New HIPAA Cybersecurity Guidelines

Health Law Alert by Lamb McErlane attorneys: Vasilios J. Kalogredis, Esq. and Sonal Parekh, Esq.

On February 16, 2024, the HHS Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published the final version of the cybersecurity resource guide, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the “Guide”), which addresses compliance with the HIPAA Security Rule.

The Guide provides practical guidance and resources that can be used by regulated entities to safeguard electronic protected health information (“ePHI”), conduct risk assessments and risk management, and better understand the security concepts discussed in the HIPAA Security Rule.

The HIPAA Security Rule concentrates on safeguarding the confidentiality, integrity, and availability of ePHI. Recognizing that no single compliance approach will work for all regulated entities (i.e., covered healthcare providers, health plans, healthcare clearinghouses, and business associates), the Guide provides several approaches that may be used in whole or in part to help improve a regulated entity’s cybersecurity and compliance with the Security Rule. Accordingly, the Guide provides guidance for assessing and managing risk to ePHI, identifies typical activities that a regulated entity might consider when implementing an information security program, and lists additional resources that may be useful when implementing the Security Rule.

The Guide contains multiple risk assessment tables and other appendices that explain key considerations, including the relevant questions parties need to ask, when implementing specifications for, and maintaining compliance with, the HIPAA Security Rule.

To support regulated entities, the Guide aims to: (i) ensure each regulated entity selects security practices and controls that adequately safeguard ePHI; (ii) inform the development of compliance strategies appropriate to the size and structure of an entity; (iii) provide guidance on best practices for developing and implementing a risk management program; and (iv) create appropriate documentation that demonstrates effective compliance with the Security Rule. Beyond compliance with the Security Rule, the Guide stresses the importance, from a business standpoint, of employing cyber practices to avert costly breach clean-up expenses or immense reputational harm resulting from a cyber event.

Ultimately, the Guide should be reviewed (i) to ensure a regulated entity’s HIPAA Security Rule plan is robust and addresses the necessary considerations; and (ii) if a regulated entity is asked to justify decisions made with respect to its HIPAA Security Rule compliance. The Guide can be found here.

If you have any questions regarding HIPAA compliance, please feel free to contact Bill Kalogredis, Esq. or Sonal Parekh, Esq.

Vasilios J. (Bill) Kalogredis, Esq. has been advising physicians, dentists, and other healthcare professionals and their businesses as to contractual, regulatory and transactional matters for over 45 years. He is Chairman of Lamb McErlane PC’s Health Law Department. Bill can be reached by email at bkalogredis@lambmcerlane.com or by phone at 610-701-4402.

Sonal Parekh, Esq., is an associate at Lamb McErlane PC who focuses on healthcare transactional matters and a broad range of healthcare regulatory-related issues on behalf of healthcare systems, physicians, dentists, and other healthcare providers, and is a pharmacist by education and training. Sonal can be reached by email at sparekh@lambmcerlane.com or by phone at 610-701-4416.

*This alert is for educational purposes only and is not intended to be legal advice. Should you require legal advice on this topic or have any questions or concerns, please contact Vasilios J. (Bill) Kalogredis, Esq. or Sonal Parekh, Esq.