
ABA Health eSource

January 2025

Chair's Column: Importance of Health Policy

Matthew R Fisher

Summary

  • In his January 2025 column, Section Chair Matt Fisher discusses the Section's role in shaping health policy, specifically with regard to the proposed HIPAA Security Rule changes.

Importance of Health Policy

The ability to comment on public policy, with a particular focus on health policy, is one of the distinguishing benefits of the Health Law Section (HLS). As the recognized leader in health law within the American Bar Association, the HLS can prepare and submit comments to the government when proposed rules or legislation are released. The details of how the HLS can actively participate in the rulemaking process were discussed in this column a couple of months ago.

As a quick refresher: The HLS formed policy working groups to enable a quicker response when proposed rules or legislation becomes public. The working groups are intended to be ready to react and dive into the drafting of comments as quickly as possible. The comments that the HLS prepares are intended to focus on the potential impacts and interpretations of what is proposed by the government. As we all know, despite good intentions, proposed rules often do not work as intended and the expertise that HLS members can bring is often quite helpful in teasing out those unexpected interpretations in advance. The comments do not focus on whether the policy is “good” or “bad,” but on how the proposals interact with existing law and regulations.

The opportunity to influence regulations and law is a powerful way for HLS members to be involved. Further, while the HLS likes to play an active role in the policy making process, the opportunities also hopefully get all members thinking about how each individual can also play a role. Even if an HLS member does not participate in the drafting of the HLS’s official comments, they could be inspired to submit comments on their own, which is also valuable.

Proposed HIPAA Security Rule Changes

Why did I spend time providing a reminder about the impact the HLS can have on public policy? Because the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) published a notice of proposed rulemaking on January 6, 2025, to substantially and materially update the Security Rule under HIPAA. I will admit that I have a personal bias of interest in HIPAA, privacy, and security because those are the areas of health law that I aim to practice in the most as well as the areas holding the greatest personal interest for me. Beyond my personal bias, HIPAA and the requirements of the Security Rule impact a substantial number of clients (whether as private attorneys, in-house counsel, or government attorneys) for the vast bulk of HLS members.

The HLS is mobilizing the relevant policy working groups to draft comments that the HLS will submit to OCR concerning the proposed changes. Playing an active role in the process of updating the Security Rule is important, because the rule has been largely the same since its original promulgation back in 2003. As should be relatively obvious, the world is in a much different place in 2025 than it was in 2003. The pace of change from a technology standpoint has resulted in not only the explosion of data creation in healthcare, but also a correlative increase in the risk of all of that data being exposed, stolen, or otherwise accessed without authorization.

What Is Being Proposed

To ensure that everyone is operating from the same knowledge base, it’s helpful to provide a quick overview of what the proposed rule would do to the Security Rule. Here is a summary of the key changes, in OCR’s own words:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions;
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses;
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology;
  • Add specific compliance time periods for many existing requirements;
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI;
  • Require greater specificity for conducting a risk analysis;
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated;
  • Strengthen requirements for planning for contingencies and responding to security incidents by enhancing documentation and testing processes;
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • Require encryption of ePHI at rest and in transit, with limited exceptions;
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner;
  • Require the use of multi-factor authentication, with limited exceptions;
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Require network segmentation;
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation; and
  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

The comprehensive proposed changes will result in a significant change in operations for pretty much every organization that is subject to HIPAA. Compliance efforts will be extensive and expansive with the full impact likely not known unless or until a final rule is promulgated. However, it is possible to begin identifying the pervasive impact not only from the operational perspective, but from the legal advice perspective as well.

Why Does this Matter to You?

While each HLS member may not be personally impacted from the perspective of having to comply, the changes will very likely impact clients, or even the firms we work at, given the new requirements for business associates. Leaving aside the potential for personal impact, the proposed rule is one of the more significant changes where we as healthcare lawyers can provide unique value through the expertise and knowledge we have developed as part of our jobs and profession. We can help positively (at least from the optimistic perspective) impact the development of health policy that will have a long-lasting impact.

The HLS certainly has a role to play in that process and it will. The process demonstrates the opportunity that we offer our members to make a tangible impact on health law generally and the health law portion of the bar. Hopefully, this provides good insight into the importance of involvement and why we want to make the HLS as inclusive as possible to accurately represent all of the different voices within the health law bar.
