HIPAA privacy and security
HIPAA's privacy and security rules have a narrower footprint in Energy, Power & Commodities than in healthcare, but the exposure is real: utilities, grid operators, and commodity trading firms that administer employee health plans or handle protected health information through benefits programs fall squarely under the enforcement authority of the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The U.S. Federal Energy Regulatory Commission (FERC) and state public utility commissions add a parallel layer, as data security obligations under critical infrastructure rules increasingly overlap with the administrative safeguards HIPAA demands of covered entities and business associates. Compliance teams in this sector are mapping their benefits vendors and occupational health contractors against the technical safeguard requirements of the HHS Security Rule, particularly as OCR's 2024 proposed update to the HIPAA Security Rule moves toward finalization.
Watch
- HHS OCR proposed Security Rule update: new asset inventory and network segmentation requirements
- Business associate agreements with EHS and occupational health vendors tied to field operations
- FERC Critical Infrastructure Protection standards intersecting with HIPAA administrative safeguard audits
- OCR enforcement pattern: penalty actions against employer-sponsored health plan administrators in non-healthcare sectors
- State-level biometric and health data privacy laws (Illinois BIPA, Texas CUBI) running alongside federal HIPAA obligations
Recent material activity in Energy, Power & Commodities
Active monitoring is in place across Energy, Power & Commodities. Material developments related to HIPAA privacy and security will appear here as they are published.