HHS OCR Outlines Top HIPAA Enforcement, Rule-Making PlansDirector Lisa Pino Urges Entities to Sharpen Focus on Cyberattacks
The federal agency enforcing HIPAA is urging covered entities and business associates to sharpen their focus on protecting their organizations against hacking incidents as cyberattacks against all critical infrastructure industries, including the healthcare sector, continue to surge.
"For healthcare, 2021 was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the COVID-19 pandemic," said Lisa Pino, director of the Department of Health and Human Services' Office for Civil Rights on Tuesday.
Pino's remarks came during a presentation about the HIPAA enforcement agency's policy and rule-making priorities at the 31st annual HIPAA Summit, which was conducted virtually this year due to the pandemic.
"More than one healthcare provider was forced to cancel surgeries, chemotherapy, radiology exams and other services, because their systems, software or networks had been disabled," she said, referring to numerous ransomware attacks on hospital and healthcare sector entities last year.
On top of those ransomware threats, exploitation of critical security vulnerabilities, such as Apache Log4J flaws, also poses potential hacking risks for organizations of all sizes, she said.
"These reports underscore why it is so important for healthcare to be vigilant in their approach to cybersecurity," she says. "I call on covered entities and business associates in 2022 to strengthen your organization’s cyber posture."
Essential steps covered entities and business associates should take include maintaining offline, encrypted backups of data and regularly testing backups; conducting regular scans to identify and address vulnerabilities; regularly patching and updating software and operating systems; and training employees on phishing and other common scams, Pino says.
She says conducting comprehensive and timely enterprisewide security risk analysis is also essential.
HHS OCR recently submitted to Congress its annual report of breaches affecting protected health information as called for under the HITECH Act, Pino said.
The report, which analyzed breaches reported in calendar year 2020, says OCR received 656 notifications of breaches affecting 500 or more individuals, representing an increase of 61% from the number of reports received in calendar year 2019. These reported 2020 breaches affected more than 37.6 million individuals.
Hacking incidents were the most commonly reported category of breaches. Of the 429 hacking incidents reported to OCR in 2020 as affecting 500 or more individuals, 199 involved ransomware.
OCR's report to Congress also shows that the agency received 66,509 reports of breaches affecting fewer than 500 individuals, with unauthorized access or disclosure reported as the most frequent type of smaller breach reported. These breaches affected a total of nearly 313,000 individuals.
For comparison, Pino said, in 2016, OCR received 114 reports of large breaches involving a hacking/IT incident, while in 2021 it received 527 such reports.
"The Biden-Harris administration recognizes that the United States faces persistent and increasingly sophisticated malicious cyber[actors] that threatens the public and private sectors, and ultimately the American people's privacy and security. And they understand cyberattacks all too well."
Pino served as a senior counselor during the Obama administration, driving the Department of Homeland Security's breach mitigation response in the 2015 cyberattack on the Office of Personnel Management. That incident compromised the records of 22 million "surrogate profiles," the largest hacking incident in federal history, she says.
Among HHS OCR's rule-making priorities this year is a planned request for information pertaining to a yet-unmet provision of the HITECH Act of 2009 for how HHS OCR might distribute to victims a percentage of the funds it collects from HIPAA violation settlements and civil monetary penalties, Pino says.
In that RFI, OCR will also seek public comment for how the agency should consider the security practices of covered entities and business associates when determining the enforcement actions in potential HIPAA breach and other violation cases, she says.
That planned rule-making comes after Congress last year passed legislation modifying the HITECH Act to require HHS OCR to consider whether a breached entity has made a "good faith" attempt to implement "recognized" security practices before the agency issues a HIPAA enforcement action.
Other slated rule-making work includes efforts by OCR and HHS' Substance Abuse and Mental Health Services Administration to "better harmonize" 42 CFR Part 2, the federal law that governs the confidentiality of substance use disorder information, with certain permissions and requirements of HIPAA, Pino says.
Other regulatory work includes plans to issue a final rule modifying the HIPAA privacy rule "to support and remove barriers" in the coordination of patient care and individual engagement, she says.
HHS OCR received more than 1,400 public comments on its proposed rule, issued in December 2020, for modifying the HIPAA privacy rule.
On the enforcement front, Pino also says OCR, among other cases, will continue to pursue complaints involving potential violations of the HIPAA right of access provision that supports the right of individuals to access and obtain copies of their health information.
To date, since 2019, HHS OCR has taken enforcement actions in 25 such right of access cases.
Overall in 2021, HHS OCR took enforcement actions in 14 HIPAA violation cases, "and more announcements are forthcoming," she says.
Pino declined to comment during her presentation on how or if OCR's approach to HIPAA enforcement has been affected by a 2021 federal ruling by the 5th Circuit Court of Appeals in overturning an enforcement action against the University of Texas MD Anderson Cancer Center.
In that case, in which the cancer center appealed a $4.3 million HIPAA civil monetary penalty, the Louisiana appeals court took issue with OCR's interpretation of HIPAA requirements and how it sets civil monetary penalties.
"OCR's robust enforcement of the HIPAA rules continues," Pino says.