HIPAA Enforcement Safe Harbor Called for in HELP Committee Bill

There may be some implications for HIPAA-covered entities after the Senate Health, Education, Labor and Pensions (HELP) Committee approved the Lower Health Care Costs (LHCC) Act of 2019.

One of the main targets of the bill is to enhance the transparency of healthcare expenses and service quality. The bill aims to bring a finish to surprise health bills and make sure patients are kept updated about healthcare costs.

The LHCC Act incorporates a provision that encourages healthcare groups to implement strong cybersecurity practices by calling for the Department of Health and Human Services’ Office for Civil Rights to think about the organization’s good faith security efforts when making decisions regarding enforcement actions.

The bipartisan bill gained approval at the HELP committee by 20 votes to 3. The bill includes 54 different proposals from 65 different senators. With the bill now passed, HELP committee chairman Lamar Alexander (R-Tenn) says that he hopes to send the bill to the Majority and Minority Leaders for consideration by the full senate in July 2019.

Many healthcare groups have been asking for OCR to think about the adoption of security frameworks and other good faith efforts to enhance security posture when deciding on whether a fine for noncompliance is adequate. A safe harbor for groups would be to adopt a cybersecurity framework such as the framework developed by NIST has been proposed by several health sector groups.

The LHCC Act does not go as far as proposing a safe harbor from all enforcement actions, but could incentivize healthcare groups to adopt security frameworks, invest time and resources in cybersecurity, and go above and beyond the minimum standards necessary under HIPAA.

The provision should not be seen as a ‘get out of jail free’ card. When financial penalties are applied by OCR, they are usually for a number of different compliance failures and/or egregious violations of HIPAA Rules. Adoption of the NIST Cybersecurity Framework would likely do little to stop financial penalties.

The impact of the new requirement may only be small. At present, when OCR reviews a data breach, many factors are taken into consideration when deciding whether financial penalties are adequate. OCR has previously made it clear that HIPAA compliance is about minimizing, not completely preventing risks. OCR accepts that even groups with strong cybersecurity measures can still be breached. The group’s security program is already considered when OCR decides whether enforcement actions are appropriate.

Along with the HIPAA enforcement provision, the bill proposes that the CMS require health insurers to make information such as claim data and expected out-of-pocket-expenses accessible to patients using APIs to help patients decide on the best health plan. This would also help to communicate that patients’ privacy and security is safeguarded and HIPAA and state laws are applicable.

There has been some worry regarding the risks to individually identifiable health information when it is sent electronically to and from non-HIPAA-covered groups. The bill proposes the Government Accountability Office (GAO) complete a study to identify any risks associated with such transfers. Also, a study is required to spot privacy and security gaps when health information is transferred to third parties using mobile apps created by developers not bound by HIPAA.

The bill must first pass through the full senate and house with approval; however, if the bill does not pass both houses, the provisions linked to HIPAA may be added to a different bill for approval.

Author: Maria Perez