“Unattainable Implementation, Impracticable Timelines” – HLC and Confidentiality Coalition Urge HIPAA Security Rule NPRM Revisions

Today, the Healthcare Leadership Council (HLC), an association of CEOs and C-suite executives from all sectors of healthcare, submitted comments to the Department of Health and Human Services’ Office of Civil Rights (OCR) in response to its Health Insurance Portability and Accountability Act of 1996 (HIPAA) proposed notice of rulemaking (NPRM) to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”). The comments were on behalf of HLC and the Confidentiality Coalition, a diverse alliance dedicated to balancing the protection of confidential health information with the need for efficient, interoperable systems that enhance healthcare delivery.

While expressing support for the goal of strengthening cybersecurity to protect the privacy of personal health information, the letter outlines several areas of concern, including:

  • Requiring a one-size-fits-all approach, as numerous requirements imposed regardless of company size and level of technological infrastructure and capabilities create burdens even where there is no risk.
  • Impracticable timelines, such as restoring critical systems within 72 hours, which are not feasible and fail to recognize the complexity of systems and the unique challenges that breaches and subsequent restoration efforts present depending on the type of attack.
  • Duplicative requirements, given varieties of applicable technologies and the broad definitions of “a relevant electronic information system.”
  • Prescriptive processes, which increase the burden on regulated entities and add uncertainty between the Security Rule and existing, widely accepted industry standards.
  • Overly broad definitions and applications, which risk interpretations and complicate access to information needed to treat patients.

“These proposed changes risk reducing the current effective risk-based security, increasing unnecessary burdens and unintentionally weakening systems by mandating the disclosure of network maps and response strategies,” said HLC’s Executive Vice President and Chief Policy Officer Katie Mahoney. “We urge OCR to reconsider and revise the unattainable implementation and unilateral enforcement requirements in the NPRM carefully and pragmatically.”

You can read our comment letter here.