EBIA Weekly Newsletter

OCR Issues Security Crosswalk and Other HIPAA Guidance for Health Plans and Business Associates

March 3, 2016

HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Feb. 2016); Permitted Uses and Disclosures: Exchange for Health Care Operations (Jan. 2016); Health App Use Scenarios & HIPAA (Feb. 2016)
HHS’s Office for Civil Rights (OCR) has released a “crosswalk” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (Framework) and the HIPAA security rule. (NIST—the National Institute of Standards and Technology—is a non-regulatory federal agency whose mission consists, in part, of advancing technology in ways that enhance economic security.) The Framework identifies actions in different categories (such as risk assessment, access control, and anomaly detection) to help entities manage cybersecurity risks, and NIST has provided FAQs and other resources to assist organizations with its use and implementation. OCR’s crosswalk uses the Framework’s categories as a foundation, and then identifies corresponding provisions of the security rule, enabling organizations to identify potential gaps in their electronic security. OCR emphasizes that aligning security programs with the Framework may bolster—but does not guarantee—full compliance with the security rule.

Separately, OCR has released two new fact sheets of interest to group health plans and their business associates. One fact sheet discusses uses and disclosures of PHI for health care operations under the HIPAA privacy rule, using the example of a health plan hiring a care management company to provide nutritional advice and coaching to diabetic and pre-diabetic participants—services considered to be health care operations of the plan. The fact sheet notes that the health plan must have a business associate contract with the care management company. The care management company may request—and health care providers may disclose—PHI to allow the care management company to conduct these health care operations on behalf of the plan. A second fact sheet uses scenarios to address the application of HIPAA’s privacy and security rules to developers of health apps—such as a mobile app offered by a health plan allowing participants to request, download, and store health plan records; check the status of claims; and use wellness tools. OCR indicates that, in this case, the health app developer is a business associate of the health plan because it is creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity.

EBIA Comment: In a news release accompanying the crosswalk, OCR noted that information maintained by health plans has become an increasingly attractive target for cyberattacks. Following re-design of its website late last year, OCR is steadily adding guidance for covered entities and business associates, including materials geared to providing practical analysis for real-life situations. Covered entities and business associates are well-advised to stay abreast of these materials, especially as they anticipate the second round of OCR audits starting sometime this year. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.A (“What Is a Business Associate?”), XXVI.B (“Uses and Disclosures for Treatment, Payment, and Health Care Operations”), and XXX (“Core Security Requirements”). You may also be interested in our recorded webinar “HIPAA Basic Training: Get Your Privacy and Security Compliance on Track for 2016.”

Contributing Editors: EBIA Staff.