Healthcare Associations ask for Leniency for Breached Entities that Implement Cybersecurity Best Practices

Several healthcare groups have asked for leniency to be shown to breached healthcare organizations: specifically, that financial penalties for breaches of protected health information (PHI) be waived when the breached entity has implemented certain standards for securing PHI.

The proposals were made in response to the Department of Health and Human Services’ request for information (RFI) on possible changes to HIPAA to lessen the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received over 1,300 comments on possible changes before the February 12, 2019 deadline.

The ‘safe harbor’ suggestion was submitted by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA).

Healthcare groups can implement cybersecurity frameworks, design layered defenses to keep their networks secure, supply security awareness training to staff, and adopt cybersecurity best practices, yet still suffer a data breach.

OCR has already stated that its enforcement focus is on egregious violations of HIPAA Rules, such as widespread noncompliance and HIPAA-covered entities that show little regard for HIPAA Rules. However, all breaches of 500 or more records are investigated, and if HIPAA violations are discovered, financial penalties can be applied.

The groups argued that entities that have made reasonable efforts to keep patient information private and confidential should not be in danger of significant penalties.

CHIME suggested OCR should allow “A safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The AHA suggested healthcare groups that suffer cyberattacks should be given support and resources, and rather than punishing the breached body, “Enforcement efforts should rightly focus on investigating and prosecuting the attackers.”

Most healthcare groups take significant steps to stop cyberattacks. The AHA said that when an attack happens, an investigation is required to determine how access to systems and data was gained. Lessons can be learned, safeguards enhanced, and details of the weaknesses and threats should then be shared widely to allow other healthcare groups to prevent similar attacks.

The AHA said that there should be “A safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity, such as those promulgated by HHS, in cooperation with the private sector.”

The AMA proposes that “OCR could revise [the HIPAA Security Rule] to include a new clause stating that covered entities that adopt and implement a security framework – such as the NIST Cybersecurity Framework – or take steps toward applying the Health Industry Cybersecurity Practices – the primary publication of the Cybersecurity Act of 2015 Task Group – are in compliance with the Security Rule.”

The AMA also proposes that OCR should shift its approach to securing health information from penalizing failures to providing positive incentives that encourage healthcare organizations to enhance security and better protect health data.

CHIME said that the current policy, under which breach reports must be submitted and are listed on the OCR breach portal indefinitely, is unduly punitive, and that there should be a mechanism for removing breached entities from the listings once they have taken action to correct the vulnerabilities that contributed to the breach.

The HHS is now reviewing all comments and feedback submitted in relation to its RFI and will decide which aspects of the HIPAA Rules should be changed. A notice of proposed rulemaking will then be issued, although the HHS has not given a time frame for completing this.