Congressional Research Service
Informing the legislative debate since 1914




Cybersecurity and Digital Health Information


As the technologies used in health care expand, so too do
cybersecurity vulnerabilities. Increasingly, health care
actors use electronic health records (EHRs), artificial
intelligence (AI) technologies, and telehealth services to
provide and facilitate care. While these technologies have
their advantages, stakeholders have noted they also increase
the number of potential cybersecurity vulnerabilities an
entity may be exposed to through greater technological
complexity and the number of actors with which an entity
may interact.

Cyberattacks targeting sensitive health information
maintained by health care providers and health plans have
sharply increased over the past decade. Health care data and
information are valuable and therefore are an attractive
target for cyberattacks. Cybersecurity experts predict that
cyberattacks involving health information will continue to
affect a growing number of people in the future.

Health care providers, health plans, and health care
clearinghouses that hold or transmit electronic protected
health information (e-PHI) are subject to the Health
Insurance Portability and Accountability Act (HIPAA; P.L.
104-191) Security Rule and Breach Notification Rule.
These HIPAA rules are administered and enforced by the
Office for Civil Rights (OCR) within the Department of
Health and Human Services (HHS). OCR works with other
HHS agencies to provide guidance and compliance tools for
HIPAA-covered entities.

Any breach of unsecured protected health information
(PHI) must be reported to OCR pursuant to the Breach
Notification Rule. A breach is the acquisition, access, use,
or disclosure of protected health information in a manner
not permitted under the [HIPAA Rules] which
compromises  [its] security or privacy. Protected health
information is unsecured if it is not rendered unusable,
unreadable, or indecipherable to unauthorized persons
(such as through encryption).

There are generally five types of digital breaches reported
to OCR: a hacking or information technology (IT) incident
of electronic equipment or a network server, unauthorized
access to or disclosure of records containing PHI, theft of
electronic equipment/portable devices, loss of electronic
media, and improper disposal of PHI. During 2022, OCR
was notified of 626 breaches where each affected 500 or
more people, the majority of which were hacking incidents.
Over 41 million people were affected by these breaches.
OCR was notified of 63,966 breaches affecting fewer than
500 people during the same period, with the most common
cause being unauthorized access to, or disclosure of, PHI.
257,105 people were affected by these breaches.


Updated December 4, 2024


HIPAA
HIPAA was enacted to improve the efficiency and
effectiveness of the health care system, in part by ensuring
that patients have access to their health information and
establishing privacy and security measures for such data.
Pursuant to HIPAA, several rules were promulgated,
including the Privacy Rule, the Security Rule, and the
Breach Notification Rule; the latter two are especially
important for e-PHI. The HIPAA Rules apply to covered
entities that possess PHI or e-PHI, such as health care
providers, health plans, health care clearinghouses, and
business associates.

HIPAA Security Rule. Issued in 2003, the HIPAA
Security Rule establishes national standards to protect
individuals' [e-PHI] that is created, received, used, or
maintained by a covered entity. The Security Rule
enumerates 18 administrative, physical, and technical
safeguards (or standards) for e-PHI to ensure its
confidentiality, integrity, and security. These standards are
designed to be flexible and scalable to entities of all sizes,
as well as technology neutral, so that entities may adopt
novel technologies as they emerge.

Covered entities and business associates have discretion in
how  they accomplish the 18 standards, depending upon the
organization's size, complexity and capabilities, its
technical infrastructure, hardware, and software security
capabilities, the costs of security measures, and the
probability and criticality of potential risks to [e-PHI].
Each security standard is accompanied by one or more
implementation specifications. Specifications may be
required, meaning an organization must implement them, or
addressable, meaning an organization may implement
equivalent alternative measures if reasonable and
appropriate. For example, the security management process
standard is accompanied by four required implementation
specifications, one of which is a risk analysis. Every
covered entity and business associate must conduct an
accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and
availability of [e-PHI] in its possession. This analysis is
the foundation of all other safeguards in the Security Rule.
OCR has published guidance and jointly released a HIPAA
Security Risk Assessment (SRA) Tool with the Assistant
Secretary for Technology Policy/Office of the National
Coordinator for Health Information Technology
(ASTP/ONC) to help entities properly conduct this risk
analysis. The National Institute of Standards and
Technology (NIST) and OCR also collaborated on a revised
special publication that in part provides guidance on how to
conduct this risk analysis.
