Advocacy Update

July 12, 2024: National Advocacy Update


The AMA commented on a proposed regulation from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that focuses on sector-based criteria for certain entities to report information on cybersecurity incidents that impact them.


The comment letter stated that at a foundational level, the AMA supports cyber incident reporting for the largest entities within the Health Care and Public Health Sector as cyber incident reporting is a meaningful piece of an entity’s comprehensive cybersecurity plan.  

However, the AMA also remains deeply concerned that physicians and patients have been insufficiently prepared to meet the cybersecurity challenges of an increasingly digital health care system. Cybersecurity is a national priority, and physicians, other health care providers and patients need tools—as well as a skilled workforce—to secure sensitive patient information in the digital sphere. AMA comments also emphasized that every individual provider of patient care should not be required to report covered cyber incidents and ransom payments. In addition, the AMA urged CISA to explicitly include health insurance companies and intermediaries (e.g., clearinghouses) as covered entities under this regulation, as the Change Healthcare cyberattack clearly demonstrated the interconnectedness of the health care ecosystem and the importance of health insurance companies, intermediaries and clearinghouses in maintaining public health and safety.  

The letter also asked for more clarity on CISA actions after the submission of covered Cyber Incident and Ransom Payment Reports and the creation of a new regional extension center program to help educate small entities across all critical infrastructure sectors on cybersecurity best practices. 

The Biden administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS), issued a final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) privacy rule to enhance reproductive health care privacy. This action seeks to safeguard reproductive health care access and privacy, and bolster patient-physician confidentiality. 

The final rule fortifies privacy by prohibiting the use or disclosure of protected health information (PHI) related to reproductive health by covered entities (e.g., physicians, hospitals, health plans, health care clearinghouses) and their business associates. The final rule also permits covered entities to use or disclose PHI for non-prohibited purposes under the privacy rule. 

Prohibited purposes include using PHI to:  

  • Investigate any person for seeking, obtaining, providing or facilitating lawful reproductive health care 
  • Impose liability on any person for seeking, obtaining, providing or facilitating lawful reproductive health care 
  • Identify any person for the purposes of investigation or liability 

To enforce the prohibition, the final rule mandates that covered entities obtain a signed attestation from requestors affirming that the PHI will not be used for prohibited purposes. This requirement applies to requests for PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.  

The Office of the National Coordinator for Health Information Technology (ONC) has confirmed that complying with OCR’s reproductive health regulations will not constitute information blocking. For example, if a request is made to a physician for reproductive health PHI, and the physician requests that an attestation be signed that the PHI will not be used for prohibited purposes and that attestation is not signed, is not complete or cannot be relied on, a physician can withhold that PHI without being considered an information blocker.  

The AMA has been urging both OCR and ONC to provide much needed education and resources to help physicians implement and comply with the regulations and to protect patient and physician information from misuse.  

Physicians must be in compliance with the final rule by Dec. 23, 2024. 

Below are several helpful resources provided by OCR. These include: 
