Health Sector Cyber Laws and Regulations
by John Bandler
The health sector needs to comply with laws and regulations to protect patient health information and other private information, and to ensure our health sector is protected from cyberattack and natural disaster. The main rules are laid out in HIPAA, HITECH, and resulting regulation. As always, compliance should start with good cybersecurity, cybercrime protection, and privacy practices. Then, organizations can analyze details of these requirements.
This short article focuses on health sector requirements. Organizations should also consider general principles of law and other cybersecurity and privacy requirements. To zoom out a little and see the larger legal landscape, read my other article Cybersecurity Laws and Regulations Part 1 (general legal overview), and other articles.
HIPAA and HITECH in a minute
The federal privacy and security laws are HIPAA and HITECH, and from them come a number of regulations. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1998, and the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009. HIPAA was one of the earliest laws to protect personal information and privacy, regardless of sector. (I remember when it was enacted I was still a state trooper, and new procedures were required so we could obtain medical records as evidence in assault cases.) These federal laws are overseen by the U.S. Department of Health and Human Services (HHS), which issues rules and regulations in accordance with the laws. Within HHS, enforcement is done by their Office for Civil Rights (OCR). There are also state laws which relate to the health sector and health information, and laws of general applicability which may apply too.
Reminder on law vs. regulation
Health sector legal requirements exemplify the difference between a law and a regulation, which I touch on in my law outline. Congress passed laws (statutes), such as HIPAA and HITECH. Then, HHS promulgated regulations in accordance with these laws, and these regulations are in the Code of Federal Regulations (CFR). Finally, HHS has issued guidance to accompany these laws and regulations. The various requirements (as laid out in the regulations) are termed "rules", such as the Privacy Rule, Security Rule, and Breach Notification Rule.
Definitions matter
As with any law or regulation, we need to be mindful of definitions and what and who is covered. What organizations fall under these rules, and what data falls under these rules? One important definition in HIPAA is that of protected health information (PHI). Another is what is a "covered entity", and what organizations must comply with the requirements, and how. It used to be that only "covered entities" were directly subject to HIPAA, and that "business associates" were not (though should have contractually imposed obligations). In 2009 HITECH changed that, and now business associates must comply with HIPPA and can be subject to enforcement actions.
Thus, it is helpful to consider HIPAA, HITECH, and the various regulations, guidance, and rules, notably the privacy rule (2000), security rule (2003), and breach reporting rule.
Chronology of HIPPA related legal requirements
Here is a brief chronology of HIPPA related laws and regulations, and where to find them.
- 1996: The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted
- 2000: HHS published the Privacy Rule in accordance with HIPAA (Standards for Privacy of Individually Identifiable Health Information).
- The Privacy Rule is found at 45 CFR Part 160 and 45 CFR Part 164 Subparts A and E
- 2003: HHS published the Security Rule in accordance with HIPAA (Security Standards for the Protection of Electronic Protected Health Information).
- The Security Rule is found in 45 CFR Part 160 and Part 164, Subparts A and C
- 2009: The Health Information Technology for Economic and Clinical Health Act (HITECH).
- HITECH changes include making business associates directly responsible under HIPAA.
- 2010: Regulatory modifications
- 2013: Regulatory modifications
- More
Where to find the current laws and regulations
And here is where to find current laws and regulations regarding HIPPA:
- 45 CFR Part 160 - General Administrative Requirements https://www.law.cornell.edu/cfr/text/45/part-160
- 45 CFR Part 164 - Security and Privacy https://www.law.cornell.edu/cfr/text/45/part-164
- Security Rule: See 45 CFR 164 Subparts A and C
- Privacy Rule: See 45 CFR 164 Subparts A and E
- Breach Notification Rule: See 45 CFR 164 Subpart D
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Public Law 104-191, Aug 21, 1996, 104th Congress (text) https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
- Public Law 104-191, Aug 21, 1996, 104th Congress (PDF) https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
- U.S. Statutes at Large, 110 Stat. 1936, https://www.govinfo.gov/content/pkg/STATUTE-110/pdf/STATUTE-110-Pg1936.pdf#page=1
- Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111–5
- Cornell Law School's Legal Information Institute is a free and reputable tool for to find regulations and statutes, https://www.law.cornell.edu/. There are other free and reputable online sources as well.
Research and the HHS website
When researching a government requirement, a primary source should be the government agency responsible for developing and enforcing those requirements. So let's talk about the HHS website, which has many helpful webpages. Unfortunately, the revision dates on many pages show they were updated as long ago as 2003 and 2013, and there have been many important changes to the laws and regulations since then.
We need our government to do better with the important task of reviewing and updating all of their resources, especially when they relate to complex and evolving rules. The government makes rules and then the government hopes for voluntary compliance but also pursues enforcement actions. It is only fitting that government resources should be helpful and kept current. HHS needs to do better.
These webpages at the HHS website may prove helpful, but check revision dates and note the possibility of recent changes to regulation:
- HHS on HIPAA, https://www.hhs.gov/hipaa/index.html
- Summary of the HIPAA Security Rule (webpage updated July 26, 2013 allegedly) https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- The Security Rule (short but with links and updated in 2020!) https://www.hhs.gov/hipaa/for-professionals/security/index.html
- Summary of the HIPAA Privacy Rule (webpage updated July 26, 2013 allegedly) https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
- Summary of the HIPAA Privacy Rule (2003 PDF -- quite old!) https://www.hhs.gov/sites/default/files/privacysummary.pdf
- Submitting Notice of a Breach to the Secretary of HHS https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
- Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
- HIPAA Enforcement https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
- Direct Liability of Business Associates (following 2009 HITECH Act, page updated July 16, 2021) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html
- APPARENTLY OBSOLETE page on Business Associates https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html. Confusingly, at the bottom of this page it indicates "Revised April 3, 2003" and below that "Content last reviewed May 24, 2019" but yet this page seems not to incorporate changes by HITECH in 2009 and incorrectly asserts "the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers" whereas their webpage on "Direct Liability of Business Associates" makes clear there can be direct liability for business associates.
- "HIPAA Administrative Simplification" compilation of regulation text 45 CFR Parts 160, 162, and 164, as of 2013 (but without regulatory updates since 2013, which is almost a decade ago) https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (a new subsection on the CIPP/US BoK, so I wanted to include the link)
State laws may apply also
State laws and regulations may also apply, for example:
- State laws regarding medical providers and health records may include:
- New York State Public Health Law
- New York State Code of Rules and Regulations (NYCRR) Title 10, Department of Health
- State laws specific to health insurers (and financial institutions)
- NYCRR Title 23 Part 500, Cybersecurity Requirements for Financial Services Companies
Conclusion
How does an organization comply with these complex laws and regulations, including when some HHS guidance is out of date? And where this area of health sector law and regulation is a patchwork that fits into a broader patchwork of legal requirements for cybersecurity, privacy, and related issues.
My main takeaway -- as always -- is that organizations must first focus on protecting themselves and the data they hold, and prevent cybercrime and other incidents. In so doing, they comply with the spirit of laws and regulations. Then, organizations should analyze the legal requirements and ensure compliance. All of this requires a comprehensive cybersecurity program.
Hopefully this short article simply explains some of the basics. This is a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of basic information. It is not legal advice nor consulting advice, and is not tailored to your circumstances. I welcome your feedback on this new article including suggestions to improve it or additional laws or regulations to mention.
If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity.
Additional reading
See all the links above for references and reading to the laws, regulations, regulators, and more.
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
- Health sector laws and regulations (This article)
- Financial sector cyber laws and regulations
- Cybersecurity Frameworks and Guidance
- Policies, Procedures, and Governance of an Organization
- Cybersecurity and Privacy for You and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Bandler's Cybersecurity Tips
- My services page
- Cyberlaw Book
- Policies and Procedures Book
This article is hosted at https://johnbandler.com/health-sector-laws-and-regulations, copyright John Bandler, all rights reserved.
Originally posted 10/24/2021. Last updated 2/2/2024.