Proposed HIPAA Privacy Rule Update and CISA’s Updated Zero Trust Maturity Model

The HHS’ Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Privacy Rule and strengthen privacy protections for reproductive health information. The proposed revision responds to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and removed the federal right to abortion that had been in effect for nearly 50 years.

Since that decision in 2022, states have moved quickly to pass abortion legislation. Eighteen states have already enacted full or partial bans on abortion, and four more are expected to follow. There is concern that those states will attempt to prosecute residents who obtain abortions out of state and will request the health information of those patients from providers that offer reproductive health care.

The overturning of Roe v. Wade discarded roughly 50 years of precedent overnight. The Biden-Harris Administration has said it is committed to protecting women’s lawful access to reproductive health care, including abortion care, and President Biden has signed two executive orders directing HHS to act.

Presently, the HIPAA Privacy Rule permits, but does not require, HIPAA-covered entities to disclose reproductive health information to authorities. OCR has published guidance on sharing reproductive health information that explains when such disclosures are lawful, and it has stated that noncompliance with the HIPAA Rules in connection with reproductive health care is one of its enforcement priorities.

The proposed update is intended to strengthen privacy protections and patient-provider confidentiality by prohibiting the disclosure of reproductive health information for the purpose of investigating or prosecuting patients, healthcare providers, and others involved in providing lawful reproductive health care, such as abortion care.

Specifically, the proposed update to the HIPAA Privacy Rule would prohibit the use or disclosure of reproductive health care information for:

  • Criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where that care is lawful under the circumstances in which it is provided.
  • Identifying any person for the purpose of initiating such investigations or proceedings.

These prohibitions apply when:

  • The reproductive health care is sought, obtained, provided, or facilitated outside the state in which the investigation or proceeding is authorized, in a state where that care is lawful.
  • The reproductive health care is protected, required, or expressly authorized by federal law, regardless of the state in which it is provided.
  • The reproductive health care is provided in the state in which the investigation or proceeding is authorized and is permitted by the law of that state.

Reproductive health care is defined broadly to include, but not be limited to, prenatal care, miscarriage management, abortion, contraception, infertility treatment, and treatment for conditions of the reproductive system such as ovarian cancer.

Under the proposed rule, when a regulated entity receives a request for protected health information (PHI) that could be for a prohibited purpose, it must obtain a signed attestation from the requester that the requested use or disclosure is not for a prohibited purpose. Attestations would be required for requests made for health oversight activities, judicial and administrative proceedings, disclosures to coroners and medical examiners, and law enforcement purposes.

Healthcare providers have described feeling sad, fearful, and angry that their patients could face prosecution for receiving, or that they themselves could face prosecution for providing, evidence-based and medically appropriate care. Trust is central to the patient-provider relationship; medical mistrust damages that relationship and endangers patient health. The proposed rule is intended to safeguard that trust and to ensure that a patient’s private medical information is not disclosed and used against them because they sought care.

OCR will accept comments on the proposed rule for 60 days from the date it is published in the Federal Register.

CISA’s New Version of its Zero Trust Maturity Model

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new version of its Zero Trust Maturity Model to help federal agencies adopt zero trust security. Although the guidance is written primarily for government agencies, any organization can use it to improve its security posture through zero trust.

Traditional security builds perimeter defenses to keep unauthorized parties out of internal systems; everyone inside the network is treated as trusted. Organizations have relied on this model for decades, but it only works when there is a boundary to defend and most IT resources and critical assets sit inside it. Today, most networks are not entirely on-premises and remote work is common, so many trusted users are outside the boundary. Worse, once an attacker breaches the perimeter, large portions of the network, its IT resources, and its sensitive data are within reach. Zero trust instead assumes the environment is already compromised: access to data, networks, and infrastructure is restricted to the minimum necessary, and the validity of each access is continually re-evaluated through continuous verification of the user, the device, and the request.
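To make the contrast concrete, the following added example (not CISA’s code and not part of the original article) puts a perimeter-style check next to a zero-trust policy decision. The device inventory, the grants, the 300-second credential age limit, and the request values are all constructed for illustration; the point is that the perimeter check trusts an intruder on an internal address while denying a remote employee, and the zero-trust check does the opposite because it consults identity, device posture, credential freshness, and a least-privilege grant rather than network location.

```python
"""Perimeter trust versus zero trust access decisions.

Constructed illustration: the device inventory, grants and requests below are
made up for this example; the policy logic is generic and not CISA's code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# The "inside" of the old perimeter model (assumed corporate address space).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed device inventory: posture facts a device agent or MDM would report.
DEVICE_POSTURE = {
    "laptop-42": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-77": {"managed": True, "disk_encrypted": True, "patched": False},
}

# Constructed least-privilege grants: principal -> resource -> allowed actions.
GRANTS = {
    "alice": {"payroll-db": {"read"}},
    "bob": {"payroll-db": {"read", "write"}, "hr-files": {"read"}},
}

# Credentials older than this must be re-verified (continuous verification).
TOKEN_MAX_AGE_S = 300


@dataclass
class Request:
    src_ip: str
    resource: str
    action: str
    principal: Optional[str] = None          # authenticated identity, if any
    token_issued_at: Optional[float] = None  # epoch seconds the credential was issued
    device_id: Optional[str] = None          # device presenting the request


def perimeter_allow(req: Request) -> bool:
    """Traditional model: trust is implied by being inside the network boundary."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request, now: float) -> Tuple[bool, str]:
    """Zero trust model: every request is evaluated on identity, device and scope.

    Network location is deliberately not consulted. Returns (allowed, reason).
    """
    if req.principal is None:
        return False, "no verified identity"
    if req.token_issued_at is None or now - req.token_issued_at > TOKEN_MAX_AGE_S:
        return False, "credential missing or stale; re-verify"
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        return False, "unknown device"
    if not all(posture.values()):
        failing = [k for k, v in posture.items() if not v]
        return False, "device fails posture check: " + ", ".join(failing)
    allowed = GRANTS.get(req.principal, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, "action not within least-privilege grant"
    return True, "allowed"


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Attacker who has breached the perimeter: internal IP, no identity at all.
    intruder = Request("10.1.2.3", "payroll-db", "read")
    # Remote employee on a healthy managed laptop with a fresh credential.
    remote = Request("203.0.113.7", "payroll-db", "read",
                     principal="alice", token_issued_at=now - 60, device_id="laptop-42")
    for label, r in (("intruder", intruder), ("remote", remote)):
        print(label, "perimeter:", perimeter_allow(r),
              "zero trust:", zero_trust_decision(r, now))
```

The check order matters in practice: identity and credential freshness are evaluated before device posture and scope so that an unauthenticated caller learns nothing about which devices or resources exist. In a real deployment the posture facts and grants would come from a device management system and a policy store rather than the inline dictionaries used here.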

CISA’s Zero Trust Maturity Model is built on five pillars, against which an organization’s current zero trust maturity is assessed:

  • Identity
  • Devices
  • Networks
  • Applications and Workloads
  • Data

Version 2 of the Zero Trust Maturity Model incorporates feedback received during the public comment period, which led to the addition of a new maturity stage. The model now has four stages: Traditional, Initial, Advanced, and Optimal. CISA added ‘Initial’ to recognize that organizations begin their zero trust journey from different starting points.

The new model also includes several new functions and updates to existing ones, which organizations should consider when planning and making decisions about implementing a zero trust architecture. The updated model additionally provides a gradient of implementation across each of the five pillars, so that organizations can make incremental improvements on the way to full adoption of a zero trust architecture.

According to Chris Butera, CISA’s Technical Director for Cybersecurity, the agency has been acutely focused on guiding agencies, which are at different stages of implementing zero trust architecture. As one of many roadmaps, the new model will help agencies follow a methodical process and move toward higher zero trust maturity.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.