Bill Proposes Easing HIPAA Enforcement Action in Some CasesHHS Would Consider an Organization's Security Measures Before Issuing Fines
Bipartisan healthcare legislation that a Senate health committee passed on Wednesday includes a provision that would incentivize healthcare entities to adopt "strong cybersecurity practices" by encouraging federal regulators to consider organizations' security efforts when making HIPAA enforcement decisions.
The Health, Education, Labor and Pensions Committee voted 20 to 3 to approve the Lower Health Care Costs Act of 2019, which includes a package of 54 proposals from 65 senators, including 36 Democrats and 29 Republicans.
"I hope we can present [this bill] to Majority Leader [Mitch] McConnell, R-Ky., and Minority Leader [Chuck] Schumer, D-N.Y., for the full Senate to consider next month and would expect that other committees will have their own contributions," said Senate health committee chairman Lamar Alexander, R-Tenn., in a statement about the passage of the bill.
The bill primarily aims to provide patients with more transparency about the cost and quality of healthcare services, including an end to "surprise" healthcare bills.
Putting in the Effort
Among provisions included in a section of the bill that focuses on health information exchange is a proposal for the Department of Health and Human Services to "recognize" the security efforts of healthcare entities when enforcing HIPAA.
The provision calls for incentivizing healthcare entities "to adopt strong cybersecurity practices by encouraging the secretary of HHS to consider entities' adoption of recognized cybersecurity practices when conducting audits or administering fines related to the HIPAA Security Rule."
Legal experts are weighing in on the potential impact of that provision.
"I don't think it would lead to a significant change in enforcement, but it certainly would further incentivize organizations to adopt comprehensive information security frameworks," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"Historically, HHS's Office for Civil Rights has only sought financial enforcement in a small minority of cases where OCR perceives that there are widespread, systematic failures, and OCR generally does not pursue the maximum penalties available to them. This would likely continue to be the case."
The bill, if enacted, would require OCR to develop regulations on how to recognize when a HIPAA covered entity or business associate has adequately demonstrated that it had put into place information security practices that would merit OCR's consideration when the agency is conducting a compliance review or audit, notes privacy attorney David Holtzman of the security consulting firm CynergisTek.
"This proposed legislation could suggest to some organizations that they have a 'get out of jail free' card."
—Kate Borten, The Marblehead Group
"The goal is to incentivize organizations to go beyond the floor of requirements set by the HIPAA Security Rule by putting into place the recognized guidelines developed by the National Institute of Standards and Technology cybersecurity framework and the best practice approaches developed by the [federal advisory] CISA 405(d) workgroup," he says.
Free Pass, or Not?
Privacy attorney Kirk Nahra of the law firm WilmerHale says the provision potentially could have a positive impact.
"This is a perfectly reasonable way to try to encourage companies to adopt one of these meaningful [cybersecurity] frameworks to demonstrate security compliance," he says.
"It is something that HHS certainly would consider in practice today, but this encouragement certainly helps. However, even if it were to be adopted, I doubt it would end up being a free pass, but it would be part of the overall opportunity to demonstrate appropriate security compliance."
Further assessing the provision's potential impact, Nahra adds: "If it results in better security compliance, that is good for everyone. But I doubt it will make much enforcement difference overall in how OCR looks at cases."
Indeed, OCR already takes into consideration an organization's security program when it considers HIPAA enforcement action, says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"OCR recognizes that having strong security and privacy programs can't eliminate all risk of breach, and OCR doesn't penalize organizations in such circumstances," she notes. "However, most often, breaches occur when organizations are not doing an adequate job. This proposed legislation could suggest to some organizations that they have a 'get out of jail free' card."
Other provisions in the legislation include a proposal for HHS's Centers for Medicare and Medicaid Services to require commercial health insurers to make information - including health insurance claims data, in-network practitioners and expected out-of-pocket costs - available to patients through application programming interfaces.
The requirement, which is designed to provide consumers with more information to use when selecting a health insurance plan, also "emphasizes that all existing privacy and security protections for patient health data under HIPAA and state laws apply."
Another provision calls for the Government Accountability Office to conduct a study "on the privacy and security risks of electronic transmission of individually identifiable health information to and from entities not covered by HIPAA."
A GAO study is needed "to better understand existing gaps in privacy and security protections for health information as patients move their information to third parties, such as mobile applications, that are not covered by the HIPAA privacy and security rules," according to the bill.
"Ten years ago, the HITECH Act had a similar requirement for the GAO to address health information that falls outside of HIPAA," Greene says. "This issue only takes on more importance now, as the Office of the National Coordinator for Health IT, CMS and OCR regulations all support consumers obtaining access to health information on apps that fall outside of HIPAA."
Greene notes, however, that the Federal Trade Commission has jurisdiction over information that falls outside of HIPAA.
So what's the likelihood that Congress will pass the legislation and the president will sign it?
"I usually bet against anything passing both houses of Congress these days, although this seems like a pretty uncontroversial set of changes," Greene says. "The question is whether the overall legislation will find support, or whether these HIPAA provisions may end up in a different bill."
If the proposal is enacted, organizations would have the potential to avoid OCR's threat of punitive penalties or fines if they invest in building upon the minimum standard of security required by the NIST Cybersecurity Framework and the HIPAA Security Rule, Holtzman notes.
"Healthcare organizations are constantly under attack from bad actors determined to disrupt their operations or unlawfully release patient data that are well-resourced, often much better than our health systems," Holtzman says. "Organizations acting in good faith and applying best practices still face the probability of cyberattacks and the breaches that can result. Recognizing an organization's effort to improve their cyber posture is important and can be more effective than punitive approaches."