Understanding the Nuances of the Healthcare Cybersecurity Regulatory Landscape
A patchwork of key healthcare cybersecurity and privacy regulations aim to keep cyber threats at bay, but compliance can be challenging.
Source: Getty Images
- Considering the complexity and magnitude of cyber threats facing the healthcare sector today, it stands to reason that the regulations that aim to protect patients and organizations from these threats must be equally intricate.
These intricacies can make health data regulations difficult to understand and comply with, making it all the more crucial that covered entities and other organizations that maintain health data have a solid understanding of the regulatory landscape.
On a recent episode of Healthcare Strategies, Elizabeth Hodge, partner in the Healthcare Practice Group at Akerman, provided a refresher on this patchwork of healthcare cybersecurity and privacy regulations and offered tips for maintaining compliance.
Specifically focusing on HIPAA, the Federal Trade Commission’s Health Breach Notification Rule, and state laws, Hodge explored the statutes through the lens of compliance, cyber threat mitigation, and breach response, and offered best practices for navigating the regulatory landscape.
One of the first steps to understanding the regulatory landscape is understanding what these regulations are not. Despite an increased focus on healthcare data security and patient privacy in recent years, misconceptions about the sector’s foundational data protection laws persist. Addressing these misconceptions is a crucial step in preventing noncompliance.
Enacted in 1996, HIPAA has served as a compass for managing security and privacy in the healthcare sector for many years. Even so, there are persisting misconceptions about what HIPAA covers and what it does not.
“A lot of lay people think that HIPAA protects all health information everywhere and don't realize that the scope of the law is actually fairly narrow,” Hodge noted. “It only applies to health plans, healthcare clearinghouses, and healthcare providers who conduct standard transactions, and then of course their business associates who receive PHI.”
Additionally, patients may assume that HIPAA protections will shield their health data regardless of what entity collects it or where that data is held. In truth, only covered entities and their business associates are subject to HIPAA.
Providers may face confusion about HIPAA’s parameters too, even if they interact with it daily.
“We also see on the provider side, some confusion about when they can release information and when they can't,” Hodge added.
“Sometimes HIPAA is used as a shield or sometimes as a sword. There is still some confusion out there among those folks even though the regulations have been out for 20 plus years now.”
In addition to HIPAA confusion, Hodge noted that there are frequently questions circulating about the Federal Trade Commission’s role in protecting health data held by entities that are not HIPAA, specifically when it comes to the digital health space.
“The FTC is the big player in that space because very few digital health apps are subject to HIPAA,” Hodge stated. “A very small number are, so most digital health apps fall under the FTC’s jurisdiction.”
In addition to the FTC’s Health Breach Notification Rule, other regulations that touch on health data include substance use disorder regulations, state laws, such as the recently enacted My Health, My Data Act in Washington state, and international laws.
“One [challenge] is that once they identify that they've had an incident, trying to figure out all the breach notification laws that might be in play, because, depending on the type of entity, you may be subject to HIPAA, or you may be under the FTC's jurisdiction,” Hodge said.
“All 50 states also have breach notification laws. Some apply to health information, some exclude it. We're seeing more states include health information in their definition of personal information subject to breach notification laws. And then we're seeing consumer privacy laws at the state level rolling out too.”
With all these regulatory elements at play, day-to-day compliance and data breach response can get complicated. Keeping an eye on the latest guidance from government agencies and practicing response plans in accordance with the laws your entity is subject to can go a long way.
Hodge stressed the importance of maintaining a thorough incident response plan that considers not only compliance activities, but also operational disruptions.
“Other challenges we see are organizations not having in place incident response plans that really look at the full impact of an incident, especially if you're talking about something like a ransomware incident where not only might your data be compromised, but also your operations,” Hodge noted.
Hodge advised testing the incident response plan periodically to ensure that roles and responsibilities are established.
“Also, keep your backups offline and test to make sure you can recover your backups, because if you do have good backups of your data, you can recover a lot more quickly than if you don't. And you also want to test your backups to make sure that you can really recover them,” Hodge said.
“And then I would invest in administrative technical and physical safeguards and also train and educate your workforce about being vigilant against cyber threats.”
Planning to be offline longer than anticipated, having patient diversion plans in place, and identifying a breach response team can all make the process more streamlined in the event of an actual breach.
Additionally, Hodge recommended speaking with peers to discuss lessons learned from past data security incidents. Working together as a sector to navigate incident response and regulatory compliance can strengthen each organization and equip the industry to better confront cyber threats.
