Enforcement of HIPAA compliance by the HHS’ Office for Civil Rights is viewed by many as overly punitive. Compliance investigations following complaints or data breaches often uncover violations of HIPAA Rules, which can lead to sizable financial penalties.
Organizations that have adopted good cybersecurity best practices could still receive a financial penalty following a data breach, even though they have made reasonable efforts to improve their security posture.
There have been calls for the HHS to take good faith efforts to improve cybersecurity into consideration when investigating breaches and to use discretion when considering enforcement actions.
While the threat of financial penalties should encourage healthcare organizations to invest more in cybersecurity defenses, some consider the HHS approach to be having the opposite effect. Why invest heavily in cybersecurity when the HHS could still issue a financial penalty over a data breach?
An alternative approach, which is favored by several industry groups, is to incentivize healthcare entities to adopt strong cybersecurity best practices by taking the steps that have been taken to improve cybersecurity into account, such as adoption of the NIST cybersecurity framework. In cases where the covered entity can demonstrate that it has adopted strong cybersecurity practices, the entity should be protected against financial penalties.
A safe harbor such as this has long been proposed by CHIME, which believes good faith efforts to improve cybersecurity should be recognized by OCR when investigating breaches. Instead, at present, the HHS appears to be “victimizing the victim.”
Support for incentivizing healthcare organizations to improve cybersecurity rather than punishing them for failures is growing. The recently introduced Lower Health Care Costs Act of 2019 includes such a requirement. The bill was proposed by Senate Committee on Health, Education, Labor, and Provisions (HELP) chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) and calls for the HHS Secretary to consider an organization’s security practices when investigating data breaches or potential HIPAA violations.
Privacy and security concerns have been raised about the proposed interoperability and data blocking rules introduced by the ONC and CMS in February. The rules call for the use of APIs to solve interoperability issues, reduce data blocking, and make it easier for patients to gain access to their health data.
Complying with patient requests for their data to be sent to health apps has potential to result in a HIPAA violation and possible financial penalty. Several healthcare organizations and industry groups have expressed concern about liability for unauthorized disclosures of PHI after it has been sent to third parties at the patient’s request. OCR has recently clarified, through a series of FAQs, that once ePHI has been transferred to a third-party app at the request of the patient, the covered entity is no longer liable for any further disclosures.
Since app developers are not typically business associates, HIPAA restrictions no longer apply once the information has been disclosed to the app, and there have been several cases of health data being provided to third parties without the knowledge of the patient.
The Lower Health Care Costs Act of 2019 will help to address privacy and security concerns by calling for the Government Accountability Office (GAO) to conduct a study to identify existing gaps in privacy and security protections when patients have their health information transferred to third parties, such as mobile apps, that are not covered by HIPAA Rules. The findings of that study could guide efforts to improve privacy and security protections for health information once it is transferred beyond the reach of HIPAA.
The HELP committee is seeking comments on the proposed bill up until June 5, 2019.