A provision added to the Senate HELP bill aimed at lowering healthcare costs proposes incentivizing providers to bolster cybersecurity and urges HHS to consider their security before making HIPAA enforcement decisions.
The Senate HELP Committee approved its Lower Health Care Costs Act of 2019, which includes provisions that both incentivize healthcare providers to adopt strong cybersecurity programs and urge the Department of Health and Human Services to consider those programs before making HIPAA enforcement decisions.
On Wednesday, the HELP Committee passed the proposed legislation by a vote of 20 to 3. While the bill is primarily focused on reducing the amount patients pay out of pocket for healthcare services and providing more transparency about those costs, several of its items pertain to HIPAA.
Initially introduced in May as the “Improving the Exchange of Health Information” provision of the legislation, the policy would recognize the security practices of healthcare providers and incentivize covered entities to implement strong cybersecurity policies.
Further, the legislation would urge the Department of Health and Human Services to consider a provider’s adoption of those cybersecurity policies and practices when conducting audits or administering HIPAA fines related to potential violations.
The bill does not create a safe harbor from HIPAA enforcement actions; it is aimed at incentivizing healthcare providers to build their security programs on recognized cybersecurity frameworks and to apply security controls that go beyond HIPAA compliance.
The provision would also require the HHS Office for Civil Rights to develop regulations establishing benchmarks for recognizing when covered entities and business associates have built cybersecurity programs strong enough to merit reduced penalties in the event of a security incident or breach.
Another provision proposes that the Centers for Medicare & Medicaid Services require health insurers to make claims data, in-network practitioners, and potential out-of-pocket expenses available to patients through APIs, ensuring that “all existing privacy and security protections for patient health data under HIPAA and state laws apply.”
APIs are a key component to several proposed HHS rules, including the Trusted Exchange Framework and Common Agreement and information blocking rule. Congress, security leaders, and other industry stakeholders have all expressed concerns around the API-driven ecosystem.
For the American Medical Informatics Association, the concern is that the privacy, security, and fraud issues that are raised by APIs are far too big of a challenge for HHS to handle on its own.
One of the new provisions passed on Wednesday would attempt to close some of those gaps by urging the Government Accountability Office to assess the privacy and security risks of electronic data sharing of patient health information to and from entities not covered by HIPAA.
The GAO study would be important for better understanding the challenges posed by APIs, especially around consumer-facing apps used to transmit and store patient data that fall outside HIPAA's scope.
It is important to note that HIPAA's tiered penalty structure already requires OCR to consider a covered entity's culpability when setting fines. The four tiers are: lack of knowledge that HIPAA was being violated, reasonable cause, willful neglect that was corrected, and willful neglect that was not corrected in a timely fashion.
HHS recently moved to reduce the maximum civil monetary penalties for HIPAA violations.
The bill moves to the Senate floor, where Senate HELP Committee Chair Lamar Alexander, R-Tennessee, said he hoped it would be considered next month. Alexander also said he expects other committees will have their own provisions to add to the bill.
Date: July 10, 2019
Source: Health IT Security