HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor
The Senate Health, Education, Labor and Pensions (HELP) Committee has approved the Lower Health Care Costs (LHCC) Act of 2019, which has implications for HIPAA-covered entities.
One of the main aims of the bill is to improve transparency of health care costs and service quality. The bill is intended to end surprise health bills and make sure patients are kept well informed about healthcare costs.
The LHCC Act includes a provision that incentivizes healthcare organizations to adopt strong cybersecurity practices by calling for the Department of Health and Human Services’ Office for Civil Rights (OCR) to consider an organization’s good faith security efforts when making decisions about enforcement actions.
The bipartisan bill passed the HELP committee by 20 votes to 3. The bill includes 54 different proposals from 65 senators. With the bill now passed, HELP committee chairman Lamar Alexander (R-Tenn.) hopes to present the bill to the Majority and Minority Leaders for consideration by the full Senate in July.
Many healthcare organizations have been calling for OCR to consider adoption of security frameworks and other good faith efforts to improve security posture when deciding whether a penalty for noncompliance is appropriate. A safe harbor for organizations that adopt a cybersecurity framework, such as the framework developed by NIST, has been proposed by several industry groups.
The LHCC Act falls short of proposing a safe harbor from all enforcement actions, but could incentivize healthcare organizations to adopt security frameworks, invest time and resources in cybersecurity, and go above and beyond the minimum standards required by HIPAA.
The provision should not be viewed as a ‘get out of jail free’ card. When financial penalties are issued by OCR, they are usually for multiple compliance failures and/or egregious violations of HIPAA Rules. Adoption of the NIST Cybersecurity Framework would likely do little to prevent financial penalties.
The impact of the new requirement may be minimal. Currently, when OCR investigates a data breach, many factors are taken into consideration when deciding whether financial penalties are appropriate. OCR has previously made it clear that HIPAA compliance is about minimizing, not eliminating, risk. OCR accepts that even organizations with strong cybersecurity protections can still be breached, and an organization’s security program is already considered when OCR decides whether enforcement actions are appropriate.
In addition to the HIPAA enforcement provision, the bill proposes that the Centers for Medicare & Medicaid Services (CMS) require health insurers to make information such as claim data and expected out-of-pocket expenses available to patients via APIs to help patients decide on the best health plan. The bill would also make clear that patients’ privacy and security are protected in such exchanges and that HIPAA and state laws apply.
Concern has been raised about the risks to individually identifiable health information when it is transferred electronically to and from non-HIPAA-covered entities. The bill proposes that the Government Accountability Office (GAO) conduct a study to identify any risks associated with such transfers. In addition, a study is required to identify privacy and security gaps when health information is transferred to third parties via mobile apps created by developers not bound by HIPAA.
The bill must first go before the full Senate and House; however, if the bill does not pass both chambers, the provisions related to HIPAA may be added to a different bill.