The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been busy lately, issuing three news releases on the HIPAA Privacy and Security Rules.
On February 24th, OCR published a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The document outlines the safeguards required by the Security Rule and maps them to the applicable subcategory in the Cybersecurity Framework and other commonly used frameworks. The Security Rule does not require healthcare organizations to follow the Cybersecurity Framework, but OCR points out that many organizations already follow the Cybersecurity Framework and that the crosswalk can help organizations discover gaps in their security policies. OCR released the crosswalk less than a week after Hollywood Presbyterian reported that it paid hackers to end a malware attack on the hospital’s computer systems.
Shortly after releasing the crosswalk, OCR published its monthly update on cyber awareness. This month’s update provides tips for safeguarding protected health information and shares lessons learned from the National Security Agency (NSA) at the Usenix Enigma security conference about security vulnerabilities used by hackers and best practices to strengthen security systems. OCR also highlighted security threats to medical devices, such as malware attacks that could render the device unusable or nonfunctional despite remaining usable. FDA has been working to raise awareness of these issues with draft guidance released in January.
On the privacy side, OCR published additional guidance this week to clarify how much providers may reasonably charge for copies of health information and when individuals may request to send their health information to third parties under the HIPAA Privacy Rule. The information is organized as frequently asked questions (FAQs), which accompany a fact sheet on patients’ rights to access their health information and a first set of FAQs on sharing medical records with patients. OCR’s intention in publishing these guidance documents is to help providers understand when and how protected health information may be shared with patients, providers, hospitals, and health insurance plans after hearing confusion from many individuals.