NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers

October 5, 2022

The Health Sector Coordinating Council (HSCC) has urged the National Institute of Standards and Technology (NIST) to provide tailored guidance for smaller and less well-resourced healthcare organizations on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and has made several other recommendations to improve the utility of NIST's draft update to its HIPAA Security Rule implementation guidance.

Background

NIST recently issued a draft update (SP 800-66r2) to its 2008 publication, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and sought feedback from industry stakeholders ahead of publication of the final version of the guidance.

SP 800-66r2 provides guidance for HIPAA-regulated entities on assessing and managing risks to electronic protected health information (ePHI), suggests activities that should be considered as part of an information security program, and lists several useful resources that HIPAA-regulated entities can draw on to implement the requirements of the HIPAA Security Rule.

HSCC is a private sector-led critical infrastructure advisory council of large, medium, and small health industry stakeholders that works with government partners to identify and mitigate threats and vulnerabilities with the potential to affect the sector's ability to deliver healthcare services. HSCC's Cybersecurity Working Group represents 350 healthcare organizations that collaborate on improving the cybersecurity and resiliency of the healthcare industry and on patient safety.

HSCC Recommendations for Improving NIST HIPAA Security Rule Guidance

Improve the Structure to Better Meet the Needs of Smaller Healthcare Organizations

HSCC has made several recommendations for NIST to consider before releasing the final version of its guidance. One of the main issues is that NIST has produced a single document intended for healthcare organizations of all sizes. HSCC suggests this one-size-fits-all approach has left the guidance poorly adapted to smaller healthcare organizations, which are the ones that would benefit most from additional guidance on HIPAA Security Rule compliance.

The problem with the one-size-fits-all approach is that the guidance document, which runs to 139 pages, provides detailed information, but much of it is not relevant to smaller HIPAA-regulated entities. The document does point to resources that can help HIPAA-regulated entities comply with the HIPAA Security Rule, but HSCC notes that too few of them are aimed specifically at smaller healthcare organizations and suggests the listed resources could be better organized to improve the publication's utility.

Stress the Importance of Adopting Recognized Security Practices

HSCC draws attention to its publication Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which was developed under the 405(d) Program and Task Group to help organizations of all sizes manage cyber threats. HICP was designed to be scalable and flexible enough to be used easily by smaller healthcare organizations, without prescribing a single pathway for improving cyber posture. HSCC recommends that NIST reference HICP and other similar resources in its Security Rule guidance.

Now that H.R. 7898 (Public Law 116-321) has been signed into law, HSCC recommends the Security Rule guidance explain how the adoption of recognized security practices benefits healthcare organizations, in the form of shorter compliance audits and reduced fines, together with information on how to implement the security best practices promulgated under section 405(d) of the Cybersecurity Act of 2015 by adopting the NIST Cybersecurity Framework (NIST CSF) and following the recommendations in publications such as HICP.

HSCC also recommends that NIST stress the importance of following cybersecurity best practices, explaining that adopting those practices helps HIPAA-regulated entities comply with the HIPAA Security Rule and with other Federal mandates, and that it helps to ensure business continuity and patient safety. HSCC has further recommended that NIST publish separate guidance for small- and mid-sized healthcare organizations, with more tailored resources that stress the importance of good cyber hygiene.

HSCC also draws attention to the use of the terms 'risk assessment' and 'risk analysis' in the document, which are often treated as synonyms even though NIST defines them separately. To avoid confusion, HSCC recommends that NIST use these terms consistently and clarify when a risk analysis or a risk assessment is required.

Help Small Healthcare Providers Prepare for the End of the COVID-19 PHE

HSCC has also drawn attention to the flexibilities introduced in response to the COVID-19 Public Health Emergency (PHE), specifically the notice of enforcement discretion issued by the HHS Office for Civil Rights (OCR) stating that sanctions and penalties will not be imposed for the good faith use of remote communication technologies to provide telehealth services during the PHE, even where those technologies would not otherwise be considered HIPAA-compliant. HSCC recommends the guidance make clear that, as the PHE winds down, healthcare providers should migrate to more secure methods of communication to better protect patient privacy and reduce cyber incidents.

The post NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers appeared first on HIPAA Journal.