Many view the HHS Office for Civil Rights’ (OCR) enforcement of HIPAA compliance as excessively punitive. Compliance investigations opened after complaints or data breach reports usually result in the discovery of HIPAA Rules violations and sizable financial penalties.
Companies that have implemented good cybersecurity best practices may still be penalized after a data breach, despite the fact that they took steps to enhance their security posture.
Some are asking HHS to consider good-faith efforts to strengthen cybersecurity during breach investigations and to exercise discretion when considering enforcement actions.
Considering the sizeable financial penalties, healthcare organizations should be encouraged to invest even more in cybersecurity solutions. However, the HHS approach seems to have the opposite effect. Why spend more when HHS could still impose a penalty after a data breach?
An alternate approach that is preferred by a number of industry groups is to give incentives to healthcare organizations that follow strong cybersecurity best practices to strengthen cybersecurity, for instance the NIST cybersecurity framework. If the covered entity could prove its adoption of strong cybersecurity practices, the entity ought to be shielded from financial penalties. CHIME has proposed this safe harbor for a long time. Yet it seems that HHS is still “victimizing the victim.”
There is growing support for giving healthcare organizations incentives to enhance cybersecurity. The recently introduced Lower Health Care Costs Act of 2019 includes such a requirement. Senate Committee on Health, Education, Labor, and Pensions (HELP) Chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) proposed the bill, which would require the HHS Secretary to take an organization’s security programs into consideration when investigating data breaches or possible HIPAA violations.
Privacy and security concerns were raised regarding the proposed interoperability and information blocking rules released by CMS and ONC in February. The rules require the use of APIs to resolve interoperability problems, reduce data blocking, and allow patients to easily access their health information.
Sending patient data upon their request to health apps can potentially result in a HIPAA violation and financial penalty. A number of healthcare companies and industry groups have indicated concern regarding liability for unauthorized PHI disclosures when sent to third parties even at the request of patients. OCR has lately stated that when ePHI has been sent to a third-party app upon the patient’s request, further disclosure is no longer the liability of the covered entity.
Since app developers are not normally business associates, HIPAA restrictions no longer apply once the information has been disclosed to the app. There have already been a number of cases of health data being shared with third parties without the patient’s consent.
The Lower Health Care Costs Act of 2019 would help address these privacy and security concerns by directing the Government Accountability Office (GAO) to study the current gaps in privacy and security protections when patients transfer their health data to third parties, including mobile apps, that the HIPAA Rules do not cover. The study’s findings could serve as a guide for enhancing the privacy and security protections of health data once it has been transferred beyond the reach of HIPAA.
The HELP committee will accept feedback on the proposed bill up to June 5, 2019.