Agency (Feb. 10, 
2023), <a href="https://cppa.ca.gov/regulations/pdf/invitation_for_comments_pr_02-2023.pdf">https://cppa.ca.gov/regulations/pdf/invitation_for_comments_pr_02-2023.pdf</a>; see also Cal. Civ. Code 
Section 1798.185.
    \15\ ``The NIST Cybersecurity Framework (CSF) 2.0,'' National 
Institute of Standards and Technology, U.S. Department of Commerce 
(Feb. 26, 2024), <a href="https://doi.org/10.6028/NIST.CSWP.29">https://doi.org/10.6028/NIST.CSWP.29</a>.
    \16\ ``Health Industry Cybersecurity Practices: Managing Threats 
and Protecting Patients,'' U.S. Department of Health and Human 
Services and the Healthcare & Public Health Sector Coordinating 
Council (2023), <a href="https://405d.hhs.gov/Documents/HICP-Main-508.pdf">https://405d.hhs.gov/Documents/HICP-Main-508.pdf</a>.
    \17\ ``Start with Security: A Guide for Business,'' Federal 
Trade Commission (Aug. 2023), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/920a_start_with_security_en_aug2023_508_final_0.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/920a_start_with_security_en_aug2023_508_final_0.pdf</a>.
    \18\ ``Cybersecurity Performance Goals,'' U.S. Department of 
Health and Human Services (Jan. 2024), <a href="https://hphcyber.hhs.gov/performance-goals.html">https://hphcyber.hhs.gov/performance-goals.html</a>.
---------------------------------------------------------------------------

    Under its statutory authority to administer and enforce the HIPAA 
Rules, the Department modifies the HIPAA Rules as needed, but does not 
modify a standard or implementation specification more than once every 
12 months.\19\ The Department makes the determination that such 
modifications may be needed using information it receives on an ongoing 
basis--from the Department's Federal advisory committee on HIPAA, the 
public, regulated entities, media reports, and its own analysis of the 
state of privacy and security for IIHI. As referenced above, and 
discussed in greater detail below, while the Department believes that 
the Security Rule generally continues to accomplish the goals of 
HIPAA,\20\ we believe that it would be appropriate to consider 
modifying the Security Rule to address the following:
---------------------------------------------------------------------------

    \19\ Sec. 1174(b)(1) of the SSA; 45 CFR 160.104.
    \20\ See sec. 261 of Public Law 104-191, 110 Stat. 1936 
(codified at 42 U.S.C. 1320d note).
---------------------------------------------------------------------------

    <bullet> Significant changes in technology.
    <bullet> Changes in breach trends and cyberattacks.
    <bullet> HHS' Office for Civil Rights' (OCR's) enforcement 
experience.
    <bullet> Other guidelines, best practices, methodologies, 
procedures, and processes for protecting ePHI.
    <bullet> Court decisions that affect enforcement of the Security 
Rule.

B. Applicability

    The effective date of a final rule would be 60 days after 
publication.\21\ Regulated entities would have until the ``compliance 
date'' to establish and implement policies, procedures, and practices 
to achieve compliance with any new or modified standards.

[[Page 901]]

Regulated entities would be permitted to comply earlier than the 
compliance date, but the Department would not take action against them 
for noncompliance with the proposed changes that occurs before the 
compliance date. Except as otherwise provided, 45 CFR 160.105 provides 
that regulated entities must comply with the applicable new or modified 
standards or implementation specifications no later than 180 days from 
the effective date of any such change. The Department has previously 
noted that the 180-day general compliance period for new or modified 
standards would not apply where a different compliance period is 
provided in the regulation for one or more provisions.\22\ However, the 
compliance period cannot be less than the statutory minimum of 180 
days.\23\
---------------------------------------------------------------------------

    \21\ See ``A Guide to the Rulemaking Process,'' Office of the 
Federal Register (2011), p. 8, <a href="https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf">https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf</a>.
    \22\ See 78 FR 5566, 5569 (Jan. 25, 2013).
    \23\ See 42 U.S.C. 1320d-4(b)(2).
---------------------------------------------------------------------------

    While we recognize that we are proposing to substantially revise 
the regulatory text, the Department believes that most of the existing 
Security Rule's obligations for regulated entities would not be 
substantially changed by the proposed modifications. Instead, the 
proposed modifications would explicitly codify those activities that 
are critical to protecting the security of ePHI as requirements and 
provide greater detail for such requirements in the regulatory text. 
For example, regulated entities are already required to conduct an 
accurate and thorough risk analysis. While not specified in the 
regulatory text of the Security Rule, an accurate and thorough risk 
analysis requires a regulated entity to perform an inventory of its 
technology assets, determine how ePHI moves through its information 
systems, and identify the locations within its information systems (or 
components thereof) where ePHI may be created, received, maintained, or 
transmitted. Applying such an approach protects ePHI across all phases 
of the data lifecycle consistent with the purpose of the Security Rule. 
The proposals to require a regulated entity to inventory its technology 
assets and map the movement of ePHI through its information systems 
would illuminate considerations to be included in the regulated 
entity's risk analysis.
    As another example, implementing a mechanism to encrypt ePHI is an 
addressable implementation specification under the standard for access 
control at 45 CFR 164.312(a)(2)(iv). Under the existing Security Rule, 
a regulated entity must assess whether encryption is a reasonable and 
appropriate safeguard in its environment, when analyzed with reference 
to its likely contribution to protecting ePHI, and implement encryption 
if reasonable and appropriate.\24\ If encryption is not reasonable and 
appropriate, a regulated entity must document why it would not be 
reasonable and appropriate for it to implement the safeguard and must 
implement an equivalent alternative measure if reasonable and 
appropriate.\25\ As discussed in greater detail below, encryption is 
built into most software today, and where it is not, there are 
affordable and easily implemented solutions that can encrypt sensitive 
information. Thus, it generally would be reasonable and appropriate for 
regulated entities to implement a mechanism to encrypt ePHI, and 
regulated entities should already have done so in most circumstances. 
By expressly requiring regulated entities to encrypt ePHI, with limited 
exceptions, the Department's proposal would reflect our expectations in 
the current cybersecurity environment and eliminate the need for 
regulated entities to perform an analysis of whether encryption is 
reasonable and appropriate.
---------------------------------------------------------------------------

    \24\ 45 CFR 164.306(d)(3)(i) and (d)(3)(ii)(A).
    \25\ 45 CFR 164.306(d)(3)(ii)(B).
---------------------------------------------------------------------------

    Thus, most of the modifications we are proposing would provide 
regulated entities with greater clarity and specificity regarding how 
to fulfill their obligations and the Department's expectations.
    Accordingly, we do not believe that the proposed rule would pose 
unique implementation challenges that would justify an extended 
compliance period (i.e., a period longer than the standard 180 days 
provided in 45 CFR 160.105). Further, the Department believes that 
adherence to the standard compliance period is necessary to timely 
address the circumstances described in this NPRM. Thus, the Department 
proposes to apply the standard compliance date of 180 days after the 
effective date of a final rule.\26\
---------------------------------------------------------------------------

    \26\ See 45 CFR 160.104(c)(1), which requires the Secretary to 
provide at least a 180-day period for regulated entities to comply 
with modifications to standards and implementation specifications in 
the HIPAA Rules.
---------------------------------------------------------------------------

    To help reduce administrative burdens on regulated entities, the 
Department proposes to add a provision at 45 CFR 164.318 affording 
regulated entities a transition period (beyond the 180-day compliance 
period) to modify business associate contracts (herein referred to as 
``business associate agreements'') or other written arrangements \27\ 
that would qualify for the longer transition period, as discussed 
further below.
---------------------------------------------------------------------------

    \27\ 45 CFR 164.314(a)(1).
---------------------------------------------------------------------------

    The Department seeks comment on the proposed compliance period and 
transition period.

C. Table of Abbreviations/Commonly Used Acronyms in This Document

    As used in this preamble, the following terms and abbreviations 
have the meanings noted below.

------------------------------------------------------------------------
               Term                                Meaning
------------------------------------------------------------------------
AI................................  Artificial Intelligence.
ANSI..............................  American National Standards
                                     Institute.
AR................................  Augmented Reality.
ARRA..............................  American Recovery and Reinvestment
                                     Act of 2009.
ASTP/ONC..........................  Assistant Secretary for Technology
                                     Policy and Office of the National
                                     Coordinator for Health Information
                                     Technology.
CISA..............................  Cybersecurity & Infrastructure
                                     Security Agency.
CMS...............................  Centers for Medicare & Medicaid
                                     Services.
CPG...............................  Cybersecurity Performance Goal.
Department or HHS.................  Department of Health and Human
                                     Services.
EHR...............................  Electronic Health Record.
E.O...............................  Executive Order.
ePHI..............................  Electronic Protected Health
                                     Information.
FDA...............................  Food & Drug Administration.
FISMA.............................  Federal Information Security
                                     Modernization Act.
FTC...............................  Federal Trade Commission.
Health IT.........................  Health Information Technology.

[[Page 902]]

 
HIPAA.............................  Health Insurance Portability and
                                     Accountability Act of 1996.
HITECH Act........................  Health Information Technology for
                                     Economic and Clinical Health Act of
                                     2009.
ICR...............................  Information Collection Request.
IIHI..............................  Individually Identifiable Health
                                     Information.
IT................................  Information Technology.
MFA...............................  Multi-factor Authentication.
NAICS.............................  North American Industry
                                     Classification System.
NCVHS.............................  National Committee on Vital and
                                     Health Statistics.
NIST..............................  National Institute of Standards and
                                     Technology.
NPRM..............................  Notice of Proposed Rulemaking.
OCR...............................  Office for Civil Rights.
OMB...............................  Office of Management and Budget.
ONC...............................  Office of the National Coordinator
                                     for Health Information Technology.
PHI...............................  Protected Health Information.
PHSA..............................  Public Health Service Act.
PRA...............................  Paperwork Reduction Act of 1995.
PSAO..............................  Pharmacy Services Administration
                                     Organizations.
RFA...............................  Regulatory Flexibility Act.
RIA...............................  Regulatory Impact Analysis.
SBA...............................  Small Business Administration.
SRMA..............................  Sector Risk Management Agency.
SSA...............................  Social Security Act of 1935.
UMRA..............................  Unfunded Mandates Reform Act of
                                     1995.
VR................................  Virtual Reality.
------------------------------------------------------------------------

II. Statutory Authority and Regulatory History

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    In 1996, Congress enacted HIPAA \28\ to reform the health care 
delivery system to ``improve portability and continuity of health 
insurance coverage in the group and individual markets'' \29\ and ``to 
simplify the administration of health insurance.'' \30\ Through 
subtitle F of HIPAA, Congress amended title XI of the Social Security 
Act of 1935 (SSA) by adding part C, entitled ``Administrative 
Simplification.'' \31\ A primary purpose of part C is to improve the 
Medicare and Medicaid programs and ``the efficiency and effectiveness 
of the health care system, by encouraging the development of a health 
information system through the establishment of uniform standards and 
requirements for the electronic transmission of certain health 
information.'' \32\
---------------------------------------------------------------------------

    \28\ Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996) 
(codified at 42 U.S.C. 201 note).
    \29\ See H.R. Rep. No. 104-496, at 66-67 (1996).
    \30\ Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
    \31\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2021 (Aug. 21, 
1996) (codified at 42 U.S.C. 1320d).
    \32\ Sec. 261 of Public Law 104-191, 110 Stat. 2021 (Aug. 21, 
1996), as amended by sec. 1104(a) of Public Law 111-148, 124 Stat. 
146 (Mar. 23, 2010) (codified at 42 U.S.C. 1320d note).
---------------------------------------------------------------------------

    Congress recognized that the development of a health information 
system that enabled the electronic transmission of IIHI as required by 
HIPAA would pose risks to the privacy of confidential health 
information and viewed individual privacy, confidentiality, and data 
security as critical to support the shift from a paper-based 
recordkeeping system for health information to a digital one.\33\ 
Congress intended for the law to enhance individuals' trust in health 
care providers, which required that the law provide additional 
protection for the confidentiality of IIHI. As described by a Member of 
Congress at the time of the law's passage: ``[t]his standardization, 
however, accelerates the creation of large databases containing 
personally identifiable information. All this information is 
transmitted over electronic networks. We need to be very careful about 
how safe and secure that information is from prying eyes. Some of it 
may be extremely sensitive and could be used in a malicious or 
discriminatory manner.'' \34\ Moreover, Congress considered that health 
care reform required an approach that would not compromise privacy as 
health information became more accessible.\35\
---------------------------------------------------------------------------

    \33\ On a resolution waiving points of order against the 
Conference Report to H.R. 3103, members debated an ``erosion of 
privacy'' balanced against the administrative simplification 
provisions. Thus, from HIPAA's inception, privacy has been a central 
concern to be addressed as legislative changes eased disclosures of 
PHI. See 142 Cong. Rec. H9777 and H9780.
    \34\ 142 Cong. Rec. S9515-16 (daily ed. Aug. 2, 1996) (statement 
of Sen. Simon).
    \35\ See H.R. Rep. No. 104-496 Part 1, at 99-100 (Mar. 25, 
1996).
---------------------------------------------------------------------------

    Congress applied the Administrative Simplification provisions 
directly to three types of persons referred to in regulation as covered 
entities: health plans, health care clearinghouses, and health care 
providers who transmit information electronically in connection with a 
transaction for which HHS has adopted a standard.\36\ Under HIPAA, 
covered entities are required to maintain reasonable and appropriate 
administrative, physical, and technical safeguards \37\ to: (1) ensure 
the integrity and confidentiality of information; \38\ (2) protect 
against any reasonably anticipated threats or hazards to the security 
or integrity of the information and unauthorized uses or disclosures of 
the information; \39\ and (3) otherwise ensure compliance with HIPAA by 
the officers and employees of covered entities.\40\
---------------------------------------------------------------------------

    \36\ See sec. 262(a) of Public Law 104-191, 110 Stat. 2021, 
adding section 1172 to the SSA (codified at 42 U.S.C. 1320d-1); see 
also section 13404 of the American Recovery and Reinvestment Act 
(ARRA) of 2009, Public Law 111-5, 123 Stat. 115 (Feb. 17, 2009) 
(codified at 42 U.S.C. 17934) (applying privacy provisions and 
penalties to business associates of covered entities). The 
Department codified the term ``covered entity'' and defined it using 
these three categories of persons. 45 CFR 164.103.
    \37\ 42 U.S.C. 1320d-2(d)(2).
    \38\ 42 U.S.C. 1320d-2(d)(2)(A).
    \39\ 42 U.S.C. 1320d-2(d)(2)(B).
    \40\ 42 U.S.C. 1320d-2(d)(2)(C).
---------------------------------------------------------------------------

    HIPAA required the Secretary to adopt uniform standards ``to enable 
health information to be exchanged electronically.'' \41\ Congress also 
directed the Secretary to, among other things, adopt standards for the 
security of IIHI.\42\ The statute also directed the Secretary to adopt 
initial security standards within 18 months of its

[[Page 903]]

enactment.\43\ In adopting security standards for health information, 
HIPAA requires the Secretary to consider all of the following: \44\
---------------------------------------------------------------------------

    \41\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2024, adding 
sec. 1173(a) (codified at 42 U.S.C. 1320d-2(a)(1)).
    \42\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2025, adding 
sec. 1173(d) (codified at 42 U.S.C. 1320d-2(d)).
    \43\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2026, adding 
sec. 1174(a) (codified at 42 U.S.C. 1320d-3(a)).
    \44\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2025, adding 
sec. 1173(d)(1) (codified at 42 U.S.C. 1320d-2(d)(1)).
---------------------------------------------------------------------------

    <bullet> The technical capabilities of record systems used to 
maintain health information.
    <bullet> The costs of security measures.
    <bullet> Training for persons who have access to health 
information.
    <bullet> The value of audit trails in computerized record systems.
    <bullet> The needs and capabilities of small health care providers 
and rural health care providers.\45\
---------------------------------------------------------------------------

    \45\ Id.
---------------------------------------------------------------------------

    Congress contemplated that the Department's rulemaking authorities 
under HIPAA would not be static. In fact, Congress specifically built 
in a mechanism to adapt such regulations as technology and health care 
evolve, directing the Secretary to review and adopt modifications to 
the Administrative Simplification standards, including the security 
standards, as determined appropriate, but not more frequently than once 
every 12 months.\46\ That statutory directive complements the 
Secretary's general rulemaking authority to make and publish such rules 
and regulations as may be necessary to the efficient administration of 
the functions with which the Secretary is charged.\47\ The Secretary 
may adopt either a standard developed, adopted, or modified by a 
standard setting organization that relates to a standard that the 
Secretary is authorized or required to adopt under the Administrative 
Simplification provisions, or a standard that is different if the 
different standard will substantially reduce administrative costs to 
health care providers and health plans.\48\ If no standard has been 
adopted by any standard setting organization, the Secretary shall rely 
on the recommendations of the National Committee on Vital and Health 
Statistics (NCVHS) and consult with Federal and State agencies and 
private organizations.\49\
---------------------------------------------------------------------------

    \46\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2026, adding 
sec. 1174(b)(1) (codified at 42 U.S.C. 1320d-3).
    \47\ Sec. 1102 of the SSA (codified at 42 U.S.C. 1302).
    \48\ Sec. 262(a) of Public Law 104-191, 110 Stat. 2023, adding 
sec. 1172 (codified at 42 U.S.C. 1320d-1).
    \49\ Id.
---------------------------------------------------------------------------

2. Health Information Technology for Economic and Clinical Health 
(HITECH) Act
    On February 17, 2009, Congress enacted the Health Information 
Technology for Economic and Clinical Health Act of 2009 (HITECH Act), 
part of the American Recovery and Reinvestment Act of 2009 (ARRA),\50\ 
promoting the nationwide adoption and standardization of health 
information technology (health IT) to support the electronic sharing of 
clinical data. The HITECH Act created financial incentives for health 
IT use among health care practitioners by providing funding for 
investing in health IT infrastructure, purchasing certified electronic 
health records (EHRs), and training on and the dissemination of best 
practices to integrate health IT.\51\ The Purpose statement of an 
accompanying House of Representatives report \52\ on the Energy and 
Commerce Recovery and Reinvestment Act \53\ recognizes that widespread 
health IT adoption ``has the potential to ameliorate many of the 
quality and efficiency problems endemic to our health care system.'' 
Congress also understood that ``[e]nsuring the privacy and security of 
electronic health information is critical to the success'' of this 
immense effort to promote health IT adoption.\54\ As a result, the 
HITECH Act also introduced substantial changes to the HIPAA regulations 
by mandating stronger safeguards for the privacy and security of 
ePHI.\55\
---------------------------------------------------------------------------

    \50\ Title XIII of Division A and title IV of Division B of ARRA 
of 2009, Public Law 111-5, 123 Stat. 115 (Feb. 17, 2009) (codified 
at 42 U.S.C. 201 note).
    \51\ Id.; see also Subtitle B of title XIII of the HITECH Act 
(codified at 42 U.S.C. 17911-17912), 42 U.S.C. 300jj-31-38.
    \52\ See H.R. Rep. No. 111-7, at 74 (2009), accompanying H.R. 
629, 111th Cong.
    \53\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act 
of 2009, introduced in the House on Jan. 22, 2009, contained nearly 
identical provisions to subtitle D of the HITECH Act.
    \54\ C. Stephen Redhead, ``The Health Information Technology for 
Economic and Clinical Health (HITECH) Act,'' Congressional Research 
Service, p. 8 (2009), 
<a href="https://crsreports.congress.gov/product/pdf/R/R40161/9">https://crsreports.congress.gov/product/pdf/R/R40161/9</a>; 
id. at 9 (``[Health IT], which generally refers to the use 
of computer applications in medical practice, is widely viewed as a 
necessary and vital component of health care reform.'').
    \55\ Subtitle D of title XIII of the HITECH Act (codified at 42 
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
---------------------------------------------------------------------------

    The HITECH Act's security requirements focused on safeguarding an 
individual's health information while allowing covered entities to 
rapidly adopt new technologies to improve the quality and efficiency of 
patient care.\56\ Specifically, the HITECH Act extends the application 
of the Security Rule's provisions on administrative, physical, and 
technical safeguards and documentation requirements to business 
associates of covered entities, making those business associates 
subject to civil and criminal liability for violations of the Security 
Rule.\57\ The HITECH Act also requires existing business associate 
agreements to incorporate new security requirements.\58\ Additionally, 
the HITECH Act requires the Secretary to regularly issue guidance on 
the most effective and appropriate technical safeguards.\59\
---------------------------------------------------------------------------

    \56\ See S. Rept. 111-3, 111th Cong. accompanying S. 336, 111th 
Cong., at 59 (2009).
    \57\ Sec. 13401 of Public Law 111-5, 123 Stat. 260 (codified at 
42 U.S.C. 17931).
    \58\ Sec. 13401(a) of Public Law 111-5, 123 Stat. 260 (codified 
at 42 U.S.C. 17931).
    \59\ Sec. 13401(c) of Public Law 111-5, 123 Stat. 260 (codified 
at 42 U.S.C. 17931).
---------------------------------------------------------------------------

    In enacting the HITECH Act, Congress affirmed that the existing 
HIPAA Rules were to remain in effect to the extent that they are 
consistent with the HITECH Act and directed the Secretary to revise the 
HIPAA Rules as necessary for consistency with the HITECH Act.\60\ 
Congress confirmed that the new law was not intended to have any effect 
on authorities already granted under HIPAA to the Department, including 
part C of title XI of the SSA.\61\ Thus, Congress affirmed the 
Secretary's ongoing rulemaking authority to modify the Security Rule's 
standards and implementation specifications as often as every 12 months 
when appropriate, including to strengthen security protections for 
IIHI.
---------------------------------------------------------------------------

    \60\ Sec. 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \61\ Sec. 3009(a)(1)(A) of the PHSA, as added by sec. 13101 of 
the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
---------------------------------------------------------------------------

    In 2021, the HITECH Act was amended to require the HHS Secretary to 
further encourage regulated entities to bolster their cybersecurity 
practices.\62\ The amendment requires the Department to consider 
certain recognized security practices of regulated entities when making 
determinations relating to certain Security Rule compliance and 
enforcement activities.\63\
---------------------------------------------------------------------------

    \62\ See Public Law 116-321, 134 Stat. 5072, adding sec. 13412 
(Jan. 5, 2021) (codified at 42 U.S.C. 17941); see also 42 U.S.C. 
17931 et seq.
    \63\ See Public Law 116-321, 134 Stat. 5072, adding sec. 13412 
(Jan. 5, 2021) (codified at 42 U.S.C. 17941); see also sec. 13401 of 
Public Law 111-5, 123 Stat. 260 (codified at 42 U.S.C. 17931) (The 
HITECH Act adopts the same definition of business associate as the 
HIPAA Rules.); 45 CFR 160.103 (definition of ``Business 
associate'').
---------------------------------------------------------------------------

B. Regulatory History

    The Security Rule requires regulated entities to implement 
administrative, physical, and technical safeguards to

[[Page 904]]

protect ePHI.\64\ Specifically, regulated entities must ensure the 
confidentiality, integrity, and availability of all ePHI they create, 
receive, maintain, or transmit; \65\ protect against reasonably 
anticipated threats or hazards to the security or integrity of the 
information \66\ and reasonably anticipated impermissible uses or 
disclosures; \67\ and ensure compliance by their workforce.\68\
---------------------------------------------------------------------------

    \64\ The Security Rule is codified at 45 CFR part 160 and 
subparts A and C of 45 CFR part 164.
    \65\ See 45 CFR 164.306(a)(1).
    \66\ See 45 CFR 164.306(a)(2).
    \67\ See 45 CFR 164.306(a)(3).
    \68\ See 45 CFR 164.306(a)(4).
---------------------------------------------------------------------------

1. 1998 Security Rule Notice of Proposed Rulemaking
    The Administrative Simplification provisions of HIPAA instructed 
the Secretary to adopt several standards concerning electronic 
transmission of health information, including those for the security of 
health information.\69\ In accordance with these provisions, the 
Department published the Security and Electronic Signature Standards; 
Proposed Rule (``1998 Proposed Rule'') on August 12, 1998.\70\
---------------------------------------------------------------------------

    \69\ See sec. 262(a) of Public Law 104-191, 110 Stat. 2025 (Aug. 
21, 1996), adding sec. 1173(d) (codified at 42 U.S.C. 1320d-2(d)).
    \70\ 63 FR 43242 (Aug. 12, 1998).
---------------------------------------------------------------------------

    In support of developing the national standards mandated under 
HIPAA's Administrative Simplification provisions, the Secretary, with 
significant input from the health care industry, defined a set of 
principles for guiding choices for the standards to be adopted by the 
Secretary.\71\ The principles were based on direct specifications in 
HIPAA and also took the purpose of the law and generally desirable 
principles into account. Based on this work, the Department proposed 
that each HIPAA standard should be clear and unambiguous but technology 
neutral, improve the efficiency and effectiveness of the health care 
system, meet the needs of covered entities related to ease of use and 
affordability of adoption, and maintain consistency or alignment with 
other HIPAA standards adopted by an organization accredited by the 
American National Standards Institute (ANSI) and using the ANSI process 
for adopting such standards.\72\
---------------------------------------------------------------------------

    \71\ Id. at 43244.
    \72\ Id. at 43244, 43249, 43260-61.
---------------------------------------------------------------------------

    In describing its general approach to the 1998 Proposed Rule, the 
Department defined the security standard as a set of requirements with 
implementation features that covered entities must include in their 
operations to assure the security of individuals' ePHI.\73\ The 
security standard was based on three basic concepts that were derived 
from the Administrative Simplification provisions of HIPAA and 
consistent with the characteristics the Department identified as 
appropriate for all HIPAA Rules.\74\ First, the standard should be 
comprehensive and coordinated to address all aspects of security. 
Second, it should be scalable, so that it could be effectively 
implemented by covered entities of all types and sizes. Third, it 
should not be linked to specific technologies, allowing covered 
entities the flexibility to make use of future technology 
advancements.\75\
---------------------------------------------------------------------------

    \73\ Id. at 43249.
    \74\ See 68 FR 8334, 8335 (Feb. 20, 2003).
    \75\ Id.; see also 63 FR 43242, 43249 (Aug. 12, 1998).
---------------------------------------------------------------------------

    The 1998 Proposed Rule included four categories of requirements 
that a covered entity would have to address to safeguard the 
confidentiality, integrity, and availability of ePHI. They were as 
follows:
    <bullet> Administrative procedures.
    <bullet> Physical safeguards.
    <bullet> Technical security services.
    <bullet> Technical mechanisms.
    The implementation specifications described some of the 
requirements in greater detail, based on our determination regarding 
the level of instruction necessary to implement such requirements.\76\ 
The Department viewed all categories as equally important.\77\
---------------------------------------------------------------------------

    \76\ 63 FR 43242, 43250 (Aug. 12, 1998).
    \77\ Id.
---------------------------------------------------------------------------

    The proposed standard did not address the extent to which a covered 
entity should implement the specifications.\78\ Instead, the Department 
proposed to require that each covered entity assess its own security 
needs and risks and devise, implement, and maintain appropriate 
security to address its business requirements. The Department believed 
that this approach would leave a significant amount of flexibility for 
covered entities and balance the need to secure health data against 
risk with the economic cost of doing so.\79\
---------------------------------------------------------------------------

    \78\ Id. at 43249-50.
    \79\ Id. at 43250.
---------------------------------------------------------------------------

2. 2003 Final Rule
    The Department issued the final Security Rule \80\ on February 20, 
2003 (``2003 Final Rule''). In accordance with the Administrative 
Simplification provisions of HIPAA, the 2003 Final Rule adopted 
standards for the security of ePHI to be implemented by covered 
entities.
---------------------------------------------------------------------------

    \80\ 45 CFR part 160 and subparts A and C of 45 CFR part 164; 
68 FR 8334 (Feb. 20, 2003).
---------------------------------------------------------------------------

    The Department reiterated the purposes and guiding principles it 
articulated in the 1998 Proposed Rule and repeated that the protection 
of the privacy of information depends in large part on the existence of 
security measures to protect that information.\81\ The Department noted 
that there were still no standard measures in the health care industry 
that address all aspects of the security of ePHI while it is being 
stored or during the exchange of that information between entities.\82\ 
The Department explained that the use of the security standards would 
improve the Medicare and Medicaid programs, other Federal health 
programs and private health programs, and the effectiveness and 
efficiency of the health care industry in general by establishing a 
level of protection for ePHI.\83\
---------------------------------------------------------------------------

    \81\ 68 FR 8334, 8335, 8371-72 (Feb. 20, 2003).
    \82\ Id.
    \83\ Id.
---------------------------------------------------------------------------

    Provisions of the 2003 Final Rule did not mirror the 1998 Proposed 
Rule; rather, the Department finalized only certain changes. The 
Department noted, for example, that to maintain consistency with the 
use of terms as they appear in the statute and other previously 
released HIPAA Rules (i.e., the HIPAA Privacy and Transactions Rules), 
it was changing some terminology from the 1998 Proposed Rule, replacing 
the terms ``requirement'' with ``standard'' and ``implementation 
feature'' with ``implementation specification.'' \84\
---------------------------------------------------------------------------

    \84\ Id. at 8335.
---------------------------------------------------------------------------

    According to the Department, the comments received in response to 
the 1998 Proposed Rule overwhelmingly validated its basic assumptions 
that the covered entities were so varied in terms of installed 
technology, size, resources, and relative risk, that it would be 
impossible to dictate a specific solution or set of solutions that 
would be usable by all covered entities.\85\ Similarly, we received 
numerous comments expressing the view that the security standards 
should not be overly prescriptive because the speed with which 
technology is evolving could make specific requirements obsolete and 
might in fact deter technological progress. Accordingly, the Department 
framed the standards in the 2003 Final Rule in terms that were as 
generic as possible and that could generally be met through a variety 
of approaches or technologies.\86\ The standards, we

[[Page 905]]

explained, do not allow organizations to make their own rules, only 
their own technology choices.\87\
---------------------------------------------------------------------------

    \85\ Id.
    \86\ Id. at 8336.
    \87\ Id. at 8343.
---------------------------------------------------------------------------

    We also recognized that entities could minimize risk through their 
security practices, but likely could never completely eliminate all 
risk. In the preamble to the 2003 Final Rule, the Department 
acknowledged that there is no such thing as a totally secure system 
that carries no risks to security.\88\ The Department opined that 
Congress' intent in the use of the word ``ensure'' in section 1173(d) 
of the SSA was to set an exceptionally high goal for the security of 
ePHI. However, we also recognized that Congress anticipated that some 
trade-offs would be necessary, and that ``ensuring'' protection did not 
mean doing so without any regard to the cost.\89\ As such, the 
Department explained that we expected a covered entity to protect that 
information to the best of its ability.\90\ Thus, a covered entity 
would be expected to balance the identifiable risks to and 
vulnerabilities of ePHI with the cost of various protective measures, 
while also taking into consideration the size, complexity, and 
capabilities of the covered entity.\91\
---------------------------------------------------------------------------

    \88\ Id. at 8346.
    \89\ Id.
    \90\ Id.
    \91\ Id.
---------------------------------------------------------------------------

    In the 2003 Final Rule, the Department introduced the concept of 
``addressable'' implementation specifications, which it distinguished 
from ``required'' implementation specifications. The goal was to 
provide covered entities with even more flexibility.\92\ While none of 
the implementation specifications were optional, designating some of 
the implementation specifications as addressable provided each covered 
entity with the ability to determine whether certain implementation 
specifications were reasonable and appropriate safeguards for that 
entity, based on its risk analysis, risk mitigation strategy, 
previously implemented security measures, and the cost of 
implementation.\93\
---------------------------------------------------------------------------

    \92\ Id.
    \93\ Id. at 8336.
---------------------------------------------------------------------------

3. 2009 Delegation of Authority

    On October 7, 2003, the Secretary delegated authority for 
administering and enforcing the Security Rule to the Administrator of 
the Centers for Medicare & Medicaid Services (CMS).\94\ The Secretary 
issued a notice on August 4, 2009, superseding the previous delegation 
and replacing it with a delegation authority to the Director of OCR 
effective July 27, 2009.\95\
---------------------------------------------------------------------------

    \94\ ``Statement of Organization, Functions, and Delegations of 
Authority,'' Centers for Medicare & Medicaid Services, 68 FR 60694 
(Oct. 23, 2003).
    \95\ ``Office for Civil Rights; Delegation of Authority,'' U.S. 
Department of Health and Human Services, 74 FR 38630 (Aug. 4, 2009); 
see also ``Statement of Organization, Functions, and Delegations of 
Authority,'' Centers for Medicare & Medicaid Services, 74 FR 38663 
(Aug. 4, 2009).
---------------------------------------------------------------------------

4. 2013 Omnibus Rulemaking

    Following the enactment of the HITECH Act, the Department issued an 
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and 
Enforcement Rules Under the Health Information Technology for Economic 
and Clinical Health [HITECH] Act'' (``2010 Proposed Rule''),\96\ to 
propose implementation of certain HITECH Act requirements. In the 2010 
Proposed Rule, the Department noted that it had not amended the 
Security Rule since 2003.\97\ We further explained that information 
gleaned from contact with the public since that time, OCR's enforcement 
experience, and technical corrections needed to eliminate ambiguity 
provided the impetus for the Department's actions to propose certain 
regulatory changes beyond those required by the HITECH Act.\98\
---------------------------------------------------------------------------

    \96\ 75 FR 40868 (July 14, 2010).
    \97\ Id. at 40871.
    \98\ Id.
---------------------------------------------------------------------------

    In 2013, the Department issued the final rule ``Modifications to 
the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules 
Under the Health Information Technology for Economic and Clinical 
Health [HITECH] Act and the Genetic Information Nondiscrimination Act, 
and Other Modifications to the HIPAA Rules'' (``2013 Omnibus 
Rule''),\99\ which implemented applicable provisions of the HITECH Act 
to strengthen security protections for individuals' health information 
maintained in EHRs.
---------------------------------------------------------------------------

    \99\ 78 FR 5565 (Jan. 25, 2013). In addition to finalizing 
requirements of the HITECH Act that were proposed in the NPRM, the 
Department adopted modifications to the Enforcement Rule not 
previously adopted in an earlier interim final rule, 74 FR 56123 
(Oct. 30, 2009), and to the Breach Notification Rule not previously 
adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The 
Department also finalized previously proposed Privacy Rule 
modifications as required by the Genetic Information 
Nondiscrimination Act of 2008, 74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------

    For example, the Department modified the Security Rule to implement 
the HITECH Act's provisions that extended direct liability for 
compliance with the Security Rule to business associates.\100\ We 
explained that before the enactment of the HITECH Act, the Security 
Rule did not directly apply to business associates of covered entities. 
The HITECH Act extended the application of the Security Rule's 
administrative, physical, and technical safeguards requirements, as 
well as the rule's policies and procedures and documentation 
requirements, to business associates in the same manner as the 
requirements apply to covered entities, making those business 
associates civilly and criminally liable for violations of the Security 
Rule.\101\ The Department noted that the Security Rule requires a 
covered entity to establish business associate agreements that obligate 
business associates to implement administrative, physical, and 
technical safeguards that reasonably and appropriately protect the 
confidentiality, integrity, and availability of the ePHI that they 
create, receive, maintain, or transmit on behalf of the covered 
entity.\102\ Accordingly, we reasoned that business associates and 
subcontractors should already have security practices in place that 
comply with the Security Rule, or require only modest improvement to 
come into compliance with the Security Rule requirements.\103\ Like the 
2003 Final Rule,\104\ the 2013 Omnibus Rule highlighted that the 
Security Rule was designed to be technology neutral and scalable and 
reiterated that regulated entities have the flexibility to choose 
security measures appropriate for their size, resources, and the nature 
of the security risks they face.\105\ Accordingly, regulated entities 
have the flexibility to choose appropriate security measures 
considering their size, capabilities, the costs of the specific 
security measures, and the operational impact, enabling them to 
reasonably implement the standards of the Security Rule.
---------------------------------------------------------------------------

    \100\ 78 FR 5565, 5589 (Jan. 25, 2013).
    \101\ Sec. 13401 of Public Law 111-5, 123 Stat. 260 (Feb. 17, 
2009) (codified at 42 U.S.C. 17931).
    \102\ 78 FR 5565, 5590 (Jan. 25, 2013); see also 45 CFR 
164.314(a).
    \103\ 78 FR 5565, 5589 (Jan. 25, 2013).
    \104\ 68 FR 8334, 8341 (Feb. 20, 2003).
    \105\ 78 FR 5565, 5589 (Jan. 25, 2013).
---------------------------------------------------------------------------

    The Department also adopted technical revisions to 45 CFR 
164.306(e) to clarify that regulated entities must review and modify 
security measures as needed to ensure reasonable and appropriate 
protection of ePHI, and update documentation of security measures 
accordingly.\106\
---------------------------------------------------------------------------

    \106\ Id. at 5590.
---------------------------------------------------------------------------

    Finally, because the HITECH Act made business associates directly 
liable for compliance with the Security Rule, the 2013 Omnibus Rule 
modified the Security Rule to clarify that a covered entity is not 
required to obtain satisfactory assurance from a business associate 
that is a subcontractor that the subcontractor will appropriately 
safeguard its ePHI. Rather, the business

[[Page 906]]

associate of the covered entity must obtain the required satisfactory 
assurances from the subcontractor to protect the security of ePHI.\107\
---------------------------------------------------------------------------

    \107\ Id. (citing 45 CFR 164.308(b)).
---------------------------------------------------------------------------

III. Justification for This Proposed Rulemaking

    HIPAA and the HIPAA Rules promote access to high-quality and 
effective health care by establishing standards for the security of 
ePHI. The standards, when implemented appropriately by regulated 
entities, protect the confidentiality, integrity, and availability of 
individuals' health information. Such protections promote the 
electronic transmission of PHI through a national health information 
system. To ensure access to high-quality health care services, 
regulated entities must assure their customers (e.g., individuals, 
health care providers, and health plans) of the security of the 
sensitive and confidential health information the regulated entities 
electronically create, receive, maintain, or transmit.
    As discussed above, the Security Rule carefully balances the 
benefits of safeguarding against security risks with the burdens of 
implementing protective measures by permitting regulated entities to 
consider several factors, including costs and available technology for 
preventing and mitigating security risks,\108\ when determining which 
security measures are reasonable and appropriate for protecting the 
security of individuals' ePHI.\109\
---------------------------------------------------------------------------

    \108\ As technology has evolved and cybercriminals have become 
more sophisticated, protective measures, including technology, have 
been developed to prevent and mitigate such risks. For example, 
certain health IT may be certified through the ONC Health IT 
Certification Program as meeting certain criteria that address the 
security of information created, received, maintained, or 
transmitted by that health IT. See 45 CFR 170.550(h).
    \109\ 45 CFR 164.306(b).
---------------------------------------------------------------------------

    For example, the Security Rule requires that a regulated entity 
implement policies and procedures to limit physical access to its 
electronic information systems and the facilities in which they are 
housed, while ensuring that users who are authorized to access such 
information systems and facilities are permitted to do so.\110\ The 
implementation specifications associated with this standard only 
address the need for operationalized policies and procedures related to 
specific aspects of physical security.\111\ They do not dictate the 
specifics of such policies and procedures because we recognize that the 
nature of the physical safeguards should depend on the type of 
regulated entity, its size, its level of access to ePHI, and a number 
of other factors.
---------------------------------------------------------------------------

    \110\ 45 CFR 164.310(a)(1).
    \111\ 45 CFR 164.310(a)(2).
---------------------------------------------------------------------------

    Since the Security Rule's promulgation in 2003, the environment in 
which health care is provided and in which regulated entities operate 
has changed significantly, including transformative changes in how 
regulated entities create, receive, maintain, and transmit ePHI. For 
example, as of 2021, almost 80 percent of physician offices and 96 
percent of hospitals had adopted certified EHRs.\112\ The use of health 
IT, including EHRs (certified or otherwise), has led to enormous 
advancements in the fields of medicine and public health, not only 
improving outcomes for individuals, but also assisting in addressing 
the social, economic, and environmental factors that affect health on 
an individual and community level.\113\ And the electronic exchange of 
health information, spurred by HIPAA, the HITECH Act, and the 21st 
Century Cures Act (``Cures Act''),\114\ has enabled regulated entities 
and others to more quickly and efficiently share individuals' health 
information, increasing the quality and efficiency of health care, 
increasing patient engagement, and reducing administrative burden.\115\ 
However, the widespread use of health IT systems makes it even more 
critical for regulated entities, regardless of their size or location, 
to fully assess the risks and vulnerabilities to ePHI and their 
information systems and implement strong security measures to address 
those risks and vulnerabilities.
---------------------------------------------------------------------------

    \112\ ``National Trends in Hospital and Physician Adoption of 
Electronic Health Records,'' The Office of the National Coordinator 
for Health Information Technology, U.S. Department of Health and 
Human Services, <a href="https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records">https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records</a>.
    \113\ See ``2020-2025 Federal Health IT Strategic Plan,'' The 
Office of the National Coordinator for Health Information 
Technology, U.S. Department of Health and Human Services, p. 6 (Oct. 
2020), <a href="https://www.healthit.gov/sites/default/files/page/2020-10/Federal%20Health%20IT%20Strategic%20Plan_2020_2025.pdf">https://www.healthit.gov/sites/default/files/page/2020-10/Federal%20Health%20IT%20Strategic%20Plan_2020_2025.pdf</a>.
    \114\ Among other things, the Cures Act provided ONC, in 
collaboration with NIST and other relevant agencies within the 
Department, with the authority to convene public-private and public-
public partnerships to build consensus and develop or support a 
trusted exchange framework, including a common agreement among 
health information networks nationally. The purpose of this work is 
to ensure full network-to-network exchange of health information. 
Sec. 4003(b) of Public Law 114-255, 130 Stat. 1165 (Dec. 13, 2016) 
(codified at 42 U.S.C. 300jj-11(c)). The Cures Act also provides 
penalties for any developer of certified health IT, health 
information exchange or network, and appropriate disincentives for 
any health care provider, determined by the Inspector General to 
have committed information blocking. Sec. 4004(b)(2) of Public Law 
114-255, 130 Stat. 1165 (Dec. 13, 2016) (codified at 42 U.S.C. 
300jj-52).
    \115\ See ``Frequently Asked Question: Health Information 
Exchange: The Benefits,'' The Office of the National Coordinator for 
Health Information Technology, U.S. Department of Health and Human 
Services, <a href="https://www.healthit.gov/faq/why-health-information-exchange-important">https://www.healthit.gov/faq/why-health-information-exchange-important</a>.
---------------------------------------------------------------------------

    Experts repeatedly have expressed concern regarding the state of 
cybersecurity in the health care industry.\116\ For example, in a 2017 
report to Congress, experts convened by the Department pronounced, 
``Now more than ever, all health care delivery organizations [. . .] 
have a greater responsibility to secure their systems, medical devices, 
and patient data.'' \117\ This responsibility has only increased as the 
delivery of health care and the exchange of PHI have increasingly 
shifted to cyberspace.
---------------------------------------------------------------------------

    \116\ See Genevieve P. Kanter, et al., ``Beyond Security 
Patches--Fundamental Incentive Problems in Health Care 
Cybersecurity,'' JAMA Health Forum, Volume 2, Issue 10, p. e212969 
(Oct. 8, 2021), <a href="https://jamanetwork.com/journals/jama-health-forum/fullarticle/2784981">https://jamanetwork.com/journals/jama-health-forum/fullarticle/2784981</a>; Chon Abraham, et al., ``Muddling through 
cybersecurity: Insights from the U.S. healthcare industry,'' 
Business Horizons, Volume 62, Issue 4, p. 539-548, p. 539 (July-Aug. 
2019), <a href="https://www.sciencedirect.com/science/article/abs/pii/S0007681319300436">https://www.sciencedirect.com/science/article/abs/pii/S0007681319300436</a>; Eric Perakslis, ``Responding to the Escalating 
Cybersecurity Threat to Health Care,'' The New England Journal of 
Medicine, Volume 387, Issue 9 (Sept. 1, 2022), <a href="https://www.nejm.org/doi/abs/10.1056/NEJMp2205144">https://www.nejm.org/doi/abs/10.1056/NEJMp2205144</a>; Anthony James Cartwright, ``The 
elephant in the room: cybersecurity in healthcare,'' Journal of 
Clinical Monitoring and Computing, Volume 37, Issue 5, p. 1123-1132 
(Apr. 24, 2023), <a href="https://link.springer.com/article/10.1007/s10877-023-01013-5">https://link.springer.com/article/10.1007/s10877-023-01013-5</a>.
    \117\ ``Report on Improving Cybersecurity In The Health Care 
Industry,'' Health Care Industry Cybersecurity Task Force, p. 1 
(June 2017), <a href="https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf">https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf</a>.
---------------------------------------------------------------------------

    Despite advancements in technology, including health IT, the core 
requirements of the Security Rule remain relevant and applicable today. 
In fact, they serve as a foundation for more recently promulgated 
cybersecurity guidelines, best practices, processes, and procedures. 
Security management, regular monitoring and review of information 
system activity, information access management, security awareness and 
training, contingency planning, encryption, and authentication all 
continue to be represented in the most well-known cybersecurity 
frameworks, including the NIST's Cybersecurity Framework,\118\ the HHS 
405(d) Program's ``Health Industry Cybersecurity Practices: Managing

[[Page 907]]

Threats and Protecting Patients,'' \119\ and the Department's 
CPGs.\120\
---------------------------------------------------------------------------

    \118\ ``The NIST Cybersecurity Framework (CSF) 2.0,'' supra note 
15.
    \119\ ``Health Industry Cybersecurity Practices: Managing 
Threats and Protecting Patients,'' supra note 16.
    \120\ ``Cybersecurity Performance Goals,'' supra note 18.
---------------------------------------------------------------------------

    While these concepts remain highly relevant and applicable, the 
Department has concerns regarding the sufficiency of the security 
measures implemented by regulated entities. OCR's experience 
investigating allegations of Security Rule violations, reports received 
by OCR of breaches of unsecured PHI, and the results of the audits 
conducted by OCR in 2016-2017 demonstrate that regulated entities are 
not consistently complying with the Security Rule's requirements.\121\ 
Additionally, the Department is concerned about the extent to which 
regulated entities have updated their security measures to adjust to 
the changes in the health care environment and their operations, 
including new and emerging threats to the confidentiality, integrity, 
and availability of ePHI.
---------------------------------------------------------------------------

    \121\ See ``2016-2017 HIPAA Audits Industry Report,'' Office for 
Civil Rights, U.S. Department of Health and Human Services (Dec. 
2020), <a href="https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf">https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf</a>.
---------------------------------------------------------------------------

    And the Department is not alone in its concerns. NCVHS serves as 
the Department's advisory body for HIPAA.\122\ Given the increase in 
cybersecurity incidents affecting the health care sector, NCVHS held a 
series of public hearings on cybersecurity to better understand how to 
protect ePHI and individuals. In response to those hearings, NCVHS 
submitted several recommendations to the Department regarding the 
importance of strengthening the Security Rule.\123\ As discussed above, 
HIPAA requires the Secretary to rely on NCVHS' recommendations \124\ 
with respect to standards promulgated under the statute.
---------------------------------------------------------------------------

    \122\ See sec. 262 of Public Law 104-191, 110 Stat. 2023 (Aug. 
21, 1996) (codified at 42 U.S.C. 1320d-1(f)), added sec. 1172(f) of 
the SSA; see also ``About NCVHS,'' National Committee on Vital and 
Health Statistics, <a href="http://www.ncvhs.hhs.gov">www.ncvhs.hhs.gov</a>.
    \123\ See Letter from NCVHS Chair Jacki Monson to HHS Secretary 
Xavier Becerra (May 10, 2022), <a href="https://ncvhs.hhs.gov/wp-content/uploads/2022/05/NCVHS-Recommendations-to-Strengthen-Cybersecurity-in-HC-05-10-2022-508.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2022/05/NCVHS-Recommendations-to-Strengthen-Cybersecurity-in-HC-05-10-2022-508.pdf</a>; see also Letter from NCVHS Chair Jacki 
Monson to HHS Secretary Xavier Becerra (Nov. 29, 2023), <a href="https://ncvhs.hhs.gov/wp-content/uploads/2024/01/Letter-to-the-Secretary-Recommendations-to-Strengthen-the-HIPAA-Security-Rule_508.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2024/01/Letter-to-the-Secretary-Recommendations-to-Strengthen-the-HIPAA-Security-Rule_508.pdf</a>.
    \124\ 42 U.S.C. 1320d-1(f).
---------------------------------------------------------------------------

    Given the importance of strong security measures, the changed 
environment and operations for health care, uncertainty expressed by 
regulated entities regarding their compliance obligations, deficiencies 
identified by OCR in its investigations of regulated entities, and the 
recommendations of NCVHS, we believe that it is necessary and 
appropriate for the Department to propose modifications to clarify and 
strengthen the Security Rule.

A. Strong Security Standards Are Essential to Protecting the 
Confidentiality, Integrity, and Availability of ePHI and Ensuring 
Quality and Efficiency in the Health Care System

    A primary purpose of HIPAA's Administrative Simplification 
provisions \125\ is to, among other things, ``improve [. . .] the 
efficiency and effectiveness of the health care system, by encouraging 
the development of a health information system through the 
establishment of uniform standards and requirements for the electronic 
transmission of certain health information.'' \126\ As Congress 
recognized when it enacted HIPAA, protecting the security of ePHI is 
essential for accomplishing this goal. Members of Congress acknowledged 
at that time that the provisions of HIPAA would create electronic 
databases of PHI, enabling the PHI to be transmitted electronically 
with both the benefits and risks that accompany such electronic 
transactions.\127\ Congressional statements leading up to HIPAA's 
enactment demonstrate Congress' recognition of the potential risks of 
the shift from paper recordkeeping to electronic: ``We need to be very 
careful about how safe and secure that information is from prying eyes. 
Some of it may be extremely sensitive and could be used in a malicious 
or discriminatory manner.'' \128\ Accordingly, HIPAA required the 
establishment of strict security standards for health information.
---------------------------------------------------------------------------

    \125\ Subtitle F of title II of HIPAA, Public Law 104-191, 110 
Stat. 1936 (Aug. 21, 1996).
    \126\ Sec. 261 of Public Law 104-191, 110 Stat. 2021 (Aug. 21, 
1996), as amended by sec. 1104(a) of Public Law 111-148, 124 Stat. 
146 (Mar. 23, 2010) (codified at 42 U.S.C. 1320d note).
    \127\ See statement of Sen. Simon, supra note 34; see also 155 
Cong. Rec. H1562 (statement of Rep. Markey) (stating that ARRA 
includes provisions for health IT with built-in privacy and 
security); Implementation of the Health Information Technology for 
Economic and Clinical Health (HITECH) Act: Hearing Before the House 
Committee on Energy and Commerce Subcommittee on Health, 111th Cong. 
11-12 (2010) (statement of Rep. Schakowsky) (explaining that the 
HITECH Act strengthened Federal privacy and security laws to protect 
personal identifying information from misuse to ensure that 
individuals would be willing to use electronic records).
    \128\ Statement of Sen. Simon, supra note 34.
---------------------------------------------------------------------------

    As discussed above, the Security Rule, as amended by the HITECH 
Act, specifically requires regulated entities to maintain reasonable 
and appropriate administrative, physical, and technical safeguards to 
ensure the confidentiality, integrity, and availability of ePHI; to 
protect against any reasonably anticipated threats or hazards to the 
security or integrity of ePHI and unauthorized uses or disclosures of 
ePHI; and ensure compliance with the Administrative Simplification 
provisions by officers and workforce members of regulated 
entities.\129\
---------------------------------------------------------------------------

    \129\ See section 1173(d)(2) of HIPAA (codified at 42 U.S.C. 
1320d-2(d)(2)) and section 13401 of ARRA (codified at 42 U.S.C. 
17931(a)) and 45 CFR 164.306.
---------------------------------------------------------------------------

    It is reasonable to anticipate that regulated entities will need to 
protect ePHI against cyberattacks and unauthorized uses and disclosures 
of ePHI by their workforce members. Experts estimate the costs to the 
U.S. from cyberattacks on health care facilities to be 
significant.\130\ According to one study, health care data breach costs 
to affected organizations have increased by more than 50 percent since 
2020, making health care data breaches more expensive than data 
breaches in any other sector, at an average cost of almost $10.1 
million per breach.\131\ Yet these costs, though sizeable, do not fully 
take into account the practical implications of poor or ineffective 
cybersecurity protocols. A failure to implement adequate security 
measures may lead to: financial loss; reputational harm for affected 
individuals and affected regulated entities; privacy loss; and safety 
concerns.\132\ Additionally, breaches of unsecured PHI may lead to 
identity theft, fraud, stock manipulation, and competitive 
disadvantage.\133\ According to a study funded by the Institute for 
Critical Infrastructure Technology, victims of medical identity theft 
incur on average costs of $13,500 to recover from that theft.\134\ 
Unlike financial information, much of an individual's PHI is

[[Page 908]]

immutable. For example, an individual's date and location of birth and 
their health history will not change, even if their address might. In 
contrast, an individual's passwords, bank account numbers, and other 
financial information can all be changed. Thus, PHI can continue to be 
exploited throughout an individual's lifetime, making PHI likely to be 
far more valuable than an individual's credit card information.\135\
---------------------------------------------------------------------------

    \130\ See Hadi Ghayoomi, et al., ``Assessing resilience of 
hospitals to cyberattack,'' Digital Health, p. 2 (2021), <a href="https://doi.org/10.1177/20552076211059366">https://doi.org/10.1177/20552076211059366</a>; ``Beyond Security Patches--
Fundamental Incentive Problems in Health Care Cybersecurity,'' supra 
note 116; Jessica Brewer, et al., ``An Insight into the Current 
Security Posture of Healthcare IT: A National Security Concern,'' 
The Institute for Critical Infrastructure Technology, p. 3 (2019), 
<a href="https://www.icitech.org/post/an-insight-into-the-current-security-posture-of-healthcare-it-a-national-security-concern">https://www.icitech.org/post/an-insight-into-the-current-security-posture-of-healthcare-it-a-national-security-concern</a>.
    \131\ ``Cost of a Data Breach Report 2023,'' IBM, p. 13 (2023) 
(explaining that the average cost of a health care data breach was 
$7.13 million in 2020), <a href="https://www.ibm.com/reports/data-breach">https://www.ibm.com/reports/data-breach</a>.
    \132\ ``Report on Improving Cybersecurity In The Health Care 
Industry,'' supra note 117, p. 14-15.
    \133\ Id.
    \134\ ``An Insight into the Current Security Posture of 
Healthcare IT: A National Security Concern,'' supra note 130, p. 3.
    \135\ See, e.g., Caleb J. Kumar, ``New Dangers in the New World: 
Cyber Attacks in the Healthcare Industry,'' Intersect, Volume 10, 
No. 3, p. 3 (2017).
---------------------------------------------------------------------------

    On the surface, the harms that result from a breach of ePHI or a 
cyberattack on a regulated entity's electronic information systems, as 
discussed above, are not significantly different than those that would 
result from a breach of information in another sector. However, the 
reality is, as discussed above, that the implications of such harms are 
far greater in the health care sector because of their potential to 
adversely affect an individual's health or quality of life, or even to 
cost an individual their life.\136\ As stated by the Health Care 
Industry Cybersecurity Task Force in its 2017 report on the state of 
cybersecurity in health care: ``The health care system cannot deliver 
effective and safe care without deeper digital connectivity. If the 
health care system is connected, but insecure, this connectivity could 
betray patient safety, subjecting them to unnecessary risk and forcing 
them to pay unaffordable personal costs.'' \137\ In the event of a 
cybersecurity incident, patients' health, including their lives, may be 
at risk where such incident creates impediments to the provision of 
health care, such as interference with the operations of a critical 
medical device, or to the administrative or clinical operations of a 
regulated entity, such as preventing the scheduling of appointments or 
viewing of an individual's health history.\138\
---------------------------------------------------------------------------

    \136\ ``An Insight into the Current Security Posture of 
Healthcare IT: A National Security Concern,'' supra note 130, p. 3.
    \137\ ``Report on Improving Cybersecurity In The Health Care 
Industry,'' supra note 117, p. 2.
    \138\ Id. at 18.
---------------------------------------------------------------------------

    According to a Cybersecurity & Infrastructure Security Agency 
(CISA) statistical analysis of the effects of a hypothetical 
cyberattack on a model hospital, a hospital's relative performance will 
suffer amidst a cyberattack.\139\ The analysis found that the 
hypothetical cyberattack would lead to hospital strain from 
inaccessible patient schedules and records, disrupted communication, 
and delays in processing and communicating test results in time to 
effectively treat individuals.\140\ While the analysis did not find any 
deaths directly attributable to the hypothetical attack, it is logical 
to conclude that deaths--or at least worsened outcomes--are a 
significant risk where there are disruptions in communications, as well 
as delays in processing and communicating test results, especially for 
emergent or acute medical cases. For example, an inability to access an 
individual's pharmacy records could affect the ability of a pharmacist 
to identify known interactions between newly prescribed medications and 
an existing medication list, potentially leading to an individual's 
injury or death. Other studies have similarly found that cyberattacks 
can have a substantial effect on access to health care, and potentially 
mortality.\141\ In fact, a more recent study found that cyberattacks 
had disproportionately negative effects on in-hospital mortality rates 
for Black patients who were already admitted to the hospital at the 
time of the cyberattack.\142\ A recent survey found that 92 percent of 
surveyed health care organizations had experienced a cyberattack in the 
past year \143\ and almost three-quarters of the respondents who had 
experienced a cyberattack reported negative effects on patient care, 
including delays in tests or procedures, longer stays, increased 
mortality rates, complications from medical procedures, and patient 
transfers or diversions to other facilities.\144\ A recent letter from 
NCVHS referenced anecdotal accounts of patient deaths that have been 
attributed to ransomware attacks.\145\ For example, in 2019, a 
ransomware attack may have contributed to a baby's death at an Alabama 
hospital. A change in the baby's fetal heart rate went unnoticed 
because the large digital display that normally would have displayed 
the information was affected by the attack. The baby, born with her 
umbilical cord wrapped around her neck, suffered severe brain damage 
and died nine months later.\146\
---------------------------------------------------------------------------

    \139\ ``CISA INSIGHTS: Provide Medical Care Is In Critical 
Condition: Analysis and Stakeholder Decision Support to Minimize 
Further Harm,'' Cybersecurity & Infrastructure Security Agency, U.S. 
Department of Homeland Security, p. 12-15 (Sept. 2021), <a href="https://www.cisa.gov/sites/default/files/publications/CISA_Insight_Provide_Medical_Care_Sep2021.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_Insight_Provide_Medical_Care_Sep2021.pdf</a>.
    \140\ Id.
    \141\ See ``Assessing resilience of hospitals to cyberattack,'' 
supra note 130; Claire C. McGlave, et al., ``Hacked to Pieces? The 
Effects of Ransomware Attacks on Hospitals and Patients,'' SSRN 
(Oct. 4, 2023), <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4579292">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4579292</a>.
    \142\ ``Hacked to Pieces? The Effects of Ransomware Attacks on 
Hospitals and Patients,'' supra note 141, p. 14.
    \143\ ``The 2024 Study on Cyber Insecurity In Healthcare: The 
Cost and Impact on Patient Safety and Care,'' Ponemon Institute, p. 
3 (2024) (The report, sponsored by Proofpoint, Inc., included survey 
responses from 648 IT and IT security practitioners at U.S.-based 
health care organizations.).
    \144\ Id. at p. 5.
    \145\ See Letter from NCVHS Chair Jacki Monson (2023), supra 
note 123, p. 1 (citing several media reports that attributed patient 
deaths to cybersecurity attacks).
    \146\ Id. (citing Joseph Marks, ``Ransomware attack might have 
caused another death,'' The Washington Post (Oct. 1, 2021), <a href="https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/">https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/</a>).
---------------------------------------------------------------------------

    Cyberattacks can divert both human and machine resources, leading 
to process slowdowns, cancelled procedures, delayed hospital or unit 
lockdowns and transfers, increases in wait times for individuals, both 
increases and decreases in staff utilization, and a decrease in a 
health care provider's capacity.\147\ A 2020 cyberattack on a large 
integrated academic health system, attributed to malicious software 
embedded in an email attachment opened by an employee on their laptop, 
affected more than 5,000 end-user devices across 1,300 servers and led 
to revenue losses of more than $63 million.\148\ Though the health care 
provider's EHR was not infected, it elected to shut the EHR down 
proactively. Ultimately, the covered entity ``experienced 39 days of 
downtime in outpatient imaging.'' \149\
---------------------------------------------------------------------------

    \147\ ``Assessing resilience of hospitals to cyberattack,'' 
supra note 130, p. 2.
    \148\ Kerri Reeves, ``Cyberattacks: Not a Matter of If, but 
When,'' Radiology Matters (Mar./Apr. 2024), <a href="https://www.proquest.com/scholarly-journals/cyberattacks-not-matter-if-when/docview/2957757956/se-2?accountid=12786">https://www.proquest.com/scholarly-journals/cyberattacks-not-matter-if-when/docview/2957757956/se-2?accountid=12786</a>.
    \149\ Id.
---------------------------------------------------------------------------

    In another example, a ransomware attack on an academic level 1 
trauma center caused it to go without access to its EHR for 25 
days,\150\ and the attack affected 5,000 computers and destroyed the 
trauma center's electronic information systems that contained ePHI. The 
hospital lost access to its EHR, internet, and intranet, which also 
``removed functionality of hospital phones, [EHR] integrated office and 
surgical scheduling, access to digitized radiology studies, and network 
account access through local and remote computers.'' \151\
---------------------------------------------------------------------------

    \150\ Mitchell Tarka, et al., ``The crippling effects of a 
cyberattack at an academic level 1 trauma center: An orthopedic 
perspective,'' Injury, p. 1095-1101 (2023), <a href="https://pubmed.ncbi.nlm.nih.gov/36801172/">https://pubmed.ncbi.nlm.nih.gov/36801172/</a>.
    \151\ Id.
---------------------------------------------------------------------------

    These serious incidents and resulting effects demonstrate the 
importance of planning and preparing for a potential

[[Page 909]]

cyberattack or other event that adversely affects a regulated entity's 
information systems. While such planning and preparation may not 
prevent all cyberattacks, it can reduce the number of successful 
incidents and mitigate their effects. In fact, studies have suggested 
that such preparation may allow for at least close to real-time 
recovery.\152\
---------------------------------------------------------------------------

    \152\ ``Assessing resilience of hospitals to cyberattack,'' 
supra note 130, p. 13.
---------------------------------------------------------------------------

    The effects of a cyberattack are not limited to the regulated 
entity that experiences it and the individuals whose ePHI is 
compromised. Surveys conducted by various organizations representing 
health care providers indicate that an overwhelming majority of health 
care providers in the U.S. were affected by a ransomware attack on a 
large health care clearinghouse.\153\ A study published in 2023 
examined the effects of a cyberattack at a neighboring, unaffiliated 
hospital on a large academic medical center.\154\ The 
study found that the academic medical center experienced, among other 
things, significant increases in the number of patients admitted, 
ambulance arrivals, waiting room times, and patients leaving without 
being seen. The study's authors concluded that their findings suggested 
``that health care cyberattacks such as ransomware are associated with 
greater disruptions to regional hospitals and should be treated as 
disasters, necessitating coordinated planning and response efforts.'' 
\155\ Thus, implementing reasonable and appropriate security measures 
better protects not only the regulated entity and its ePHI, but other 
regulated entities with whom it interacts, and may reduce the effects 
of cyberattacks and other security incidents that adversely affect the 
confidentiality, integrity, or availability of ePHI.
---------------------------------------------------------------------------

    \153\ See Paige Minemyer, ``AMA: 80% of docs have lost revenue 
amid disruptions from Change Healthcare cyberattack,'' Fierce 
Healthcare (Apr. 10, 2024), <a href="https://www.fiercehealthcare.com/practices/ama-80-docs-have-lost-revenue-amid-disruptions-change-healthcare-cyberattack">https://www.fiercehealthcare.com/practices/ama-80-docs-have-lost-revenue-amid-disruptions-change-healthcare-cyberattack</a>; ``AHA survey: Change Healthcare cyberattack 
having significant disruptions on patient care, hospitals' 
finances'' (Mar. 15, 2024), <a href="https://www.aha.org/news/news/2024-03-15-aha-survey-change-healthcare-cyberattack-having-significant-disruptions-patient-care-hospitals-finances">https://www.aha.org/news/news/2024-03-15-aha-survey-change-healthcare-cyberattack-having-significant-disruptions-patient-care-hospitals-finances</a>; see also Sean Lyngaas, 
`` `We're hemorrhaging money': US health clinics try to stay open 
after unprecedented cyberattack,'' CNN (Mar. 9, 2024), <a href="https://www.cnn.com/2024/03/09/tech/medical-supply-chain-cybersecurity/index.html">https://www.cnn.com/2024/03/09/tech/medical-supply-chain-cybersecurity/index.html</a>.
    \154\ Christian Dameff, et al., ``Ransomware Attack Associated 
With Disruptions at Adjacent Emergency Departments in the U.S.,'' 
JAMA Network Open (May 8, 2023), <a href="https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2804585">https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2804585</a>.
    \155\ Id.
---------------------------------------------------------------------------

    As discussed above, several industry organizations have published 
and maintained compilations of voluntary standards, guidelines, best 
practices, methodologies, procedures, and processes for protecting the 
security of sensitive and confidential information, including PHI. 
Additionally, certain Federal health programs now either require or 
recommend the adoption of specific criteria that are intended to 
protect the confidentiality, integrity, and availability of ePHI. For 
example, the Health IT Certification Program maintained by the 
Assistant Secretary for Technology Policy and Office of the National 
Coordinator for Health Information Technology (ASTP/ONC) \156\ sets 
minimum requirements for certified health IT, including criteria that 
pertain to cybersecurity.\157\ These criteria are included in the 
Health IT Certification Program's Health IT Privacy and Security 
Framework,\158\ which identifies when technical capabilities to support 
the privacy and security of electronic health information \159\ must be 
included in certified health IT products. Additionally, health care 
providers that participate in certain Federal health programs must use 
health IT certified to these requirements.\160\ Regulated entities also 
may want to consider adoption of certified health IT because it could 
contribute to compliance with the Security Rule. We will continue to 
work across the Department to ensure the adoption of consistent 
requirements for Federal programs that support the secure electronic 
exchange of health information to the extent that such consistency is 
appropriate. Throughout this preamble, we provide examples of how a 
regulated entity's participation in other Federal programs that require 
the use of health IT certified through the ONC Health IT Certification 
Program, or adoption of other Federal recommendations, such as the HHS 
CPGs, might support their compliance with the proposals in this NPRM.
---------------------------------------------------------------------------

    \156\ On July 29, 2024, the Department announced that the Office 
of the National Coordinator for Health Information Technology was 
being renamed the Assistant Secretary for Technology Policy and 
Office of the National Coordinator for Health Information 
Technology. In this NPRM, we continue to use ONC for publications 
cited that predate the renaming of that office. 89 FR 60903 (July 
29, 2024).
    \157\ See, e.g., 45 CFR 170.315(d)(6), (7), (12), and (13). For 
more information on the ONC Health IT Certification Program, visit 
<a href="https://www.healthit.gov/topic/certification-ehrs/certification-health-it">https://www.healthit.gov/topic/certification-ehrs/certification-health-it</a>.
    \158\ The ONC Health IT Certification Program specifies at 45 
CFR 170.550(h) the privacy and security certification framework for 
Health IT Modules. Section 170.550(h) identifies a mandatory minimum 
set of the certification criteria that ONC-Authorized Certification 
Bodies (ONC ACBs) must ensure are also included as part of specific 
Health IT Modules that are presented for certification. See 
``Certification Companion Guide Privacy and Security,'' The Office 
of the National Coordinator for Health Information Technology, U.S. 
Department of Health and Human Services (May 7, 2024), <a href="https://www.healthit.gov/sites/default/files/2015Ed_CCG_Privacy_and_Security.pdf">https://www.healthit.gov/sites/default/files/2015Ed_CCG_Privacy_and_Security.pdf</a>.
    \159\ See 45 CFR 171.102 (definition of ``Electronic health 
information'').
    \160\ See, e.g., Medicare Promoting Interoperability Program, 42 
CFR 495.24 (eligible hospitals and critical access hospitals must 
use certified electronic health record technology (CEHRT), with 
limited exceptions, to comply with the program's meaningful use 
requirements); Merit-based Incentive Payment System (MIPS) Promoting 
Interoperability performance category, 42 CFR 414.1375 (requiring 
MIPS eligible clinicians to use CEHRT, as defined in 42 CFR 
414.1305, to comply with reporting requirements for the Promoting 
Interoperability performance category).
---------------------------------------------------------------------------

    Additionally, as discussed above, several organizations have 
published and maintained compilations of voluntary standards, 
guidelines, best practices, methodologies, procedures, and processes 
for protecting the security of sensitive and confidential information, 
including PHI. These compilations and the State regulations discussed 
above range from granular \161\ to high-level \162\ and from health 
care-specific \163\ to industry agnostic.\164\ Despite these 
differences, these compilations and regulations have a great deal in 
common with each other--and with the Security Rule, its longevity 
notwithstanding. In fact, the foundational elements of the Security 
Rule, promulgated more than 20 years ago, can still be found in 
cybersecurity compilations published today. They generally either 
require or recommend administrative, physical, and technical safeguards 
to identify and mitigate risks and vulnerabilities, implement 
authentication and access controls, conduct security awareness and 
training for information system users, and plan for contingencies and 
incident response.\165\ Additionally, these compilations all require or 
recommend the designation of a specific individual who is accountable 
for implementing the requirements or recommendations. And, importantly, 
they all ultimately address how to maintain the

[[Page 910]]

confidentiality, integrity, and availability of sensitive and 
confidential information, including ePHI.
---------------------------------------------------------------------------

    \161\ See, e.g., ``Health Industry Cybersecurity Practices: 
Managing Threats and Protecting Patients,'' supra note 16.
    \162\ See, e.g., ``The NIST Cybersecurity Framework (CSF) 2.0,'' 
supra note 15.
    \163\ See, e.g., ``Cybersecurity Performance Goals,'' supra note 
18.
    \164\ See, e.g., ``Cross-Sector Cybersecurity Performance 
Goals,'' Cybersecurity & Infrastructure Security Agency, U.S. 
Department of Homeland Security (Mar. 2023), <a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf</a>.
    \165\ See generally 45 CFR 164.308(a); ``The NIST Cybersecurity 
Framework (CSF) 2.0,'' supra note 15; ``Cybersecurity Performance 
Goals,'' supra note 18.
---------------------------------------------------------------------------

    A major distinguishing factor between the content of the Security 
Rule and these compilations and regulations is the Security Rule's 
scope. The compilations and regulations are designed to protect various 
types of data and information systems broadly. In comparison, a 
defining quality of the Security Rule's requirements is that they focus 
specifically on the protection of ePHI and the information systems that 
create, receive, maintain, or transmit ePHI. Thus, while the 
foundational elements of various cybersecurity compilations and State 
regulations and the Security Rule may be the same, the Security Rule 
alone addresses the application of those elements to ePHI and all of 
the components of information systems that create, receive, maintain, 
or transmit ePHI. Thus, while the standards of the Security Rule 
generally align with those of other cybersecurity standards, 
frameworks, best practices, guidelines, processes, and procedures, the 
specific implementation specifications of the Security Rule reflect the 
particular sensitivities of the health care industry, particularly 
small and rural health care providers, in a way that is necessary to 
ultimately improve the efficiency and effectiveness of the health care 
system and avoid imposing unreasonable compliance burdens on regulated 
entities.

B. The Health Care Environment Has Changed Since the Security Rule Was 
Last Revised and Will Continue To Evolve

    The health care sector has undergone a dramatic transformation over 
the last 24 years, and particularly in the past 10 years, spurred at 
least in part by the Department's implementation of HIPAA, the HITECH 
Act, and the Cures Act. The industry has shifted from one that 
generally relied upon a system of paper-based recordkeeping and siloed 
devices to one that depends on interconnected information systems to 
maintain and exchange patient records, conduct research, run health 
care provider facility management systems, and provide patient 
care.\166\ This shift is largely the result of HIPAA's emphasis on the 
development and use of standards and the EHR incentive funds made 
available under the HITECH Act for health care providers.\167\ Data 
from ASTP/ONC offer clear and convincing evidence of this shift. In 
2008, before the enactment of the HITECH Act, less than 10 percent of 
non-Federal acute hospitals had implemented what was referred to at the 
time as a ``Basic EHR'' (i.e., an electronic health record).\168\ By 
2015, six years after the enactment of the HITECH Act, almost 84 
percent had adopted a Basic EHR while 96 percent had adopted a 
certified EHR.\169\ The transformation was further enabled by the Cures 
Act, which encouraged the development of a trusted exchange framework 
for the nationwide exchange of health information and provided 
penalties for health care providers, health information exchanges and 
networks, and developers of certified health IT that engage in 
information blocking.\170\ In 2014, 41 percent of such hospitals 
routinely had electronic access to clinical information from outside 
providers or sources when treating a patient.\171\ By 2023, 70 percent 
of non-Federal acute care hospitals engaged in all domains of 
interoperable exchange routinely or sometimes, a significant leap 
forward.\172\ In 2017, only 38 percent of hospitals enabled patients to 
access their health information using an application and in 2018, 57 
percent enabled patient access to their clinical notes in their patient 
portal; by 2021, 70 percent of hospitals enabled patients to access 
their health information using an application and 82 percent enabled 
patients to view their clinical notes in their patient portal.\173\ And 
just a year later, the percentage of hospitals that supported patient 
access through applications increased to 86 percent.\174\ Based on this 
data, it is clear that HIPAA, coupled with the HITECH Act and the Cures 
Act, has successfully encouraged the development of a nationwide 
electronic health information system.
---------------------------------------------------------------------------

    \166\ Derrick Tin, et al., ``Cyberthreats: A primer for health 
care professionals,'' The American Journal of Emergency Medicine, p. 
182-183 (Apr. 2023), <a href="https://doi.org/10.1016/j.ajem.2023.04.001">https://doi.org/10.1016/j.ajem.2023.04.001</a>.
    \167\ See Public Law 104-191, 110 Stat. 2021 (Aug. 21, 1996) 
(codified at 42 U.S.C. 1320d note); Sec. 4101 of ARRA, Public Law 
111-5, 123 Stat. 467 (Feb. 17, 2009), amending sec. 1848 of the SSA 
(codified at 42 U.S.C. 1395w-4).
    \168\ JaWanna Henry, et al., ``ONC Data Brief: Adoption of 
Electronic Health Record Systems among U.S. Non-Federal Acute Care 
Hospitals: 2008-2015,'' The Office of the National Coordinator for 
Health Information Technology, U.S. Department of Health and Human 
Services, p. 1 (May 2016), <a href="https://www.healthit.gov/sites/default/files/briefs/2015_hospital_adoption_db_v17.pdf">https://www.healthit.gov/sites/default/files/briefs/2015_hospital_adoption_db_v17.pdf</a>; A Basic EHR collects 
information on patient demographics, problem lists, medication 
lists, and discharge summaries. It also includes computerized 
provider order entry for medications and enables clinicians to view 
certain reports. Id. at Appendix.
    \169\ ``ONC Data Brief: Adoption of Electronic Health Record 
Systems among U.S. Non-Federal Acute Care Hospitals: 2008-2015,'' 
supra note 168, p. 1; When used here, ``certified EHR Technology'' 
means EHR technology that meets the technological capability, 
functionality, and security requirements adopted by the Department 
as certification criteria at 45 CFR part 170; see also ``Certified 
EHR Technology,'' The Office of the National Coordinator for Health 
Information Technology, U.S. Department of Health and Human Services 
(Sept. 6, 2013), <a href="https://www.cms.gov/medicare/regulations-guidance/promoting-interoperability-programs/certified-ehr-technology">https://www.cms.gov/medicare/regulations-guidance/promoting-interoperability-programs/certified-ehr-technology</a> (``In 
order to efficiently capture and share patient data, health care 
providers need certified electronic health record (EHR) technology 
(CEHRT) that stores data in a structured format. Structured data 
allows health care providers to easily retrieve and transfer patient 
information and use the EHR in ways that can aid patient care.'').
    \170\ See sec. 4003(b) and 4004(b)(2) of Public Law 114-255, 130 
Stat. 1165 (Dec. 13, 2016) (codified at 42 U.S.C. 300jj-11(c) and 42 
U.S.C. 300jj-52).
    \171\ Dustin Charles, et al., ``ONC Data Brief: Interoperability 
among U.S. Non-federal Acute Care Hospitals, 2014,'' The Office of 
the National Coordinator for Health Information Technology, U.S. 
Department of Health and Human Services, p. 1 (Aug. 2015), <a href="https://www.healthit.gov/sites/default/files/briefs/onc_databrief25_interoperabilityv16final_081115.pdf">https://www.healthit.gov/sites/default/files/briefs/onc_databrief25_interoperabilityv16final_081115.pdf</a>.
    \172\ Meghan Hufstader Gabriel, et al., ``ONC Data Brief: 
Interoperable Exchange of Patient Health Information Among U.S. 
Hospitals: 2023,'' The Office of the National Coordinator for Health 
Information Technology, U.S. Department of Health and Human 
Services, p. 1 (May 2024), <a href="https://www.healthit.gov/sites/default/files/2024-05/Interoperable-Exchange-of-Patient-Health-Information-Among-U.S.-Hospitals-2023.pdf">https://www.healthit.gov/sites/default/files/2024-05/Interoperable-Exchange-of-Patient-Health-Information-Among-U.S.-Hospitals-2023.pdf</a>.
    \173\ Wesley Barker, et al., ``ONC Data Brief: Hospital 
Capabilities to Enable Patient Electronic Access to Health 
Information, 2021,'' The Office of the National Coordinator for 
Health Information Technology, U.S. Department of Health and Human 
Services, p. 2 and 5 (Oct. 2022) (estimates based on non-Federal 
acute care hospitals and applications configured to meet the 
application programming interface (API) specifications in the 
hospital's EHR), <a href="https://www.healthit.gov/sites/default/files/2022-12/hospital_capabilities_to_enable_patient_access_ONC_DB2021-Updated.pdf">https://www.healthit.gov/sites/default/files/2022-12/hospital_capabilities_to_enable_patient_access_ONC_DB2021-Updated.pdf</a>.
    \174\ Catherine Strawley, et al., ``ONC Data Brief: Hospital Use 
of APIs to Enable Data Sharing Between EHRs and Apps,'' The Office 
of the National Coordinator for Health Information Technology, U.S. 
Department of Health and Human Services, p. 2 (Sept. 2023) 
(estimates based on non-Federal acute care hospitals using 
standards-based APIs to enable patient access), <a href="https://www.healthit.gov/sites/default/files/2023-09/DB68-Hospital%20Use%20of%20APIs%20to%20Enable%20Data%20Sharing_508.pdf">https://www.healthit.gov/sites/default/files/2023-09/DB68-Hospital%20Use%20of%20APIs%20to%20Enable%20Data%20Sharing_508.pdf</a>.
---------------------------------------------------------------------------

    Not only is PHI increasingly maintained and transmitted 
electronically, but treatment is also increasingly provided 
electronically. The coronavirus disease 2019 (COVID-19) pandemic led to 
a dramatic increase in the use of telemedicine.\175\ According

[[Page 911]]

to ONC data, only 15 percent of office-based physicians used any form 
of telemedicine in 2018-19. In 2021, telemedicine usage increased to 87 
percent.\176\ The electronic content generated or transmitted during a 
telemedicine visit constitutes ePHI, so the increase in telemedicine 
further increases the amount of PHI that is also ePHI.
---------------------------------------------------------------------------

    \175\ See ``Determination That A Public Health Emergency Exists 
Nationwide as the Result of the 2019 Novel Coronavirus,'' 
Administration for Strategic Preparedness & Response, U.S. 
Department of Health and Human Services (Jan. 31, 2020), <a href="https://aspr.hhs.gov/legal/PHE/Pages/2019-nCoV.aspx">https://aspr.hhs.gov/legal/PHE/Pages/2019-nCoV.aspx</a>; ``Renewal of 
Determination that a Public Health Emergency Exists As a Result of 
the Continued Consequences of the Coronavirus Disease 2019 (COVID-
19) Pandemic,'' Administration for Strategic Preparedness & 
Response, U.S. Department of Health and Human Services (Feb. 9, 
2023), <a href="https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx">https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx</a>; 
``Notification of Enforcement Discretion for Telehealth Remote 
Communications During the COVID-19 Nationwide Public Health 
Emergency,'' Office for Civil Rights, U.S. Department of Health and 
Human Services (Jan. 20, 2021), <a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html">https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html</a>.
    \176\ Yuriy Pylypchuk, et al., ``ONC Data Brief: Use of 
Telemedicine among Office-Based Physicians, 2021,'' The Office of 
the National Coordinator for Health Information Technology, U.S. 
Department of Health and Human Services, p. 1 (Mar. 2023), <a href="https://www.healthit.gov/sites/default/files/2023-04/DB65_TelemedicinePhysicians_508.pdf">https://www.healthit.gov/sites/default/files/2023-04/DB65_TelemedicinePhysicians_508.pdf</a>.
---------------------------------------------------------------------------

    It is not only the ePHI maintained in EHRs and other electronic 
recordkeeping systems that faces security risks. Medical equipment and 
devices are increasingly connected through one or more networks, which 
means that any issues affecting the network likely will affect the 
medical equipment and devices.\177\ And some medical equipment and 
devices rely on off-the-shelf operating systems, such as Windows, 
Linux, and similar third-party software; \178\ thus, the medical 
equipment and devices can experience the same vulnerabilities as 
personal computing devices. Generally, the U.S. Food & Drug 
Administration (FDA) does not need to review software patches or 
configuration updates for off-the-shelf software before a device 
manufacturer puts them in place because the FDA views most patches and 
configuration updates as design changes that can be made without prior 
discussion.\179\
---------------------------------------------------------------------------

    \177\ Nduma N. Basil, ``Health Records Database and Inherent 
Security Concerns: A Review of the Literature,'' Cureus, p. 3 (Oct. 
11, 2022) (``The increase in networked medical equipment and devices 
implies that, if there is a security breach in the form of hacking, 
then traffic on the network can slow down and interfere with the 
delivery of healthcare services.''), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9647912/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9647912/</a>.
    \178\ Id.
    \179\ ``Guidance Document: Information for Healthcare 
Organizations about FDA's `Guidance for Industry: Cybersecurity for 
Networked Medical Devices Containing Off-The-Shelf (OTS) Software,' 
'' U.S. Food & Drug Administration, U.S. Department of Health and 
Human Services (Feb. 2005), <a href="https://www.fda.gov/regulatory-information/search-fda-guidance-documents/information-healthcare-organizations-about-fdas-guidance-industry-cybersecurity-networked-medical">https://www.fda.gov/regulatory-information/search-fda-guidance-documents/information-healthcare-organizations-about-fdas-guidance-industry-cybersecurity-networked-medical</a>.
---------------------------------------------------------------------------

    Cybercriminals may use--or target--technology assets, such as 
software or medical devices used for treating individuals. For example, 
in 2021, a cyberattack on cloud-based systems supplied by a particular 
company compromised the ePHI of more than 200,000 individuals and 
affected the software for linear accelerators used in radiotherapy, 
leading to disruptions to cancer treatment.\180\ Thus, to protect 
technology assets used for treatment, the information systems that 
create, receive, maintain, and transmit ePHI also must be protected. As 
another example, in 2013, the Mayo Clinic \181\ hired a group of 
ethical hackers \182\ to identify vulnerabilities in 40 different 
medical devices.\183\ The hackers were able to gain access to all of 
the devices, meaning that the devices could all be vulnerable to a 
cyberattack.\184\ Such attacks may create an opening for a subsequent 
attack on the device itself or on the regulated entity's information 
systems that create, receive, maintain, or transmit ePHI, compromising 
those information systems and the ePHI itself.\185\ It also may lead, 
intentionally or not, to a loss of device integrity, which could result 
in the corruption of the device's functionality or the ePHI on the 
device.\186\ A cyberattack on a medical device may also reduce the 
ability of the authorized person to use the device (e.g., a denial of 
service attack, which is a type of cyberattack that overloads the 
device by flooding the network with traffic).\187\ Depending on the 
device and its use, the result of cyberattacks on a medical device 
could range from little or no effect to serious injury or death.\188\
---------------------------------------------------------------------------

    \180\ Elizabeth Gourd, ``Increase in health-care cyberattacks 
affecting patients with cancer,'' The Lancet, p. 1215 (Sept. 2021), 
<a href="https://doi.org/10.1016/S1470-2045(21)00451-4">https://doi.org/10.1016/S1470-2045(21)00451-4</a>.
    \181\ See Mayo Clinic, <a href="https://www.mayoclinic.org/">https://www.mayoclinic.org/</a>.
    \182\ An ``ethical hacker'' is a cybersecurity researcher who 
``use[s] penetration testing techniques to test an organization's 
cybersecurity and information technology (IT) security.'' See Ed 
Tittel, ``How to Become a White Hat Hacker,'' Business News Daily 
(June 17, 2024), <a href="https://www.businessnewsdaily.com/10713-white-hat-hacker-career.html">https://www.businessnewsdaily.com/10713-white-hat-hacker-career.html</a>.
    \183\ See Foued Badrouchi, et al., ``Cybersecurity 
Vulnerabilities in Biomedical Devices: A Hierarchical Layered 
Framework,'' Internet of Things Use Cases for the Healthcare 
Industry, p. 157-58 (2020); see also Monte Reel, et al., ``It's Way 
Too Easy to Hack the Hospital,'' Bloomberg Businessweek (Nov. 2015), 
<a href="https://www.bloomberg.com/features/2015-hospital-hack/">https://www.bloomberg.com/features/2015-hospital-hack/</a>.
    \184\ See ``Cybersecurity Vulnerabilities in Biomedical Devices: 
A Hierarchical Layered Framework,'' supra note 183, p. 157-58.
    \185\ See also ``It's Way Too Easy to Hack the Hospital,'' supra 
note 183; Nicole M. Thomasian, et al., ``Cybersecurity in the 
internet of Medical Things,'' Health Policy and Technology (Sept. 
2021), <a href="https://doi.org/10.1016/j.hlpt.2021.100549">https://doi.org/10.1016/j.hlpt.2021.100549</a>.
    \186\ ``Cybersecurity in the internet of Medical Things,'' supra 
note 185.
    \187\ Id.
    \188\ Id.
---------------------------------------------------------------------------

    According to researchers at Brown University, medical devices are a 
prime target for cybercriminals. In fact, they believe, ``More than 
just technically feasible, the widespread takedown of medical devices 
is an imminent threat.'' \189\ A 2023 Government Accountability Office 
report on medical device cybersecurity described the importance of 
``robust cybersecurity controls to ensure medical device safety and 
effectiveness'' because of ``the increasing integration of wireless, 
internet- and network-connected capabilities, and the electronic 
exchange of health information.'' \190\ The FDA has also acknowledged, 
``As electronic medical devices become increasingly connected to each 
other and to other technologies, the ability of connected systems to 
safely, securely and effectively exchange and use the information 
becomes critical. [. . .] Cybersecurity concerns rise along with the 
increasing medical device interoperability.'' \191\ Accordingly, in 
2023, the FDA issued updated guidance for industry and FDA staff on 
requirements for cybersecurity in medical devices.\192\
---------------------------------------------------------------------------

    \189\ Id.
    \190\ Report to Congressional Committees, ``Medical Device 
Cybersecurity: Agencies Need to Update Agreement to Ensure Effective 
Coordination,'' U.S. Government Accountability Office, p. 1 (Dec. 
2023), <a href="https://www.gao.gov/assets/d24106683.pdf">https://www.gao.gov/assets/d24106683.pdf</a>.
    \191\ ``Medical Device Interoperability,'' U.S. Food & Drug 
Administration, U.S. Department of Health and Human Services, 
<a href="https://www.fda.gov/medical-devices/digital-health-center-excellence/medical-device-interoperability">https://www.fda.gov/medical-devices/digital-health-center-excellence/medical-device-interoperability</a>.
    \192\ Guidance for Industry and Food & Drug Administration 
Staff, ``Cybersecurity in Medical Devices: Quality System 
Considerations and Content of Premarket Submissions,'' U.S. Food & 
Drug Administration, U.S. Department of Health and Human Services 
(Sept. 27, 2023), <a href="https://www.fda.gov/media/119933/download">https://www.fda.gov/media/119933/download</a>.
---------------------------------------------------------------------------

    And then there are digital health applications. When an application 
is deployed by a covered entity, an application developer may be a 
business associate and subject to the Security Rule. An application 
developer may also meet the HIPAA Rules' definition of ``health care 
provider'' \193\ and be a covered entity.\194\ Individuals are also 
increasingly interested in accessing their ePHI using applications 
and transmitting information collected by health and wellness 
applications to

[[Page 912]]

their health care providers.\195\ Such applications may empower 
individuals to better manage their health and participate in their 
health care and provide health care providers and researchers with a 
more holistic view of the individual's health at a particular point in 
time and over an extended period of time.\196\ This technology, while 
valuable for understanding an individual's overall health, introduces 
another potential vulnerability to the security of ePHI and the 
information systems that create, receive, maintain, or transmit it.
---------------------------------------------------------------------------

    \193\ 45 CFR 160.103 (definition of ``Health care provider'').
    \194\ Where an application developer meets the HIPAA Rules' 
definition of health care provider and engages in standard 
electronic transactions, such as billing an insurance company for 
its services, it is a covered entity for the purposes of the HIPAA 
Rules, including the Security Rule. Where an application developer 
is not regulated under the HIPAA Rules, other Federal laws may apply 
to the application developer or the application, such as the FTC 
Act. See, e.g., FTC Act (codified at 15 U.S.C. 41-58).
    \195\ See, e.g., Kea Turner, et al., ``Sharing patient-generated 
data with healthcare providers: findings from a 2019 national 
survey,'' Journal of the American Medical Informatics Association, 
p. 371-376 (Nov. 12, 2020), <a href="https://doi.org/10.1093/jamia/ocaa272">https://doi.org/10.1093/jamia/ocaa272</a>; 
Accenture Federal Services, ``Conceptualizing a Data Infrastructure 
for the Capture, Use, and Sharing of Patient-Generated Health Data 
in Care Delivery and Research through 2024,'' The Office of the 
National Coordinator for Health Information Technology, U.S. 
Department of Health and Human Services, p. 5 (Jan. 2018), <a href="https://www.healthit.gov/sites/default/files/onc_pghd_final_white_paper.pdf">https://www.healthit.gov/sites/default/files/onc_pghd_final_white_paper.pdf</a>; 
see also Jolaade Kalinowski, et al., ``Smart device ownership and 
use of social media, wearable trackers, and health apps among Black 
women with hypertension in the United States,'' JMIR Cardio (pre-
print), <a href="https://preprints.jmir.org/preprint/59243">https://preprints.jmir.org/preprint/59243</a>.
    \196\ See ``Conceptualizing a Data Infrastructure for the 
Capture, Use, and Sharing of Patient-Generated Health Data in Care 
Delivery and Research through 2024,'' supra note 195, p. 1; Asos 
Mahmood, et al., ``mHealth Apps Use and Their Associations With 
Healthcare Decision-Making and Health Communication Among Informal 
Caregivers: Evidence From the National Cancer Institute's Health 
Information National Trends Survey,'' American Journal of Health 
Promotion, p. 40-52 (Jan. 2024), <a href="https://journals-sagepub-com.hhsnih.idm.oclc.org/doi/10.1177/08901171231202861">https://journals-sagepub-com.hhsnih.idm.oclc.org/doi/10.1177/08901171231202861</a>.
---------------------------------------------------------------------------

    EHRs, networked medical devices, and applications are only the 
beginning. Artificial intelligence (AI) in health care, particularly 
for diagnosis and treatment, is in the nascent stages of development, 
but many are eager to test its promise.\197\ After all, many experts 
believe that AI promises opportunities to improve patient care, 
outcomes, and population health, as well as to reduce costs.\198\ The 
use of AI in health care is increasing and is expected to continue to 
increase.\199\ A 2023 Healthcare Information and Management Systems 
Society (HIMSS) survey of health care cybersecurity professionals 
reported that approximately 50 percent of respondents' organizations 
permitted the use of generative AI technology.\200\ And other new 
technologies are expected shortly, as discussed below. For example, 
according to reports, quantum computing may be available in the near 
future, which may have ramifications for data privacy and 
security.\201\ We also know that researchers are exploring methods for 
storing ePHI in biological material (e.g., DNA).\202\
---------------------------------------------------------------------------

    \197\ See 88 FR 75191 (Nov. 1, 2023); Ritu Agarwal, et al., 
``Augmenting physicians with artificial intelligence to transform 
healthcare: Challenges and opportunities,'' Journal of Economics & 
Management Strategy, p. 360-374 (Mar. 2024), <a href="https://onlinelibrary-wiley-com.hhsnih.idm.oclc.org/doi/10.1111/jems.12555">https://onlinelibrary-wiley-com.hhsnih.idm.oclc.org/doi/10.1111/jems.12555</a>; Becca Beets, 
et al., ``Surveying Public Perceptions of Artificial Intelligence in 
Health Care in the United States: Systematic Review,'' Journal of 
Medical internet Research (2023), <a href="https://doi.org/10.2196/40337">https://doi.org/10.2196/40337</a>.
    \198\ Michael E. Matheny, et al., ``Artificial Intelligence in 
Health Care: A Report from the National Academy of Medicine,'' 
Journal of the American Medical Association, p. 509-10 (2020), 
<a href="https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2757958">https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2757958</a>.
    \199\ ``2023 HIMSS Healthcare Cybersecurity Survey,'' Healthcare 
Information and Management Systems Society, p. 19 (Mar. 1, 2024), 
<a href="https://www.himss.org/sites/hde/files/media/file/2024/03/01/2023-himss-cybersecurity-survey-x.pdf">https://www.himss.org/sites/hde/files/media/file/2024/03/01/2023-himss-cybersecurity-survey-x.pdf</a>.
    \200\ Id. at 16; Generative AI is a type of software that ``uses 
statistical models that generalize the patterns and structures of 
existing data to either reorganize existing data or create new 
content.'' ``Risk In Focus: Generative A.I. And The 2024 Election 
Cycle,'' Cybersecurity & Infrastructure Security Agency, U.S. 
Department of Homeland Security, <a href="https://www.cisa.gov/sites/default/files/2024-05/Consolidated_Risk_in_Focus_Gen_AI_ElectionsV2_508c.pdf">https://www.cisa.gov/sites/default/files/2024-05/Consolidated_Risk_in_Focus_Gen_AI_ElectionsV2_508c.pdf</a>.
    \201\ ``2023 HIMSS Healthcare Cybersecurity Survey,'' supra note 
199, p. 22.
    \202\ See Lizzie Roehrs, ``CSL Professor explores DNA as data 
storage,'' University of Illinois Urbana-Champaign The Grainger 
College of Engineering Coordinated Science Laboratory (Aug. 25, 
2020), <a href="https://csl.illinois.edu/news-and-media/csl-professor-explores-dna-data-storage">https://csl.illinois.edu/news-and-media/csl-professor-explores-dna-data-storage</a>; Cheng Kai Lim, et al., ``A biological 
camera that captures and stores images directly into DNA,'' nature 
communications (July 3, 2023), <a href="https://www.nature.com/articles/s41467-023-38876-w">https://www.nature.com/articles/s41467-023-38876-w</a>; Devasier Bennet, et al., ``Current and emerging 
opportunities in biological medium-based computing and digital data 
storage,'' Nano Select, p. 883 (May 2022), <a href="https://doi-org.hhsnih.idm.oclc.org/10.1002/nano.202100275">https://doi-org.hhsnih.idm.oclc.org/10.1002/nano.202100275</a>.
---------------------------------------------------------------------------

    While the promise of these new technologies is exciting, they come 
with increased risks and vulnerabilities to ePHI and the information 
systems that create, receive, maintain, or transmit it. As noted by 
Executive Order (E.O.) 14110, ``[AI] must be safe and secure. Meeting 
this goal requires [. . .] addressing AI systems' most pressing 
security risks--including with respect to biotechnology, cybersecurity, 
critical infrastructure, and other national security dangers--while 
navigating AI's opacity and complexity.'' \203\ For these reasons, the 
E.O. required the Secretary of HHS, in consultation with the Secretary 
of Defense and the Secretary of Veterans Affairs, to establish an HHS 
AI Task Force to develop a strategic plan that includes policies and 
frameworks on responsible deployment and use of AI and AI-enabled 
technologies in the health and human services sector, including the 
incorporation of safety, privacy, and security standards into the 
software-development lifecycle for the protection of personally 
identifiable information, such as measures to address AI-enhanced 
cybersecurity threats in the health and human services sector.\204\ The 
Department has taken a number of actions to address the use of AI in 
health care, including establishing an AI Council, appointing a Chief 
AI Officer,\205\ and taking steps to regulate the use of AI in health 
care.\206\ Accordingly, regulated entities must be prepared to 
identify, mitigate, and remediate such risks and vulnerabilities.
---------------------------------------------------------------------------

    \203\ 88 FR 75191 (Nov. 1, 2023).
    \204\ Id. at 75214.
    \205\ See ``HHS Artificial Intelligence (AI) Strategy: AI 
Council & AI Community of Practice,'' U.S. Department of Health and 
Human Services (June 6, 2024), <a href="https://www.hhs.gov/programs/topic-sites/ai/strategy/index.html">https://www.hhs.gov/programs/topic-sites/ai/strategy/index.html</a>; ``About the HHS Office of the Chief 
Artificial Intelligence Officer (OCAIO),'' U.S. Department of Health 
and Human Services (June 6, 2024), <a href="https://www.hhs.gov/programs/topic-sites/ai/ocaio/index.html">https://www.hhs.gov/programs/topic-sites/ai/ocaio/index.html</a>; see also ``Advancing Governance, 
Innovation, and Risk Management for Agency Use of Artificial 
Intelligence,'' M-24-10, Office of Management and Budget, Executive 
Office of the President (Mar. 28, 2024), <a href="https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf">https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf</a>.
    \206\ See, e.g., 89 FR 37522, 37642 (May 6, 2024) and 89 FR 
1192, 1244 (Jan. 9, 2024).
---------------------------------------------------------------------------

    As the health care industry has generally shifted from paper 
record-keeping and non-interoperable electronic devices to an 
interconnected electronic health care system, that shift has led to 
increasing vulnerability to breaches of unsecured PHI resulting from 
unauthorized uses and disclosures and cyberattacks. According to an 
article published by the American Hospital Association Center for 
Health Innovation, ``Health care organizations are particularly 
vulnerable and targeted by cyberattacks because they possess so much 
information of high monetary and intelligence value to cyber thieves 
and nation-state actors.'' \207\ In fact, ``[. . .] on the dark web, 
PHI is deemed more

[[Page 913]]

valuable than credit card data, enabling cybercriminals to extract as 
much as [$1,000] per stolen medical record.'' \208\ Before this shift 
to an interconnected electronic system, lost or misplaced paper records 
or even a laptop could lead to a breach of unsecured PHI affecting 
hundreds or thousands of individuals.\209\ While a breach of that size 
remains significant, unauthorized access to a single workstation today 
could lead to a breach that affects millions of individuals because of 
the increase in interconnectivity.\210\
---------------------------------------------------------------------------

    \207\ John Riggi, ``The importance of cybersecurity in 
protecting patient safety,'' American Hospital Association Center 
for Health Innovation, <a href="https://www.aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety">https://www.aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety</a>; In 2016, PHI was valued at 50 times the worth of financial 
information on the black market. Diane Doebele Koch, ``Is the HIPAA 
Security Rule Enough to Protect Electronic Personal Health 
Information (PHI) in the Cyber Age?'' Journal of Health Care 
Finance, p. 22 (Spring 2016) (citing Beth Kutscher, ``Healthcare 
underspends on Cybersecurity as attacks accelerate,'' Modern 
Healthcare (Mar. 3, 2016), <a href="https://www.modernhealthcare.com/article/20160303/NEWS/160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate">https://www.modernhealthcare.com/article/20160303/NEWS/160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate</a>.); ``New Dangers in the New World: Cyber Attacks 
in the Healthcare Industry,'' supra note 135, p. 3 (``[. . .] stolen 
medical data sells for 10-20 times more than credit card data.'').
    \208\ Gilbert Munoz-Cornejo, et al., ``Analyzing the urban-rural 
divide: the role of location, time, and breach characteristics in 
U.S. hospital security incidents, 2012-2021,'' Discover Health 
Systems (June 17, 2024), <a href="https://link.springer.com/article/10.1007/s44250-024-00105-6#:~:text=Specifically%2C%20our%20study%20shows%20that,trend%20of%20breaches%20over%20time">https://link.springer.com/article/10.1007/s44250-024-00105-6#:~:text=Specifically%2C%20our%20study%20shows%20that,trend%20of%20breaches%20over%20time</a>.
    \209\ Lynne Coventry, et al., ``Cybersecurity in healthcare: A 
narrative review of trends, threats and ways forward,'' Maturitas, 
p. 46 (July 2018), <a href="https://www.maturitas.org/article/S0378-5122">https://www.maturitas.org/article/S0378-5122</a>(18)30165-8/abstract.
    \210\ Id.
---------------------------------------------------------------------------

    Between 2018 and 2023, the number of breaches of unsecured PHI 
reported to the Department grew at an alarming rate (100 percent 
increase), as did the number of individuals affected by such breaches 
(950 percent increase).\211\ The reports reflect rampant escalation of 
cyberattacks using hacking (260 percent increase) and ransomware (264 
percent increase).\212\ Based on reports made to OCR, in 2022, 
approximately three-fourths of the breaches of unsecured PHI affecting 
500 or more individuals were the result of hacking of electronic 
equipment or a network server.\213\ In 2023, over 160 million 
individuals were affected by breaches involving the PHI of 500 or more 
individuals--a new record. We anticipate that 2024 will surpass that 
record, particularly in light of the estimate provided by a large 
covered entity regarding the number of individuals affected by a breach 
of its subsidiary.\214\
---------------------------------------------------------------------------

    \211\ See ``Breach Portal: Notice to the Secretary of HHS Breach 
of Unsecured Protected Health Information,'' supra note 10.
    \212\ Id.
    \213\ ``Annual Report to Congress on Breaches of Unsecured 
Protected Health Information: For Calendar Year 2022,'' Office for 
Civil Rights, U.S. Department of Health and Human Services, p. 8-9 
(2022), <a href="https://www.hhs.gov/sites/default/files/breach-report-to-congress-2022.pdf">https://www.hhs.gov/sites/default/files/breach-report-to-congress-2022.pdf</a>.
    \214\ Change Healthcare is a health care clearinghouse and a 
subsidiary of UnitedHealth Group, <a href="https://www.changehealthcare.com/">https://www.changehealthcare.com/</a>. 
On the morning of Feb. 21, 2024, Optum (another subsidiary of 
UnitedHealth Group) reported that it was ``experiencing enterprise-
wide connectivity issues.'' By that afternoon, the announcement 
changed to a ``network interruption related to a cyber security 
issue'' and explained that ``[o]nce [Change Healthcare] became aware 
of the outside threat, in the interest of protecting our partners 
and patients, we took immediate action to disconnect our systems to 
prevent further impact.'' See ``Optum Solution Status,'' Optum, 
Inc., UnitedHealth Group, <a href="https://solution-status.optum.com/incidents/hqpjz25fn3n7">https://solution-status.optum.com/incidents/hqpjz25fn3n7</a> (last accessed on July 16, 2024). On Mar. 13, 
2024, the Department announced that it would be initiating an 
investigation into the incident. See Letter from OCR Director 
Melanie Fontes Rainer to Colleagues (Mar. 13, 2024), <a href="https://www.hhs.gov/sites/default/files/cyberattack-change-healthcare.pdf">https://www.hhs.gov/sites/default/files/cyberattack-change-healthcare.pdf</a>. 
Andrew Witty, UnitedHealth Group Chief Executive Officer, in his 
testimony to Congress, estimated that the breach of Change 
Healthcare may involve the PHI of one-third of Americans. ``Hacking 
America's Health Care: Assessing the Change Healthcare Cyber Attack 
and What's Next,'' Subcommittee on Oversight and Investigations of 
the Committee on Energy and Commerce, Hearing Before the Committee 
on Finance (May 1, 2024), <a href="https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next">https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next</a>. Change Healthcare filed its breach report 
with the Department on July 19, 2024. ``Breach Portal: Notice to the 
Secretary of HHS Breach of Unsecured Protected Health Information,'' 
supra note 10. Change Healthcare's breach report currently 
identifies 100 million individuals as the ``approximate number of 
individuals affected.'' <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf">https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf</a>. However, Change Healthcare is still determining 
the number of individuals affected. The posting on the HHS Breach 
Portal will be amended if Change Healthcare updates the total number 
of individuals affected by this breach. ``Change Healthcare 
Cybersecurity Incident Frequently Asked Questions,'' Office for 
Civil Rights, U.S. Department of Health and Human Services, <a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html">https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html</a>.
---------------------------------------------------------------------------

    In 2023, the Federal Bureau of Investigation's internet Crime 
Complaint Center received almost 250 reports of ransomware affecting 
the Healthcare and Public Health sector, the most of any of the 16 
identified infrastructure sectors.\215\ The Healthcare and Public 
Health sector has been the most targeted critical infrastructure sector 
since at least as far back as 2015.\216\ Between 2015 and 2019, 
cyberattacks on health care organizations increased by 125 
percent.\217\ And between 2022 and 2023, ransomware attacks against the 
U.S. health care sector increased 128 percent.\218\
---------------------------------------------------------------------------

    \215\ ``internet Crime Report,'' internet Crime Complaint 
Center, Federal Bureau of Investigation, p. 13 (2023), <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf">https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf</a>.
    \216\ ``Report on Improving Cybersecurity In The Health Care 
Industry,'' supra note 117, p. 16.
    \217\ Chon Abraham, et al., ``Muddling through cybersecurity: 
Insights from the U.S. healthcare industry,'' supra note 116, p. 
539-548, 540.
    \218\ ``Ransomware Attacks Surge in 2023; Attacks on Healthcare 
Sector Nearly Double,'' The Cyber Threat Intelligence Integration 
Center, Office of the Director of National Intelligence (Feb. 28, 
2024), <a href="https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf">https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf</a>.
---------------------------------------------------------------------------

    Many people, including regulated entities, inaccurately believe 
that only large regulated entities that maintain electronic records 
about millions of individuals are likely to face a cyberattack, and 
thus that it is less important for smaller regulated entities to invest 
resources in cybersecurity.\219\ In fact, smaller regulated entities 
may also be the target of, or adversely affected by, cybercrime, partly 
because of the interconnectedness of health care and partly because 
they are less likely to have invested in cybersecurity, making them 
easier targets.\220\
---------------------------------------------------------------------------

    \219\ ``Report on Improving Cybersecurity In The Health Care 
Industry,'' supra note 117, p. 14.
    \220\ Id.
---------------------------------------------------------------------------

    As explained in a recent national security memorandum, 
cybercriminals are targeting critical infrastructure (i.e., the 
physical and virtual assets and systems so vital to the Nation that 
their incapacity or destruction would have a debilitating impact on 
national security, national economic security, or national public 
health or safety), and their activities may be tolerated or enabled by 
other countries.\221\ Thus, it is essential that the Department and 
regulated entities take steps to safeguard health care infrastructure 
and ePHI.
---------------------------------------------------------------------------

    \221\ Presidential Memorandum on National Security Memorandum on 
Critical Infrastructure Security and Resilience, supra note 11.
---------------------------------------------------------------------------

    External actors are not the only, or even the greatest, threat to 
the security of ePHI. According to a recent study, insiders were the 
second leading cause of breaches in the health care sector in 2023, 
exceeded only by ``miscellaneous errors,'' such as misdelivery.\222\ 
For example, a recent settlement resolved an OCR investigation 
involving the theft and sale of the ePHI of more than 12,000 patients 
by an employee of a large health care system.\223\ In another example, 
security guards at a large health care provider were alleged to have 
used their login credentials to inappropriately access ePHI.\224\ Thus, 
it is critical that regulated entities improve their cybersecurity 
posture to protect not only against external threats but also

[[Page 914]]

internal ones, and both intentional and accidental breaches.
---------------------------------------------------------------------------

    \222\ ``2024 Data Breach Investigations Report: Healthcare 
Snapshot,'' Verizon Business, p. 12 (May 1, 2024) (The report 
describes misdelivery as sending information to the wrong recipient, 
whether by electronic or physical means), <a href="https://www.verizon.com/business/resources/reports/dbir/2024/industries-intro/healthcare-data-breaches/">https://www.verizon.com/business/resources/reports/dbir/2024/industries-intro/healthcare-data-breaches/</a>.
    \223\ Press release, ``HHS' Office for Civil Rights Settles 
Malicious Insider Cybersecurity Investigation for $4.75 Million,'' 
Office for Civil Rights, U.S. Department of Health and Human 
Services (Feb. 6, 2024), <a href="https://www.hhs.gov/about/news/2024/02/06/hhs-office-civil-rights-settles-malicious-insider-cybersecurity-investigation.html">https://www.hhs.gov/about/news/2024/02/06/hhs-office-civil-rights-settles-malicious-insider-cybersecurity-investigation.html</a>.
    \224\ Press release, ``Snooping in Medical Records by Hospital 
Security Guards Leads to $240,000 HIPAA Settlement,'' Office for 
Civil Rights, U.S. Department of Health and Human Services (June 15, 
2023), <a href="https://www.hhs.gov/about/news/2023/06/15/snooping-medical-records-by-hospital-security-guards-leads-240-000-hipaa-settlement.html">https://www.hhs.gov/about/news/2023/06/15/snooping-medical-records-by-hospital-security-guards-leads-240-000-hipaa-settlement.html</a>.
---------------------------------------------------------------------------

    Emergencies or other occurrences can affect the security of ePHI 
without an intentional act. For example, in 2024, CrowdStrike released 
a defective update for its software on computers running Microsoft 
Windows.\225\ This update affected the ability of regulated entities to 
access the ePHI of millions of individuals for varying periods of time. 
During this time, ePHI was unavailable, meaning that one of the key 
prongs of the security triad of confidentiality, integrity, and 
availability was affected.\226\ Because of the increased digitization 
of PHI, it is, for example, essential that covered health care 
providers engage in thoughtful contingency planning that considers how 
they will proceed in the event that they are unable to access ePHI in 
their EHRs. Additionally, threat actors will often seek to take 
advantage of such incidents. As reported by a large subcontractor of a 
business associate, less than a week after the outage, the company 
``observed threat actors leveraging the event to distribute'' 
ransomware.\227\ The environment in which health care is delivered, the 
way in which it is delivered, and the manner in which related 
information is collected all mean that regulated entities must consider 
a different approach to operational continuity and resiliency in the 
face of such challenges. Additionally, they must be wary of the 
potential for bad actors to attempt to take advantage of such events.
---------------------------------------------------------------------------

    \225\ ``Remediation and Guidance Hub: Falcon Content Update for 
Windows Hosts,'' CrowdStrike, <a href="https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/">https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/</a>.
    \226\ See ``Data Integrity: Detecting and Responding to 
Ransomware and Other Destructive Events,'' NIST Special Publication 
1800-26A, National Institute of Standards and Technology, U.S. 
Department of Commerce, p. 1 (Dec. 2020), <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-26.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-26.pdf</a>.
    \227\ ``Likely eCrime Actor Uses Filenames Capitalizing on July 
19, 2024, Falcon Sensor Content Issues in Operation Targeting LATAM-
Based CrowdStrike Customers,'' CrowdStrike Blog (July 20, 2024), 
<a href="https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/">https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/</a>.
---------------------------------------------------------------------------

C. Regulated Entities' Compliance With the Requirements of the Security 
Rule Is Inconsistent

    Despite the proliferation of cybersecurity standards, guidelines, 
best practices, methodologies, procedures, and processes and the 
documented increase in unauthorized uses and disclosures of ePHI, many 
regulated entities have been slow to strengthen their security measures 
to protect ePHI and their information systems that create, receive, 
maintain, or transmit it in this new environment.\228\ Among the 
reasons for this are the rapid pace of EHR adoption and digitization of 
health care, increased connectivity and use of cloud-based 
infrastructures, limited competition and a stable customer base, 
limited operating margins, and a failure to invest in cybersecurity 
infrastructure.\229\ For example, regulated entities continue to rely 
on legacy systems and software that are unsupported by manufacturers, 
which means that the manufacturers no longer provide security patches 
or other updates to address security threats and vulnerabilities.\230\ 
In a 2021 survey of health care cybersecurity professionals, 73 percent 
reported having legacy operating systems.\231\ This apparent lack of 
urgency in adopting new, supported operating systems has serious 
implications for the confidentiality, integrity, and availability of 
ePHI.
---------------------------------------------------------------------------

    \228\ Letter from NCVHS Chair Jacki Monson (2023), supra note 
123, p. 2 (explaining that NCVHS conducted an inquiry into whether 
compliance with the Security Rule had improved since the Department 
released the results of its 2016-2017 audit of selected provisions 
of the Security Rule and found that ``not much had changed''); 
``Muddling through cybersecurity: Insights from the U.S. healthcare 
industry,'' supra note 116, p. 540 (``There is enough evidence to 
suggest that U.S. healthcare organizations lack a deliberate, 
organized, and comprehensive cyber-resilience strategy.'').
    \229\ See Susan Kiser, et al., ``Ransomware: Healthcare Industry 
at Risk,'' Journal of Business and Accounting, p. 65-66 (Fall 2021); 
Meghan Hufstader Gabriel, ``Data Breach Locations, Types, and 
Associated Characteristics Among US Hospitals,'' American Journal of 
Managed Care, p. 78 (Feb. 2018); ``Is the HIPAA Security Rule Enough 
to Protect Electronic Personal Health Information (PHI) in the Cyber 
Age?'' supra note 207, p. 20-23.
    \230\ Chris Hayhurst, ``On Guard: Staying Vigilant Against 
Medical Device Vulnerabilities,'' Biomedical Instrumentation & 
Technology, Volume 54, Issue 3, p. 169 (May/June 2020); ``Report on 
Improving Cybersecurity In The Health Care Industry,'' supra note 
117, p. 2.
    \231\ ``2021 HIMSS Healthcare Cybersecurity Survey,'' Healthcare 
Information and Management Systems Society, p. 18 (Jan. 28, 2022), 
<a href="https://www.himss.org/sites/hde/files/media/file/2022/01/28/2021_himss_cybersecurity_survey.pdf">https://www.himss.org/sites/hde/files/media/file/2022/01/28/2021_himss_cybersecurity_survey.pdf</a>.
---------------------------------------------------------------------------

    In addition, many regulated entities fail to invest adequate 
resources in cybersecurity. Far too many regulated entities do not view 
cybersecurity as a necessary component of their operations that allows 
them to fulfill their health care missions. Anecdotal evidence suggests 
that senior management often lacks awareness of cybersecurity, 
including both threats and methods for protecting against such 
threats.\232\ ``A lack of maturity and effectiveness of the 
[information technology] function is evident when healthcare 
organizations fail to maintain a current inventory of sensitive and 
valuable data and where those reside.'' \233\ While maintaining an 
accurate and thorough inventory of technology assets is not currently 
an explicit requirement of the Security Rule, it is clearly a 
fundamental component of conducting a risk analysis and many of the 
other existing requirements.\234\ And yet, based on the Department's 
experience, many regulated entities are not maintaining such an 
inventory. At least in part because of senior management's lack of 
cybersecurity awareness, many fail to invest or fail to invest 
appropriately in cybersecurity infrastructure.\235\ Given the 
vulnerability of ePHI and the information systems of regulated entities 
and the potential effects of cyberattacks on patient safety and the 
delivery of health care, it is important that regulated entities 
prioritize such investments.\236\
---------------------------------------------------------------------------

    \232\ ``Muddling through cybersecurity: Insights from the U.S. 
healthcare industry,'' supra note 116, p. 543.
    \233\ Id. at 542.
    \234\ See 68 FR 8334, 8352 (Feb. 20, 2003). In the preamble to 
the 2003 Security Rule, the Department explained that it had 
determined that an inventory requirement was unnecessary because it 
is redundant of other requirements. We assumed that covered entities 
(and later all regulated entities) would have performed this 
activity by virtue of having implemented the security measures 
required under the security management process standard.
    \235\ ``Muddling through cybersecurity: Insights from the U.S. 
healthcare industry,'' supra note 116, p. 542-543.
    \236\ Eric C. Reese, ``Healthcare's cybersecurity stakes reach 
alarming levels,'' Health Facilities Management Magazine, Volume 76, 
Issue 8, p. 22 (Nov. 2022).
---------------------------------------------------------------------------

    The security of ePHI also is at risk because, despite our 
explanation of the Security Rule's structure in 2003,\237\ regulated 
entities are not fully complying with the standards and implementation 
specifications. From 2016 to 2017, the Department conducted audits of 
166 covered entities and 41 business associates regarding compliance 
with selected provisions of the HIPAA Rules, including the required 
implementation specifications for risk analysis \238\ and risk 
management.\239\ The Department found that most regulated entities 
failed to implement the Security Rule requirements for risk analysis 
and risk management, requirements that are fundamental to protecting 
the confidentiality, integrity, and availability of ePHI.\240\ While 
most of the audited business associates reported not having experienced 
any breaches of unsecured PHI, we found that those that

[[Page 915]]

had experienced a breach generally engaged in minimal or negligible 
efforts to address the risk analysis and risk management 
requirements.\241\ According to the report, at that time only 14 
percent of covered entities and 17 percent of business associates were 
``substantially fulfilling their regulatory responsibilities to 
safeguard ePHI they [held] through risk analysis activities,'' \242\ 
while 94 percent of covered entities and 88 percent of business 
associates ``failed to implement appropriate risk management activities 
sufficient to reduce risks and vulnerabilities to a reasonable and 
appropriate level.'' \243\ The report specifically noted that the audit 
results were consistent with the findings of OCR's compliance reviews 
and complaint investigations.\244\
---------------------------------------------------------------------------

    \237\ 68 FR 8334, 8343 (Feb. 20, 2003).
    \238\ 45 CFR 164.308(a)(1)(ii)(A).
    \239\ 45 CFR 164.308(a)(1)(ii)(B); ``2016-2017 HIPAA Audits 
Industry Report,'' supra note 121, p. 4.
    \240\ ``2016-2017 HIPAA Audits Industry Report,'' supra note 
121, p. 4.
    \241\ Id. at 11.
    \242\ Id. at 27.
    \243\ Id. at 30.
    \244\ Id. at 27 and 30.
---------------------------------------------------------------------------

    Recent enforcement actions provide evidence that the results of the 
2016-2017 audits were not isolated cases. In 2023, OCR entered into 
seven resolution agreements with regulated entities after 
investigations indicated that they had potentially violated the 
Security Rule, constituting almost half of the total resolution 
agreements OCR entered into that year.\245\ In each case, OCR's 
investigation found evidence of multiple potential violations. For 
example, in one case, a regulated entity did not detect an intrusion 
into its network until 20 months later when its files were encrypted 
with ransomware.\246\ OCR's investigation found evidence of potential 
failures of the regulated entity to conduct a risk analysis or to 
sufficiently monitor information system activity. OCR also found 
evidence that the regulated entity may not have had policies and 
procedures in place to implement the requirements of the Security Rule 
to protect the confidentiality, integrity, and availability of 
ePHI.\247\
---------------------------------------------------------------------------

    \245\ See ``OCR News Releases & Bulletins,'' Office for Civil 
Rights, U.S. Department of Health and Human Services, <a href="https://www.hhs.gov/ocr/newsroom/index.html">https://www.hhs.gov/ocr/newsroom/index.html</a>.
    \246\ See Resolution Agreement, ``Doctors' Management Services, 
Inc.,'' Office for Civil Rights, U.S. Department of Health and Human 
Services (Oct. 31, 2023), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/dms-ra-cap/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/dms-ra-cap/index.html</a>; Press Release, ``HHS' Office for Civil Rights Settles 
Ransomware Cyber-Attack Investigation,'' Office for Civil Rights, 
U.S. Department of Health and Human Services (Oct. 31, 2023), 
<a href="https://www.hhs.gov/about/news/2023/10/31/hhs-office-civil-rights-settles-ransomware-cyber-attack-investigation.html">https://www.hhs.gov/about/news/2023/10/31/hhs-office-civil-rights-settles-ransomware-cyber-attack-investigation.html</a>; see also 
``Breach Portal: Notice to the Secretary of HHS Breach of Unsecured 
Protected Health Information,'' supra note 10.
    \247\ ``HHS' Office for Civil Rights Settles Ransomware Cyber-
Attack Investigation,'' supra note 246.
---------------------------------------------------------------------------

    As another example, an OCR investigation of a large health care 
system found indications of multiple potential violations of the 
Security Rule, including failures by the regulated entity to conduct a 
risk analysis, monitor and safeguard its electronic information 
systems, and implement policies and procedures to record and examine 
activity in its electronic information systems containing ePHI.\248\ 
The regulated entity was not only unable to prevent the cyberattack, 
but it was unaware the attack had occurred until two years later. This 
is despite the long-standing requirements of the Security Rule and the 
obligations imposed on regulated entities for risk analysis and risk 
management.
---------------------------------------------------------------------------

    \248\ See Resolution Agreement, ``Montefiore Medical Center,'' 
Office for Civil Rights, U.S. Department of Health and Human 
Services (Nov. 17, 2023), <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/montiefore/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/montiefore/index.html</a>; ``HHS' Office for Civil Rights Settles Malicious Insider 
Cybersecurity Investigation for $4.75 Million,'' supra note 223.
---------------------------------------------------------------------------

    Despite the long-standing nature of the Security Rule and the 
proliferation of guidance documents from NIST, the Department, CISA, 
FTC, and others, regulated entities continue to fail to implement 
reasonable and appropriate security measures as required by the 
Security Rule.\249\ For example, the Security Rule and NIST guidance 
have addressed encryption for data in transit and at rest for many 
years.\250\ And yet, in the 2021 survey of health care cybersecurity 
professionals, only half of the respondents reported having implemented 
encryption for data in transit across the enterprise.\251\ Similarly, 
according to its CEO, a large covered entity failed to deploy multi-
factor authentication (MFA) throughout its enterprise and experienced a 
significant breach.\252\ If this is accurate, it would run counter to 
long-standing provisions in both the Security Rule and NIST guidance; 
the Security Rule has required the implementation of appropriate access 
controls since 2003 and NIST recommends similar controls.\253\
---------------------------------------------------------------------------

    \249\ ``Muddling through cybersecurity: Insights from the U.S. 
healthcare industry,'' supra note 116, p. 541; ``Start with 
Security: A Guide for Business,'' supra note 17.
    \250\ See 45 CFR 164.312(a)(1) and (e)(1); PR.DS-1 and 2, 
``Framework for Improving Critical Infrastructure Cybersecurity,'' 
Cybersecurity Framework (CSF) Version 1.1, National Institute of 
Standards and Technology, U.S. Department of Commerce (Apr. 16, 
2018), <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</a>; PR.DS-01 and 02, ``The NIST Cybersecurity 
Framework (CSF) 2.0,'' supra note 15.
    \251\ ``2021 HIMSS Healthcare Cybersecurity Survey,'' supra note 
231, p. 23.
    \252\ See ``Hacking America's Health Care: Assessing the Change 
Healthcare Cyber Attack and What's Next,'' supra note 214 (According 
to CEO Andrew Witty, intruders used compromised credentials to 
remotely access an application used to enable remote access to 
desktops, which did not have MFA.). The Department's investigation 
into the Change Healthcare breach is ongoing, and no conclusion has 
been reached with respect to its cause or whether Change Healthcare 
was in violation of the Security Rule.
    \253\ 45 CFR 164.308(a)(4)(ii)(B) and 164.312(a)(1); ``The NIST 
Cybersecurity Framework (CSF) 2.0,'' supra note 15; ``Framework for 
Improving Critical Infrastructure Cybersecurity,'' supra note 250.
---------------------------------------------------------------------------

    As another example, based on OCR's investigation experience, some 
regulated entities are not developing and implementing compliant 
response plans for security incidents, including those that are 
breaches of unsecured ePHI under the Breach Notification Rule. Section 
164.308(a)(6)(i) establishes the standard that requires regulated 
entities to implement policies and procedures to address security 
incidents, while 45 CFR 164.308(a)(6)(ii) includes the implementation 
specifications for that standard. This requirement, included in the 
2003 Final Rule, aligns with the NIST Cybersecurity Framework version 
2.0 requirement for incident management.\254\ Similarly, NIST 
Cybersecurity Framework version 1.1 recommended the execution and 
maintenance of response processes and procedures to ensure response to 
detected cybersecurity incidents.\255\ And yet, when OCR investigates 
the circumstances surrounding breach reports, OCR continues to find 
evidence that regulated entities have not implemented policies and 
procedures to detect and respond to security incidents, leading to 
significant time lapses between a ``successful'' security incident 
\256\ and discovery of, and response to, the security incident.\257\ 
Thus, based on the OCR's experience investigating and enforcing the 
Security Rule, the Department believes that many regulated entities 
would benefit from additional instruction in regulatory text regarding 
their compliance obligations to determine how to select security

[[Page 916]]

measures that are reasonable and appropriate for their circumstances.
---------------------------------------------------------------------------

    \254\ RS.MA, ``The NIST Cybersecurity Framework (CSF) 2.0,'' 
supra note 15.
    \255\ PR.IP-9, ``Framework for Improving Critical Infrastructure 
Cybersecurity,'' supra note 250.
    \256\ 45 CFR 164.304 (definition of ``Security incident''). The 
definition of security incident includes both attempted and 
successful incidents. A successful incident is one in which a threat 
actor is able to, without authorization, access, use, disclose, 
modify, or destroy information or interfere with system operations 
in an information system.
    \257\ See, e.g., ``Montefiore Medical Center,'' supra note 248.
---------------------------------------------------------------------------

    We are also concerned that recent caselaw has not accurately set 
forth the steps regulated entities must take to adequately protect the 
confidentiality, integrity, and availability of ePHI, as required by 
the statute. Specifically, in the University of Texas M.D. Anderson 
Cancer Center v. HHS (``M.D. Anderson''), the U.S. Court of Appeals for 
the Fifth Circuit held, among other things, that the Security Rule does 
not say anything about how effective a mechanism for encryption must 
be, nor does it require that an encryption mechanism provide 
``bulletproof protection'' of all systems containing ePHI.\258\ Thus, 
under the court's interpretation, a regulated entity can meet its 
obligations under the Security Rule concerning encryption and 
decryption of ePHI by implementing a mechanism to do so, without regard 
for the effectiveness of the implementation.\259\ Additionally, the 
court noted that the requirement for ``a mechanism'' does not 
``prohibit a [regulated] entity from creating `a mechanism' by 
directing employees to sign an [agreement] that requires the encryption 
of portable devices.'' \260\ While the Department disagrees with the 
court's interpretation that merely requiring employees to sign an 
agreement to encrypt portable devices is sufficient to comply with its 
Security Rule obligations to implement a mechanism to encrypt and 
decrypt ePHI, the Department believes that additional clarity is 
warranted to ensure that regulated entities understand their obligation 
to have encryption mechanisms in place and deployed throughout the 
regulated entity's enterprise to ensure the confidentiality, integrity, 
and availability of ePHI.
---------------------------------------------------------------------------

    \258\ University of Texas M.D. Anderson Cancer Center v. U.S. 
Department of Health and Human Services, 985 F.3d 472, 478 (5th Cir. 
2021).
    \259\ Id.
    \260\ Id.
---------------------------------------------------------------------------

    Several technical safeguards currently require regulated entities 
to implement a ``mechanism'' as part of complying with the associated 
standard. Given that written policies and procedures alone are 
insufficient to protect ePHI, and the misinterpretation of what it 
means to implement a mechanism also could lead to inadequate protection 
of ePHI, the Department believes that the Security Rule must be 
revised, consistent with its statutory mandate, as discussed in greater 
detail above.

D. It Is Reasonable and Appropriate To Strengthen the Security Rule To 
Address the Changes in the Health Care Environment and Clarify the 
Compliance Obligations of Regulated Entities

1. Congress and the Department Anticipated That Security Standards 
Safeguards Would Evolve To Address Changes in the Health Care 
Environment
    By requiring that regulated entities maintain reasonable and 
appropriate safeguards to protect against reasonably anticipated 
threats or hazards or unauthorized uses or disclosures of ePHI, 
Congress clearly anticipated that the administrative, physical, and 
technical safeguards implemented to protect the security of ePHI would 
need to change in response to changes in the environment in which 
health care is provided.\261\ As the health care environment and the 
operations of regulated entities evolve, so must the protections for 
ePHI and the information systems used to create, receive, maintain, or 
transmit it. For example, regulated entities must be expected to adopt 
safeguards that address new risks to the security of ePHI, such as 
those posed by maintaining ePHI in the cloud; the connection of medical 
devices and other technology to networks; and the connection of 
information systems used to create, receive, maintain, or transmit ePHI 
to the same networks as those that do not perform such activities. After 
all, it is reasonable to anticipate that there will be new threats or 
hazards to ePHI or efforts by unauthorized persons to use or disclose 
such ePHI in an increasingly connected environment.
---------------------------------------------------------------------------

    \261\ Sec. 1173(d)(2)(B) of Pub. L. 104-191, 110 Stat. 2026 
(Aug. 21, 1996) (codified at 42 U.S.C. 1320d-2).
---------------------------------------------------------------------------

    By design, the Security Rule sets a national floor for the security 
measures that regulated entities are required to implement to protect 
the confidentiality, integrity, and availability of ePHI. In 2003, the 
Department opted to frame the standards in terms that were as generic 
as possible and in a manner that enabled the standards to be met 
through various approaches or technologies to ensure that regulated 
entities had the flexibility to determine how best to protect the 
confidentiality, integrity, and availability of ePHI based on their 
specific circumstances.\262\ When we extended the Security Rule in 2013 
to directly apply to business associates in accordance with the HITECH 
Act,\263\ the Department acknowledged that some business associates 
might not have engaged in the formal administrative safeguards required 
by the Security Rule, and we made it clear that business associates 
would be expected to do so going forward.\264\ Despite the changes in 
the health care environment between 2003 and 2013, the Department made 
minimal changes to the Security Rule at that time because we believed 
that the compliance obligations of regulated entities were clear and 
well-understood. In fact, when a commenter recommended that the 
Department remove the ``addressable'' designation from the Security 
Rule because it leads to ambiguity in the rule's application, we 
declined to do so at that time because we were concerned that it would 
reduce the rule's scalability and flexibility.\265\ However, as we 
noted in 2003, the rule's flexibility of approach is primarily provided 
for in paragraph (b)(2) of 45 CFR 164.306 and in the standards 
themselves.\266\ The addressability feature merely provided an added 
level of flexibility \267\ in a way that the Department now believes is 
inadequate to ensure that regulated entities implement reasonable and 
appropriate security safeguards.
---------------------------------------------------------------------------

    \262\ 68 FR 8334, 8336 (Feb. 20, 2003).
    \263\ 42 U.S.C. 17931(a); 78 FR 5566 (Jan. 25, 2013).
    \264\ 78 FR 5566 (Jan. 25, 2013).
    \265\ Id. at 5591.
    \266\ See 68 FR 8334, 8341 (Feb. 20, 2003).
    \267\ Id. at 8344.
---------------------------------------------------------------------------

    Changes to the health care environment and the operations of 
regulated entities have increased the importance of implementing strong 
security measures to protect ePHI and the information systems that 
create, receive, maintain, or transmit it. While we recognize the 
burdens posed by such implementation on regulated entities, there is 
also a clearly documented increase in the number of breaches of 
unsecured PHI and instances of cybercriminals accessing ePHI without 
authorization at regulated entities. The changes to the health care 
environment, including the increase in breaches and cyberattacks, and 
operations of regulated entities have made it increasingly likely that 
unauthorized persons will seek to obtain ePHI and disrupt the U.S. 
health care system. Additionally, the clearly documented failure of 
regulated entities to fully implement the policies and procedures 
required by the Security Rule and apply the required security measures 
throughout their operations has caused the Department to question 
whether the existing Security Rule should be revised to clarify and 
strengthen the obligations of regulated entities and revisit our

[[Page 917]]

decision from 2013.\268\ In many cases involving a breach of ePHI that 
OCR has investigated, a breach may not have occurred, or would have 
been less widespread and disruptive, had the regulated entities fully 
implemented the provisions of the Security Rule.\269\
---------------------------------------------------------------------------

    \268\ See ``2016-2017 HIPAA Audits Industry Report,'' supra note 
121, p. 4 (``[M]ost covered entities failed to meet the requirements 
for other selected provisions in the audit, such as adequately 
safeguarding protected health information (PHI) [. . .] OCR also 
found that most covered entities and business associates failed to 
implement the HIPAA Security Rule requirements for risk analysis and 
risk management.''); ``Enforcement Highlights,'' Office for Civil 
Rights, U.S. Department of Health and Human Services, <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html</a>.
    \269\ See, e.g., ``Montefiore Medical Center,'' supra note 248; 
``Doctors' Management Services, Inc.,'' supra note 246.
---------------------------------------------------------------------------

2. NCVHS Believes That the Security Standards Evolve To Address Changes 
in the Health Care Environment
    The Department is not alone in believing that the Security Rule 
should be strengthened to address concerns about whether regulated 
entities are sufficiently protecting the confidentiality, integrity, 
and availability of ePHI. An inquiry conducted by NCVHS between July 
2021 and September 2023 reached the same conclusion.\270\ During this 
inquiry, NCVHS listened to the testimony of cybersecurity experts and 
Department officials. The experts and Department officials 
``consistently voiced their concerns about the major increase in 
incidents and, in particular, the widespread lack of robust risk 
analysis on the part of covered entities and business associates that 
would lead to prior planning for, and mitigation of, a range of 
cybersecurity threats.'' \271\ In response to this inquiry and 
consistent with their statutory mandate,\272\ NCVHS transmitted two 
letters to the Secretary with recommendations for improving 
cybersecurity practices in the health care industry, including 
recommendations for modifying the Security Rule.\273\ As part of the 
explanation for its concerns, NCVHS cited a 2021 survey of acute and 
ambulatory care organizations that found only 32 percent of those 
organizations had a comprehensive security program, while only 26 
percent of the long-term and post-acute care facilities met the minimum 
security requirements.\274\ Specifically, NCVHS made the following 
recommendations for improvements to the Security Rule:
---------------------------------------------------------------------------

    \270\ Letter from NCVHS Chair Jacki Monson (2023), supra note 
123, p. 2 (detailing the inquiry undertaken by NCVHS into the scope 
and breadth of security risks and how to best address those 
challenges).
    \271\ Id.
    \272\ See 42 U.S.C. 1320d-1(f).
    \273\ See Letter from NCVHS Chair Jacki Monson (2022), supra 
note 123; Letter from NCVHS Chair Jacki Monson (2023), supra note 
123.
    \274\ See Letter from NCVHS Chair Jacki Monson (2022), supra 
note 123, p. 4 (citing a survey performed by a College of Healthcare 
Information Management Executives (CHIME) as explained at Jill 
McKeon, ``32% of Healthcare Organizations Have a Comprehensive 
Security Program,'' Health IT Security (Nov. 22, 2021), <a href="https://healthitsecurity.com/news/32-of-healthcare-organizations-have-a-comprehensive-securityprogram">https://healthitsecurity.com/news/32-of-healthcare-organizations-have-a-comprehensive-securityprogram</a>).
---------------------------------------------------------------------------

    • Eliminate from the addressable implementation 
specifications the choice not to implement a specification or 
alternative, and instead require regulated entities to implement the 
specification or adopt a documented reasonable alternative.\275\
---------------------------------------------------------------------------

    \275\ See Letter from NCVHS Chair Jacki Monson (2022), supra 
note 123, p. 4; see also Letter from NCVHS Chair Jacki Monson 
(2023), supra note 123, Appendix p. 1.
---------------------------------------------------------------------------

    • Include specific minimum cybersecurity hygiene 
requirements that are reflective of modern industry best practices, 
including designation of a qualified information security official, 
elimination of default passwords, adoption of MFA, institution of 
offline backups, installation of critical patches within a reasonable 
time, and transparency of impact and vulnerability disclosures.\276\
---------------------------------------------------------------------------

    \276\ See Letter from NCVHS Chair Jacki Monson (2022), supra 
note 123, p. 5-10; see also Letter from NCVHS Chair Jacki Monson 
(2023), supra note 123, Appendix p. 2.
---------------------------------------------------------------------------

    • Require that regulated entities implement a security 
program and that they implement standard minimum security 
controls.\277\
---------------------------------------------------------------------------

    \277\ Letter from NCVHS Chair Jacki Monson (2023), supra note 
123, Appendix p. 1-4.
---------------------------------------------------------------------------

    • Require that regulated entities adopt a risk-based 
approach in their security program.\278\
---------------------------------------------------------------------------

    \278\ Id. at Appendix p. 4-5.
---------------------------------------------------------------------------

    • Require that regulated entities perform a risk analysis in 
a manner that conforms with guidance from NIST and CISA.\279\
---------------------------------------------------------------------------

    \279\ Id. at Appendix p. 4-6.
---------------------------------------------------------------------------

    • Define compensating controls more specifically and provide 
a wider range of examples that apply to a greater variety of types of 
entities.\280\
---------------------------------------------------------------------------

    \280\ Id. at Appendix p. 6-7.
---------------------------------------------------------------------------

    • Reinforce the need for regulated entities to account for 
AI systems and data within their risk analysis for all and any new 
technology.\281\
---------------------------------------------------------------------------

    \281\ Id. at Appendix p. 7-8.
---------------------------------------------------------------------------

    • Establish a consistent floor for cyber incident reporting 
and harmonize such requirements with incident reporting provisions 
applicable to health care critical infrastructure actors and health 
care Federal contractors.\282\
---------------------------------------------------------------------------

    \282\ Id. at 9-10.
---------------------------------------------------------------------------

    The Department, in drafting this NPRM, relied on the 
recommendations of NCVHS, OCR's enforcement experience, news reports, 
and our assessment of the environment. Consistent with NCVHS' 
recommendation to revisit the Security Rule's classification of some 
implementation specifications as ``addressable,'' the Department also 
believes that it is appropriate to revisit our decision regarding the 
amount of flexibility regulated entities have in determining reasonable 
and appropriate safeguards, as described above. Based on OCR's 
experience in investigations and audits, we believe that regulated 
entities would benefit from greater specificity in the Security Rule. 
The Department has provided extensive guidance on questions to consider 
when adopting and implementing security measures and ways to comply 
with the Security Rule,\283\ as directed by the HITECH Act. And yet, 
despite this proliferation of guidance, regulated entities continue not 
to comply. For example, despite the explanation in 45 CFR 164.306(d) 
about addressable implementation specifications and the notable changes 
in the environment in which health care is provided, we are concerned 
that some regulated entities proceed as if compliance with an 
addressable implementation specification is optional--and that where 
there is an addressable implementation specification, that compliance 
with the relevant standard is also optional. That interpretation is 
incorrect and weakens the cybersecurity posture of regulated entities. 
We believe that compliance with the implementation specifications 
currently designated as addressable is not--and should not be--
optional, particularly in light of the shift to an interconnected and 
cloud-based environment and a significant increase in the number of 
breaches of unsecured PHI from both internal and external actors, 
regardless of the regulated entity's specific circumstances. Thus, we 
believe that it is necessary to strengthen the Security Rule to reflect 
the changes in the health care environment and the evolution of

[[Page 918]]

technology and to underscore that compliance with all of our proposals, 
if finalized, is required.
---------------------------------------------------------------------------

    \283\ The Department has issued, among other things, a video 
presentation on trends in real world cyberattacks, a cybersecurity 
checklist and infographic, guidance on ransomware, a crosswalk with 
the NIST CSF, and an ongoing series of newsletters on various topics 
pertaining to cybersecurity. See ``Cyber Security Guidance 
Material,'' Office for Civil Rights, U.S. Department of Health and 
Human Services, <a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html">https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html</a>.
---------------------------------------------------------------------------

3. A Strengthened Security Rule Would Continue To Be Flexible and 
Scalable While Providing Regulated Entities With Greater Clarity
    The Security Rule's fundamental flexibility and scalability 
generally would remain should the proposals in this NPRM be adopted. 
However, we are proposing to reduce that flexibility to better 
strengthen protections and address the changed nature of the 
environment in which health care is provided. The Department is also 
proposing in this NPRM to strengthen the Security Rule by providing 
greater clarity regarding the nature of its flexibility and scalability 
and the Department's expectations, as requested by regulated entities 
and other stakeholders. In fact, in response to a request for 
information published in 2022,\284\ several commenters urged the 
Department to propose regulations that establish a single set of clear 
standards for regulated entities, raise the floor for security 
requirements and expectations, and encourage regulated entities to 
safeguard ePHI while maintaining flexibility and scalability. 
Commenters also encouraged the Department to rely on commonly 
available, non-proprietary frameworks that allow regulated entities to 
adopt critical security measures. We believe that our proposals are 
consistent with those recommendations.
---------------------------------------------------------------------------

    \284\ See 87 FR 19833 (Apr. 6, 2022).
---------------------------------------------------------------------------

    Under the proposal, regulated entities would retain the ability to 
determine the security measures that are reasonable and appropriate to 
fulfill the required standards and implementation specifications, 
taking into consideration the factors listed at proposed 45 CFR 
164.306(b)(2). In fact, the NPRM, if adopted as proposed, would add to 
the rule's flexibility and scalability by adding a new factor for 
regulated entities to consider when determining the reasonable and 
appropriate security measures.\285\
---------------------------------------------------------------------------

    \285\ See proposed 45 CFR 164.306(b)(2)(v).
---------------------------------------------------------------------------

    Additionally, if modifications are adopted as proposed, the 
Security Rule would remain flexible and scalable by retaining broad 
standards with which regulated entities could comply in a variety of 
ways. In 2003, the 13 implementation specifications that the Security 
Rule requires were considered so basic that no covered entity could 
effectively protect ePHI without implementing them.\286\ While the 
Department agrees that these implementation specifications remain 
essential, we no longer believe that they are sufficient to address the 
risks to ePHI today. Rather, regulated entities must do more to ensure 
the confidentiality, integrity, and availability of ePHI today because 
of the changes in the environment in which health care is provided, how 
ePHI is maintained, the level of connectivity between information 
systems, and the technological sophistication of bad actors.
---------------------------------------------------------------------------

    \286\ 68 FR 8334, 8336 (Feb. 20, 2003).
---------------------------------------------------------------------------

    We acknowledged in 2003 and again acknowledge here that ``there is 
no such thing as a totally secure system that carries no risks to 
security.'' \287\ We posited at that time that Congress intended to set 
an ``exceptionally high goal for the security of [ePHI],'' while also 
recognizing that securing ePHI did not require that covered entities do 
so without regard for the cost.\288\ However, we also made clear that a 
covered entity is required to implement adequate security measures and 
that cost was but one factor for a covered entity to consider when 
determining what constituted appropriate security measures.\289\ As we 
noted, ``Cost is not meant to free covered entities from this 
responsibility.'' \290\ In the 2013 Omnibus Rule, we further explained 
that ``[regulated entities] have the flexibility to choose security 
measures appropriate for their size, resources, and the nature of the 
security risks they face, enabling them to reasonably implement any 
given Security Rule standard. [. . .] Thus, the costs of implementing 
for [. . .] business associates will be proportional to their size and 
resources.'' \291\ We continue to believe that this is the case. 
Additionally, as discussed above, there is a significant cost 
associated with breaches and unauthorized access--financial, 
reputational (for both the individual and the regulated entity), and 
more. Thus, we believe that the standards and implementation 
specifications that we propose in this NPRM are the minimum that 
regulated entities should be doing to protect the security of ePHI and 
lower the costs associated with breaches and other incidents.
---------------------------------------------------------------------------

    \287\ Id. at 8346.
    \288\ Id. At that time, the Security Rule applied directly only 
to covered entities. As discussed above, Congress later extended the 
application of the Security Rule directly to business associates.
    \289\ 68 FR 8334, 8343 (Feb. 20, 2003).
    \290\ Id.
    \291\ 78 FR 5566, 5589 (Jan. 25, 2013).
---------------------------------------------------------------------------

4. Small and Rural Health Care Providers Must Implement Strong Security 
Measures To Provide Efficient and Effective Health Care
    The statute requires that we consider the ``needs and capabilities 
of small health care providers and rural health care providers (as such 
providers are defined by the Secretary).'' \292\ We recognize that 
small and rural health care providers may have needs and capabilities 
that differ from those of other regulated entities. For example, small 
health care providers and rural health care providers are often located 
at a greater distance from other health care providers.\293\ It may be 
more challenging for them to attract and retain clinicians and 
administrative support staff.\294\ They also face difficulty attracting 
and retaining security experts and must make difficult decisions 
regarding investments in competing priorities.\295\ Often, preparation 
for security incidents or other occurrences that adversely affect the 
confidentiality, integrity, or availability of ePHI is neglected in 
favor of other priorities, putting small and rural health care 
providers at greater risk for such an occurrence.\296\
---------------------------------------------------------------------------

    \292\ 42 U.S.C. 1320d-2(d)(1)(A)(v).
    \293\ See ``Why Health Care is Harder to Access in Rural 
America,'' U.S. Government Accountability Office (May 16, 2023) 
(When local hospitals close in rural areas, residents have to travel 
more than 20 miles further to receive common health care and 40 
miles further to receive less common health care, such as substance 
use disorder treatment. Such rural areas generally have fewer health 
care providers overall.), <a href="https://www.gao.gov/blog/why-health-care-harder-access-rural-america">https://www.gao.gov/blog/why-health-care-harder-access-rural-america</a>.
    \294\ See ``A National Staffing Emergency in Rural Health 
Care,'' American Hospital Association (Dec. 19, 2023), <a href="https://www.aha.org/advancing-health-podcast/2023-12-20-national-staffing-emergency-rural-health-care">https://www.aha.org/advancing-health-podcast/2023-12-20-national-staffing-emergency-rural-health-care</a>.
    \295\ See Debi Primeau, ``How Small Organizations Handle HIPAA 
Compliance,'' Journal of the American Health Information Management 
Association, Volume 88, Issue 4, p. 18-21, 19 (Apr. 2017); Kat 
Jercich, ``Rural hospitals are more vulnerable to cyberattacks--
here's how they can protect themselves,'' Healthcare IT News (Sept. 
8, 2021); see also Tami Lichtenberg, ``Recovering from a 
Cybersecurity Attack and Protecting the Future in Small, Rural 
Health Organizations'' (Oct. 4, 2023), <a href="https://www.ruralhealthinfo.org/rural-monitor/cybersecurity-attacks">https://www.ruralhealthinfo.org/rural-monitor/cybersecurity-attacks</a>.
    \296\ See ``How Small Organizations Handle HIPAA Compliance,'' 
supra note 295, p. 19; ``Rural hospitals are more vulnerable to 
cyberattacks--here's how they can protect themselves,'' supra note 
295.
---------------------------------------------------------------------------

    We continue to believe that it is just as important for small and 
rural health care providers to implement strong security measures as it 
is for larger health care providers and other categories of regulated 
entities. According to experts, ``Cybercriminals go after small 
businesses, especially those in the healthcare industry,

[[Page 919]]

because they are easy targets.'' \297\ In 2017, 93 percent of small 
rural and critical access hospitals and 86 percent of physician offices 
relied on health IT to inform their clinical practice.\298\ And yet, 
small health care providers ar

[…truncated; see source link]
Indexed from Federal Register on January 6, 2025.
