Summary
- In his January 2025 column, Section Chair, Matt Fisher discusses section's role in shaping health policy specifically in regard to the HIPAA Security Rule Changes.
The ability to comment on public policy, with a particular focus on health policy, is one of the distinguishing benefits of the Health Law Section (HLS). As the recognized leader in health law within the American Bar Association, the HLS can prepare and submit comments to the government when proposed rules or legislation are released. The details of how the HLS can actively participate in the rulemaking process were discussed in this column a couple of months ago.
As a quick refresher: The HLS formed policy working groups to enable a quicker response when proposed rules or legislation becomes public. The working groups are intended to be ready to react and dive into the drafting of comments as quickly as possible. The comments that the HLS prepares are intended to focus on the potential impacts and interpretations of what is proposed by the government. As we all know, despite good intentions, proposed rules often do not work as intended and the expertise that HLS members can bring is often quite helpful in teasing out those unexpected interpretations in advance. The comments do not focus on whether the policy is “good” or “bad,” but on how the proposals interact with existing law and regulations.
The opportunity to influence regulations and law is a powerful way for HLS members to be involved. Further, while the HLS likes to play an active role in the policy making process, the opportunities also hopefully get all members thinking about how each individual can also play a role. Even if an HLS member does not participate in the drafting of the HLS’s official comments, they could be inspired to submit comments on their own, which is also valuable.
Why did I spend time providing a reminder about the impact the HLS can have on public policy? Because the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) published a notice of proposed rulemaking on January 6, 2025, to substantially and materially update the Security Rule under HIPAA. I will admit that I have a personal bias of interest in HIPAA, privacy, and security because those are the areas of health law that I aim to practice in the most as well as the areas holding the greatest personal interest for me. Beyond my personal bias, HIPAA and the requirements of the Security Rule impact a substantial number of clients (whether as private attorneys, in-house counsel, or government attorneys) for the vast bulk of HLS members.
The HLS is mobilizing the relevant policy working groups to draft comments that the HLS will submit to OCR concerning the proposed changes. Playing an active role in the process of updating the Security Rule is important, because the rule has been largely the same since its original promulgation back in 2003. As should be relatively obvious, the world is in a much different place in 2025 than it was in 2003. The pace of change from a technology standpoint has resulted in not only the explosion of data creation in healthcare, but also a correlative increase in the risk of all of that data being exposed, stolen, or otherwise accessed without authorization.
To ensure that everyone is operating from the same knowledge base, it’s helpful to provide a quick overview of what the proposed rule would do to the Security Rule. Here is a summary of the key changes, in OCR’s own words:
The comprehensive proposed changes will result in a significant change in operations for pretty much every organization that is subject to HIPAA. Compliance efforts will be extensive and expansive with the full impact likely not known unless or until a final rule is promulgated. However, it is possible to begin identifying the pervasive impact not only from the operational perspective, but from the legal advice perspective as well.
While each HLS member may not be personally impacted from the perspective of having to comply, the changes will very likely impact clients or even maybe the firms that we work at given the new requirements for business associates. Leaving aside the potential for personal impact, the proposed rule is one of the more significant changes where we as healthcare lawyers can provide unique value through the expertise and knowledge we have developed as part of our jobs and profession. We can help positively (at least from the optimistic perspective) impact the development of health policy that will have a long lasting impact.
The HLS certainly has a role to play in that process and it will. The process demonstrates the opportunity that we offer our members to make a tangible impact on health law generally and the health law portion of the bar. Hopefully, this provides good insight into the importance of involvement and why we want to make the HLS as inclusive as possible to accurately represent all of the different voices within the health law bar.