Health Sector Cyber Laws and Regulations

by John Bandler

The health sector needs to comply with laws and regulations to protect patient health information and other private information, and to ensure our health sector is protected from cyberattack and natural disaster. The main rules are laid out in HIPAA, HITECH, and resulting regulation. As always, compliance should start with good cybersecurity, cybercrime protection, and privacy practices. Then, organizations can analyze details of these requirements.

This short article focuses on health sector requirements. Organizations should also consider general principles of law and other cybersecurity and privacy requirements. To zoom out a little and see the larger legal landscape, read my other article Cybersecurity Laws and Regulations Part 1 (general legal overview), and other articles.

HIPAA and HITECH in a minute

The federal privacy and security laws are HIPAA and HITECH, and from them come a number of regulations. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009. HIPAA was one of the earliest laws to protect personal information and privacy, regardless of sector. (I remember when it was enacted I was still a state trooper, and new procedures were required so we could obtain medical records as evidence in assault cases.) These federal laws are overseen by the U.S. Department of Health and Human Services (HHS), which issues rules and regulations in accordance with the laws. Within HHS, enforcement is done by their Office for Civil Rights (OCR). There are also state laws which relate to the health sector and health information, and laws of general applicability which may apply too.

Reminder on law vs. regulation

Health sector legal requirements exemplify the difference between a law and a regulation, which I touch on in my law outline. Congress passed laws (statutes), such as HIPAA and HITECH. Then, HHS promulgated regulations in accordance with these laws, and these regulations are in the Code of Federal Regulations (CFR). Finally, HHS has issued guidance to accompany these laws and regulations. The various requirements (as laid out in the regulations) are termed "rules", such as the Privacy Rule, Security Rule, and Breach Notification Rule.

Definitions matter

As with any law or regulation, we need to be mindful of definitions and what and who is covered. What organizations fall under these rules, and what data falls under these rules? One important definition in HIPAA is that of protected health information (PHI). Another is that of a "covered entity", which determines which organizations must comply with the requirements, and how. It used to be that only "covered entities" were directly subject to HIPAA, and that "business associates" were not (though they should have had contractually imposed obligations). In 2009 HITECH changed that, and now business associates must comply with HIPAA and can be subject to enforcement actions.

Thus, it is helpful to consider HIPAA, HITECH, and the various regulations, guidance, and rules, notably the Privacy Rule (2000), Security Rule (2003), and Breach Notification Rule.

Chronology of HIPAA related legal requirements

Here is a brief chronology of HIPAA related laws and regulations, and where to find them.

  • 1996: The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted (on 8/21/1996 to be exact)
  • 2000: HHS published the Privacy Rule in accordance with HIPAA (Standards for Privacy of Individually Identifiable Health Information).
    • The Privacy Rule is found at 45 CFR Part 160 and 45 CFR Part 164 Subparts A and E
  • 2003: HHS published the Security Rule in accordance with HIPAA (Security Standards for the Protection of Electronic Protected Health Information).
    • The Security Rule is found in 45 CFR Part 160 and Part 164, Subparts A and C
  • 2009: The Health Information Technology for Economic and Clinical Health Act (HITECH).
    • HITECH changes include making business associates directly responsible under HIPAA.
  • 2010: Regulatory modifications
  • 2013: Regulatory modifications
  • More

Where to find the current laws and regulations

And here is where to find current laws and regulations regarding HIPAA:

Research and the HHS website

When researching a government requirement, a primary source should be the government agency responsible for developing and enforcing those requirements. So let's talk about the HHS website, which has many helpful webpages. Unfortunately, the revision dates on many pages show they were updated as long ago as 2003 and 2013, and there have been many important changes to the laws and regulations since then.

We need our government to do better with the important task of reviewing and updating all of their resources, especially when they relate to complex and evolving rules. The government makes rules and then the government hopes for voluntary compliance but also pursues enforcement actions. It is only fitting that government resources should be helpful and kept current. HHS needs to do better.

These webpages at the HHS website may prove helpful, but check revision dates and note the possibility of recent changes to regulation:

State laws may apply also

State laws and regulations may also apply, for example:

  • State laws regarding medical providers and health records may include:
    • New York State Public Health Law
    • New York State Code of Rules and Regulations (NYCRR) Title 10, Department of Health
  • State laws specific to health insurers (and financial institutions)

Conclusion

How does an organization comply with these complex laws and regulations, including when some HHS guidance is out of date, and when this area of health sector law and regulation is a patchwork that fits into a broader patchwork of legal requirements for cybersecurity, privacy, and related issues?

My main takeaway -- as always -- is that organizations must first focus on protecting themselves and the data they hold, and prevent cybercrime and other incidents. In so doing, they comply with the spirit of laws and regulations. Then, organizations should analyze the legal requirements and ensure compliance. All of this requires a comprehensive cybersecurity program.

Hopefully this short article simply explains some of the basics. This is a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of basic information. It is not legal advice nor consulting advice, and is not tailored to your circumstances. I welcome your feedback on this new article including suggestions to improve it or additional laws or regulations to mention.

If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity.

Additional reading

See all the links above for references and reading to the laws, regulations, regulators, and more.

This article is hosted at https://johnbandler.com/health-sector-laws-and-regulations, copyright John Bandler, all rights reserved.

Originally posted 10/24/2021. Last updated 12/4/2024.