Healthcare privacy and security regulatory activity began slowly in 2022. But by the end of the year, between the Dobbs decision, significant regulatory guidance, and the deluge of healthcare privacy class actions, 2022 will have a lasting effect.
Dobbs in the Driver’s Seat
The impact of Dobbs on the healthcare industry cannot be overstated. While providers, employers, and insurance companies scrambled to reassess the way they provide and record information about women’s reproductive healthcare, regulators showed they recognized Dobbs as impacting many corners of operations:
Ransomware Wobbles, Snooping Surges
Ransomware attacks declined significantly through mid-2022, but came roaring back at the end of the year and into the first quarter of 2023. Throughout 2022, however, we saw a significant increase in snooping incidents. Many of these incidents were driven by workforce members (including licensed care providers) looking for and diverting controlled substances, implicating insurance billing, patient safety, and inventory controls. What do ransomware and snooping have in common? Both can be detected early with appropriate auditing of system activity and timely reviews of those audit reports.
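The auditing the paragraph above recommends is the kind of review shown here: an added example (not from the original post or any vendor product) that reads constructed EHR audit lines and flags the two snooping indicators the paragraph describes, chart access to patients outside a user's care-team assignment and repeated controlled-substance dispensing. The log format, the `CARE_TEAM` roster, the action names and the threshold are all hypothetical.

```python
"""Review constructed EHR audit-log lines for snooping and diversion indicators."""
import re
from collections import defaultdict

# Hypothetical log format: one event per line, key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)")

# Constructed care-team roster: which patients each workforce member is assigned to.
CARE_TEAM = {
    "rn_42": {"P100", "P101"},
    "rn_77": {"P200"},
    "md_09": {"P100", "P200", "P300"},
}

# Constructed sample: rn_77 opens charts outside assignment and dispenses a
# Schedule II drug three times in two hours; the other users stay in scope.
SAMPLE_LOG = """\
2022-05-02T09:14:03Z user=rn_42 role=RN patient=P100 action=VIEW_CHART
2022-05-02T09:20:11Z user=rn_77 role=RN patient=P100 action=VIEW_CHART
2022-05-02T09:21:40Z user=rn_77 role=RN patient=P101 action=VIEW_CHART
2022-05-02T09:23:05Z user=rn_77 role=RN patient=P300 action=VIEW_CHART
2022-05-02T09:30:00Z user=rn_77 role=RN patient=P200 action=DISPENSE_CII
2022-05-02T10:05:00Z user=rn_77 role=RN patient=P200 action=DISPENSE_CII
2022-05-02T10:40:00Z user=rn_77 role=RN patient=P200 action=DISPENSE_CII
2022-05-02T11:00:00Z user=md_09 role=MD patient=P300 action=VIEW_CHART
"""

def parse(log_text):
    """Turn matching log lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def out_of_assignment(records, care_team):
    """Chart accesses to patients the user is not assigned to: the classic snooping signal."""
    return [r for r in records if r["patient"] not in care_team.get(r["user"], set())]

def repeated_dispense(records, action="DISPENSE_CII", threshold=2):
    """Users whose controlled-substance dispense count exceeds the threshold (a diversion signal)."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == action:
            counts[r["user"]] += 1
    return {user: n for user, n in counts.items() if n > threshold}

def review(log_text, care_team=CARE_TEAM):
    """Run both checks and return the findings a reviewer would look at each shift."""
    records = parse(log_text)
    return {
        "out_of_assignment": [(r["user"], r["patient"]) for r in out_of_assignment(records, care_team)],
        "repeated_dispense": repeated_dispense(records),
    }

if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

In a real deployment the roster comes from the scheduling or ADT system and the threshold from the pharmacy's dispensing baseline; the value of the check is only as good as how promptly someone reads its output.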
Recognized Security Practices – Take Two?
The passage of the HIPAA Safe Harbor amendment in January 2021 (requiring the OCR to consider whether an entity had in place recognized security practices prior to an incident) was warmly welcomed by the healthcare industry. Both newly initiated and years-old investigations asked entities for proof of their recognized security practices. The problem? Entities were not clear on what “recognized security practices” really meant; it turns out, neither was the OCR. In April, the OCR requested public comment on how it should measure security practices, providing the CISO’s office a unique opportunity to frame HIPAA Security Rule compliance standards.
State Attorneys General Take an Interest in HIPAA-Regulated Entities
In 2022, we saw a marked increase in the number of state attorneys general interested in healthcare entities’ compliance and incident response posture. After providing notification, the attorneys general of Florida, New York, New Jersey, and Texas initiated investigations into HIPAA and state regulatory compliance.
OCR’s Right of Access Initiative – Big Problems Continue for Smaller Entities
The OCR’s Right of Access (ROA) Initiative continued to be a focus in 2022, with 17 such settlements as of the end of December 2022. While many non-ROA settlements have generally involved larger entities — and thus larger monetary assessments — the ROA settlements show a very different trend, exemplified by the entities involved in the 2022 ROA settlements: