Health IT Groups Laud Proposed Bill Incentivizing Best Practice Security

House E&C members passed a bill that amends the HITECH Act, requiring HHS to incentivize best practice cybersecurity and consider those efforts for enforcement purposes.

Several health IT industry stakeholder groups have issued support of legislation recently passed by the House Energy and Commerce Committee. The proposed HR 7898 bill would require the Department of Health and Human Services to incentivize best practice security for meeting HIPAA requirements.

Specifically, the proposal would amend the HITECH Act to require HHS to take into consideration whether a covered entity or business associate has met recognized security practices when making certain determinations, such as enforcement actions, or for other regulatory purposes.

The HIPAA Safe Harbor bill easily moved from the E&C committee to the Senate and is expected to pass this week.

The legislation would also require HHS to take cybersecurity into consideration when determining fines related to security incidents, and to decrease the length and extent of an audit when it is determined that the provider has met best practice cybersecurity requirements.

“[The HHS] Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may mitigate fines... result in the early, favorable termination of an audit… [or] mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule… between the covered entity or business associate and HHS,” according to the proposed legislation.

Recognized security practices refer to standards, guidelines, best practices, methodologies, procedures, and processes developed by NIST and other programs that adequately address cybersecurity and that are recognized by other statutory authorities.

Among the recognized cybersecurity best practices are those established by the Cybersecurity Act of 2015, implemented by a joint standing taskforce of the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group, HHS, NIST, and the Department of Homeland Security.

On the other hand, the bill’s language specifies that the proposed HITECH changes don’t give HHS the authority to increase fines or the length or extent of an audit when it’s found an impacted covered entity is not in compliance with the recognized security standards.

The proposed legislation has received overwhelming support from both HITRUST and HSCC, a public-private partnership of health companies and providers, representing 300 healthcare organizations.

For HITRUST, incentivizing HIPAA-covered entities and business associates will improve the cyber posture of the healthcare sector, overall, thus improving patient data protections.

The bill also better recognizes healthcare entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification, while encouraging other organizations to take a more proactive approach to demonstrate compliance with HIPAA.

“The bill is a step in the right direction to improving the security of health information across the continuum of care and recognizes and rewards these investments,” according to HITRUST. “HITRUST applauds and encourages the benefits of HIPAA safe harbor.”

For HSCC, the bill is an important step that acknowledges the efforts of many organizations within the healthcare sector to address cybersecurity issues across their networks, organizations that have been continually attacked and victimized by hackers despite these efforts.

Particularly in recent months, ransomware actors have increasingly targeted the healthcare sector, while other double extortion threat actors have stolen data from a host of nonprofit providers.

The legislation recognizes these dire cyber threats facing the sector, while addressing concerns of many health IT leaders that HIPAA enforcement actions “have applied severe penalties against organizations victimized by cyberattacks in spite of their well-resourced programs that employ industry best cybersecurity practices.”

“The bill rebalances this inequity by directing HHS, when making determinations against HIPAA-covered entities and their business associates victimized by a cyberattack, to take into account their use of recognized security best practices during the last 12 months,” HSCC officials wrote.

“More importantly, this provision serves as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety,” they continued.

In support of cybersecurity efforts across the healthcare sector, HHS recently finalized rules that would provide a safe harbor for cybersecurity tech donations between health systems, hospitals, and provider offices.

The finalized changes to the Anti-Kickback Statute and Stark Laws are designed to remove real or perceived barriers to sharing valuable cybersecurity tools with providers, which often have limited resources, and should address the growing cybersecurity risks on data systems.
