Rural Hospital Cybersecurity Enhancement Act and Better HIPAA Protections for Reproductive Health Data

The Rural Hospital Cybersecurity Enhancement Act

The bill forwarded by Senate Homeland Security and Governmental Affairs Committee attempts to deal with the present scarcity of cybersecurity expertise in rural hospitals, which are more and more attacked by cybercriminals. Rural hospitals lack the resources required to use cybersecurity and find it hard to get skilled cybersecurity experts and, therefore, are looked at as soft targets by cybercriminals.

Sen. Josh Hawley (R-MO) with Sens. Gary Peters (D-MI) and Jon Ossoff (D-GA) as co-sponsors, presented the Rural Hospital Cybersecurity Enhancement Act, which demands the development of a complete rural hospital cybersecurity workforce development strategy to deal with the present deficit of cybersecurity personnel at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act necessitates the Secretary of the Department of Homeland Security to create an extensive rural hospital cybersecurity workforce development strategy to handle the increasing requirement for skilled cybersecurity experts in rural hospitals within a year of passing the act.

When creating the cybersecurity workforce development strategy, the Secretary must think about partners among rural hospitals, private industry entities, educational organizations, and non-profits to broaden cybersecurity education and training classes focused on the requirements of rural hospitals, the creation of a cybersecurity program and teaching assets for rural schools, and make recommendations for legislation, rulemaking, and/or assistance for applying the strategy.

Rural hospitals are working under growing financial stress and do not have the required financing for cybersecurity. Presently, a number of rural hospitals have committed cybersecurity employees and IT personnel are typically lacking and overworked. Cybersecurity roles in rural hospitals usually have small salaries, and having fewer funds means people who have cybersecurity jobs don’t have access to the most recent cybersecurity resources that could be available in other jobs. The worldwide deficit of competent cybersecurity experts is unlikely to be solved soon, therefore the purpose of the bill is to tackle the lack through training programs at rural schools and training rural hospital employees through education on basic elements of cybersecurity.

Sen. Rand Paul (R-TX) tabled a revision to the first bill, stating that CISA must not request more money for the suggested measures, and the revised bill will now be up for voting on the Senate floor. The progress of the Rural Hospital Cybersecurity Enhancement Act happened a couple of days after the news that an Illinois rural hospital will be closed on June 16, 2023, because, partly, to the monetary pressures of a ransomware attack.

24 State Attorneys General Give Help for Better HIPAA Protections for Reproductive Health Data

An alliance of 24 state attorneys general wrote to the Department of Health and Human Services (HHS) to give their assistance for the suggested change to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to reinforce reproductive health data privacy.

The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization in June 2022 revoked Roe v. Wade and took away the federal right to abortion. A lot of states created their own legislation prohibiting or severely limiting abortions in their specific states, and that legislation allows criminal or civil penalties for anybody that seeks, offers, or helps with an abortion. Presently, 15 states have released nearly complete prohibitions on abortions and many others have limited abortions or are about to introduce prohibitions or limitations. Idaho has additionally lately passed an abortion trafficking regulation, which is going to limit the capability of state residents to go out of state to get an abortion.

Subsequent to the Supreme Court decision, the HHS’ Office for Civil Rights (OCR) released instructions to HIPAA-covered entities about the HIPAA Privacy Law and how it allows but doesn’t call for disclosures of reproductive health data when the disclosure is necessitated by law or is for the purpose of law enforcement. OCR affirmed that when a patient residing in a state that has prohibited abortions notifies their healthcare provider that they are looking for an abortion in a state where abortion is lawful, the HIPAA Privacy Rule wouldn’t let the healthcare provider expose that data to the authorities to be able to stop the abortion.

OCR consequently released a notice of proposed rulemaking (NPRM) regarding an intended change to the HIPAA Privacy Rule to further reinforce reproductive health information privacy, making it unlawful to disclose a patient’s PHI when that data is wanted for particular civil, criminal, and administrative inspections or proceedings versus a patient in association with a legitimate abortion or other reproductive treatment.

According to the NPRM, an alliance of 24 state attorneys general lately wrote to the OCR Director, Melanie Fontes Rainer, and HHS’ Secretary, Xavier Becerra, to validate their agreement to the recommended HIPAA Privacy Rule modifications. The alliance is led by New York Attorney General, Leticia James, and the letter has been approved by the state Attorneys General in Arizona, Colorado, California, Connecticut, Delaware, Illinois, Hawaii, Maine, Massachusetts, Maryland, Minnesota, Michigan, Nevada, New York, New Jersey, North Carolina, New Mexico, Oregon, Pennsylvania, Vermont, Rhode Island, Wisconsin, Washington, and Washington D.C. The state AGs asked for the HHS to move quickly to challenge [the proposed rule] and implement the regular compliance date of 180 days following the successful date of the final rule.

Suggestions to Further Enhance Reproductive Health Data Privacy

Besides verifying their support, comment is given on places where the protections mentioned in the suggested rule could be increased more. The suggested Privacy Rule update explores a wide meaning of “reproductive health care” as a subsection of health care; however, the state AGs suggest likewise making another meaning of “reproductive health,” to make it very clear that the update is not just applicable to companies of gynecological and/or fertility-related care but likewise to other HIPAA regulated entities. This could aid to prevent any probable vagueness regarding the types of health care included in the suggested rule and they suggest that good examples of reproductive health care are included into the regulating text of the final rule.

The state AGs additionally demand the HHS to determine “birth” and “death” individually, to be able to explain that finishing the pregnancy isn’t a public health reporting event and is consequently not governed by the HIPAA Privacy Rule reporting specifications. They additionally require securing of the language in the proposed ruling, which forbids “use or disclosure “mainly for investigation on any individual for the simple act of looking for, getting, offering, or assisting reproductive health care. There is an issue that a different principal objective may be created as a pretext for acquiring PHI for a forbidden reason. This possible loophole may be shut by leaving the word ‘primary’.

Amongst the other suggestions are for the HHS to make sure that requesters and companies get sufficient guidance on the attestation requirement of the proposed ruling, which demands attestation that the request isn’t being done to get reproductive health data to take legitimate action versus a person, and for the HHS to make a nationally accessible, online system to give patients correct and clear details on reproductive care and privacy privileges, and to perform a public awareness plan to advertise the website.