What’s the difference between HIPAA requirements for covered entities, business associates and cybersecurity requirements for government contractors?

When most people in the health care sector think about the privacy and security of data, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) immediately comes to mind. Not surprising given that HIPAA is almost thirty (30) years old, patients are familiar with it because of the HIPAA Authorizations and covered entities and business associates (45 CFR 160.103) have been required to comply with the respective Privacy Rule, Security Rule and Breach Notification Rule since before 2010.

What about cybersecurity requirements in the scenario where a person contracts with the United States Government (Government) and protected health information (PHI), individually identifiable health information (IIHI) or personally identifiable information (PII) are involved? Additionally, what if the information overlaps into the realms of Federal Contract Information (FCI), Controlled Unclassified Information (CUI) – what cybersecurity requirements and standards apply if HIPAA is not mentioned in a request for proposal, contract, grant, or award?

To be clear, I am not writing about the submission of a version of CMS Form 855 – Medicare Enrollment Application for different types of providers and suppliers and the subsequent registration PECOS, which is the first step in providers and suppliers being able to eventually bill Medicare for claims associated with the treatment or supplying of goods to Medicare Beneficiaries. Instead, I am focused on the federal procurement process, which is required for Government grants, contracts and awards. Just like the CMS Form 855, which has certification and attestation requirements, so does the System for Award Management (SAM).

First, SAM is under the umbrella of the U.S. General Services Administration (GSA). All contractors, subcontractors, grantees and subgrantees, as well as those applying for awards, must register through SAM. If approved, then an Unique Entity Identifier (UEI) is assigned. Among other items, SAM’s General Certifications and Representations require the authorized representative to certify:

(2) Will give the awarding agency, the Comptroller General of the United States and, if appropriate, the State, through any authorized representative, access to and the right to examine all records, books, papers, or documents related to the award; and will establish a proper accounting system in accordance with generally accepted accounting standards or agency directives (See 2 C.F.R. § 200-302 Financial Management and 2 C.F.R. § 200.303 Internal controls); …

(6) Will comply with all applicable requirements of all other Federal laws, executive orders, regulations, and public policies governing financial assistance and any Federal financial assistance awards and any Federal financial assistance project covered by this certification document, including but not limited to: (h) Civil Actions for False Claims Act, 31 U.S.C. § 3730; (i) False Claims Act, 31 U.S.C. §3729, 18 U.S.C. §§ 287 and 1001. (emphasis added).

For those who are unfamiliar, 2 C.F.R. § 200.303 is the first clue that cybersecurity compliance is relevant. Importantly, §200.303(e) expressly requires that SAM registrants “[t]ake reasonable cybersecurity measures to safeguard information including personally identifiable information (PII) and other types of information.”

What are “reasonable cybersecurity measures”? If we go off of the definition of 200.303(e), a good place to ascertain what constitutes “reasonable cybersecurity measures” is found at 81 Fed. Reg. 30439 (May 16, 2016) – Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems. This translates toFederal Acquisition Regulation (FAR) 52.204-21, which identifies 15 basic cybersecurity requirements to safeguard FCI, CUI, PHI and/or PII. Table A sets forth the 15 basic controls found at 52.204-21(b)(1).

Additionally, FAR 52.204-21(b)(2) states, “[t]his clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13356.” (emphasis added).

Hence, contractors, grantees, award recipients and their subs are required to actually read the Government agency regulations and directives, among other documents, addressing the specific legal requirements tied to cybersecurity. There are several laws that are commonly referenced in agreements with the Government or Government agency regulations. For example, required compliance with the Privacy Act of 1974, 5 U.S.C. § 552a, the Federal Information Security Management Act of 2002 and as revised in 2014 (FISMA) and Federal Risk and Authorization Management Program (FedRAMP), which was established by the Office of Management and Budget (OMB) in December 2011. Subsequently, FedRAMP Authorization Act was enacted as part of the FY23 National Defense Authorization Act (NDAA), Sec. 592,1 which codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

The National Institute of Standards and Technology (NIST) was established through Pub. L. 100–418, title V, §5111, Aug. 23, 1988, 102 Stat. 1427, to replace the National Bureau of Standards. From 1988 onward, NIST has conducted cybersecurity research and developed cybersecurity guidance for industry, government, and academia. The two primary types of guidance, which are incorporated into FAR, DFARS, FISMA, FedRAMP, (defined infra), Government agency regulations and contracting agreements alike are: (1) NIST Special Publications (aka NIST SP); and (2) Federal Information Processing Standards (FIPS). FAR, DFARS, FISMA and FedRAMP all require NIST compliance with either NIST SP 800-53 and/or NIST SP 800-171.

SAM registrants that store, maintain, or transmit FCI, CUI, and PII to a Government agency must adhere to mandated cybersecurity controls. Begin with FAR 52.204-21, which may be incorporated into a procurement, grant or award document either directly or indirectly by referencing FAR in general and related Government agency regulations. The relevant NIST SP 800-53 and/or 800-171 must also be referenced and can provide the framework for implementing the 15 basic cybersecurity requirements set forth by FAR. Therefore, from the outset of being evaluated to contract or to receive grants awards with the Government, persons are put on notice that basic cybersecurity safeguards must be implemented.