HHS Releases Cybersecurity Guide

On March 8, 2023 the Department of Health and Human Services released a cybersecurity implementation guide for the health care industry—the HPH Sector Cybersecurity Framework Implementation Guide (Guide). The Guide is designed to help prevent cybersecurity incidents and provides steps health care organizations can take to manage and address cyber risks. The Guide is designed to assist health care organizations in assessing current cybersecurity practices and identifying gaps for improvement. The Guide adapts the 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity for health care organizations. According to HHS Chief Information Security Officer La Monte R. Yarborough, “This Framework Implementation Guide joins a growing list of jointly produced resources that are aligned with the NIST framework—allowing organizations of all sizes to implement cybersecurity best practices, protect their patients, and make the sector more resilient.”

Source: The HPH Sector Cybersecurity Framework Implementation Guide

OCR Issues Annual Report on HIPAA Compliance and Breaches

The HHS Office for Civil Rights (OCR) recently issued two reports to Congress addressing HIPAA compliance and reported breaches for 2021. The reports contain data on, among other things, the number of HIPAA cases investigated, areas of non-compliance, and insights into reported breaches. Areas needing improvement with regard to compliance with the Security Rule include risk analysis and risk management; information system activity reviews; audit controls; and access controls. As suspected, the majority of breaches in terms of the number of individuals impacted were related to hacking/IT incidents.

Source: OCR Reports

OCR Issues Bulletin on Online Tracking Technologies

The HHS Office for Civil Rights (OCR) recently issued a bulletin to address the use of online tracking technologies by covered entities and their business associates. Online tracking technologies, like Google Analytics or Meta Pixel, track how internet users interact with a website or mobile application. When used by covered entities or their business associates, the use of such technologies can run afoul of HIPAA. This bulletin provides guidance on remaining compliant with HIPAA when using such technologies. 

Source: The OCR Bulletin

End of the COVID-19 Public Health Emergency

The COVID-19 Public Health Emergency (PHE) will end May 11, 2023, over 3 years since the COVID-19 pandemic began. During the PHE, the Centers for Medicare & Medicaid Services (CMS) and other regulatory agencies eased certain restrictions for health care providers so as to expand access to care during the PHE. Many of these waivers, regulations and guidance announcements relied upon and utilized by health care providers will end following the expiration of the PHE. For health care providers who have relied on a PHE waiver to offer services, it is critical to identify those waivers, confirm the applicable expiration date and take appropriate steps to change current operations to reflect the loss of the waivers and the implementation of the pre-PHE regulations, rules and guidelines.

Source: For additional information on the waivers and the impact of the end of the PHE on those waivers, click here.