In November 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a new enforcement initiative focusing on the requirement under the Health Insurance Portability and Accountability Act of 1996 for covered entities and business associates to conduct accurate and thorough security risk assessments.
With the settlement with BST & Co CPAs LLP, announced on Aug. 18, the OCR is establishing a trend of enforcement actions similar to what was achieved under its Right of Access Initiative announced in 2019.
The risk assessment initiative is something that all covered entities and business associates will need to pay attention to and ensure that their security risk assessments are meeting the expectations of the OCR for being accurate and thorough. This will require an understanding of the legal requirements under HIPAA and a look at all aspects of technology used in the processing of electronic protected health information.
HIPAA establishes requirements for the protection of electronic protected health information through its security and privacy rules.
Under HIPAA, covered entities and business associates are required to ensure the confidentiality, integrity and availability of all electronic protected health information they create, receive, maintain or transmit. They must also protect against reasonably anticipated threats or hazards to the security or integrity of such information.
The HIPAA security rule allows for flexibility in how these standards are met, taking into account factors such as the size, complexity, capabilities, technical infrastructure, costs and potential risks to electronic protected health information. A critical component of these requirements is the encryption of electronic protected health information during electronic transmission to safeguard against unauthorized access or disclosure.
Flexibility of the Security Rule
The security rule establishes standards and implementation specifications for the protection of electronic protected health information. The implementation specifications are split into two categories: required and addressable.
It is easy to understand that required specifications are just that — required — but it is important to clarify that addressable implementation specifications are not optional.
Instead, they provide flexibility for covered entities to implement alternative measures that achieve the same purpose as the addressable specification, provided that such measures are reasonable and appropriate for the entity’s specific circumstances.
When a covered entity determines that an addressable implementation specification is not reasonable and appropriate, it must document the reasons for this determination and implement an alternative measure that accomplishes the intent of the standard. This approach allows entities to tailor their security measures to their size, complexity, capabilities and the nature of the risks to electronic protected health information they face.
Transmission Security
Specifically, Title 45 of the Code of Federal Regulations, Section 164.312(e)(1), requires the implementation of technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted. Encryption is identified as an addressable implementation specification within this section.
Encryption is defined in Section 164.304 as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
This means that covered entities must evaluate whether encryption, or a similar algorithmic process used to transform data, is a reasonable and appropriate safeguard in their specific environment. If deemed reasonable and appropriate, such a process must be implemented.
Alternatively, if not implemented, the entity must document the rationale and implement an equivalent alternative measure to achieve the same intent of the applicable standard. This process is essential for maintaining the confidentiality and integrity of electronic protected health information.
Necessity of encryption in communication chain
The necessity of using encryption to prevent unauthorized disclosures among entities in the communication chain of a transmission is underscored by the requirement to implement technical security measures for transmissions of electronic protected health information.
This is especially true when considering the types of transmissions modern covered entities and business associates conduct as part of their daily operations, such as internal transmissions between locations or information systems, transmissions to external entities, or transmissions to external vendors such as payment processors.
Each transmission will often traverse the networks of multiple entities as part of the communication chain. This can be through an internet service provider, managed security services provider, software-as-a-service vendor, data exchange, transaction processor, or other types of entities before the data gets to the intended recipient.
Some of these transmissions will fall outside of the HIPAA security and privacy rules’ requirements thanks to an exception defined under the HIPAA omnibus final rule referred to as the conduit exception.
To fit under the exception, a fact-based assessment must be conducted to determine if the entity that is aiding in the transmission only has “occasional, random access to protected health information.”
This assessment must look at the data being transmitted in its entirety, including any metadata, to make a proper determination. The conduit exception is very narrowly tailored to account for certain types of service providers such as internet service providers or the postal service or mail couriers.
It is important to note that most data processors have more than random access to electronic protected health information that they process or transmit as necessary to either ensure the security of the information they are processing or to allow for the entity to conduct the service it is providing.
This can be through simple data backup measures or through the technical processing of metadata. Arguably, these transmissions, and the access of the intermediary technology vendors, will have greater than random access to the electronic protected health information contained in the data they process, especially if it is not encrypted.
A good example of this, and one often dealt with by HIPAA privacy officers, is the transmission of electronic protected health information over SMS messages. Often, providers neglect to consider the types of access a telecommunications provider will have to the electronic protected health information contained in these types of messages, which fall outside of the conduit exception.
Transmissions that are encrypted make this assessment and determination easier as technology providers or data processors will not have access to the data unless they have the key to decrypt that data.
Compliance and documentation
Covered entities and business associates must ensure compliance with all applicable requirements of the security rule, including both required and addressable specifications. This involves conducting a thorough risk analysis to identify potential risks and vulnerabilities to electronic protected health information and implementing security measures to mitigate those risks.
When considering electronic transmissions of electronic protected health information, whether information traveling over an internal network or to external partners such as payment processors or cloud service providers, this will require a detailed look at the data being transmitted to ensure that any electronic protected health information transmitted, and any potential access along the communication chain, is accounted for.
This includes both the visible information, and the metadata or machine-readable data associated with many modern data types. This assessment must be a dynamic process that reassesses any previous decisions regarding security measures used to protect electronic protected health information.
Consideration must be given to any new technologies or capabilities of the entity, any changes in potential threats or risks to the electronic protected health information, or any other material changes that could affect the security of the electronic protected health information, both while the covered entity or business associate has direct control over the data and while the data is traveling from the covered entity or business associate to another entity.
Additionally, covered entities and business associates must maintain documentation of their security measures and the rationale for any alternative measures adopted in place of addressable specifications.
It is also important to note that there are some electronic transmissions, such as the acceptance and processing of electronic payments for medical services, that must also comply with other industry standards, such as the Payment Card Industry Data Security Standard.
Compliance with these standards does not guarantee compliance with the security rule and should not be considered a substitute for taking measures to meet information security obligations under HIPAA.
Conclusion
In summary, while the HIPAA security rule provides flexibility through addressable specifications, it mandates that covered entities and business associates either implement these specifications or adopt alternative measures that meet the standards’ intent.
This ensures that all entities, regardless of size or complexity, maintain robust protections for electronic protected health information, including during the entire communication chain involving that information.
Electronic transactions, even if done in compliance with other industry standards such as Payment Card Industry Data Security Standard, must be reviewed to ensure that protected health information included in the transactions is protected as required under the security rule through encryption or similar means.
Only through this cybersecurity review and management process will an entity meet its compliance obligations to conduct accurate and thorough security risk assessments as a HIPAA-covered entity or business associate, and, hopefully, remain out of the crosshairs of the new risk assessment initiative.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.