
HELP Committee Calls for HHS to Recognize Good Faith Efforts to Improve Cybersecurity in its HIPAA Enforcement Activities

Enforcement of HIPAA compliance by the HHS’ Office for Civil Rights is viewed by many as overly punitive. Compliance investigations following complaints or data breaches often uncover violations of HIPAA Rules, which can lead to sizable financial penalties.

Organizations that have adopted good cybersecurity best practices could still receive a financial penalty following a data breach, even though they have made reasonable efforts to improve their security posture.

There have been calls for the HHS to take good faith efforts to improve cybersecurity into consideration when investigating breaches and to use discretion when considering enforcement actions.

While the threat of financial penalties should encourage healthcare organizations to invest more in cybersecurity defenses, some consider the HHS approach to be having the opposite effect. Why invest heavily in cybersecurity when the HHS could still issue a financial penalty over a data breach?


An alternative approach, which is favored by several industry groups, is to incentivize healthcare entities to adopt strong cybersecurity best practices by taking into account the steps they have already taken to improve cybersecurity, such as adoption of the NIST Cybersecurity Framework. In cases where the covered entity can demonstrate that it has adopted strong cybersecurity practices, the entity should be protected against financial penalties.

A safe harbor such as this has long been proposed by CHIME, which believes good faith efforts to improve cybersecurity should be recognized by OCR when investigating breaches. Instead, at present, the HHS appears to be “victimizing the victim.”

Support for incentivizing healthcare organizations to improve cybersecurity rather than punishing them for failures is growing. The recently introduced Lower Health Care Costs Act of 2019 includes such a requirement. The bill was proposed by Senate Committee on Health, Education, Labor, and Pensions (HELP) Chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) and calls for the HHS Secretary to consider an organization’s security practices when investigating data breaches or potential HIPAA violations.

Privacy and security concerns have been raised about the proposed interoperability and data blocking rules introduced by the ONC and CMS in February. The rules call for the use of APIs to solve interoperability issues, reduce data blocking, and make it easier for patients to gain access to their health data.

Complying with patient requests for their data to be sent to health apps has the potential to result in a HIPAA violation and a possible financial penalty. Several healthcare organizations and industry groups have expressed concern about liability for unauthorized disclosures of PHI after it has been sent to third parties at the patient’s request. OCR has recently clarified, through a series of FAQs, that once ePHI has been transferred to a third-party app at the request of the patient, the covered entity is no longer liable for any further disclosures.

Since app developers are not typically business associates, HIPAA restrictions no longer apply once the information has been disclosed to the app, and there have been several cases of health data being provided to third parties without the knowledge of the patient.

The Lower Health Care Costs Act of 2019 will help to address privacy and security concerns by calling for the Government Accountability Office (GAO) to conduct a study to identify existing gaps in privacy and security protections when patients have their health information transferred to third parties, such as mobile apps, which are not covered by HIPAA Rules. The findings of that study could guide efforts to improve privacy and security protections for health information once it is transferred beyond the reach of HIPAA.

The HELP Committee is seeking comments on the proposed bill until June 5, 2019.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
