CMMC and the HIPAA Privacy Rule: What is the Connection?

HIPAA Privacy and Security Rules

Consider this scenario; you are a Chief Information Security Officer (CISO) for a major university hospital system, with over 10 years of experience working with protected health information (PHI) under the following:

1. HIPAA Privacy Rule (“protecting the type of data while communicated”)
2. HIPAA Security Rule (“protecting the security of the data”)

The research department is bidding on a multi-million-dollar, multi-year contract with the Department of Defense (DoD) to research an advanced medical technology. The project requires clinical trials with patients to determine the effects of the technology on humans.

The vice president of research comes to the Chief Compliance Officer (CCO) and you with a request to review the compliance requirements within the request for proposal (RFP) and to determine compliance readiness.

You may be thinking that the hospital must meet both CMMC and HIPAA compliance requirements. And if you are thinking that way, then you are correct. But why should you care, and how do you link the two?

HIPAA Compliance: Why Should Healthcare Care About CMMC?

Adversaries are targeting Controlled Unclassified Information (CUI) within all 16 of the nation’s critical infrastructures, including the Defense Industrial Base (DIB), Healthcare, and Public Health sectors.

Healthcare clients with DoD contracts must obtain CMMC certification in most cases. DoD contracts require the protection of CUI under the CMMC framework. If PHI is involved, then by transference, PHI also requires protection under both the CMMC framework and HIPAA Privacy and Security Rules.

So, where would this be applicable? This would be applicable under a DoD contract to conduct medical research or in support of clinical trials.

The Convergence of Private Healthcare Information (PHI) and Controlled Unclassified Information (CUI)

Under a DoD contract, most data within healthcare is CUI while still maintaining the requirement to comply with HIPAA. Healthcare is busy enough maintaining compliance with HIPAA and now must understand the combined compliance requirements of HIPAA and CMMC. DoD contracts involving healthcare may state that CUI must be protected, with a mapping between PHI and CUI.

As an example, the Defense Health Agency (DHA) had an RFP that was once a part of the DoD’s Pathfinder program to be one of the first contractors to undergo CMMC certification. The contract dealt with both PHI (as a healthcare provider) and CUI (PHI considered to be CUI).

It is important to figure out how to map PHI and CUI. How does a DoD contractor figure out this complex mapping?

No fear; not all is lost.

The National Archives and Records Administration (NARA) manages a national CUI registry defining CUI data for various industrial sectors. In the table, CUI (left red box) maps from the Privacy category over to two healthcare components (right red box) with the sub-categories. PHI maps directly back to the CUI Registry.

Why isn’t HIPAA Compliance Good Enough for DoD Contracts?

Both CMMC and HIPAA provide a framework based on a balance of confidentiality, integrity, and availability of CUI and PHI, respectively.

CMMC focuses heavily on the confidentiality of CUI. CMMC mandates compliance to reduce the risk and impact of unauthorized disclosure or potential compromise of CUI within the defense supply chain.

HIPAA focuses on a narrow group of entities within a single industry. One of the biggest differences is that there is no mandated certification program for HIPAA as there is for CMMC.

For DoD contracts, CMMC certification of healthcare providers is required before contract award. Healthcare providers with DoD contracts are fined after a breach of PHI.

Summary

Handling CUI requires safeguarding or dissemination controls consistent with applicable law, regulations, and government-wide policies. Healthcare providers now have an additional burden of complying with both CMMC and HIPAA under a DoD contract since there is overlap between CUI and PHI. As you can imagine, meeting compliance requirements on both the front end (CMMC) and “back end implications” (HIPAA) can feel foreboding for healthcare providers balancing multiple compliance models and regulatory requirements.

We help you wade through the myriad of compliance frameworks, such as the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, CMMC Model 2.0, NIST SP 800-53a, NIST SP 800-171, and the NIST Cybersecurity Framework (CSF), ensuring you are ready for that DoD contract with HIPAA implications as well.