Compliance Corner

Federal Updates

HHS Releases 2022 Cybersecurity Newsletter

November 08, 2022

October is National Cybersecurity Awareness Month, and the Department of Health and Human Services (HHS) issued a newsletter to educate stakeholders on the importance of cybersecurity awareness.

Specifically for health insurance plans, cybersecurity awareness falls under the HIPAA Security Rule which covers electronic protected health information (ePHI). PHI is information about a participant’s past, present, or future physical or mental health condition and information about payment for medical care or treatment which could be used to identify the participant. When the information is transmitted or maintained in electronic form, it is known as ePHI and falls under HIPAA’s Security Rule, although entities should also be concerned with HIPAA’s Privacy Rule which regulates the physical security and confidentiality of PHI in all formats.

The HIPAA Security Rule requires covered entities to have documented policies and procedures in place to respond to potential security incidents, including identifying, responding to, mitigating, and documenting security incidents and their outcomes. Employers who sponsor a group health plan have responsibilities under those rules, including identifying a privacy and security officer, conducting risk analysis, training workforce members, maintaining written policies and procedures, and safeguarding protected health information.

The HHS newsletter reminds entities of their obligations to protect ePHI and includes a real-world example: the conclusion of a recent HHS Office for Civil Rights (OCR) investigation. That investigation concerned Oklahoma State University – Center for Health Sciences (OSU-CHS), where a hacker gained unauthorized access to a server containing ePHI, resulting in the disclosure of ePHI belonging to nearly 300,000 individuals. Although OSU-CHS initially reported the breach, the investigation found numerous violations, eventually leading to a monetary settlement of $875,000 and additional corrective action requirements. It is a cautionary tale for other entities about the need to better protect ePHI.

Both the recent settlement news and the HHS newsletter serve as reminders to covered entities that OCR is actively pursuing HIPAA violations, especially those related to data security. Employers should conduct routine risk assessments and review their HIPAA obligations with their advisers and outside counsel when developing a comprehensive strategy for adhering to HIPAA’s privacy, security, and breach response requirements.

Source: HHS, October 2022 OCR Cybersecurity Newsletter