On Feb. 16, 2024, the HHS Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published the final version of the cybersecurity resource guide Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66, Revision 2; the “Guide”), which addresses compliance with the HIPAA Security Rule.
The Guide provides practical guidance and resources that regulated entities can use to safeguard electronic protected health information (“ePHI”), conduct risk assessments and risk management, and better understand the security concepts discussed in the HIPAA Security Rule.
The HIPAA Security Rule concentrates on safeguarding the confidentiality, integrity, and availability of ePHI. Recognizing that no single compliance approach will work for every regulated entity (i.e., covered healthcare providers, health plans, healthcare clearinghouses, and business associates), the Guide offers several approaches that may be used in whole or in part to improve a regulated entity’s cybersecurity and its compliance with the Security Rule.
Accordingly, the Guide provides guidance for assessing and managing risk to ePHI, identifies typical activities that a regulated entity might consider when implementing an information security program, and lists additional resources that may be useful when implementing the Security Rule.
The Guide contains multiple risk assessment tables and other appendices that explain key considerations, including relevant questions that need to be asked of parties when implementing specifications for and maintaining compliance with the HIPAA Security Rule.
To support regulated entities, the Guide aims to (i) help each regulated entity select security practices and controls that adequately safeguard ePHI; (ii) inform the development of compliance strategies suited to the size and structure of the entity; (iii) provide best-practice guidance for developing and implementing a risk management program; and (iv) help entities create documentation that demonstrates effective compliance with the Security Rule. Beyond compliance with the Security Rule, the Guide stresses the business case for sound cybersecurity practices: avoiding the costly clean-up expenses and serious reputational harm that can follow a cyber event.
Ultimately, a regulated entity should consult the Guide (i) to confirm that its HIPAA Security Rule compliance plan is robust and addresses the necessary considerations, and (ii) when it is asked to justify the decisions it has made with respect to its HIPAA Security Rule compliance.
Learn more at Lamb McErlane.
__________

Vasilios J. (Bill) Kalogredis, Esq. has been advising physicians, dentists, and other healthcare professionals and their businesses as to contractual, regulatory and transactional matters for over 45 years. He is Chairman of Lamb McErlane PC’s Health Law Department.

Sonal Parekh, Esq., is an associate at Lamb McErlane PC who focuses on healthcare transactional matters and a broad range of healthcare regulatory-related issues on behalf of healthcare systems, physicians, dentists, and other healthcare providers, and is a pharmacist by education and training.
__________
*This alert is for educational purposes only and is not intended to be legal advice. Should you require legal advice on this topic or have any questions or concerns, please contact Vasilios J. (Bill) Kalogredis, Esq. or Sonal Parekh, Esq.