Date Announced for HHS Secretary Confirmation Senate Hearing. The Senate Committee on Finance announced that a hearing entitled “Hearing to consider the nomination of Robert F. Kennedy, Jr., of California, to be Secretary of Health and Human Services” has been scheduled for 10 am ET on January 29. Go here to review the statements from Chair Mike Crapo (R-ID) and Ranking Member Ron Wyden (D-OR), when available, and to watch the hearing live.
President Trump Issues Repeal of Existing AI Executive Order. Within hours of being inaugurated, President Donald Trump issued an executive order repealing former President Biden's 2023 executive order on Artificial Intelligence (AI). The previous executive order had required developers to share safety testing information with the government and tasked HHS with creating a strategic AI plan. It also directed the National Institute of Standards and Technology to develop safety testing standards for AI and directed other federal agencies to assess critical infrastructure risks potentially posed by AI.
Biden Administration Releases Cybersecurity Executive Order. Right before the change of Administrations, President Biden released an executive order entitled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” The order imposes new security standards on companies that do business with the U.S. government. The directive requires software companies to demonstrate the security of their development processes. However, it is unclear whether the incoming Trump administration will uphold the new rules.
OCR Settles HIPAA Case Against Health System Over Patient Access to Records. The Office for Civil Rights (OCR) announced a settlement with a Florida health system concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The settlement resolves litigation resulting from an investigation of a complaint alleging a lack of timely access to an individual’s protected health information (PHI). OCR’s investigation determined that the health system failed to provide access within the 30 calendar days required by the rule. The health system agreed to pay $60,000. The agreement marks OCR’s 52nd Right of Access enforcement action.
OCR initiated an investigation after receiving a complaint from an individual that he was not given timely access to his medical records, despite multiple requests by mail, telephone and the health system’s patient portal, beginning on December 30, 2020. The individual did not receive access to his medical records until approximately nine months later, after OCR initiated its investigation. OCR found that the health system failed to take timely action in response to the patient’s right of access requests in accordance with the HIPAA Privacy Rule. In July 2024, OCR issued a Notice of Proposed Determination to propose imposing a civil monetary penalty, and the health system subsequently requested a hearing before an Administrative Law Judge. On December 13, 2024, the health system agreed to a settlement agreement, including payment of $60,000, to resolve pending administrative litigation. Go here to access the Notice of Proposed Determination and here for the Settlement Agreement.
OCR Settles HIPAA Ransomware Cybersecurity Investigation for $10k. The Office for Civil Rights (OCR) announced a settlement with a provider of surgical services in Michigan for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. In March 2023, OCR received a breach report concerning a ransomware incident that had affected the provider’s information system. The provider concluded that the protected health information of 15,298 patients had been encrypted and exfiltrated from its network. OCR’s investigation determined that the provider had failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in its systems.
Under the terms of the resolution agreement, the provider agreed to implement a corrective action plan that OCR will monitor for two years and paid $10,000 to OCR. Under the corrective action plan, the provider will take steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including: (i) conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; (ii) implementing a risk management plan to address and mitigate the security risks and vulnerabilities identified in that risk analysis; (iii) developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and (iv) training its workforce on its HIPAA policies and procedures. The resolution agreement and corrective action plan may be found here.
HHS Outlines its Data Exchange Approach in JAMA Article. Staff from various agencies within the Department of Health and Human Services published an article in JAMA Network Open entitled “A Unified Approach to Health Data Exchange: A Report From the US DHHS.” The article argues that, to unlock the potential of EHR data to improve patient health, public health, and health care, it is essential to streamline the exchange of health data. The authors describe how HHS has implemented three foundational building blocks called for by the 2016 21st Century Cures Act to create a unified approach for secure, high-quality, and timely exchange of health data across the health care system:
- The United States Core Data for Interoperability provides a minimum baseline for data elements that must be available in federally regulated health information technology systems such as certified EHRs.
- These data elements now must be accessible using Fast Healthcare Interoperability Resources—a secure, flexible, and open-industry standard for health data exchange.
- The Trusted Exchange Framework and Common Agreement provides a network to securely exchange health data across the country. The 3 building blocks of United States Core Data for Interoperability, Fast Healthcare Interoperability Resources, and Trusted Exchange Framework and Common Agreement are now in place thanks to diligent public and private sector work over 2 administrations. Across DHHS, we are working to refine these building blocks and increase their adoption through regulatory authorities, grants, and public-private partnerships.
The authors contend that these technological building blocks are creating a unified approach to health data exchange for patient access, clinical care, quality improvement, scientific research, public health, and other uses of health data. They state that collaborations between the public, nonprofit, and private sectors are needed to maximize their potential. They conclude that, by unlocking the potential of health data, these building blocks are the foundation of a 21st-century digital health care system that will improve the experience of patients and clinicians and result in better health outcomes.
CISA Publishes De-Escalation Action Guide. The Cybersecurity and Infrastructure Security Agency (CISA) released a new resource, the De-escalation Action Guide, a companion to the De-escalation Series. This resource is designed to assist critical infrastructure owners and operators, as well as any personnel responsible for securing public gathering locations and venues. In the Guide, CISA provides an overview of four categories of actions that may be taken to de-escalate a potentially violent situation and consolidates the CISA De-escalation Series into a single resource to help end users identify and navigate suspicious activity or potentially escalating situations.
HC3 Issues Threat Brief on Wi-Fi 7. HHS' Health Sector Cybersecurity Coordination Center (HC3) issued a new Threat Brief on Wi-Fi 7 for health care organizations. The threat brief describes the basic concepts, capabilities and limitations, security protocols, attack examples, and defenses and mitigations. To reach a wide variety of users, the slides included in the Threat Brief offer both non-technical and technical discussions. It also includes links to resources and reference materials.