Share this article on:
The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses.
Russell P. Branzell, President and CEO of CHIME and Shafiq Rab, CHCIO Chair of the CHIME Board of Trustees recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs.
In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes.
“Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”
The use of technology and data sharing are essential for improving the level of care that can be provided to patients, yet both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also essential for cybersecurity measures to be implemented to protect patient data. Any policy recommendations must also include security requirements.
“As we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes,” wrote CHIME.
Healthcare organizations that comply with HIPAA Rules will have met the minimum standards for healthcare data privacy and security set by the HHS. That does not mean that HIPAA-compliant organizations are well protected against cyberattacks. HIPAA is complex and compliance requires a significant amount of resources. That can mean fewer resources are then available to tackle cybersecurity issues and protect against actual cyber threats.
Healthcare providers are devoting resources to meeting standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious threats. As a result, their ability to protect patient data could be diminished rather than increased as a result.
CHIME also pointed out that enforcement of compliance with HIPAA Rules, via breach investigations and compliance audits, are unduly punitive. OCR appears to be more focused on punishment rather than helping healthcare providers recover from a breach, learn from it, and share the lessons learned with other healthcare organizations.
Healthcare providers should not have the burden of protecting PHI in areas outside their control. CHIME suggests safe harbors should be introduced “for organizations that demonstrate, and certify, cybersecurity readiness.” That may require amendments to the HITECH Act, along with a change to the language used for the definition of a breach so it no longer presumes guilt.
CHIME has also called for the HHS to issue better guidance for healthcare providers to help them assess threats that are within their control. Healthcare providers should not have full responsibility for protecting PHI outside of their domain. CHIME has also suggested that the balance of responsibility for security needs to be split more evenly between covered entities and their business associates.
When considering enforcement actions, OCR should assess the level of effort that has gone into protecting systems and PHI and policies should be pursued that reward healthcare providers for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).
These measures will help encourage healthcare providers to invest more in cybersecurity, which in turn will help to prevent more breaches and allow healthcare providers to avoid the high costs of mitigating those breaches, thus helping to reduce healthcare costs.