HHS Focuses on Cyberattacks, Senators Propose HIPAA Modernization 

Mar 31 2022

Privacy breaches—particularly due to cyberattacks—continue to be a top priority at HHS’s Office of Civil Rights (OCR). Noting increased cyberattacks on healthcare in 2021, the Director of OCR posted a call to HIPAA-covered entities (such as group health plans and business associates) to improve their overall cybersecurity efforts in 2022, providing resources and best practices. 

Simultaneously, OCR issued two reports to Congress summarizing HIPAA enforcement activities and reported protected health information (PHI) breaches in 2020. Hacking and IT incidents (e.g., malware, ransomware, phishing) represented the leading cause of large PHI breaches, just as in the preceding two years. Other highlights from the reports for employer health plan sponsors:

  • OCR received 72 reports of large (impacting at least 500 individuals) health plan breaches affecting over 6 million individuals, and nearly 5,000 reports of smaller health plan breaches affecting close to 40,000 individuals.
  • Between 2016 and 2020, OCR increased its compliance reviews, which are usually initiated because of a breach report, by over 94%.
  • OCR also conducts compliance audits independent of any complaint or breach event. No new audits were initiated in 2020, but OCR is developing criteria for future audits. The results of OCR’s Phase 2 audits were previously reported.

Separately, lawmakers—noting that HIPAA is more than 25 years old—are looking at whether additional tools are needed to protect individual health privacy. In February, Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced the Health Data Use and Privacy Commission Act, with the goal of modernizing health privacy laws. This Act would establish a health and privacy commission to conduct a comprehensive study of many privacy issues, including employers’ practices with respect to employees’ health information, and make recommendations to Congress.

While Congress isn’t likely to tackle major new health privacy legislation in 2022, employers sponsoring group health plans should be actively monitoring their cybersecurity compliance now given the existing risks of cyberattacks and HIPAA enforcement.

On the regulatory front, the National Institute of Standards and Technology (NIST) last year requested public comments in an effort to update its 2008 HIPAA security rule guidance. If this update occurs in 2022, group health plans will likely need to review and update their security policies and procedures and consider conducting a new risk assessment.

More Mercer posts
