HIPAA Security Rule to be updated

On December 27, 2024, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule. Public comments can be submitted up to 7th March 2025.

According to HHS, the objective of the NPRM is to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  • Add specific compliance time periods for many existing requirements.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map.
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

The NPRM is now open for public comments within 60 days of its publication. As a result, HIPAA compliance in 2025 will undergo a major overhaul. This also means that every HIPAA compliance certification undertaken so far by organizations needs to be revisited in 2025. Once the new rule is adopted and the timelines for compliance are set, the final requirements will be known.

Indian companies that are now looking at DPDPA compliance, and are also exposed to HIPAA compliance requirements through their earlier contractual commitments with covered entities in the USA, will now have to work simultaneously on both DPDPA and HIPAA-2025.

Naavi is looking for interns in Bangalore and elsewhere who are interested in working in this field. They may contact Naavi at the earliest.

Naavi

Also Refer:

HIPAA Security Rule NPRM

Final Rule on Administrative Simplifications effective from 11th February 2025


DPDPA - Corporate Action before March 31, 2025

The DPDPA as an Act has now been in place for over 16 months. The excuse “Rules are not notified” has begun to fade with the notification of the “Draft Rules”. Habitual procrastinators may still find the excuse that the draft rules are only for public consultation, that there is time for their finalization, that thereafter there would be time for setting up the Board, and thereafter for implementation, up to perhaps 2 years.

Good luck to all such “Optimistic Chronic Procrastinators”.

But for those corporate managers who are cautious and risk averse, it is time to start their journey towards DPDPA Compliance immediately.

In this context, the following corporate actions are recommended immediately.

1. In the next Board meeting, pass a resolution stating that the Company has taken note of the release of the draft DPDPA Rules and their impending implementation in the coming year, and needs to initiate immediate steps for compliance.

2. The first step for compliance is to formally designate a “DPDPA Compliance Officer” (who may be the current CRO, CISO, CIO, CCO or CDO, or the DPO if that designation exists), with a letter of designation issued by the Board and the immediate task of submitting a report on the DPDPA risk of the Company and the further actions to be taken. (The Compliance Officer may be promoted to DPO in future if required and if suitable.)

3. Ensure that the Compliance Officer is deputed to an appropriate training program, such as the C.DPO.DA. of FDPPI, so that he is prepared to take up the challenge of conducting a proper DPDPA Risk Assessment and recommending further actions.

4. The above tasks are recommended to be completed before 31st March 2025, with the developments recorded in the next Annual Report.

In the immediate future, a detailed audit needs to be undertaken under a framework like DGPSI, and a Risk Mitigation plan instituted along with appropriate Cyber Insurance coverage where required.

Before committing to the purchase of any software for compliance, be sure to check whether it is suitable for DPDPA compliance.

To assist companies that want to get started, FDPPI will be providing the following services.

1. Conduct a 3-day C.DPO.DA. program at Mumbai on January 24, 25 and 26 (registration now open, with an Early Bird Discount available).

2. Conduct a similar in-person program in Delhi, if possible before March 2025 (to be scheduled).

3. Conduct at least one virtual program before March 2025 (to be scheduled).

4. Conduct a quick Business Impact Assessment through a short virtual session with corporate management, on request (at a cost of Rs 10,000-25,000).

(P.S.: Considering the assignments already booked with FDPPI/Naavi, there could be scope for not more than five to six assessments before March 2025.)

Interested company officials need to contact FDPPI immediately by visiting the website www.fdppi.in, or contact Naavi through www.naavi.org.

The detailed coverage of the Mumbai program for C.DPO.DA. is as follows:

Naavi

All participants in the program will be eligible for participation certificates with 18 hours of CPE credits, and may also take the online examination to obtain the full certificate as “Certified Data Protection Officer and Data Auditor”.

Necessary reading materials in the form of two books, worth Rs 3000/-, will be provided to the participants. Registrants will also be eligible for one year’s free membership of FDPPI.


Comments on DPDPA Rules-5: Business Contact Address

We have already discussed the status of the Business Contact Address under DPDPA 2023 earlier, and categorically held the view that:

a) We cannot determine whether an email address is personal or business by reference to the domain name attached to it. Accordingly, Vijay@ujvala.com can be a personal email while Vijay@gmail.com can be a business email, depending on the choice of “Vijay”.

b) We need to collect the data principal’s own declaration, at the time of collecting the email address, as to whether it is a personal or a business email.

c) By default, and in the absence of information to the contrary, name@companyname.com can be considered a business contact address, name@gmail.com a personal address, and Designation@companyname.com non-personal data.

The recognition that “Business Contact Data” is different from personal data is seen from DPDPA 2023 requiring the publication of the business contact address of the compliance official/DPO under Section 8 of DPDPA 2023 and Rule 9 of the DPDPA Rules.

Naavi

Reference articles:

Business Contact address and DPDPA 2023

Is Business Contact Data, Personal Data under GDPR?


Comments on DPDPA Rules-4: Verifiable Guardian Consent

Among the most discussed provisions of the DPDPA Rules are Rules 10 and 11, which relate to the handling of the personal data of a minor.

As per the Act, a data fiduciary intending to process the personal data of a minor, or of a person with a disability who has a lawful guardian, needs to obtain consent from the parent or guardian. Additionally, the law requires that the processing shall not harm the child, and that there shall be no behavioural monitoring of, or targeted advertising to, children.

The issues involved here are:

1. How do we know if a data principal is a minor or a disabled person?
2. How do we know who is the guardian legally authorized to provide consent on behalf of the minor or the disabled person?
3. How do we know at what future date the consent given by the guardian has expired?
4. How do we know whether the parent/guardian is free of conflicts of guardianship?
5. Does a “Verifiable” consent include verification of disability, verification of guardianship and verification of age?

Under Rule 10 of the Rules, it is mandated that the Data Fiduciary shall observe “Due Diligence” and adopt “appropriate” technical and organizational measures to ensure:

a) That the identity and age information available with the data fiduciary is reliable;

b) That the claimed guardian is an “adult” himself.

The words “Due Diligence” and “Appropriate”, read with “Fiduciary”, mean that it is the responsibility of the data fiduciary to find such technology and procedures as satisfy compliance.

Compliance with this section requires that every data principal be verified as not being a minor. If the person is a minor, the age should be collected and verified. The data fiduciary also needs to collect the identity of the guardian and check whether he is the authorized guardian.

There is at present no proper solution available to meet this requirement. There are some views that this section leads to the denial of some internet services to persons with digitally illiterate parents. There is every possibility that “Andolan Jeevies” will latch onto such comments and try to stall the implementation of the Rules.

It is our view that if, in an attempt to protect children from the adverse impact of the Internet and social media, some minors or disabled persons are unable to open Facebook or Instagram accounts, it would be a blessing in disguise.

In the era of Artificial Intelligence, I do not see how technology can accept defeat in being unable to protect the interests of children. We have already discussed some solutions in this direction in an earlier article titled “Is there no solution for Age-gating?”.

Now we can look forward to a workable technical solution that is “DGPSI Compliant”.

As we are aware, Australia has been the first country to ban access to social media for children below the age of 16. Tech companies will face a penalty of Australian Dollars 49.5 million for violations. The Indian provision for “Parental Consent” is therefore not as stringent as the Australian provision. If the Rule is challenged in a Court, it is necessary to defend it citing the Australian approach.

Naavi


Comments on DPDPA Rules-3: The rules on the Consent Manager are disappointing.

The DPDPA Rules on the Consent Manager (Rule 4 with Schedule 1) are disappointing, since they indicate that the ministry is stuck with its concept of the account aggregator and has failed to go beyond the myopic view that the consent manager should be an intermediary without any visibility of the data being submitted by the data principal to the data fiduciary.

It is strange that the Consent Manager is expected to be a platform to “Provide”, “Manage”, “Review” and “Withdraw” consent, retain the consent information for 7 years, and provide access to the consent, all without having any visibility of the data exchanged.

The Consent Manager is envisaged as a glorified log manager, and the only personal data maintained is about the data principal’s log account. The log itself will have the information on the notice issued, but not what the data principal has furnished.

For example, if the notice says “please give your name, address and e-mail”, the data principal may give some name, some address and some email, and the consent manager will not know what information was given. He just keeps the log record that a notice was received and was responded to.

If the Consent Manager account is kept in the name of Vijayashankar Nagaraja Rao and I submit “Vijay” as a response to the notice, the consent manager has no way of knowing. If all the information required to be submitted in response to a notice is to be validated by the consent manager, then he needs visibility of the data. If not, he cannot have any control.

Further, the consent manager may only have a few fields of data with him which can be automatically uploaded as a response to the notice, and additional information may be provided either directly by the data principal on the data fiduciary’s website or through another data fiduciary (as indicated in the illustration). This means that the consent manager has to aggregate the data elements available with him and the data elements collected from the second data fiduciary, and populate the notice response in a “Data Blind Environment”.

The “Consent” in the DPDPA environment is not a consent given by a data principal X to a data fiduciary B. It is a consent for a specified purpose of processing by B. It is possible that today I give consent to B for Process 1 and next week I give consent for Process 2. Each notice is therefore distinct, and the consent manager will not have with him the information for all the purposes for which I may like to provide consent at different points of time.

Hence his services are only useful for sharing information that he himself has, or that he can fetch at the instance of the data principal from another data fiduciary, such as DigiLocker or a bank.

Hence the replication of the Account Aggregator model in this “Consent Manager” was a mistake.

Having prescribed that the consent manager shall not have any visibility of the data exchanged between the data principal and the data fiduciary, or between one data fiduciary and another at the instance of the data principal, there is no need for stringent credentials, capital criteria, etc. for the consent manager.

The Rule as proposed has killed the potential of the Consent Manager, who could have been used to help overcome the language barrier and the tendency of data fiduciaries to ask for and obtain permissions that are not required.

Instead, the system envisaged duplicates the flow of data in a loop (data principal to data fiduciary, to consent manager, to data principal, back to consent manager, to data fiduciary), whereas presently the data principal, while on the data fiduciary’s website, provides all the information himself.

Maybe a “form completion assistant” with a cookie would be a better option for the data principal, reducing his consent fatigue and letting him fill up the forms faster than he does now without reading and evaluating the permissions.

There is an urgent need to change the Rule regarding the consent manager…

Naavi


Comments on DPDPA Rules-2: Do we require a notification for Section 44?

The DPDPA Rules contain two sets of rules: one set applicable immediately on publication, and another set for which separate dates will be notified.

The rules that will become immediately applicable, namely Rules 1, 2 and 16 to 20, relate to:

1. Short title and commencement, and Definitions
2. Establishment and functioning of the Data Protection Board

The other rules relate to the obligations.

There is, however, a lack of clarity on when Section 44 of DPDPA 2023 will be considered effective.

Section 44 addresses the amendments to ITA 2000 and the RTI Act. It determines when the obligations under Section 43A of ITA 2000 will be extinguished and the penalties under Section 33 of DPDPA 2023 will kick in.

Since there is no rule associated with either Section 33 or Section 44 of DPDPA 2023 in the present set of rules, we need to await the next notification for this purpose, probably within the 2-year limit which the Minister has indicated in his interview.

FDPPI had presented a set of comments on 5th August 2024, based on the first draft of the rules then available, in which we had commented that this should be made effective after one year.

It is considered necessary that a separate rule or a notification should specify when Section 44 of DPDPA 2023 becomes effective, and that it be synchronized with the notification of Section 33 of DPDPA 2023 on penalties.

For this purpose, either a separate Rule 23 could be added to the rules, or one more sub-clause could be added to Rule 1 stating:

4. Sections 33 and 44 of DPDPA 2023 shall come into force with effect from ………………..

If a separate Rule 23 is added, it can also define the current and future role of the Adjudicator under ITA 2000, including a mention that the Adjudicator under ITA 2000 shall continue to be the authority to which a data principal affected by a personal data breach can apply for compensation under Section 43 of ITA 2000.

Naavi
