
March 11, 2025 58 mins

On January 6, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking titled “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.” Wes Morris, Senior Director of Consulting Services, Clearwater, speaks with Jennifer Kreick, Partner, Haynes and Boone LLP, and Thomas Tanabe, Associate, Haynes and Boone LLP, about the proposed updates to the HIPAA Security Rule and the practical impacts for health care organizations. They discuss what is driving these proposed updates and issues related to “required” and “addressable” specifications, sanctions, technology asset inventories and network maps, risk analysis, business associates, and costs and timeline related to implementation. Jennifer and Thomas recently authored an AHLA Bulletin on this topic. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):


Speaker 2 (00:04):
Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and

(00:28):
compliance domains, purpose-built software that enables efficient identification and management of cybersecurity and compliance risks, and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 3 (00:53):
Hello, and welcome to this episode of AHLA's Speaking of Health Law podcast. I'm Wes Morris, Senior Director of Consulting Services with Clearwater and your host today. Joining me today are Jennifer Kreick and Thomas Tanabe. Jennifer is a partner at Haynes and Boone and co-chair of the firm's Healthcare and Life Sciences Practice Group. She

(01:16):
delivers practical legal advice and guidance to healthcare providers and other healthcare industry clients in a variety of regulatory and transactional matters. Jennifer regularly counsels clients functioning as covered entities, as well as business associates, on HIPAA-related matters, including compliance, breach response, and regulatory enforcement.

(01:38):
Jennifer is a vice chair of the American Health Law Lawyers, pardon me, vice chair of the American Health Lawyers Association Health Information and Technology Practice Group, and is certified by the Texas Board of Legal Specialization in health law. When she's not practicing law, she's chasing after her two girls, ages two and five. Thomas Tanabe is an

(02:00):
associate with Haynes and Boone in their healthcare transactions and regulatory practice group. His practice focuses on helping clients with health law, sorry, with healthcare regulatory and business transactional matters. He's a member of the American Health Lawyers Association and the Dallas Bar Association's health law section. Outside of

(02:22):
practicing law, Thomas is busy taking care of his two kids under age two. So today our topic is the recently published notice of proposed rulemaking, or NPRM, for the HIPAA Security Rule. To set the stage, the Security Rule was the first one contemplated for publication back in the late

(02:44):
1990s, but was not actually published until 2003, with a compliance date of April 2005, meaning that we are nearing the ... of the compliance in just a few weeks. If we consider the state of technology in the late nineties, and even when the rule was first put into effect in 2005, the

(03:06):
world has changed dramatically in the intervening years. The guiding watchwords that have always been used in the Security Rule, which we've often referred to as being technology agnostic, have been the terms reasonable and appropriate, among some other guiding principles. What was

(03:27):
reasonable and appropriate in 2005 has changed significantly since those days. So, to start us off, welcome Thomas. Welcome, Jennifer. Let's start off with Jennifer on this, because the landscape has changed so much. What's driving

(03:49):
this change? Why now? And what's really driving the Security Rule to be changed at this point in time?

Speaker 4 (03:58):
Wes, that's a great question, and thank you for the background on the history of the Security Rule as well. You know, it's been such a long time. I kind of need a refresher sometimes. I think that there were, and we saw this in the commentary, a lot of different reasons for this update. And this was not a surprise. We

(04:20):
knew that this was coming. HHS had announced it and said sometime in 2024 we would see these updates to the Security Rule. And so, you know, I think, like you pointed out, a lot has changed in the technology world. This is the first major update that we

(04:43):
have seen to the HIPAA Security Rule, a comprehensive update, since 2013, since the Omnibus Rule came out. I know you remember reading through that new rulemaking and that sort of thing. I did as a young attorney. And so, you know, what we've seen is just a change in

(05:04):
technology. I think we've seen a change in the number and seriousness of the breaches and incidents that are affecting the healthcare industry. The healthcare industry is a target for cybersecurity incidents. And that's something that HHS

(05:25):
is really focused on, as well as just, you know, generally their experience with enforcement. And that was something that they pointed to over and over as the need for some of these changes. You know, maybe some of these

(05:47):
requirements were already incorporated or implied, but they were not specifically identified. So, for example, the asset inventory: HHS had commented that that had always been an implied requirement because it's necessary to conduct an effective risk analysis.

(06:10):
But now we see it actually listed specifically as something that is going to be required, or potentially required if this proposed rule goes into effect, down the line. And so, yeah, I think there's a lot of different reasons. I'd be interested in your thoughts too, Wes.

(06:31):
Anything that you've seen in your practice that you think these rules have been trying to address?

Speaker 3 (06:39):
Well, I could probably opine for an hour on that point myself. I'm fortunate enough to have become a privacy officer in 2003 and a security officer in 2005 with the advent of both of these rules, so I've got a long perspective about what has happened. I'm

(07:01):
interested, Thomas, if I could ask you to give some perspective around this. HHS had mentioned way early, back in early 2024, that they were going to publish a rule in 2024 to make changes to the Security Rule, but there was an introductory publication of it right at the

(07:25):
end of December, and the actual rule was published for public comment in January of 2025. What happens from here? Now that it's been published, what goes on with this rule?

Speaker 5 (07:41):
Right. So the current process, as of the date of this recording for this podcast, is that we're currently in the public commenting period. So anyone can go onto HHS's website and provide comments and feedback on the proposed rule. And when HHS goes back to

(08:03):
review those comments, they will incorporate them into any finalized rules that they make. And that comment period is going to end on March 7th, 2025.

Speaker 3 (08:15):
Right. So it may be that by the time our listeners hear this podcast the comment period has closed or is very close to closing at that point. And so what happens once those public comments are all received? What does HHS do with them? Do you know?

Speaker 5 (08:37):
From my understanding, and I'm not privy to HHS's internal policies or procedures, but my understanding is that they will review all of the comments, and when they do come out with a final rule, or if they do, they will address some of those comments in how they've actually decided to finalize the rules. And they will

(08:58):
oftentimes incorporate certain comments or considerations in how they actually go about things.

Speaker 3 (09:07):
Yeah, I've noticed that over the years it has been practice that when a new rule, a final rule, is published, it will contain a preamble and discussion around each of those major considerations, and will tell you whether they accepted or rejected a particular perspective that was offered to

(09:27):
them and why. And I find that to be very useful. I've often felt that there are many people who read a rule and simply act upon the black-letter language of that rule to say, well, this is what they mean, or this is the intent. But it is critical to read those comments and understand

(09:48):
the thinking behind them. Oftentimes, it will change your perspective dramatically. So, excellent. So when we think about the rule, one of the things that I noticed that's happening in this one is removing a distinction between two

(10:09):
different states with certain implementation specifications. Jennifer, would you talk to us a bit about this required versus addressable situation and what they're going for now?

Speaker 4 (10:21):
Yeah, absolutely. So what we saw in the, or what's currently in the rules, is a distinction between addressable and required specifications. And essentially that was removed in this final, in this proposed rulemaking. And the intent behind that is

(10:44):
really just to make clear to covered entities and business associates that these things are not optional. And that's not necessarily a change. I think there was maybe some confusion around the language that was used;

(11:07):
addressable does kind of seem like it could mean optional, but that was really never the case. I mean, there was always a requirement, if you weren't going to be able to meet that specific standard, to document that and use alternative measures, reasonable measures, that sort of thing. But on the flip side, it does potentially

(11:29):
remove some of the flexibility that covered entities and business associates previously had in how they were meeting these requirements. And that's something that I think we're seeing with this proposed rule: it is much more specific. So they

(11:51):
still, HHS is not dictating what specific technology a regulated entity must use, but you still have to meet each of these elements. So for example, encryption with very limited exceptions, multifactor authentication, and

(12:11):
anti-malware, those sorts of things. We have much more specific requirements, and especially with the timing, you know, so that's another element that I think has changed significantly if this rule goes into effect. You know, we see very,

(12:31):
but previously you had requirements around timing that were much more flexible. So you still had to perform a risk analysis, you know, when there's a change in law or a significant change in your systems and that sort of thing. But that doesn't really tell you, well, how often. Now we know the minimum is every 12 months as

(12:54):
well as, you know, when your systems change, and I think in the guidance they specifically reference, you know, if there's an acquisition or merger or some sort of significant change to systems, you know, that's when another one would be required. I think from a practical perspective, what this means

(13:14):
for organizations is that they are going to want to develop timelines and checklists. And really the key here is going to be documentation, because that is how we are going to evidence compliance with these requirements. You know, especially when you have the risk analysis, that might

(13:35):
not be that hard; that's going to be documented in writing anyway, it's got a date on it, that sort of thing. But some of these other timeframes, like reviewing a sanctions policy every 12 months, you'll want to make sure that that review is documented.

Speaker 3 (13:49):
Mm-hmm. Speaking of which, they're talking about moving the sanctions policy to a standard rather than an implementation specification under the security management standard. From here, I'm going to just kind of open the floor for either of you to

(14:12):
answer and give your perspectives about this thing. Why turn sanctions into an actual standard?

Speaker 4 (14:22):
So Wes, I think that's a really great question. And I would also be interested in hearing your, I've got some thoughts on this, but I'd be interested in hearing yours as well. So basically what's happening here is this: having this sanctions policy is one of the standards for

(14:45):
compliance with the rule. And within that, HHS is much more specific about what this means, what a sanctions policy looks like. And so for example, it is going to include written policies and procedures for sanctioning workforce members. It's going to include a review of these policies and

(15:08):
procedures at least every 12 months, and then it's going to actually require appropriate actions against workforce members who fail to comply with security policies and procedures, and to document those sanctions. And that's just much more specific than what we

(15:30):
had before. I think it puts a lot more teeth into your HIPAA compliance program, and I think this is actually going to be a pretty significant change for organizations who maybe had, you know, typically what I see is just a simple one-page kind of policy, or maybe it's even a paragraph around

(15:50):
sanctions for workforce members who violate the HIPAA policies and procedures, as maybe appropriate. Now I think what we're going to see is, this is going to look much more like a typical compliance investigation. And maybe an entity that has a robust compliance program is

(16:12):
not going to see a lot of change here. But, you know, for some of our smaller physician practices and other entities who maybe were not having to document and enforce these policies, it's going to look different.

Speaker 3 (16:29):
Mm-hmm. So you asked if I would throw my perspective into that as well. What I have long seen has been that we do much better, and when I say we, I'm referring to the healthcare industry in general, we do much better with identifying violations of the Privacy Rule

(16:52):
and applying sanctions there. And decent sanctions, or reasonable sanctions, if you will, use a tiered approach. What was the intent? What was the situation, and what was the damage or harm done, in terms of determining what kind of a

(17:15):
sanction is appropriate? Would either of you suggest that that would be an appropriate approach for the Security Rule as well, to use that tiered perspective? Thomas, maybe you have some perspective around that.

Speaker 5 (17:31):
I am, to be honest with you, a little unsure whether they should. I think it would depend on the individual organization and how they set up those structures. And I think it also would depend on, for example, the size of those entities. A lot of the comments regarding all of these new proposed rules relate

(17:53):
to the different sizing of organizations and how they're going to actually implement some of these standards and implementation specifications. And so it will really be up to, and I think an individualized and catered approach to, each entity.

Speaker 3 (18:08):
Okay. That's an excellent perspective and I appreciate that very much. Would you think that the harm or potential harm done would be appropriate to consider as a part of their tiering? Or

(18:32):
would you take more of an approach of what the intent was in terms of that? Because we know that technology can be quite tricky and people get fooled into disclosing information and, you know, clicking on bad links and phishing emails and those kinds of things. So what's your thought around the idea of whether harm should be a

(18:54):
consideration in the application of sanctions with the security world?

Speaker 4 (19:00):
I think that's a really good question, and something that organizations are going to need to consider. I think what's tricky about the Security Rule is you can have, and honestly, I mean, we see a lot of these unintentional violations that potentially could, you know, result in some harm, although you try to mitigate that as much as

(19:23):
possible, right? Yes. So what I'm thinking of, for example, is somebody sends a spreadsheet outside of the organization unintentionally to the wrong email address. And, you know, maybe that wasn't encrypted and it didn't quite follow the policy, or the email address wasn't double-checked, but now you have,

(19:45):
you know, you've got PHI going outside the organization, and it's got, let's say, sensitive health information included. You can take steps to kind of try to mitigate some of that harm. But ultimately you could have a pretty small error,

(20:09):
an unintentional error, that results in the disclosure of a significant amount of information, right? And it gets tricky with the Security Rule as well when we're talking about maybe configurations, or something gets maybe pushed to next quarter in terms of, you know, patching or something like that. Mm-hmm.

(20:31):
And, you know, if that results in harm, you know, there can be a lot of unintentional violations, using the wrong fax number, you know, that sort of thing. Mm-hmm. But I do think the, what is the harm, is an important thing for organizations to consider. I

(20:52):
think also another one that will want to be included or taken into account would be, you know, folks continuously violating policies. And I see that over and over, where you have, you know, the policy is to not remove the PHI, or the policy is

(21:16):
not to send PHI using a personal email address, something like that. And unfortunately you see physicians maybe doing that over and over and over, even after being reminded, that sort of thing. And that can, I think, cause a significant risk for the organization. And so another thing that you're

(21:39):
going to want to take into account is kind of these repeat offenders or repeat violations, even if it's maybe low harm, low risk for that one violation. Is it something that's repeated?

Speaker 3 (21:53):
That's a good point. Yeah. And I think the key point here in all of this is that the entire intent of this section appears to be to give the organization more teeth, and to give sanctions policies and processes more

(22:14):
teeth. And I do want to circle back to one little element there. And that is that under these new requirements, you would have to review that sanctions policy every 12 months. So it can no longer be something that gets written and thrown into a desk drawer and pulled out and wiped off every few years. You're going to have

Speaker 4 (22:37):
That is a very good point, Wes. I think that's the key there. That is a significant change for sure.

Speaker 3 (22:43):
It really is. Yeah. A lot more things like that are moving in the direction of defined timeframes and those kinds of things. And one of the new changes, you mentioned it early on, was the technology asset inventory. We know that to perform risk analysis correctly in the way

(23:07):
that HHS has defined it, you must start by identifying all of your assets that maintain, transmit, process or create protected health information, electronic protected health information. And so in the process of doing that, then, to get to the first real stage of what are

(23:30):
the vulnerabilities and the threats and those kinds of things, you first have to know where all of your information lives. So this change appears to be locking that into an absolute "you will do this," not an implied "you will do this." Would you agree with that?

Speaker 4 (23:48):
Exactly. Yes. No, you're exactly right, Wes. And it is going to be a lot harder than I think it looks on paper. So, you know, theoretically, coming up with a technology asset inventory, a network map, that seems very obvious, and, you know, every organization would

(24:09):
want to do something like that. I think what gets tricky here is, and it should be this way, but the way that the rule is written, your technology asset inventory and network map is not only going to include your own

(24:30):
technology assets, it's going to need to track the movement of PHI into and out of your information systems, you know, whether that goes to the cloud or offshore or something like that, or to a business associate. And that's what I think is going to be so challenging, is that

(24:51):
HHS specifically said here that the technology assets that are used by a business associate could affect the confidentiality, integrity and availability of that electronic PHI. And so it has to be included in the covered entity's network map. And for an organization that has a

(25:13):
lot of business associates, or that is changing regularly, so you have, you know, you're contracting with a new business associate, you know, every six months or so, or even more often than that, that can be a significant, it's going to take significant resources to develop it and to

(25:33):
maintain it. And that was not something that we saw previously specifically required, even if, you know, OCR believes that it was kind of an underlying component of the risk analysis.

Speaker 3 (25:49):
Yeah. When we think about that, you mentioned both sides of this coin, the asset inventory and the network map, but they're different things and they have to function together, correct?

Speaker 4 (26:07):
Yes, absolutely. Yeah. Okay.

Speaker 3 (26:10):
So if the asset, in the way that it's worded, is your item that you operate, you maintain, whatever the case might be, and therefore it's your responsibility to risk-analyze that, the network map, though, could be something that you have to work with your, if I'm understanding

(26:32):
correctly, you have to work with your business associate who is using this asset on their end that may be appropriate for you to include in your network map. So it's no longer a case of, well, where the walls of our building are, that's where our responsibility ends. And then you talk about business associates and the

(26:55):
change to business associate agreements. We're going to circle back on that in a couple of minutes. What risks or concerns do you see with this idea of the BA's network map versus the CE's network map, or even upstream and downstream

(27:16):
BAs? What are some of the risks or concerns that you see around that that will need to be considered by the entities, the regulated entities here?

Speaker 4 (27:28):
Yeah, so I think it's going to take a lot of time to develop. It's going to take resources dedicated to analyzing these issues. I think it's going to be a challenge to link functions that maybe typically fall under kind of the IT side with the operations

(27:53):
side, to know, you know, how PHI is, whether this actually involves PHI and how that is flowing. And I think it's going to take a lot of communications between covered entities and business associates. And unfortunately, I think depending on the business associate, or

(28:15):
even the covered entity, you know, you might find some challenges with those sorts of communications. They might not have a sophisticated HIPAA compliance program or a dedicated security officer that has the type of knowledge that they would need to have in order to

(28:35):
answer questions about the assets and the flow of the information. And so I think it's just going to be very challenging for folks to get this sort of thing mapped effectively.

Speaker 3 (28:53):
Okay. So I want to direct this one to Thomas. I think this question might be very helpful there. We've talked about standards and specifications, and we talked about the security management process, which was always at 164.308(a), right, and (a)(1) was

(29:18):
risk analysis as a specification under that standard. What are they doing with these changes and how is that going to change even the basic layout of the Security Rule? Thomas, do you know?

Speaker 5 (29:33):
Yeah, I think in terms of, you know, the risk analysis as well as the technology asset inventory and the network mapping, I think the intent that HHS is trying to get through with a lot of this is addressing what they've seen recently with cyber attacks as well as breaches. And I think through

(29:54):
their recent audits, as well as addressing some of these breaches, HHS has noticed that a lot of these entities that are not in compliance with HIPAA don't have these strategies implemented properly. And so when they are asked, you know, what segments of your information systems have been touched by

(30:18):
these breaches or by these cyber attacks, it's hard for them to quickly identify those issues. And so I think part of this risk analysis, as well as the technology assets and network mapping, is to have those in place so that entities can quickly address

(30:38):
potential breaches or cyber attacks as they come.

Speaker 3 (30:42):
Mm-hmm. Yeah, it makes sense to me. One of the things that I thought about was that they're talking about making risk analysis, for example, no longer an implementation specification but an actual standard, which means then it becomes far easier for the regulators to give

(31:03):
implementation specifications below that standard and to add and change those things, you know, as they go. Any other perspectives that you may have around that idea of how they're reorganizing the rule before we move on?

Speaker 4 (31:21):
Yeah. So I'll jump in. I think Thomas was pointing out the fact that, you know, OCR has really focused on risk analysis, or the lack of one, in its enforcement actions. It's something that's cited almost every single time. And Thomas pulled up some

(31:45):
kind of data on it. And I think what OCR said is, you know, when they audited covered entities and business associates for compliance with HIPAA, only 14% of covered entities and only 17% of business associates were substantially fulfilling their regulatory responsibilities

(32:06):
through specifically this risk analysis process. And I think to address that issue, what we're seeing with the new risk analysis standard is that they have made very specific requirements for how to conduct this risk analysis. And in some ways, I think that's very helpful,

(32:28):
because what we were seeing in our practice is that most folks get this wrong. So when you ask, let's say you're doing due diligence on a deal, and you ask for a copy of the risk analysis, the HIPAA Security Rule risk analysis, what you get oftentimes looks much more like a kind of gap

(32:51):
assessment, like a very high-level, here's what's missing, here's what's, you know, yes, we've got this policy and procedure, no, we don't have X, Y, Z. And that is not what the risk analysis is really intended to do. And so, you know, we're seeing from OCR very specific guidelines for how to conduct one. And then also, again,

(33:16):
how often, so now you've got this timing requirement here. Wes, I know you all can assist with the risk analysis. What do you see? Yes.

Speaker 3 (33:26):
Yeah. In fact, that's a core function of Clearwater's and has been from the founding of the company in 2009. We look at risk analysis as, there are many ways to define risk, and many ways you can use qualitative or quantitative approaches. You can start

(33:46):
from enterprise level, you can look at business risk. But when we think about risk in the way that it is defined by OCR, you have to start with an asset base. It's got to start from where is my electronic protected health information? If you don't start from that place,

(34:09):
then there is likelihood of missing things. One of the things that we often see is someone using a controls-based approach of starting by defining what the controls are that protect the information, but they haven't defined what information it's protecting, right, or which systems those controls are over. And yes, controls are

(34:31):
critical, but they're like the third step. If you look at OCR's guidance, you know, it starts from 2010, it starts with where are your assets, then it's what are the vulnerabilities, then it's what are the controls, right? And then after that, then you get to what are the threat sources? Or it might be that the threat sources come just above the

(34:54):
controls, but it's all right there. You've got to be examining this from that perspective of a triple: you have an asset that can be exploited and a threat source that can exploit that asset, right? Yes. And if

Speaker 4 (35:09):
You've got that, then you've got to, right, assign the level of risk.

Speaker 3 (35:11):
Yeah. And that then gets you to being able to determine likelihood, impact and what risk really looks like. Yeah, yeah. As you can tell, I don't mean to take away any of your thunder, but I really feel strongly about the asset-based approach. One point I also want to make here is this: we have, for the life

(35:34):
of our organization, followed every investigation or outcome that resulted in a civil money penalty or in a corrective action plan that has been published by OCR. And we have seen over the years very little change in this number.

(35:54):
It's usually somewhere between 89 and 90% of all of the investigations that have as one of their foundational problems lack of a satisfactory risk analysis. That's just crazy, isn't it? 90%.

Speaker 4 (36:12):
It's crazy. 'Cause it's been there for, so it's a requirement. Yes. That's been there for so long.

Speaker 3 (36:16):
Yeah. Right. And, and, and I think the issue is, is taking the wrong approach or not understanding the foundational nature. We, we at Clearwater have always said, your foundation to everything else in the security rule starts from your risk analysis. If you haven't analyzed it, how can you then define where to

(36:37):
put your controls, what safeguards to put in place, whether they're administrative or technical, that's really less of a concern, but any safeguard to put it into place. But I'm taking too much of your time for me to tell you my perspective now. So let, let's, let's kind of talk, uh, uh, let's move on a little bit further. Um, when we, uh, look

(36:58):
at this now, in the past, the, and we've touched on this before, I wanna give an opportunity to think about this a little bit further. In the past, uh, the approach has been periodic or when there is a change to the environment. Now they're saying every 12 months you will, or in response

(37:19):
to, so it could be more often, but there is a unique new change in all of this with when you will do risk analysis. Talk to me about that a little bit. Yes. Around the business associates.

Speaker 4 (37:35):
Oh, the, yeah. So, um, you know, I, I, I think the, what we're seeing with business associates is a lot, and, you know, and, and with the 2013 omnibus rule, business associates became directly responsible for HIPAA compliance. Yes. And, and that was a significant change. What we're seeing with this proposed rule is a, is more

(37:57):
kind of renewed focus on the business associate aspect of the relationship. Um, and you know, I think that's just recognizing the fact that business associates are going to, um, you know, hold and, and maintain and, and have to secure PHI and, and oftentimes that can, um, it, you know,

(38:17):
if it's not done appropriately, it can result in significant, um, harm to, to patients. And so I think OCR is going to, is making, um, business associates more responsible directly and also making covered entities more responsible for their own business associates. So no longer can a covered entity

(38:40):
just enter into a business associate agreement and, you know, hand over their PHI and say, all right, we're done here. You know, we trust you. We're all good. That's not what's going, what you're gonna be able to do with this. If this new proposed, um, rule goes into effect, there are going to be significant, uh, requirements around, um, certifying compliance with the

(39:04):
, uh, security rule, and then the covered entity reviewing those certifications. And that factors into the risk analysis aspect as well. So mm-hmm. Um, you know, that, that's OCR highlighted that as a piece, um, that gets incorporated, the, the review of these business associates' certifications and then a determination of the risk

(39:27):
associated with those business associates. Right.

Speaker 3 (39:31):
And yeah, and, and they said in clear language in there, if I read this correctly, was you must assess the risk of continuing a BA relationship.

Speaker 4 (39:42):
Exactly.

Speaker 3 (39:43):
Uh, after you've reviewed the written verification from the BA. So that's now a part of your risk analysis process. What, what risks does, do, does this relationship create or add to the risk to my ePHI? Because at the end of the day, who is still responsible for

(40:04):
any loss or compromise? It's the covered entity, uh,

Speaker 4 (40:08):
Exactly.

Speaker 3 (40:10):
You know, and not, not the, the, uh, the associate that they give information to. So. Excellent. Um, so we, uh, I, and I think we've touched just a little bit on this, but there is more being required in the business associate area, um, uh, than, than just, uh, the things

(40:32):
we've touched on so far. What are some of the other changes that they are placing into the requirements around business associates?

Speaker 4 (40:41):
So, you know, we mentioned this, uh, certification, um, there's a written analysis aspect of it as well. Um, and, uh, so that's going to require, um, you know, reviewing these technical safeguards and analyzing them and then certifying compliance. Um, and that's gonna need to be done by a subject matter expert of the

(41:05):
business associate. Um, which is, you know, just kind of an interesting, especially if you are, um, maybe contracting for kind of IT services and, and that sort of thing, just trying to, um, figure out who's the person who can actually conduct that analysis and certify that on behalf of the business associate. It's gonna be interesting. Um, the, you know,

(41:27):
another requirement which gives me a lot of heartburn is notifying the covered entity within 24 hours of activation of a contingency plan. That is, um, you know what, when you have an incident or, or something that, um, requires activation of a contingency plan, um, you know, there is

(41:48):
often a lot of sensitivity around that. Um, kinda re, reputational harm and, and risk, and especially if you were able to, um, you know, and 24 hours, um, to notify you. At that point, you probably don't even have your arms around exactly what happened or what PHI has been impacted and, and that sort of thing, who's been impacted. Um,

(42:12):
and so it, you know, that's, it's going to be a challenge. Um, and then it gets factored in probably to your risk analysis, right? Um, you know, if that was right, if you've had received those sorts of notifications and that sort of thing. Um, and then you've got just the, uh, you know, requirements around now, um, implementing these additional

(42:35):
requirements into your business associate agreements. Um, I mean, I just can't imagine the, the resources and the efforts that are to go into updating all of these business associate agreements. And I, and I think we got some indication from OCR that there would be, if this rule goes into effect, um, you

(42:56):
know, typically the standard period for compliance is 180 days after the effective date. Um, but there was some acknowledgement that, um, there would be extensions for potentially some of these business associate agreement, uh, requirements just because, um, it is going to take a long time. Um, and folks don't always have control over, um, and terminating an agreement or

(43:20):
something is not always an option,

Speaker 3 (43:23):
Right? Uh, I don't recall if they spoke about other types of agreements such as MOUs. Do you recall if that was also addressed in there? Because with certain entities it's an MOU and not a BAA that is put in place.

Speaker 4 (43:38):
Sure. Yeah. That's a good, that's a good point, Wes. I would have to go back to the rule and double check that, whether that was specifically addressed, mm-hmm.

Speaker 3 (43:46):
But I think it's an important consideration. The idea is that MOUs are often used. I, I came out of the government services, uh, before I got into working with Clearwater, and we often used an MOU between inter-service agencies and those sorts of things because we weren't actually contracting a business associate relationship

(44:10):
in the sense of, you know, money flowing back and forth or, you know, uh, remittance and those kinds of things. But these two agencies had to think about how they would establish and maintain their relationship, and they would do it through the memorandum of understanding instead. Um, and I, I think, but I could be mistaken, so no one call me

(44:32):
out on this one. Uh, I think that they do touch on other types of documents, but I don't recall if it, it's really clearly spelled out. Uh, I do know that I spent hours, and I know you spent hours and days analyzing the comments and the, the changes to the rules themselves. There is a lot in

(44:53):
it, just a lot, uh. But when we think about the "a lot" part of it, then there's an additional component that we have to think about. What's the cost of doing this? What are your thoughts?

Speaker 5 (45:11):
Yeah, Wes, so, you know, HHS has estimated that this is going to cost, um, about $9 billion in just the initial implementation for the first year, and then an additional $6 billion a year, uh, each year for the consecutive four years. And this is to, uh, to implement all of these reoccurring compliance activities. Um, but

(45:33):
these estimates are likely underestimating, uh, the cost and the amount of time that covered entities and business associates will need to take in order to comply, uh, with these proposed rules. Uh, you know, for example, um, when it comes to meeting those, uh, technical safeguards and producing a verification report for business associate

(45:53):
agreements, um, HHS has estimated that it's going to cost roughly around $240, uh, which would only mean about two hours of work time for an information security analyst to perform those activities. A lot of commenters already have discussed how these, uh, estimates are not necessarily

(46:15):
well grounded in what's being seen in the industry. Uh, additionally, a lot of these estimates do not account for actions entities will need to take to comply with the existing security rule as it already stands. And a lot of HHS's comments throughout the proposed rule was that they're not already meeting the se, the security rule. And so those

(46:37):
additional steps would be additional costs that they're just not going to account for,

Speaker 3 (46:43):
Right? Because in the publication of the original rule, and with each change to it, they have published a cost table, right? That has said, this is what we think this will cost. So if I'm hearing you correctly, what you're saying is, is, is that they assume, uh, that you have, uh, borne

(47:04):
those costs in 2005 and in 2009 and in 2013. And so now this new one is, is to be aggregated on top of those, but there are a lot of entities, if I'm understanding you correctly, that you're saying it's gonna be a bigger bite because they haven't been doing some of the things they should have from

(47:24):
2005 correctly yet.

Speaker 5 (47:27):
Exactly. And so, like for one example was with their technology asset inventory, you know, that was something we earlier discussed as something that was always kind of expected of entities to do. So HHS didn't include those estimates to getting, uh, asset inventories up to date in their calculations for how much these proposed rules are going

(47:49):
to cost entities. And additionally, I, I, I think one of the biggest things that I had seen throughout a lot of the comments was a concern for how these costs and the time to implement these costs are going to affect especially smaller, uh, entities as well as rural entities, uh, and how they can afford and take the time to, to, to do these. I know a lot

(48:12):
of commenters have requested there being minimum thresholds or exceptions, uh, for, uh, different sizes of entities.

Speaker 3 (48:21):
Okay? So sort of like they've done with the, uh, 405(d) thing where they talk about small, medium and large practices. Um, and even though 405(d) is not regulatory, but it is a framework that we can work within, uh, to help to understand what an entity looks like. So something that's a little bit more like that, uh,

(48:44):
let's talk about the timelines. So one of the first things we have to consider is this, is that, uh, notices of proposed rulemaking are issued that sometimes never come to fruition. The most visible one for my purposes was, uh, in 2020, in December of 2020, a

(49:07):
notice of proposed rulemaking was issued for the privacy rule that proposed to implement significant amounts of change. And after the comment period, it has just simply disappeared, never to be heard from again. Could that happen to the security rule, to this NPRM?

Speaker 4 (49:28):
Absolutely, it could. Um, I think right now, you know, we are seeing so much focus on cybersecurity and, um, uh, just safety, um, of health information and protection and privacy of it, you know, with some of the incidents that happened last year, these high profile

(49:51):
incidents, um, and I think we're gonna see more of it. It, it's an issue that is not going away, I think. And so, you know, it wouldn't surprise me if we saw something go into effect, um, although it may look a lot different. Um, but it's, it's absolutely a possibility, Wes, that we see

(50:11):
this one just hang out there, just like some of the others have done, and nothing actually ever, um, becomes effective.

Speaker 3 (50:20):
Okay. So if it is issued, you had mentioned earlier that the standard period of 180 days from date of final issuance until the compliance date, that date is the date we're supposed to be fully in compliance with every element of that rule. But as you had noted, this is complex,

(50:43):
but you also mentioned that there were some exceptions and extensions. What, what was one of the extensions that you thought, or that you noted, uh, that was in consideration?

Speaker 4 (50:54):
Yeah, so I think that, um, we saw some commentary around extensions for, for updating the, these business associate agreements. And we saw that, uh, back in 2013 as well, when, when updates needed to be made to business associate agreements, there were some extensions for, around that as

Speaker 3 (51:12):
Well. Okay.

Speaker 4 (51:13):
Um, and so, so I think we would see something similar here and, and there may be others as well that,

Speaker 3 (51:20):
Well, that makes sense. Um, because many organizations have these, uh, contracts and business associate agreements on cycles, and so to suddenly throw their entire cycle into an uproar and say, you must do it by the 1st of July, or something like that, it would just be very

(51:41):
difficult for many organizations to effectively handle, at least the way that I see the world. Alright. We have covered a lot of ground in our time and, um, and there's, we could again spend hours covering even more. Um, we've, we've talked about some of the changes to the structure of the

(52:05):
security rule. Uh, the fact that things that were previously implementation specifications would now become standards. That new standards would also be created, the both the sanctions one and as well as the, uh, the, uh, asset, uh, the information asset, uh, not the map, but I think I the

(52:25):
map inventory, the map as well. Yeah, the inventory and the map, because I think the mapping is also addressed at that same level. So that would be a new standard at what was previously secure, security management process. Right. Um, and, and then moving some of these other things such as the, uh, risk analysis and risk management, uh, into their own standard categories along with

(52:50):
one that I really find interesting, and that is the information system activity review. I think that many organizations struggle to effectively manage this. Uh, and, and there are two sides to it. You have the administrative side of you must do this, but then you also have the

(53:11):
technical side of, and this is how you'll do it, right? And so I would, I will enjoy seeing what OCR publishes around that particular standard, uh, and how they lock that down to say, this is what we expect, because I've seen it all over the place. In fact, I've written white papers to explain that

(53:34):
trying to keep all of your logs for six years in a large entity would be an absolute nightmare and take up, you know, terabytes of data on any given year. And so you have to consider what is actually retained for that six year span and, you know, that sort of thing. Uh, this has been an

(53:56):
interesting conversation. I would love to give you the last chance to wrap up your perspectives on this, uh, and to, and to tell us what you think is important before we close this out today.

Speaker 4 (54:11):
Well, there's so much, um, that we talked about today and, and I think there's so much in the, the proposed rule itself that we could cover. Um, so, um, you know, I think it's just all about the changing landscape. Um, the, the focus, increased focus on cybersecurity and compliance and, um, the privacy of, uh, protected health information.

(54:36):
Um, you know, I think, uh, some of these changes like Thomas pointed out, are not new. They have been, you know, in the rule, maybe just reorganized or made more clicks and clarifying updates, that sort of thing. Um, but I think the overall, what I was left with when I read the, um, the proposed rule was this kind of idea of we really mean it this

(55:01):
time. Um, I like that. And so, you know, even if some of these changes aren't new, I think they, I think OCR means it, and, um, I think we will see some increased enforcement in this area or continued enforcement.

Speaker 3 (55:17):
You all,

Speaker 5 (55:17):
I just wanna

Speaker 3 (55:18):
Please your final thoughts on that. Yeah,

Speaker 5 (55:21):
Yeah. I just wanted to echo the, the same things that Jennifer has mentioned. You know, as much as we've talked about this being a proposed rule, I think it would, it, it is still great for our listeners to consider reviewing the NPRM, simply because there is a lot of clarifications in there on existing standards and expectations that HHS has. So

(55:43):
even if the proposed rules do not go into effect, they will help entities guide them through HIPAA compliance with this, with the existing security rule.

Speaker 3 (55:54):
That is an excellent point. Um, and, and it goes back to what I mentioned earlier, which is, is that with each publication, they give clarification and it's important to read the clarification, uh, and understand what the intent is, not just the black letter

(56:15):
language. And I think you hit on that beautifully to cover that particular point. We will see where the future goes. There is much more that can occur, uh, and of, and of course, how long it takes after the comment period closes before all the commentary is reviewed, discussed, and

(56:36):
decisions are made about how to proceed from there. Could be relatively short, could be relatively lengthy. We don't know. It could take quite a while. So it could be maybe this year we would see something, maybe it would be two years from now before we see a final rule published. Or as you mentioned, it could be that it languishes, we just

(56:57):
don't know. But I love that point about use this as an opportunity to examine your own systems and your own practices and say, what are we doing well now? And what do we need to change now? As well as what would be imposed upon us if

(57:21):
this goes forward. A fantastic way to sort of wrap this up. This has been a very enjoyable conversation with both of you. I appreciate you today and, uh, I'll just wrap it up with, uh, on behalf of, uh, our respective firms and the American Health Law Association. We're gonna wrap

(57:44):
it up and say so long and have a great rest of your day.

Speaker 2 (57:53):
Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law, wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.