Bill Spells Out New Factors to Weigh in Setting HIPAA Fines
Measure Passed by Congress Would Require Considering Use of 'Recognized Security Practices'
Under legislation passed by Congress this weekend that awaits President Donald Trump’s signature, HIPAA enforcers, when considering financial penalties for compliance violations, would need to determine whether an organization had implemented “recognized security practices,” such as the National Institute of Standards and Technology’s cybersecurity framework.
The legislation, which would modify the HITECH Act, came about after some healthcare organizations and trade associations complained that the Department of Health and Human Services was unfairly penalizing entities reporting breaches of health information that were the result of cyberattacks and ransomware incidents, notes privacy attorney David Holtzman, principal of the consulting firm HITprivacy.
Under the bill, the HHS Office for Civil Rights would be required to consider whether a breached entity had made a good faith attempt to implement recognized security practices before issuing a HIPAA penalty.
Some observers say the measure could serve as motivation for more organizations to enhance their security programs.
Under HR 7898, passed by both the House and Senate, OCR, when determining a HIPAA Security Rule violation penalty, corrective action or the duration of an audit, would consider whether an organization had demonstrated recognized security practices, such as using the NIST framework “and other programs and processes that address cybersecurity and that are developed, recognized or promulgated through regulations under other statutory authorities.”
The bill would not subject a covered entity or business associate to liability for electing not to engage in the recognized security practices. But it also would not limit HHS’ authority to enforce the HIPAA Security Rule, nor would it “supersede or conflict” with obligations under HIPAA.
“This statute, if signed, would have to be implemented by rulemaking by HHS, so the key question is when that would happen and what issues the Biden administration will include in such a proposed rule,” says privacy attorney Iliana Peters of the law firm Polsinelli.
“Further, in my experience, the vast majority of covered entities and business associates have not implemented practices that comply with either NIST guidance or other certification programs,” she notes. “It will be interesting to see how much of an impact this type of ‘safe harbor’ program would have in practice.”
Regulatory attorney Krystyna Monticello of the law firm Attorneys at Oscislawski says the legislation could potentially help raise the bar in terms of the security practices adopted by covered entities and their vendors.
“The bill seems likely to encourage CEs or BAs to adopt more robust information management programs,” she says. “A covered entity or business associate that chose to implement the NIST or other cybersecurity framework would likely be looking at additional and more enhanced processes and security measures to align its practices with these recognized practices, above and beyond what HIPAA requires, and provide an additional defense in the event of a security incident or breach.”
Smaller entities, she says, “could feel pushed into adopting more stringent practices at far greater cost and resources than would be appropriate for their size, resources and operations.”
The HIPAA Security Rule “does not get into the details in the same respect as more comprehensive frameworks, which may specify a minimum level of user authentication,” notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“This legislation is helpful in that it encourages, but does not mandate, covered entities and business associates to adopt more comprehensive frameworks,” he says. “HHS’ Office for Civil Rights would then take this into account as a show of information security good faith.”
Privacy attorney Kirk Nahra of the law firm WilmerHale adds: “This is a really useful provision that will formalize what has been the typical approach from OCR over the years – they do thorough investigations but have tended not to take action when companies have implemented meaningful and appropriate security programs - even when something doesn’t work in the program.”
The legislation would “make this enforcement approach more of a requirement than a general strategy,” he says.
Although the legislation would require HHS to consider whether recognized security practices were implemented, it would not change the organization’s underlying obligations to comply with the HIPAA Security Rule, Monticello says.
“For example, having in place a robust program that complies with NIST standards could potentially help a CE demonstrate that the breach could not have reasonably been avoided and that the CE went above and beyond the safeguards required under the security rule, which is relevant to the penalties that may be imposed under HIPAA,” she notes. “However, it would not require OCR to reduce any penalties or take other action related to its investigatory and enforcement activities.”
The legislation defines broadly what it considers to be “recognized security practices” and does not require OCR to create a more comprehensive list of recognized security practices, Monticello notes.
It’s not yet clear what other cybersecurity programs and processes OCR might consider in its HIPAA enforcement determinations if the bill becomes law, she says. “This could afford some flexibility to organizations relying upon other industry best practices. However, it would also appear to give OCR considerable discretion during audits and other enforcement activity.”
Timing of Rulemaking
Carrying out the legislation with timely rulemaking could prove challenging because other HIPAA changes are already in the works.
Earlier this month, HHS OCR issued a notice of proposed rulemaking to modify the HIPAA Privacy Rule, including streamlining certain requirements for notices of privacy practices.
Holtzman points out that several provisions of the HITECH Act, which was enacted 10 years ago, have yet to be carried out through rulemaking. Those include provisions calling for sharing with consumers the proceeds of fines and penalties levied against healthcare organizations as well as an “accounting for disclosures” provision that would enable patients to know who has received information from their electronic health records.