Healthcare Associations ask for Leniency for Breached Entities that Implement Cybersecurity Best Practices

by | Mar 12, 2019

Several healthcare groups have asked for leniency to be shown to healthcare organizations that suffer a breach of protected health information (PHI): financial penalties would be avoided if the breached entity has implemented certain standards for securing PHI.

The proposals were made in response to the Department of Health and Human Services’ request for information (RFI) on possible changes to HIPAA to lessen the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS was sent over 1,300 comments on possible changes before the February 12, 2019 deadline.

The ‘safe harbor’ suggestion was submitted by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA).

Healthcare groups can implement cybersecurity frameworks, design layered defenses to keep their networks secure, supply security awareness training to staff, and adopt cybersecurity best practices, yet still suffer a data breach.

OCR has already stated that its area of focus for enforcement is egregious breaches of HIPAA Rules, such as widespread noncompliance and HIPAA-covered bodies that have little regard for HIPAA Rules. However, all breaches of 500 or more records are investigated, and if HIPAA violations are discovered, financial penalties could be applied.

It has been claimed that bodies that have made reasonable efforts to keep patient information private and confidential should not be in danger of significant penalties.

CHIME suggested OCR should allow “A safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The AHA suggested healthcare groups that suffer cyberattacks should be given support and resources, and rather than punishing the breached body, “Enforcement efforts should rightly focus on investigating and prosecuting the attackers.”

Most healthcare groups take significant steps to stop cyberattacks. The AHA said that when an attack happens, an investigation is required to determine how access to systems and data was gained. Lessons can be learned, safeguards enhanced, and details of the weaknesses and threats should then be shared widely to allow other healthcare groups to prevent similar attacks.

The AHA said that there should be “A safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity, such as those promulgated by HHS, in cooperation with the private sector.”

The AMA proposes that “OCR could revise [the HIPAA Security Rule] to include a new clause stating that covered entities that adopt and implement a security framework – such as the NIST Cybersecurity Framework – or take steps toward applying the Health Industry Cybersecurity Practices – the primary publication of the Cybersecurity Act of 2015 Task Group – are in compliance with the Security Rule.”

The AMA also proposes that OCR should shift its approach to securing health information from applying penalties for failures to providing positive incentives that encourage healthcare groups to enhance security and better protect health data.

CHIME said that the current policy that calls for breach reports to be submitted and listed on the OCR breach portal forever is unduly punitive and that there should be a mechanism for removing breached bodies from the listings once they have taken actions to correct vulnerabilities that contributed to the breach.

The HHS is now reviewing all comments and feedback submitted in relation to its RFI and will decide which aspects of the HIPAA Rules should be changed. A notice of proposed rulemaking will then be issued, although the HHS has not given a time frame for completing this.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: